Memory Dump Analysis Anthology, Volume 5 > Crash Dump Analysis Patterns > Hardware Activity

Table of Contents

Download Safari Books Online apps: Apple iOS | Android

Entire Site

Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

This Book

Memory Dump Analysis Anthology, Volume 5

Search

Table of Contents

Dedication

Preface

Acknowledgements

PART 1. Professional Crash Dump Analysis and Debugging

PART 2. Crash Dump Analysis Patterns

Succession of Patterns

Wait Chain (Process Objects)

Coincidental Frames

Fault Context

Coupled Processes (Weak)

Hooked Functions (Kernel Space)

Hardware Activity

Incorrect Symbolic Information

Message Hooks

Blocked Thread (Hardware)

Coupled Machines

High Contention (Processors)

Thread Starvation (Normal Priority)

Coupled Processes (Semantics)

Abridged Dump

Exception Stack Trace

Wait Chain (RPC)

Distrubuted Spike

Instrumentation Information

Template Module

Invalid Exception Information

Shared Buffer Overwrite

Pervasive System

Problem Exception Handler

Deadlock (Self)

Same Vendor

PART 3. Crash Dump Analysis AntiPatterns

PART 4. Pattern Interaction

PART 5. A Bit of Science and Philosophy

PART 6. Fun with Crash Dumps

PART 7. Software Trace Analysis

PART 8. Software Trace Analysis Patterns

PART 9. Models of Software Behaviour

PART 10. The Origin of Crash Dumps

PART 11. Structural Memory Patterns

PART 12. Memory Visualization

PART 13. Art

PART 14. Security and Malware Analysis

PART 15. Miscellanious

Appendix

Hardware Activity

Sometimes, when a high number of interrupts is reported but there are no signs of an interrupt storm^[10] or pending DPCs in a memory dump file it is useful to search for this pattern in running and / or suspected threads. This can be done by examining execution residue left on a thread raw stack. Although the found driver activity might not be related to reported problems it can be a useful start for a driver elimination procedure for a general recommendation to check suspected drivers for any updates. Here is an example of a thread raw stack with a network card doing "Scatter-Gather" DMA:

^[10] http://msdn.microsoft.com/en-us/library/ff540586(VS.85).aspx

Code View: Scroll / Show All

1: kd> !thread
THREAD f7732090 Cid 0000.0000 Teb: 00000000 Win32Thread: 00000000 RUNNING
on processor 1
Not impersonating
Owning Process 8089db40 Image: Idle
Attached Process N/A Image: N/A
Wait Start TickCount 0 Ticks: 24437545 (4:10:03:56.640)
Context Switch Count 75624870
UserTime 00:00:00.000
KernelTime 4 Days 08:56:05.125
Stack Init f78b3000 Current f78b2d4c Base f78b3000 Limit f78b0000 Call 0
Priority 0 BasePriority 0 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f3b30c5c 00000000 00000000 00000000 00000000 LiveKdD+0x1c07

1: kd> dds f78b0000 f78b3000
f78b0000 00000000
f78b0004 00000000
f78b0008 00000000
f78b000c 00000000
f78b0010 00000000
[...]
f78b2870 8b3de0d0
f78b2874 80887b75 nt!KiFlushTargetSingleTb+0xd
f78b2878 8b49032c
f78b287c 00000000
f78b2880 2d003202
f78b2884 00000000
f78b2888 00000000
f78b288c 2d003202
f78b2890 8b490302
f78b2894 f78b28a4
f78b2898 80a61456 hal!KfLowerIrql+0x62

You are currently reading a PREVIEW of this book.

Get instant access to over
$1 million worth of books and videos.

Start a Free Trial

Download Safari Books Online apps: Apple iOS | Android

This Book

Search

Contents

PART 2. Crash Dump Analysis Patterns > Hardware Activity

Hardware Activity