I’m currently investigating a Windows crash dump, and the Visual Studio debugger shows me an “illegal instruction 0xC000001D” when opening the dump file. At the code position where it reports this error, it shows a disassembly along the lines of the following example:
void g(int x) {
00401E80 push ebp
00401E81 mov ebp,esp
if(x > 20) {
00401E83 cmp dword ptr [x],14h
00401E87 jle g+14h (401E94h)
x *= 4;
>00401E89 db 0fh // illegal instruction here
00401E8A db 0fh
00401E8B xadd eax,esp
00401E8E add cl,byte ptr [ecx+9EB0845h]
x += 42;
00401E94 mov ecx,dword ptr [x]
...
I manually created the above example in the debugger by overwriting the function code with some invalid values in the debugger's memory window, but the crash dump I am investigating shows the same db 0fh entry, apparently indicating an invalid instruction. The code is also similar to what my dump file displays in that the instructions prior to the invalid instruction all seem valid and match the source code.
Now the question is: is it possible at all, in a normally compiled C++ program (Visual C++ 2005 on Windows XP) that does not mess around with memory page access restrictions, to mess up the code segment of the process?
If I try to write to the function address in my example above from code, I always get an Access Violation; that is, the code segment memory page appears to be write-protected.
#include <cstring>

void g(int x); // the function from the disassembly above

void tryToOverwriteCode()
{
    void* fnAddr = (void*)&g; // function pointer to void*: non-portable but OK in VC++
    unsigned int x = 0xDEADBEEF;
    // Simulate memory corruption: try to write something to the code segment:
    memcpy((char*)fnAddr + 4, &x, sizeof(x)); // generates 0xC0000005 Access Violation
    g(42); // call messed-up function - never get here
}
Do you know of any situation where it would in fact be possible to inadvertently overwrite something in the code segment?
I should add that the real program is lots more complicated, with lots of virtual functions, some member function pointers, etc. etc. and the problem is sadly not reproducible, we only currently have this one dump file that looks fine otherwise. — Still, the dump file displays an illegal instruction in the code segment and I would not have thought it possible to mess up the code segment.
No, the memory pages that contain code are write protected. This kind of damage could only occur at process initialization time. But the more likely source is soft RAM errors. Ask your customer to run a RAM test program. Consider file damage if the error is repeatable.
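As an added example (not code from the question or the answer above): a small C++ program that first queries the protection of the page holding g's code and then tries to store a single byte into it under a fault handler, so you can see the write being refused rather than silently corrupting the instruction. On MSVC it uses VirtualQuery and structured exception handling; on other platforms it assumes Linux (/proc/self/maps and a SIGSEGV handler that exits via siglongjmp). The function names code_ptr, code_page_is_writable and write_to_code_faults are my own, and g mirrors the function in the question but returns its result so it can be checked after the probe.

```cpp
// Added example: check the page protection of a function's code and confirm that a
// write to it faults. MSVC/Windows: VirtualQuery + SEH. Otherwise assumed Linux:
// /proc/self/maps + SIGSEGV handler with siglongjmp.
#include <cstdint>
#include <cstdio>

#ifdef _MSC_VER
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#else
#include <csetjmp>
#include <csignal>
#include <fstream>
#include <sstream>
#include <string>
#endif

// Function whose code bytes we probe; same shape as g() in the question.
int g(int x) {
    if (x > 20) {
        x *= 4;
    }
    x += 42;
    return x;
}

// First code byte of g, viewed as a plain byte pointer (conditionally supported cast).
static unsigned char* code_ptr() {
    return reinterpret_cast<unsigned char*>(reinterpret_cast<std::uintptr_t>(&g));
}

#ifdef _MSC_VER
// True if the page containing g's code has any write permission.
bool code_page_is_writable() {
    MEMORY_BASIC_INFORMATION mbi = {};
    if (VirtualQuery(code_ptr(), &mbi, sizeof(mbi)) == 0) {
        return true;  // query failed: not proven safe
    }
    DWORD p = mbi.Protect & 0xFF;  // strip PAGE_GUARD / PAGE_NOCACHE modifier bits
    return p == PAGE_READWRITE || p == PAGE_WRITECOPY ||
           p == PAGE_EXECUTE_READWRITE || p == PAGE_EXECUTE_WRITECOPY;
}

// True if storing one byte into g's code raises an access violation (0xC0000005).
bool write_to_code_faults() {
    __try {
        *code_ptr() = 0x0F;  // same byte value the corrupted dump showed ("db 0fh")
        return false;        // store succeeded: code is writable
    } __except (GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION
                    ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        return true;
    }
}
#else
// Linux: find the /proc/self/maps entry covering g and look for 'w' in its permissions.
bool code_page_is_writable() {
    std::uintptr_t addr = reinterpret_cast<std::uintptr_t>(code_ptr());
    std::ifstream maps("/proc/self/maps");
    std::string line;
    while (std::getline(maps, line)) {
        std::uintptr_t lo = 0, hi = 0;
        char dash = 0;
        std::string perms;
        std::istringstream in(line);
        if (!(in >> std::hex >> lo >> dash >> hi >> perms)) continue;
        if (addr >= lo && addr < hi) return perms.find('w') != std::string::npos;
    }
    return true;  // mapping not found: not proven safe
}

static sigjmp_buf fault_env;
static void on_fault(int) { siglongjmp(fault_env, 1); }

// True if storing one byte into g's code raises SIGSEGV (or SIGBUS).
bool write_to_code_faults() {
    struct sigaction sa = {}, old_segv = {}, old_bus = {};
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile bool faulted = false;
    if (sigsetjmp(fault_env, 1) == 0) {
        *code_ptr() = 0x0F;  // same byte value the corrupted dump showed ("db 0fh")
    } else {
        faulted = true;      // landed here via siglongjmp from the handler
    }
    sigaction(SIGSEGV, &old_segv, nullptr);
    sigaction(SIGBUS, &old_bus, nullptr);
    return faulted;
}
#endif

int main() {
    std::printf("code page writable:   %s\n", code_page_is_writable() ? "yes" : "no");
    std::printf("write to code faults: %s\n", write_to_code_faults() ? "yes" : "no");
    std::printf("g(42) after probe = %d\n", g(42));  // the store never landed
    return 0;
}
```

On a normal process both checks agree with the answer above: the page is mapped execute-only (no 'w'), and the store is refused with an access violation, which is exactly what the memcpy in the question ran into. A dump whose code page nevertheless contains a changed byte therefore points at something that did not go through the page protection at all (damage while the image was being loaded, a bad byte in the file on disk, or a RAM fault) rather than at an ordinary stray pointer write in the program.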