Comments on: Minidump Analysis (Part 2)

By: Wisdom-Fu: E-mail alert when you find a memory dump « Wag the Real

Wisdom-Fu: E-mail alert when you find a memory dump « Wag the Real — Wed, 24 Mar 2010 01:42:18 +0000

[…] Minidump Analysis (Part 2) […]

By: Crash Dump Analysis » Blog Archive » Null data pointer, pass through functions and platformorphic fault: pattern cooperation

Fri, 19 Jun 2009 23:30:29 +0000

[…] !analyze -v pointed to the first non-MS module DriverA (the identification process is explained here) located on the following stack trace (that also shows exception processing in file system kernel […]

By: Andrei Belogortseff

Andrei Belogortseff — Fri, 07 Dec 2007 16:27:10 +0000

Thank you very much, it’s very helpful!

By: Dmitry Vostokov

Dmitry Vostokov — Fri, 07 Dec 2007 12:49:41 +0000

Also timestamp can be used to differentiate files because it is set by a linker.

By: Dmitry Vostokov

Dmitry Vostokov — Fri, 07 Dec 2007 12:43:47 +0000

Seems it is taken from PE header:

DEBUG_FLR_IMAGE_TIMESTAMP: 45e53f9d

1: kd> !dh -f nt

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (i386)
19 number of sections
45E53F9D time date stamp Wed Feb 28 08:38:53 2007

By: Andrei Belogortseff

Andrei Belogortseff — Fri, 07 Dec 2007 00:36:20 +0000

Thank you for very useful posts, I’ve just discovered your blog and have not read everything in detail yet (but intend to!)

I have one question that I cannot find an answer to anywhere:
what value of DEBUG_FLR_IMAGE_TIMESTAMP is displayed in the minidump? Is it related to the time stamp of the sys file, or to the time stamp in its PE header, or anything else? Can it be used to distinguish between different revisions of the same driver?

Thank you in advance!

By: Dmitry Vostokov

Dmitry Vostokov — Wed, 12 Sep 2007 15:31:20 +0000

Part 3:

http://www.dumpanalysis.org/blog/index.php/2007/09/12/minidump-analysis-part-3/