Comments on: Crash Dump Analysis Patterns (Part 24)

By: Dmitry Vostokov

Dmitry Vostokov — Sat, 04 Aug 2018 21:01:39 +0000

Due to possible Disassembly Ambiguity we should try to specify the different number of instructions to disassembly, for example, ub L1, ub L2, …

By: Crash Dump Analysis » Blog Archive » 10 Common Mistakes in Memory Analysis (Part 9)

Thu, 14 Oct 2010 21:52:29 +0000

[…] see and also double check from disassembly by using u/ub WinDbg command that function names are coincidental. It just happened that ApplicationA module spans the address range including 00bf00be and 00cb00ca […]

By: Crash Dump Analysis » Blog Archive » Spiking thread, main thread, message hooks, hooked functions, semantic split, coincidental symbolic information and not my version: pattern cooperation

Wed, 07 Jul 2010 16:33:51 +0000

[…] find a few references to DllBHooks module and initially 11201000 (DllBHooks+0×1000) looks like coincidental symbolic information and it is not a meaningful code […]

By: Crash Dump Analysis » Blog Archive » IRP distribution anomaly, inconsistent dump, execution residue, hardware activity, coincidental symbolic information, not my version, virtualized system: pattern cooperation

Wed, 09 Jun 2010 21:31:47 +0000

[…] But they seem to be coincidental: […]

By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 98)

Sat, 08 May 2010 11:20:37 +0000

[…] We also do a sanity check for coincidental symbols: […]

By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 96)

Sun, 21 Feb 2010 23:54:53 +0000

[…] certain stack traces we should always be aware of Coninsidental Frames similar to Coincidental Symbolic Information pattern for raw stack data. Such frames can lead to a wrong analysis conclusion. Consider this […]

By: Crash Dump Analysis » Blog Archive » 10 Common Mistakes in Memory Analysis (Part 7)

Mon, 08 Feb 2010 22:21:09 +0000

[…] Another common mistake I observe is relying on what debuggers report without double-checking. Present day debuggers, like WinDbg or GDB, are symbol-driven, they do not possess much of that semantic knowledge that a human debugger has. Also, it is better to report more than less: what is irrelevant can be skipped over by a skilled memory analyst but what looks suspicious to the problem at hand shall be double-checked to see if it is not coincidental. One example we consider here is Coincidental Symbolic Information. […]

By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 94a)

Mon, 30 Nov 2009 21:04:41 +0000

[…] component we look at execution residue left on their raw stack data. Indeed, we see lots of non-coincidental symbolic references to 3rdPartyExtension […]

By: Crash Dump Analysis » Blog Archive » NULL code pointer, changed environment, hooked functions and execution residue: pattern cooperation

Thu, 05 Feb 2009 09:53:53 +0000

[…] Execution residue from hookA module was also found on the problem thread raw stack and it looks like real code (not a coincidental symbolic information): […]

By: Crash Dump Analysis » Blog Archive » Bugtation No.51

Crash Dump Analysis » Blog Archive » Bugtation No.51 — Wed, 15 Oct 2008 14:57:57 +0000

[…] bugtation is quite wise and dedicated to beginners learning WinDbg (see Common Mistakes and Coincidental Symbolic Information for some […]