Getting Symbols from crashes at Microsoft Dev Dashboard

Question

The Microsoft Windows Dev Center Dashboard lets me collect stack traces from failures in my native desktop app in the wild.

Unfortunately, minidumps aren't avaialble. I just get a TSV file that (sometimes) has a stack trace in it, which looks like this:

Frame   Image   Function    Offset
0   MyApp       0x2F59A1    
1   MyApp       0x11CEA8    
2   MyApp       0x11AE74    
3   MyApp       0x151289    
4   MyApp       0x2A686 
5   MyApp       0x180720    
6   MyApp       0x1807B6    
7   MyApp       0x2E875A    
8   MyApp       0x2E8882    
9   kernel32    BaseThreadInitThunk 0x24    
10  ntdll   __RtlUserThreadStart    0x2B    
11  ntdll   _RtlUserThreadStart 0x1B    

To make this uesful, I load the matching binary in WinDbg, figure out the offset plus the base address, and unassemble at the resulting address. If my app loads at 0x00400000, I add 0x2F59A1 to it and get 0x006F59A1. Unassembling there shows me the return address of that stack frame, so I can get some idea of what the crash is about.

Is there a better way? How can I request minidumps from Dev Center? (Microsoft Support says I just can't. Really?) Is there a script to convert at TSV file a usable stack trace so I don't manually evaluate each stack frame? Is there some other way?

Answer 1

I don't know if you can get a .dmp or not google says you can not get one from dash board

the answer below is a modified version of a script I once used it to disassemble @ .map file offsets improvise if needed it takes the offsets from the column using pandas
creates a command string and uses subprocess to disassemble at that offset

i assume the tsv is a tab seperated value file if not you have some tweaking to do

assuming tab seperated file with data like below

Frame   Image   Function    Offset
0   calc    0x1012
0   calc    0x1015 

you can automate the process with some for loops in the code below

edit since i do two subprocess calls the offsets for both forward and backward disassembly are different (ASLR effect )

:\>cat Untitled.py
import pandas as pd
df = pd.read_csv("tsv.txt" , delimiter='\t')
print df
offset = df.Function.unique()[1]
print offset
import subprocess
cmdline = "cdb -c \"ub calc+"+offset+";q\" calc.exe | tail"
print cmdline
output = subprocess.check_output(cmdline ,shell=True )
print output
cmdline = "cdb -c \"u calc+"+offset+";q\" calc.exe | tail"
print cmdline
output = subprocess.check_output(cmdline ,shell=True )
print output
:\>python Untitled.py
   Frame Image Function  Offset
0      0  calc   0x1012     NaN
1      0  calc   0x1015     NaN
0x1015
cdb -c "ub calc+0x1015;q" calc.exe | tail
calc!_imp__SHGetFolderPathW+0x1:
00f31005 57              push    edi
00f31006 1f              pop     ds
00f31007 7629            jbe     calc!_imp__GdipCloneImage+0x2 (00f31032)
00f31009 a1237683dd      mov     eax,dword ptr ds:[DD837623h]
00f3100e 27              daa
00f3100f 7646            jbe     calc!_imp__GdipDeleteGraphics+0x3 (00f31057)
00f31011 1e              push    ds
00f31012 197600          sbb     dword ptr [esi],esi
quit:

cdb -c "u calc+0x1015;q" calc.exe | tail
calc!⌂SHELL32_NULL_THUNK_DATA+0x1:
009b1015 0000            add     byte ptr [eax],al
009b1017 007a41          add     byte ptr [edx+41h],bh
009b101a 5f              pop     edi
009b101b 7700            ja      calc!⌂SHLWAPI_NULL_THUNK_DATA+0x1 (009b101d)
009b101d 0000            add     byte ptr [eax],al
009b101f 005fa1          add     byte ptr [edi-5Fh],bl
009b1022 687449a568      push    68A54974h
009b1027 744a            je      calc!_imp__GdiplusShutdown+0x3 (009b1073)
quit:


:\>