> ..."give me a hint how you"...

Yes, sure. Sorry for the messy, quick reply, but better than nothing I guess.

First, only one debugger process can be attached to one debuggee app. Create a new console app and call DebugActiveProcess(FirewallPID), then call DebugSetProcessKillOnExit(FALSE), so that if you exit your new app it will not kill the firewall (kind of important). It works like that on >= W2K3 (WXP). On <= W2K, DebugSetProcessKillOnExit(FALSE) doesn't work, and you will kill the monitored application by stopping the application that is attached as the debugger.

Then just wait for an event from the debuggee app with:

    WaitForDebugEvent(&de, INFINITE);

Handle the events and pass them further with:

    ContinueDebugEvent(de.dwProcessId, de.dwThreadId, ContinueStatus); // example: DBG_EXCEPTION_NOT_HANDLED

Now the system will pass you events like LOAD_DLL_DEBUG_EVENT, where you can monitor loading and unloading of your plugin filter DLLs and check their base address etc. There are more events, which you can find in MSDN.

What's interesting for us is EXCEPTION_DEBUG_EVENT. When this happens the monitored app is paused and you get a DEBUG_EVENT &de, from which you can get this main info:

    Exception code: de.u.Exception.ExceptionRecord.ExceptionCode
    Thread ID:      de.dwThreadId
    Address:        de.u.Exception.ExceptionRecord.ExceptionAddress

ExceptionAddress is EIP. So now we have the address and the thread where it broke; now let's find out the context of that thread. We need to call GetThreadContext(threadHandle, &dbthreadcntx) to get the context of the crashed thread. From DEBUG_EVENT de, however, we don't have threadHandle, only ThreadID. Therefore you have to maintain a list of threads: on the debug event CREATE_THREAD_DEBUG_EVENT you add the thread handle info to a dynamic array of thread handles.
Once you call GetThreadContext(threadHandle, &dbthreadcntx) you have access to the crashing thread's context, and you can read memory based on the context to get the stack:

    printf("Thread ID:0x%.8X Thread Handle:0x%.8X\r\n EIP:0x%.8X EBP:0x%.8X ESP:0x%.8X\r\n",
           ThreadInfos[i].ThreadId, ThreadInfos[i].hThread,
           dbthreadcntx.Eip, dbthreadcntx.Ebp, dbthreadcntx.Esp);
    ...
    Toolhelp32ReadProcessMemory(foundPID, (BYTE *)((DWORD)dbthreadcntx.Esp), &dwarr[0], 16*4, &cbRead);
    ...
    printf("Immediate Stack dump:\r\n %.8X %.8X %.8X %.8X %.8X %.8X %.8X %.8X\r\n",
           dwarr[0], dwarr[1], dwarr[2], ...);

Based on EBP and the stack you can then trace the previous stack entries.

If you have any questions, please contact me off list.

Regards,
David Farinic
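The procedure described in the mail above, as an added example that is not part of David's reply or of any GFI code: a small C program that attaches with DebugActiveProcess, keeps a thread-ID-to-handle table fed from CREATE_PROCESS/CREATE_THREAD_DEBUG_EVENT, and on EXCEPTION_DEBUG_EVENT calls GetThreadContext, dumps 16 dwords at ESP and walks the EBP frame chain. The Win32 part compiles only as a 32-bit x86 build (it uses the CONTEXT.Eip/Ebp/Esp fields); the thread table and the frame walker are plain C and are exercised against a constructed stack image whose addresses (base 0x0012FF00, return addresses 0x00401234 and so on) are invented for the demo. It goes one step beyond the mail in two places: the breakpoint the system raises on attach is answered with DBG_CONTINUE while every other exception is passed back with DBG_EXCEPTION_NOT_HANDLED, and the frame walk stops when a saved EBP fails to move up the stack, so a corrupted chain cannot loop forever.

```c
/* Added example, not David Farinic's code: attach as a debugger, keep a thread-ID -> handle
 * table, and on EXCEPTION_DEBUG_EVENT read the context, dump the stack at ESP and walk the EBP
 * frame chain. Win32 part is 32-bit x86 only; table and walker are portable and tested below. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>
#endif
#define MAX_THREADS 256
#define MAX_FRAMES  32
#define IMG_BASE    0x0012FF00u   /* invented base of the constructed stack image */

typedef struct { uint32_t tid; void *handle; } ThreadEntry;
typedef struct { ThreadEntry e[MAX_THREADS]; int count; } ThreadTable;

/* Remember a handle from CREATE_PROCESS/CREATE_THREAD_DEBUG_EVENT; returns 0 on success. */
static int table_add(ThreadTable *t, uint32_t tid, void *handle) {
    if (t->count >= MAX_THREADS) return -1;
    t->e[t->count].tid = tid; t->e[t->count].handle = handle; t->count++; return 0;
}
/* Forget the thread on EXIT_THREAD_DEBUG_EVENT (the system closes the handle itself). */
static void table_remove(ThreadTable *t, uint32_t tid) {
    for (int i = 0; i < t->count; i++) if (t->e[i].tid == tid) { t->e[i] = t->e[--t->count]; return; }
}
/* DEBUG_EVENT only carries dwThreadId; GetThreadContext needs the handle. */
static void *table_find(const ThreadTable *t, uint32_t tid) {
    for (int i = 0; i < t->count; i++) if (t->e[i].tid == tid) return t->e[i].handle;
    return NULL;
}
/* Memory reader: ReadProcessMemory on Windows, a flat buffer in the demo below. */
typedef int (*read_fn)(void *ctx, uint32_t addr, void *buf, uint32_t len);

/* Follow the 32-bit frame chain: each EBP points at [saved EBP][return address]. Stops on an
 * unreadable frame, on a chain that fails to move up the stack (loop/garbage), or at max. */
static int walk_ebp_chain(read_fn rd, void *ctx, uint32_t ebp, uint32_t *rets, int max) {
    int n = 0;
    while (n < max && ebp != 0) {
        uint32_t frame[2];
        if (!rd(ctx, ebp, frame, sizeof frame)) break;
        rets[n++] = frame[1];
        if (frame[0] <= ebp) break;                 /* the caller's frame must lie higher */
        ebp = frame[0];
    }
    return n;
}
/* Reader over a 32-dword image standing in for the debuggee's stack (ctx = the image). */
static int flat_read(void *ctx, uint32_t addr, void *buf, uint32_t len) {
    if (addr < IMG_BASE || addr - IMG_BASE + len > 32 * sizeof(uint32_t)) return 0;
    memcpy(buf, (const uint8_t *)ctx + (addr - IMG_BASE), len);
    return 1;
}
/* Three chained frames with invented addresses; returns the return addresses recovered. */
static int demo_walk(uint32_t *rets, int max) {
    uint32_t img[32] = {0};
    img[0x10 / 4] = 0x0012FF30; img[0x10 / 4 + 1] = 0x00401234; /* frame at IMG_BASE+0x10 */
    img[0x30 / 4] = 0x0012FF60; img[0x30 / 4 + 1] = 0x00402000; /* frame at IMG_BASE+0x30 */
    img[0x60 / 4] = 0;          img[0x60 / 4 + 1] = 0x7C817077; /* saved EBP 0 ends the chain */
    return walk_ebp_chain(flat_read, img, IMG_BASE + 0x10, rets, max);
}

#if defined(_WIN32) && !defined(_WIN64)
static int proc_read(void *ctx, uint32_t addr, void *buf, uint32_t len) {
    SIZE_T got = 0;
    return ReadProcessMemory((HANDLE)ctx, (LPCVOID)(uintptr_t)addr, buf, len, &got) && got == len;
}

static void debug_loop(DWORD pid) {
    ThreadTable tt = {0}; HANDLE hProc = NULL; int done = 0;
    if (!DebugActiveProcess(pid)) { printf("DebugActiveProcess failed: %lu\n", GetLastError()); return; }
    DebugSetProcessKillOnExit(FALSE);   /* XP/2003 and later: our exit must not kill the target */
    while (!done) {
        DEBUG_EVENT de; DWORD cont = DBG_CONTINUE;
        if (!WaitForDebugEvent(&de, INFINITE)) break;
        switch (de.dwDebugEventCode) {
        case CREATE_PROCESS_DEBUG_EVENT:
            hProc = de.u.CreateProcessInfo.hProcess;
            table_add(&tt, de.dwThreadId, de.u.CreateProcessInfo.hThread);
            CloseHandle(de.u.CreateProcessInfo.hFile); break;
        case CREATE_THREAD_DEBUG_EVENT: table_add(&tt, de.dwThreadId, de.u.CreateThread.hThread); break;
        case EXIT_THREAD_DEBUG_EVENT:   table_remove(&tt, de.dwThreadId); break;
        case EXIT_PROCESS_DEBUG_EVENT:  done = 1; break;
        case LOAD_DLL_DEBUG_EVENT:      /* where plugin/filter DLLs and their base addresses show up */
            printf("DLL loaded at %p\n", de.u.LoadDll.lpBaseOfDll); CloseHandle(de.u.LoadDll.hFile); break;
        case EXCEPTION_DEBUG_EVENT: {
            const EXCEPTION_RECORD *er = &de.u.Exception.ExceptionRecord;
            HANDLE hThread = (HANDLE)table_find(&tt, de.dwThreadId);
            CONTEXT ctx; ctx.ContextFlags = CONTEXT_FULL;
            printf("Exception %08lX in thread %lu at %p\n", er->ExceptionCode, de.dwThreadId, er->ExceptionAddress);
            if (hThread && GetThreadContext(hThread, &ctx)) {
                uint32_t stack[16], rets[MAX_FRAMES];
                printf("EIP=%08lX EBP=%08lX ESP=%08lX\n", ctx.Eip, ctx.Ebp, ctx.Esp);
                if (proc_read(hProc, ctx.Esp, stack, sizeof stack))        /* immediate stack dump */
                    for (int i = 0; i < 16; i++) printf("%08X%c", stack[i], i % 8 == 7 ? '\n' : ' ');
                int n = walk_ebp_chain(proc_read, hProc, ctx.Ebp, rets, MAX_FRAMES);
                for (int i = 0; i < n; i++) printf("frame %d returns to %08X\n", i, rets[i]);
            }
            /* Swallow only the attach breakpoint; pass everything else back to the target's handlers. */
            cont = er->ExceptionCode == EXCEPTION_BREAKPOINT ? DBG_CONTINUE : DBG_EXCEPTION_NOT_HANDLED;
            break;
        }
        }
        ContinueDebugEvent(de.dwProcessId, de.dwThreadId, cont);
    }
}

int main(int argc, char **argv) { DWORD pid = 0; if (argc > 1) sscanf(argv[1], "%lu", &pid); debug_loop(pid); return 0; }
#endif
```

Build it as a 32-bit binary (for example with a 32-bit cl or i686-w64-mingw32-gcc) and run it with the target's PID as the only argument; attaching to a process running as another account or as a service requires SeDebugPrivilege. While it is attached no second debugger can attach to the same process, and because the loop only observes and forwards exceptions, the target's own handlers and any crash still unfold exactly as they would without it.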