Crash Dump Analysis Patterns (Part 22)


Sometimes we suspect that a problem was caused by some module, but the WinDbg lmv command doesn't show the company name or other verbose information for it, and a Google search for the file name returns no results. I call this pattern Unknown Component.

In such cases additional information can be obtained by dumping the module resource section or the whole module address range and looking for ASCII and UNICODE strings (version resource strings are UNICODE, so every character is followed by a zero byte and appears separated by a dot in db output). For example (byte values in db output are omitted for clarity):

2: kd> lmv m driver
start    end        module name
f5022000 f503e400   driver   (deferred)
    Image path: \SystemRoot\System32\drivers\driver.sys
    Image name: driver.sys
    Timestamp:        Tue Jun 12 11:33:16 2007 (466E766C)
    CheckSum:         00021A2C
    ImageSize:        0001C400
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0

2: kd> db f5022000 f503e400
f5022000  MZ..............
f5022010  ........@.......
f5022020  ................
f5022030  ................
f5022040  ........!..L.!Th
f5022050  is program canno
f5022060  t be run in DOS
f5022070  mode....$.......
f5022080  .g,._.B._.B._.B.
f5022090  _.C.=.B..%Q.X.B.
f50220a0  _.B.].B.Y%H.|.B.
f50220b0  ..D.^.B.Rich_.B.
f50220c0  ........PE..L...
f50220d0  lvnF............
...
...
...
f503ce30  ................
f503ce40  ................
f503ce50  ................
f503ce60  ............0...
f503ce70  ................
f503ce80  ....H...........
f503ce90  ..........4...V.
f503cea0  S._.V.E.R.S.I.O.
f503ceb0  N._.I.N.F.O.....
f503cec0  ................
f503ced0  ........?.......
f503cee0  ................
f503cef0  ....P.....S.t.r.
f503cf00  i.n.g.F.i.l.e.I.
f503cf10  n.f.o...,.....0.
f503cf20  4.0.9.0.4.b.0...
f503cf30  4.....C.o.m.p.a.
f503cf40  n.y.N.a.m.e.....
f503cf50  M.y.C.o.m.p. .A.
f503cf60  G...p.$...F.i.l.
f503cf70  e.D.e.s.c.r.i.p.
f503cf80  t.i.o.n.....M.y.
f503cf90  .B.i.g. .P.r.o.
f503cfa0  d.u.c.t. .H.o.o.
f503cfb0  k...............
f503cfc0  ................
f503cfd0  ....4.....F.i.l.
f503cfe0  e.V.e.r.s.i.o.n.
f503cff0  ....5...1...0...
f503d000  ????????????????
f503d010  ????????????????
f503d020  ????????????????
f503d030  ????????????????
...
...
...

We see that CompanyName is MyComp AG, FileDescription is My Big Product Hook and FileVersion is 5.0.1. The rows shown as ???????????????? are pages that are not present in the dump (paged out or not saved), so any strings located there cannot be recovered this way.

In our example the same information can also be retrieved by dumping the PE image header with !dh, reading the address and size of the Resource Directory from it, and then dumping that range:

2: kd> lmv m driver
start    end        module name
f5022000 f503e400   driver   (deferred)
    Image path: \SystemRoot\System32\drivers\driver.sys
    Image name: driver.sys
    Timestamp:        Tue Jun 12 11:33:16 2007 (466E766C)
    CheckSum:         00021A2C
    ImageSize:        0001C400
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0

2: kd> !dh f5022000 -f

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
     14C machine (i386)
       6 number of sections
466E766C time date stamp Tue Jun 12 11:33:16 2007

       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
     10E characteristics
            Executable
            Line numbers stripped
            Symbols stripped
            32 bit word machine

OPTIONAL HEADER VALUES
     10B magic #
    6.00 linker version
   190A0 size of code
    30A0 size of initialized data
       0 size of uninitialized data
   1A340 address of entry point
     2C0 base of code
         ----- new -----
00010000 image base
      20 section alignment
      20 file alignment
       1 subsystem (Native)
    4.00 operating system version
    0.00 image version
    4.00 subsystem version
   1C400 size of image
     2C0 size of headers
   21A2C checksum
00100000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
       0 [       0] address [size] of Export Directory
   1A580 [      50] address [size] of Import Directory
   1AE40 [     348] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
       0 [       0] address [size] of Security Directory
   1B1A0 [    1084] address [size] of Base Relocation Directory
     420 [      1C] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
       0 [       0] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
     2C0 [     15C] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

2: kd> db f5022000+1AE40 f5022000+1AE40+348
f503ce40  ................
f503ce50  ................
f503ce60  ............0...
f503ce70  ................
f503ce80  ....H...........
f503ce90  ..........4...V.
f503cea0  S._.V.E.R.S.I.O.
f503ceb0  N._.I.N.F.O.....
f503cec0  ................
f503ced0  ........?.......
f503cee0  ................
f503cef0  ....P.....S.t.r.
f503cf00  i.n.g.F.i.l.e.I.
f503cf10  n.f.o...,.....0.
f503cf20  4.0.9.0.4.b.0...
f503cf30  4.....C.o.m.p.a.
f503cf40  n.y.N.a.m.e.....
f503cf50  M.y.C.o.m.p. .A.
f503cf60  G...p.$...F.i.l.
f503cf70  e.D.e.s.c.r.i.p.
f503cf80  t.i.o.n.....M.y.
f503cf90  .B.i.g. .P.r.o.
f503cfa0  d.u.c.t. .H.o.o.
f503cfb0  k...............
f503cfc0  ................
f503cfd0  ....4.....F.i.l.
f503cfe0  e.V.e.r.s.i.o.n.
f503cff0  ....5...1...0...
f503d000  ????????????????
f503d010  ????????????????
...
...
...
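The same decoding can be scripted instead of read off the db output by eye. The following Python is an added example and is not code from the original post or from WinDbg: it scans a raw byte range (for instance one saved from the module address range with .writemem) for the VS_VERSION_INFO key, then walks the nested {wLength, wValueLength, wType, szKey, Value, Children} blocks down to the StringFileInfo table and returns CompanyName, FileDescription and FileVersion. The sample buffer is constructed inline to mirror the values seen above (build_block and _s exist only to construct it); the walk from the PE header to the Resource Directory that !dh performs is not repeated here.

```python
import struct

SIG = "VS_VERSION_INFO".encode("utf-16-le")   # root szKey of the version resource

def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)          # every member is DWORD aligned

def build_block(key: str, value: bytes = b"", children=(), wtype: int = 1) -> bytes:
    """Build a {wLength, wValueLength, wType, szKey, Value, Children} block (only used for the sample)."""
    vlen = len(value) // 2 if wtype == 1 else len(value)   # text values are counted in WCHARs
    blk = _pad4(struct.pack("<HHH", 0, vlen, wtype) + (key + "\0").encode("utf-16-le")) + value
    for child in children:
        blk = _pad4(blk) + child
    return struct.pack("<H", len(blk)) + blk[2:]

def parse_block(buf: bytes, off: int):
    """Parse one block at buf[off:]; returns (wLength, key, value bytes, [children]) recursively."""
    wlen, vlen, wtype = struct.unpack_from("<HHH", buf, off)
    align = lambda p: off + ((p - off + 3) & ~3)            # padding is relative to the block start
    p = off + 6
    while p + 2 <= len(buf) and buf[p:p + 2] != b"\0\0":     # szKey is a null-terminated UTF-16LE string
        p += 2
    key = buf[off + 6:p].decode("utf-16-le")
    p = align(p + 2)
    vbytes = vlen * 2 if wtype == 1 else vlen
    value, p, children = buf[p:p + vbytes], align(p + vbytes), []
    while p < off + wlen:
        children.append(parse_block(buf, p))
        p = align(p + children[-1][0])
    return wlen, key, value, children

def version_strings(mem: bytes) -> dict:
    """Scan a raw module dump (what 'db start end' shows) for VS_VERSION_INFO and return its string table."""
    off = mem.find(SIG)
    if off < 6:                       # not found (or too close to the start to hold a block header)
        return {}
    out = {}
    for _, key, _, tables in parse_block(mem, off - 6)[3]:
        if key == "StringFileInfo":   # children: one StringTable per language/codepage, e.g. 040904b0
            for _, _lang, _, strings in tables:
                out.update((k, v.decode("utf-16-le").rstrip("\0")) for _, k, v, _ in strings)
    return out

# Constructed sample: junk prefix at an odd offset, then a minimal VS_VERSIONINFO resource.
_FIXED = struct.pack("<II", 0xFEEF04BD, 0x00010000) + b"\0" * 44    # VS_FIXEDFILEINFO, 52 bytes
def _s(k, v): return build_block(k, (v + "\0").encode("utf-16-le"))
SAMPLE = b"MZ\0junk" + build_block("VS_VERSION_INFO", _FIXED, [build_block("StringFileInfo", children=[
    build_block("040904b0", children=[_s("CompanyName", "MyComp AG"), _s("FileDescription", "My Big Product Hook"),
                                       _s("FileVersion", "5.0.1")])])], wtype=0)
```

Calling version_strings on the bytes of a real module range works the same way, with the proviso that pages missing from the dump (the ???????????????? rows) may cut the resource short, in which case the walk stops at the truncated block.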

- Dmitry Vostokov @ DumpAnalysis.org -

4 Responses to “Crash Dump Analysis Patterns (Part 22)”

  1. nickV Says:

    Nice tip - very useful!

  2. Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 75) Says:

    […] is why I call this pattern Hidden Module. We can use Unknown Component pattern to see its resources if present in […]

  3. Crash Dump Analysis » Blog Archive » Coupled processes, wait chains, message box, waiting thread time, paged out data, incorrect stack trace, hidden exception, unknown component and execution residue: pattern cooperation Says:

    […] we can inspect the unknown module PE headers left in […]

  4. Crash Dump Analysis » Blog Archive » Chemistry of Virtual Memory Space (Part 1) Says:

    […] where A is for Adobe modules and U is for an unknown module that needs identification, see Unknown Component pattern. […]