Comments on: Crash Dump Analysis Patterns (Part 38) https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Wed, 06 May 2026 22:05:02 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-741685 Dmitry Vostokov Fri, 25 Sep 2015 14:45:33 +0000 https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-741685 Sometimes, several different modules from different products may patch different functions from the DLL. So, in general, we need to check all reported hooked functions. Sometimes, several different modules from different products may patch different functions from the DLL. So, in general, we need to check all reported hooked functions.

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-418239 Dmitry Vostokov Fri, 03 Feb 2012 15:20:56 +0000 https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-418239 To include the mismatch summary use this version: The simplified version of the command: !chkimg -db -d -v ModuleName For example: !chkimg -db -d -v ntdll To include the mismatch summary use this version:

The simplified version of the command:

!chkimg -db -d -v ModuleName

For example:

!chkimg -db -d -v ntdll

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-406878 Dmitry Vostokov Mon, 09 Jan 2012 12:03:45 +0000 https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-406878 The simplified version of the command: !chkimg -db -v ModuleName For example: !chkimg -db -v ntdll The simplified version of the command:

!chkimg -db -v ModuleName

For example:

!chkimg -db -v ntdll

]]> By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 111) https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-197156 Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 111) Tue, 26 Oct 2010 21:21:53 +0000 https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-197156 [...] command) we see the presence of the whole Pervasive System. It is not just a module that does function and / or message hooking but the whole system of modules from a single vendor that is [...] […] command) we see the presence of the whole Pervasive System. It is not just a module that does function and / or message hooking but the whole system of modules from a single vendor that is […]

]]> By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis of Defective Malware: A Case Study https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-194335 Crash Dump Analysis » Blog Archive » Crash Dump Analysis of Defective Malware: A Case Study Mon, 18 Oct 2010 21:56:46 +0000 https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-194335 [...] 0×321aaaf address. We see that wininet function was hooked by a code running in 0×0321XXXX [...] […] 0×321aaaf address. We see that wininet function was hooked by a code running in 0×0321XXXX […]

]]> By: Crash Dump Analysis » Blog Archive » Truncated dump, spiking thread, not my version and hooked functions: pattern cooperation https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-175806 Crash Dump Analysis » Blog Archive » Truncated dump, spiking thread, not my version and hooked functions: pattern cooperation Fri, 13 Aug 2010 19:16:36 +0000 https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-175806 [...] We can stop here and still recommend to upgrade AppA product seen from the thread running on the first processor but the fact that the second thread belongs to innocent calc.exe demands some attention. Was it calculating incessantly some financial figures following button clicks from a financial genius? Taking advantage of a complete memory dump and the fact that this process spent most of the time in user space we can check for Hooked Functions pattern: [...] […] We can stop here and still recommend to upgrade AppA product seen from the thread running on the first processor but the fact that the second thread belongs to innocent calc.exe demands some attention. Was it calculating incessantly some financial figures following button clicks from a financial genius? Taking advantage of a complete memory dump and the fact that this process spent most of the time in user space we can check for Hooked Functions pattern: […]

]]> By: Crash Dump Analysis » Blog Archive » Spiking thread, main thread, message hooks, hooked functions, semantic split, coincidental symbolic information and not my version: pattern cooperation https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-164234 Crash Dump Analysis » Blog Archive » Spiking thread, main thread, message hooks, hooked functions, semantic split, coincidental symbolic information and not my version: pattern cooperation Wed, 07 Jul 2010 16:32:49 +0000 https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-164234 [...] also see a message hook function implemented in DllA. To see if there are any other hooks including patched API we look at the raw [...] […] also see a message hook function implemented in DllA. To see if there are any other hooks including patched API we look at the raw […]

]]> By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 100) https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-163878 Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 100) Tue, 06 Jul 2010 15:50:23 +0000 https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-163878 [...] via windows message hooking mechanism that I call Message Hooks pattern to differentiate it from Hooked Functions pattern. In some cases message hooking become sources of aberrant software behaviour including [...] […] via windows message hooking mechanism that I call Message Hooks pattern to differentiate it from Hooked Functions pattern. In some cases message hooking become sources of aberrant software behaviour including […]

]]> By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 38b) https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-150691 Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 38b) Fri, 07 May 2010 23:02:08 +0000 https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-150691 [...] is a variation of Hooked Functions pattern for kernel space. In addition to trampoline patching we also see a modified service [...] […] is a variation of Hooked Functions pattern for kernel space. In addition to trampoline patching we also see a modified service […]

]]> By: Crash Dump Analysis » Blog Archive » 10 Common Mistakes in Memory Analysis (Part 5) https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-91557 Crash Dump Analysis » Blog Archive » 10 Common Mistakes in Memory Analysis (Part 5) Mon, 31 Aug 2009 14:28:26 +0000 https://www.dumpanalysis.org/blog/index.php/2007/11/22/crash-dump-analysis-patterns-part-38/#comment-91557 [...] troubleshooting hypothesis. Here is a sample of !analyze -v output showing massive patching (hooked functions pattern) by DriverA [...] […] troubleshooting hypothesis. Here is a sample of !analyze -v output showing massive patching (hooked functions pattern) by DriverA […]

]]>