Q. When is it useful to enable pool tagging?
A. Pool tagging is enabled by default. If you suspect certain drivers of corrupting pools, you should enable Special Pool in Driver Verifier. Here I refer you to Windows Internals, 5th edition, pages 799 – 801 for details.
Q. Can you give some basics on how to get more information about “resources” (like those returned by !locks) or even synchronization event objects shown by !process?
A. Unfortunately, events are very difficult to analyze because, unlike critical sections, mutants and executive resources (!locks), they do not have owners. Here's one example with events as terminating wait chains:
http://www.dumpanalysis.org/blog/index.php/2008/11/07/crash-dump-analysis-patterns-part-42d/
Regarding !locks there are many case studies including this one:
http://www.dumpanalysis.org/blog/index.php/2008/01/22/crash-dump-analysis-patterns-part-42c/
Q. Is there a way to generate a dump file on a server that appears to be in a hung state because it is so slow... i.e., high cpu/memory usage remotely?
A. Please refer to these 2 articles:
http://support.citrix.com/article/CTX129575
http://support.microsoft.com/kb/969028
Some hardware has NMI buttons. Please also refer to this pattern:
http://www.dumpanalysis.org/blog/index.php/2007/12/12/crash-dump-analysis-patterns-part-41a/
Q. What's the difference between .symfix, .reload and .loadby sos mscorwks?
A. .symfix sets the symbol path to the Microsoft symbol file server, and .reload then reloads symbol files so that stack traces can be updated if necessary. In exercise P12 we have seen that there is no need to use .loadby; we only need to pay attention to the Framework version and unload and load the appropriate sos.dll manually.
Q. Is this type of hooking/modifying kernel drivers what is used by virus scanners to monitor accesses?
A. Yes, and you can use !chkimg to detect such modifications. They are also possible in user space, where 3rd-party modules use them to enable value-added services. Please refer to the Hooksware page for various case studies:
http://www.dumpanalysis.org/blog/index.php/2008/08/10/hooksware/
Q. Do you have a good reference about integer problems?
A. The only case study I have is about data alignment:
http://www.dumpanalysis.org/blog/index.php/2008/10/06/crash-dump-analysis-patterns-part-76/
Q. Can you make some comments about faulty hardware? How to determine if it's a hardware issue, specially processor and memory?
A. Please refer to this pattern: http://www.dumpanalysis.org/blog/index.php/2008/04/03/crash-dump-analysis-patterns-part-57/
Q. Can you give more info on when nt!IopCancelAlertedRequest does not seem to work?
A. Some explanations can be found on Mark Russinovich's blog:
http://blogs.technet.com/b/markrussinovich/archive/2005/08/17/unkillable-processes.aspx
Q. Is there a possibility to get handle table from process dumps? Tried it but !handle 0 0 doesn't work.
A. Yes, it is possible, but it depends on how the dump was saved. For example, userdump.exe saves handle information but without specific details such as file names and paths:
0:000> !handle
Handle 0000000000000004
Type Directory
Handle 0000000000000008
Type File
Handle 000000000000000c
Type File
Handle 0000000000000010
Type Key
Handle 0000000000000014
Type ALPC Port
Handle 0000000000000018
Type Mutant
Handle 000000000000001c
Type Key
Handle 0000000000000020
Type Event
Handle 0000000000000024
Type Key
Handle 000000000000002c
Type Event
Handle 0000000000000030
Type WindowStation
Handle 0000000000000034
Type Desktop
Handle 0000000000000038
Type WindowStation
Handle 0000000000000080
Type Event
Handle 0000000000000084
Type Event
Handle 0000000000000088
Type Event
Handle 000000000000008c
Type Event
Handle 0000000000000090
Type Event
Handle 0000000000000094
Type Event
Handle 0000000000000098
Type Directory
Handle 000000000000009c
Type Event
Handle 00000000000000a0
Type Event
Handle 00000000000000a4
Type File
Handle 00000000000000a8
Type Key
Handle 00000000000000ac
Type Key
Handle 00000000000000b0
Type Key
Handle 00000000000000b4
Type Key
Handle 00000000000000c0
Type File
Handle 00000000000000c4
Type ALPC Port
Handle 00000000000000c8
Type Mutant
30 Handles
Type Count
None 2
Event 10
File 4
Directory 2
Mutant 2
WindowStation 2
Key 7
Desktop 1
0:000> !handle 000000000000000c ff
Handle 000000000000000c
Type File
Attributes 0
GrantedAccess 0x100020:
Synch
Execute/Traverse
HandleCount 2
PointerCount 3
No object specific information available
Q. Could you please suggest any fundamental/useful resources/books (except WinInternals) to start in kernel development for real noob in kernel?
A. Please refer to this list of books:
Q. What is the difference between Ki* and Ke*?
A. According to the Windows Internals book, Ke is for kernel functions and Ki is for internal kernel functions.
Q. I've heard a number of times that I should use the x64 version of WinDbg to open x64 dumps, and x86 WinDbg to open x86 dumps. Looks like this is not quite required. Is there any restriction or rule on opening or taking dumps with the correct version of WinDbg?
A. What you should keep in mind is that it is easier to analyze process memory dumps of 32-bit processes if they are saved by 32-bit tools. Then you don't need to switch to the x86 context, where not all extension commands work correctly.
Q. WinDbg appears to have many commands. Do you have a list of “most useful” commands and what they do? We can go through the exercises and extract the commands and then look in the help files, but a quick list could be very nice if you have one...
A. OpenTask has recently published the book Windows Debugging Notebook: Essential User Space WinDbg Commands: http://www.dumpanalysis.org/Forthcoming+Windows+Debugging+Notebook
Q. Is return address related to the function on the same line or related to the previous function on the next line?
A. It is related to the function on the next line, where execution resumes after the return. For example:
0:000> k
Child-SP          RetAddr           Call Site
00000000`0027f738 00000000`76d6c95e user32!NtUserGetMessage+0xa
00000000`0027f740 00000000`ff751064 user32!GetMessageW+0x34
00000000`0027f770 00000000`ff75133c notepad!WinMain+0x182
00000000`0027f7f0 00000000`76c4f33d notepad!DisplayNonGenuineDlgWorker+0x2da
00000000`0027f8b0 00000000`771e2cc1 kernel32!BaseThreadInitThunk+0xd
00000000`0027f8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:000> ub 00000000`ff751064
notepad!WinMain+0xf5:
00000000`ff751046 ff1544b40000    call    qword ptr [notepad!_imp_SetWinEventHook (00000000`ff75c490)]
00000000`ff75104c 488bd8          mov     rbx,rax
00000000`ff75104f eb00            jmp     notepad!WinMain+0x16f (00000000`ff751051)
00000000`ff751051 488d4c2440      lea     rcx,[rsp+40h]
00000000`ff751056 4533c9          xor     r9d,r9d
00000000`ff751059 4533c0          xor     r8d,r8d
00000000`ff75105c 33d2            xor     edx,edx
00000000`ff75105e ff1524b40000    call    qword ptr [notepad!_imp_GetMessageW (00000000`ff75c488)]
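As an added example (not part of the original Q&A), a small Python parser over the `k` output above that pairs each frame's RetAddr with the function on the next line and checks that the call instruction shown by ub ends exactly at the return address. The only symbol base it knows, notepad!WinMain, is derived from the ub line `jmp notepad!WinMain+0x16f (00000000`ff751051)` and is an assumption of the example; the frames are constructed from the output quoted above.

```python
import re

# Constructed sample: the `k` output quoted in the answer above, one frame per line.
K_OUTPUT = """\
Child-SP          RetAddr           Call Site
00000000`0027f738 00000000`76d6c95e user32!NtUserGetMessage+0xa
00000000`0027f740 00000000`ff751064 user32!GetMessageW+0x34
00000000`0027f770 00000000`ff75133c notepad!WinMain+0x182
00000000`0027f7f0 00000000`76c4f33d notepad!DisplayNonGenuineDlgWorker+0x2da
00000000`0027f8b0 00000000`771e2cc1 kernel32!BaseThreadInitThunk+0xd
00000000`0027f8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
"""

# Assumed symbol base: ub showed WinMain+0x16f at 00000000`ff751051, so
# notepad!WinMain starts at 0xff751051 - 0x16f. Other modules are left unresolved.
SYMBOLS = {"notepad!WinMain": 0xFF751051 - 0x16F}

FRAME_RE = re.compile(
    r"^([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]{8})`([0-9a-f]{8})\s+(\S+)$")

def parse_k(text):
    """Parse `k` output into (child_sp, ret_addr, call_site) tuples; other lines skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m[1] + m[2], 16), int(m[3] + m[4], 16), m[5]))
    return frames

def symbolize(addr, symbols):
    """Resolve addr to the nearest preceding known symbol as module!func+0xoff."""
    below = {name: base for name, base in symbols.items() if base <= addr}
    if not below:
        return None
    name = max(below, key=below.get)
    return f"{name}+0x{addr - below[name]:x}"

def return_targets(frames, symbols):
    """Pair each frame's RetAddr with the function it resumes in: the Call Site
    on the NEXT line, which is also what the RetAddr itself symbolizes to."""
    out = []
    for i, (_, ret_addr, call_site) in enumerate(frames):
        resumes_in = frames[i + 1][2] if i + 1 < len(frames) else None
        out.append((call_site, symbolize(ret_addr, symbols), resumes_in))
    return out

def call_precedes_return(call_addr, call_bytes_hex, ret_addr):
    """A return address is the instruction right after the call that ub shows."""
    return call_addr + len(call_bytes_hex) // 2 == ret_addr
```

For the GetMessageW frame, RetAddr 00000000`ff751064 symbolizes to notepad!WinMain+0x182, the Call Site of the following line, and the 6-byte call at 00000000`ff75105e ends exactly there.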
Q. Is there a way to load custom symbol paths into WinDbg that it will load by default? The idea would be to load our company's symbol files into a standard location and then WinDbg could always access those symbol files...
A. Yes, it is possible to specify symbol paths in File \ Symbol File Path... and then do File \ Save Workspace.
Q. Why do we still see incorrect symbols warning message during !analyze –v after .symfix and .reload?
A. Sometimes extension commands need private symbols. This usually happens when Microsoft changes public symbols but doesn't update the extension commands.
Q. What is the difference between user space and kernel space addresses on x64?
A. Please see the examples in this article:
http://www.dumpanalysis.org/blog/index.php/category/dictionary-of-debugging/8/
Q. Is there a command to clear screen like tcsh ^L or cls in cmd.exe?
A. Yes, there is such a command: .cls