Comments on: Crash Dump Analysis Patterns (Part 60)

By: Dmitry Vostokov

Dmitry Vostokov — Wed, 21 Sep 2022 08:16:19 +0000

Function parameters that were left in memory.

By: Dmitry Vostokov

Dmitry Vostokov — Mon, 26 Oct 2020 12:26:13 +0000

Initially named after residues in complex analysis:
https://en.wikipedia.org/wiki/Residue_(complex_analysis)

By: Dmitry Vostokov

Dmitry Vostokov — Tue, 08 Dec 2015 17:13:34 +0000

The undocumented !ddstack WinDbg extension (ext) command may save some time for listing Execution Residue symbols. It is equivalent to !teb, then dpS, but also gives stack addresses for mapped symbols like dps command but with less output (the command may give incorrect results for WOW64 process memory dumps saved as x64 memory dumps):

0:001> !ddstack
Range: 0000000002ecf000->0000000002ee0000
0×00000000`02edf4b0 0×00000000`775d0000 ntdll!RtlDeactivateActivationContext (ntdll+0×0)+0000000000000000
0×00000000`02edf4c8 0×00000000`775fc454 ntdll!LdrpInitialize+00000000000000a4
0×00000000`02edf538 0×00000000`775fc358 ntdll!LdrInitializeThunk+0000000000000018
0×00000000`02edf5e0 0×00000000`776d4578 ntdll!`string’+0000000000000000
0×00000000`02edf5e8 0×00000000`776d44e0 ntdll!`string’+0000000000000000
0×00000000`02edf5f8 0×00000000`775f0f3b ntdll!TpPostTask+000000000000019b
0×00000000`02edf658 0×00000000`775e6199 ntdll!TppWorkPost+0000000000000089
0×00000000`02edf688 0×00000000`775fc520 ntdll!RtlUserThreadStart+0000000000000000
0×00000000`02edf698 0×00000000`775e6b4d ntdll!TppWaitComplete+000000000000003d
0×00000000`02edf6a8 0×00000000`775e6b4d ntdll!TppWaitComplete+000000000000003d
0×00000000`02edf6c8 0×00000000`775eb828 ntdll!TppWaiterpDoTransitions+0000000000000154
0×00000000`02edf6e8 0×00000000`775e6abe ntdll!TppWaiterpCompleteWait+000000000000004e
0×00000000`02edf6f8 0×00000000`775d7858 ntdll!TppWaiterpWaitTimerExpired+0000000000000038
0×00000000`02edf720 0×00000000`776d4578 ntdll!`string’+0000000000000000
0×00000000`02edf728 0×00000000`776d44e0 ntdll!`string’+0000000000000000
0×00000000`02edf738 0×00000000`776d4500 ntdll!`string’+0000000000000000
0×00000000`02edf748 0×00000000`775eb037 ntdll!TppWaiterpThread+000000000000014d
0×00000000`02edf768 0×00000000`776d4550 ntdll!`string’+0000000000000000
0×00000000`02edf9e8 0×00000000`773c59ed kernel32!BaseThreadInitThunk+000000000000000d
0×00000000`02edfa18 0×00000000`775fc541 ntdll!RtlUserThreadStart+000000000000001d

0:001> !teb
TEB at 000007fffffdb000
ExceptionList: 0000000000000000
StackBase: 0000000002ee0000
StackLimit: 0000000002ecf000
SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 000007fffffdb000
EnvironmentPointer: 0000000000000000
ClientId: 0000000000001344 . 0000000000001ab0
RpcHandle: 0000000000000000
Tls Storage: 0000000000000000
PEB Address: 000007fffffdf000
LastErrorValue: 0
LastStatusValue: 0
Count Owned Locks: 0
HardErrorMode: 0

0:001> dpS 0000000002ecf000 0000000002ee0000
00000000`775d0000 ntdll!RtlDeactivateActivationContext (ntdll+0×0)
00000000`775fc454 ntdll!LdrpInitialize+0xa4
00000000`775fc358 ntdll!LdrInitializeThunk+0×18
00000000`776d4578 ntdll!`string’
00000000`776d44e0 ntdll!`string’
00000000`775f0f3b ntdll!TpPostTask+0×19b
00000000`775e6199 ntdll!TppWorkPost+0×89
00000000`775fc520 ntdll!RtlUserThreadStart
00000000`775e6b4d ntdll!TppWaitComplete+0×3d
00000000`775e6b4d ntdll!TppWaitComplete+0×3d
00000000`775eb828 ntdll!TppWaiterpDoTransitions+0×154
00000000`775e6abe ntdll!TppWaiterpCompleteWait+0×4e
00000000`775d7858 ntdll!TppWaiterpWaitTimerExpired+0×38
00000000`776d4578 ntdll!`string’
00000000`776d44e0 ntdll!`string’
00000000`776d4500 ntdll!`string’
00000000`775eb037 ntdll!TppWaiterpThread+0×14d
00000000`776d4550 ntdll!`string’
00000000`773c59ed kernel32!BaseThreadInitThunk+0xd
00000000`775fc541 ntdll!RtlUserThreadStart+0×1d

By: Dmitry Vostokov

Dmitry Vostokov — Fri, 13 Sep 2013 15:09:39 +0000

We can also use dpS command on an range to get all symbolic references only

By: Dmitry Vostokov

Dmitry Vostokov — Sun, 04 Dec 2011 00:35:52 +0000

System objects can shed extra light on past software behavior:
http://www.dumpanalysis.org/blog/index.php/2011/12/04/crash-dump-analysis-patterns-part-158/

By: Dmitry Vostokov

Dmitry Vostokov — Mon, 10 Oct 2011 12:05:10 +0000

!DumpStack and !EEStack SOS commands provide summary of “call type” execution residue from raw stack

By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 104)

Wed, 04 Aug 2010 23:26:43 +0000

[…] Anyway, we shouldn’t dismiss such dumps and should try to analyze them. For example, some approaches (including using image binaries) are listed in kernel minidump analysis series. We can even see portions of raw stack data in search of execution residue: […]

By: Crash Dump Analysis » Blog Archive » IRP distribution anomaly, inconsistent dump, execution residue, hardware activity, coincidental symbolic information, not my version, virtualized system: pattern cooperation

Mon, 07 Jun 2010 23:45:06 +0000

[…] that the thread 8b56cb10 is also an active running thread so we look at its raw stack to find any executon residue providing hints to possible hardware […]

By: Crash Dump Analysis » Blog Archive » What service is this?

Crash Dump Analysis » Blog Archive » What service is this? — Fri, 23 Apr 2010 10:55:32 +0000

[…] Execution residue and string pointers on thread raw stacks (WinDbg […]

By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 94a)

Mon, 30 Nov 2009 16:48:34 +0000

[…] order to hypothesize about a possible culptit component we look at execution residue left on their raw stack data. Indeed, we see lots of non-coincidental symbolic references to […]