
Finding out the call site from hex representation

I'm trying to analyse a crash dump of MS BizTalk service, which is constantly consuming 100% CPU (and I assume that's because of our code :) ). I have a couple of dumps and the stack trace of the busiest threads looks similar - the only problem is, that the top of the stack seems to be missing symbols. It looks like this:

0x642`810b2fd0

So, the question is - how can I find out the module/function from this address? (or at least the module, so that I know what symbol file is missing).


lm in WinDbg dumps the list of modules. In your case WinDbg does not find any modules that occupy this address -- otherwise it would have printed +. Some of the libraries generate code dynamically, in this case the body of the function will be placed in the heap and won't have any symbols or even a module associated with it. I know MCF at some point did this.

I suggest you try to analyze the frames at the top of the stack that have symbols and try to find out what they might be doing.
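The module lookup described in the answer above, as an added example that is not part of the original posts: it parses `lm` output and reports which module, if any, contains a given address. The module list is a constructed sample (names and ranges are assumptions, not taken from the asker's dump), and `parse_lm` and `resolve` are hypothetical helper names.

```python
import re

# Constructed sample of WinDbg `lm` output; ranges are made up for illustration.
LM_OUTPUT = """\
start             end                 module name
00000000`77ec0000 00000000`77ff9000   ntdll      (pdb symbols)
00000642`7f330000 00000642`7fcc9000   mscorwks   (deferred)
00000642`ffaf0000 00000642`ffb5a000   BTSNTSvc   (deferred)
"""

# A module row starts with two hex addresses (with the ` dword separator).
ROW = re.compile(r"^([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(\S+)")


def parse_addr(text):
    """Convert WinDbg address notation (optional 0x, ` separator) to int."""
    return int(text.replace("`", ""), 16)


def parse_lm(output):
    """Return a sorted list of (start, end, name) from `lm` output."""
    modules = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and blank lines do not match
            modules.append((parse_addr(m.group(1)), parse_addr(m.group(2)), m.group(3)))
    return sorted(modules)


def resolve(addr, modules):
    """Return 'module+0xoffset', or None when no loaded module covers addr."""
    for start, end, name in modules:
        if start <= addr < end:  # `end` is the first byte past the image
            return f"{name}+{addr - start:#x}"
    return None


if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    for text in ("0x642`810b2fd0", "00000642`7f400000"):
        hit = resolve(parse_addr(text), mods)
        print(text, "->", hit or "no module (possibly dynamically generated code)")
```
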


Wish I could help more, but the only thing I can suggest is reading this cheat sheet of WinDbg commands. There is one command wt which has a list of params which could help with getting module information about that call site.

Let me know if this is any use for you.
