CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe"
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
ModLoad: 00400000 0049a000 iexplore.exe
ModLoad: 7c900000 7c9b0000 ntdll.dll
ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f01000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77f10000 77f56000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d40000 77dd0000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 7c9c0000 7d1d4000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 774e0000 7761c000 C:\WINDOWS\system32\ole32.dll
ModLoad: 61410000 61534000 C:\WINDOWS\system32\urlmon.dll
ModLoad: 77120000 771ac000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 5dca0000 5dce5000 C:\WINDOWS\system32\iertutil.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
(9a0.bc): Break instruction exception - code 80000003 (first chance)
eax=00241eb4 ebx=7ffde000 ecx=00000004 edx=00000010 esi=00241f48 edi=00241eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c901230 cc int 3
0:000> g
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 773d0000 774d2000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
ModLoad: 5d090000 5d127000 C:\WINDOWS\system32\comctl32.dll
ModLoad: 7e1e0000 7e7a9000 C:\WINDOWS\system32\IEFRAME.dll
ModLoad: 76bf0000 76bfb000 C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\UxTheme.dll
ModLoad: 76cc0000 76ccb000 C:\Program Files\Internet Explorer\custsat.dll
ModLoad: 74720000 7476b000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 20000000 202c5000 C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 5dff0000 5e01f000 C:\WINDOWS\system32\IEUI.dll
ModLoad: 76380000 76385000 C:\WINDOWS\system32\MSIMG32.dll
ModLoad: 4ec50000 4edf3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll
ModLoad: 47060000 47081000 C:\WINDOWS\system32\xmllite.dll
ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\apphelp.dll
ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll
ModLoad: 746f0000 7471a000 C:\WINDOWS\system32\msimtf.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 77a20000 77a74000 C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000 C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 32520000 32532000 C:\Program Files\Microsoft Office\Office10\msohev.dll
ModLoad: 61930000 6197a000 C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 771b0000 7727e000 C:\WINDOWS\system32\WININET.dll
ModLoad: 011e0000 011e9000 C:\WINDOWS\system32\Normaliz.dll
ModLoad: 75cf0000 75d81000 C:\WINDOWS\system32\MLANG.dll
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\ws2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 10000000 1000e000 C:\Program Files\Adobe\Acrobat7.0\ActiveX\AcroIEHelper.dll
ModLoad: 7c340000 7c396000 C:\WINDOWS\system32\MSVCR71.dll
ModLoad: 50110000 5015d000 C:\Program Files\CommonFiles\ReGetShared\Catcher.dll
ModLoad: 75e90000 75f40000 C:\WINDOWS\system32\SXS.DLL
ModLoad: 71a50000 71a8f000 C:\WINDOWS\system32\mswsock.dll
ModLoad: 662b0000 66308000 C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 71a90000 71a98000 C:\WINDOWS\System32\wshtcpip.dll
ModLoad: 76ee0000 76f1c000 C:\WINDOWS\system32\RASAPI32.dll
ModLoad: 76e90000 76ea2000 C:\WINDOWS\system32\rasman.dll
ModLoad: 5b860000 5b8b4000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 76eb0000 76edf000 C:\WINDOWS\system32\TAPI32.dll
ModLoad: 76e80000 76e8e000 C:\WINDOWS\system32\rtutils.dll
ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 5cd70000 5cd77000 C:\WINDOWS\system32\serwvdrv.dll
ModLoad: 5b0a0000 5b0a7000 C:\WINDOWS\system32\umdmxfrm.dll
ModLoad: 769c0000 76a73000 C:\WINDOWS\system32\USERENV.dll
ModLoad: 77c70000 77c93000 C:\WINDOWS\system32\msv1_0.dll
ModLoad: 76d60000 76d79000 C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 02380000 02646000 C:\WINDOWS\system32\msi.dll
ModLoad: 722b0000 722b5000 C:\WINDOWS\system32\sensapi.dll
ModLoad: 71d40000 71d5c000 C:\WINDOWS\system32\actxprxy.dll
ModLoad: 76fc0000 76fc6000 C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 7e830000 7eb9f000 C:\WINDOWS\system32\mshtml.dll
ModLoad: 746c0000 746e9000 C:\WINDOWS\system32\msls31.dll
ModLoad: 72ea0000 72f00000 C:\WINDOWS\system32\ieapfltr.dll
ModLoad: 76c30000 76c5e000 C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 77a80000 77b14000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 76c90000 76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 77690000 776b1000 C:\WINDOWS\system32\NTMARTA.DLL
ModLoad: 76f60000 76f8c000 C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 71bf0000 71c03000 C:\WINDOWS\system32\SAMLIB.dll
ModLoad: 63380000 633f8000 C:\WINDOWS\system32\jscript.dll
ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll
ModLoad: 79000000 79045000 C:\WINDOWS\system32\mscoree.dll
ModLoad: 63f00000 63f0c000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
ModLoad: 78130000 781cb000 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCR80.dll
ModLoad: 63f50000 63f68000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
ModLoad: 64020000 64033000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
ModLoad: 74e30000 74e9c000 C:\WINDOWS\system32\RichEd20.dll
ModLoad: 79e70000 7a3d1000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
ModLoad: 732d0000 732d5000 C:\WINDOWS\system32\SOFTPUB.DLL
ModLoad: 0ffd0000 0fff8000 C:\WINDOWS\system32\rsaenh.dll
ModLoad: 60340000 60348000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll
ModLoad: 790c0000 79ba8000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\8777c689c6eb554fbb138a684f87bb16\mscorlib.ni.dll
ModLoad: 60650000 6065c000 IEHost.dll
ModLoad: 60650000 6065c000 C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
ModLoad: 60680000 60688000 IIEHost.dll
ModLoad: 60680000 60688000 C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
ModLoad: 79060000 790b3000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
ModLoad: 7a440000 7abfe000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\578bcbd50836b0438e0e0510d3b21e7a\System.ni.dll
ModLoad: 11000000 11016000 image11000000
ModLoad: 11000000 11016000 image11000000
ModLoad: 11000000 11016000 image11000000
ModLoad: 11000000 11016000 image11000000
ModLoad: 11000000 11016000 C:\Documents and Settings\Vladimir Scherbina\LocalSettings\Application Data\assembly\dl3\2AJQAA8N.E81\D2E4KLW7.N96\04a708e5\0007d162_1e06c701\inkarea.dll
ModLoad: 7afd0000 7b4e6000 System.Windows.Forms.dll
ModLoad: 7ade0000 7af74000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d8fb3fbffbd7c2419066781e01344f59\System.Drawing.ni.dll
ModLoad: 7afd0000 7bc56000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f51ae980020ed444a321d21d14c7e2cf\System.Windows.Forms.ni.dll
ModLoad: 7afd0000 7b4e6000 C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
ModLoad: 7ade0000 7af74000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d8fb3fbffbd7c2419066781e01344f59\System.Drawing.ni.dll
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
ModLoad: 5e380000 5e409000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
(9a0.bfc): C++ EH exception - code e06d7363 (first chance)
(9a0.bfc): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.bfc): C++ EH exception - code e06d7363 (first chance)
(9a0.bfc): CLR exception - code e0434f4d (first chance)
(9a0.bfc): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
ModLoad: 35c50000 35c89000 C:\WINDOWS\system32\Dxtrans.dll
ModLoad: 76b20000 76b31000 C:\WINDOWS\system32\ATL.DLL
ModLoad: 6d430000 6d43a000 C:\WINDOWS\system32\ddrawex.dll
ModLoad: 73760000 737a9000 C:\WINDOWS\system32\DDRAW.dll
ModLoad: 73bc0000 73bc6000 C:\WINDOWS\system32\DCIMAN32.dll
ModLoad: 35cb0000 35d07000 C:\WINDOWS\system32\Dxtmsft.dll
(9a0.bfc): CLR exception - code e0434f4d (first chance)
(9a0.bfc): CLR exception - code e0434f4d (!!! second chance !!!)
eax=05ddf9ac ebx=0358f760 ecx=00000000 edx=00000025 esi=05ddfa38 edi=e0434f4d
eip=7c81eb33 esp=05ddf9a8 ebp=05ddf9fc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
kernel32!RaiseException+0x53:
7c81eb33 5e pop esi
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
loc_79FE2B54 seems to be interesting because it checks for some flag in sub_79E744CF, and if the flag is zero it calls l_callUnregisterServer; however, if the flag is non-zero, the following code is executed:
I tried to spoof the value of eax and force the CPU to execute the above-mentioned branch and get a well-formatted string, but I failed. The values passed to sub_7A12F0A0 were incorrect in this case.
I continued analyzing the code and found some interesting information. The procedure sub_79E783E9 (which is called before the code above) retrieves the latest error value using GetLastError:
Error code 0x0000007F maps to 'The specified procedure could not be found.', which is quite strange to me, because I don't see any code nearby that calls GetProcAddress.
At this point I stopped. I guess my observations at this point will be helpful to the IE team in fixing this problem. I also hope I will have the time to continue the investigation if necessary.