I'm debugging a process in WinDbg, and the process exited:
0:009> g
(bunch of regs...)
ntdll!NtTerminateProcess+0xc:
770ad43c c20800 ret 8
0:009> g
^ No runnable debuggees error in 'g'
At this point, how do I get the process' exit code?
Exit Code 1 indicates that a container shut down, either because of an application failure or because the image pointed to an invalid file. In a Unix/Linux operating system, when an application terminates with Exit Code 1, the operating system ends the process using Signal 7, known as SIGHUP.
25.7.1 Normal Termination: The exit function tells the system that the program is done, which causes it to terminate the process. status is the program's exit status, which becomes part of the process' termination status. This function does not return.
Exit code 9 can be due to the OS killing your process due to being out of memory. Check your system logs to see if that is the case.
You could find it as the second argument of ZwTerminateProcess. NtTerminateProcess is just the kernel version of it, right?
0:000> kb
ChildEBP RetAddr Args to Child
003ff414 7774d5ac ffffffff 1234abcd 00000000 ntdll!ZwTerminateProcess+0x12
003ff430 759c79ec 00000000 77e8f3b0 ffffffff ntdll!RtlExitUserProcess+0x85
...
Or the fourth parameter of RtlExitUserProcess:
0:000> kn
# ChildEBP RetAddr
00 003ff414 7774d5ac ntdll!ZwTerminateProcess+0x12
01 003ff430 759c79ec ntdll!RtlExitUserProcess+0x85
...
0:000> .frame 01
01 003ff430 759c79ec ntdll!RtlExitUserProcess+0x85
0:000> dd esp L4
003ff414 7771fcc2 7774d5ac ffffffff 1234abcd
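Added example (not part of the original answer): a small Python helper that reads saved 32-bit `kb` output like the trace in the answer above and returns the second "Args to Child" value of the NtTerminateProcess/ZwTerminateProcess frame. The function names, the constructed second trace and the short NTSTATUS table are this example's own, and decoding the status name goes slightly beyond what the answer shows.

```python
import re

# One row of 32-bit `kb` output: ChildEBP, RetAddr, three "Args to Child"
# dwords, then the symbol. An optional leading frame number covers `kbn`.
KB_ROW = re.compile(
    r"^(?:[0-9a-f]{2}\s+)?[0-9a-f]{8}\s+[0-9a-f]{8}\s+"
    r"([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)",
    re.IGNORECASE,
)
TERMINATE = re.compile(
    r"^ntdll!(?:Nt|Zw)TerminateProcess(?:\+0x[0-9a-f]+)?$", re.IGNORECASE
)
# A few well-known NTSTATUS values that appear as process exit codes.
KNOWN_STATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

def exit_code_from_kb(text):
    """Return the exit status as an unsigned 32-bit int, or None if not found.

    Only 32-bit traces are handled: on x64 the first arguments travel in
    registers, so the stack columns of `kb` do not hold them reliably.
    """
    for line in text.splitlines():
        m = KB_ROW.match(line.strip())
        if m and TERMINATE.match(m.group(4)):
            return int(m.group(2), 16)  # second argument = ExitStatus
    return None

def describe(code):
    """Format the code as hex, signed decimal and, if known, NTSTATUS name."""
    signed = code - (1 << 32) if code & 0x80000000 else code
    return f"0x{code:08x} ({signed}) {KNOWN_STATUS.get(code, '')}".rstrip()

# Trace copied from the answer above.
PAGE_TRACE = """\
0:000> kb
ChildEBP RetAddr Args to Child
003ff414 7774d5ac ffffffff 1234abcd 00000000 ntdll!ZwTerminateProcess+0x12
003ff430 759c79ec 00000000 77e8f3b0 ffffffff ntdll!RtlExitUserProcess+0x85
"""
# Constructed sample (not from the page): a kbn-style row with a crash status.
CONSTRUCTED_TRACE = "00 0018f9a0 77a1d5ac ffffffff c0000005 00000000 ntdll!NtTerminateProcess+0xc\n"

if __name__ == "__main__":
    for trace in (PAGE_TRACE, CONSTRUCTED_TRACE):
        print(describe(exit_code_from_kb(trace)))
```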