Crash Dump Analysis Patterns (Part 22)
Sometimes we suspect that a problem was caused by some module, but the WinDbg lmv command doesn’t show the company name or other verbose information for it, and a Google search for the file name returns no results. I call this pattern Unknown Component.
In such cases additional information can be obtained by dumping the module resource section or the whole module address range and looking for ASCII and UNICODE strings. For example (byte values in db output are omitted for clarity):
2: kd> lmv m driver
start end module name
f5022000 f503e400 driver (deferred)
Image path: \SystemRoot\System32\drivers\driver.sys
Image name: driver.sys
Timestamp: Tue Jun 12 11:33:16 2007 (466E766C)
CheckSum: 00021A2C
ImageSize: 0001C400
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
2: kd> db f5022000 f503e400
f5022000 MZ..............
f5022010 ........@.......
f5022020 ................
f5022030 ................
f5022040 ........!..L.!Th
f5022050 is program canno
f5022060 t be run in DOS
f5022070 mode....$.......
f5022080 .g,._.B._.B._.B.
f5022090 _.C.=.B..%Q.X.B.
f50220a0 _.B.].B.Y%H.|.B.
f50220b0 ..D.^.B.Rich_.B.
f50220c0 ........PE..L...
f50220d0 lvnF............
...
...
...
f503ce30 ................
f503ce40 ................
f503ce50 ................
f503ce60 ............0...
f503ce70 ................
f503ce80 ....H...........
f503ce90 ..........4...V.
f503cea0 S._.V.E.R.S.I.O.
f503ceb0 N._.I.N.F.O.....
f503cec0 ................
f503ced0 ........?.......
f503cee0 ................
f503cef0 ....P.....S.t.r.
f503cf00 i.n.g.F.i.l.e.I.
f503cf10 n.f.o...,.....0.
f503cf20 4.0.9.0.4.b.0...
f503cf30 4.....C.o.m.p.a.
f503cf40 n.y.N.a.m.e.....
f503cf50 M.y.C.o.m.p. .A.
f503cf60 G...p.$...F.i.l.
f503cf70 e.D.e.s.c.r.i.p.
f503cf80 t.i.o.n.....M.y.
f503cf90 .B.i.g. .P.r.o.
f503cfa0 d.u.c.t. .H.o.o.
f503cfb0 k...............
f503cfc0 ................
f503cfd0 ....4.....F.i.l.
f503cfe0 e.V.e.r.s.i.o.n.
f503cff0 ....5...1...0...
f503d000 ????????????????
f503d010 ????????????????
f503d020 ????????????????
f503d030 ????????????????
...
...
...
We see that CompanyName is MyComp AG, FileDescription is My Big Product Hook and FileVersion is 5.0.1.
In our example the same information can be retrieved by dumping the image file header and then finding and dumping the resource section:
2: kd> lmv m driver
start end module name
f5022000 f503e400 driver (deferred)
Image path: \SystemRoot\System32\drivers\driver.sys
Image name: driver.sys
Timestamp: Tue Jun 12 11:33:16 2007 (466E766C)
CheckSum: 00021A2C
ImageSize: 0001C400
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
2: kd> !dh f5022000 -f
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (i386)
6 number of sections
466E766C time date stamp Tue Jun 12 11:33:16 2007
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
10E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
OPTIONAL HEADER VALUES
10B magic #
6.00 linker version
190A0 size of code
30A0 size of initialized data
0 size of uninitialized data
1A340 address of entry point
2C0 base of code
----- new -----
00010000 image base
20 section alignment
20 file alignment
1 subsystem (Native)
4.00 operating system version
0.00 image version
4.00 subsystem version
1C400 size of image
2C0 size of headers
21A2C checksum
00100000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
0 [ 0] address [size] of Export Directory
1A580 [ 50] address [size] of Import Directory
1AE40 [ 348] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
1B1A0 [ 1084] address [size] of Base Relocation Directory
420 [ 1C] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
0 [ 0] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
2C0 [ 15C] address [size] of Import Address Table Directory
0 [ 0] address [size] of Delay Import Directory
0 [ 0] address [size] of COR20 Header Directory
0 [ 0] address [size] of Reserved Directory
2: kd> db f5022000+1AE40 f5022000+1AE40+348
f503ce40 ................
f503ce50 ................
f503ce60 ............0...
f503ce70 ................
f503ce80 ....H...........
f503ce90 ..........4...V.
f503cea0 S._.V.E.R.S.I.O.
f503ceb0 N._.I.N.F.O.....
f503cec0 ................
f503ced0 ........?.......
f503cee0 ................
f503cef0 ....P.....S.t.r.
f503cf00 i.n.g.F.i.l.e.I.
f503cf10 n.f.o...,.....0.
f503cf20 4.0.9.0.4.b.0...
f503cf30 4.....C.o.m.p.a.
f503cf40 n.y.N.a.m.e.....
f503cf50 M.y.C.o.m.p. .A.
f503cf60 G...p.$...F.i.l.
f503cf70 e.D.e.s.c.r.i.p.
f503cf80 t.i.o.n.....M.y.
f503cf90 .B.i.g. .P.r.o.
f503cfa0 d.u.c.t. .H.o.o.
f503cfb0 k...............
f503cfc0 ................
f503cfd0 ....4.....F.i.l.
f503cfe0 e.V.e.r.s.i.o.n.
f503cff0 ....5...1...0...
f503d000 ????????????????
f503d010 ????????????????
...
...
...
- Dmitry Vostokov @ DumpAnalysis.org -
March 19th, 2008 at 11:29 am
Nice tip - very useful!
August 7th, 2008 at 7:35 pm
[…] is why I call this pattern Hidden Module. We can use Unknown Component pattern to see its resources if present in […]
March 11th, 2009 at 2:18 am
[…] we can inspect the unknown module PE headers left in […]
June 9th, 2009 at 11:10 am
[…] where A is for Adobe modules and U is for an unknown module that needs identification, see Unknown Component pattern. […]
May 17th, 2010 at 10:20 am
[…] Today we introduce an icon for Unknown Component pattern: […]
July 22nd, 2010 at 4:23 pm
[…] Viewing the loaded driver list (pp. 546 - 547) - if we don’t see company information in lmv command output we can examine raw driver data like in this pattern: http://www.dumpanalysis.org/blog/index.php/2007/08/16/crash-dump-analysis-patterns-part-22/ […]
October 20th, 2010 at 10:11 am
[…] command was not showing any useful hints so I dumped the whole address range of that Unknown Component and found strange strings […]