Crash Dump Analysis Patterns (Part 10a)
Optimized VM Layout is a specialization of the general Changed Environment pattern where whole modules are moved in virtual memory by changing their load order and load addresses. This can result in dormant bugs being exposed, and one usual workaround is to disable such external optimization programs or services, or to add the misbehaving applications to their exclusion lists. Some optimized virtual memory cases can easily be detected by looking at the module list, where system DLLs are remapped to lower addresses instead of the 0x7X000000 range:
0:000> lm
start end module name
00400000 00416000 Application
00470000 0050b000 advapi32
00520000 00572000 shlwapi
02340000 023cb000 oleaut32
04b80000 0523e000 System_Data_ni
1a400000 1a524000 urlmon
4dd60000 4df07000 GdiPlus
5f120000 5f12e000 ntlanman
5f860000 5f891000 netui1
5f8a0000 5f8b6000 netui0
637a0000 63d28000 System_Xml_ni
64890000 6498c000 System_Configuration_ni
64e70000 6515c000 System_Data
65ce0000 65ecc000 System_Web_Services_ni
71bd0000 71be1000 mpr
71bf0000 71bf8000 ws2help
71c00000 71c17000 ws2_32
71c20000 71c32000 tsappcmp
71c40000 71c97000 netapi32
73070000 73097000 winspool
75e90000 75e97000 drprov
75ea0000 75eaa000 davclnt
76190000 761a2000 msasn1
761b0000 76243000 crypt32
76a80000 76a92000 atl
76b80000 76bae000 credui
76dc0000 76de8000 adsldpc
76df0000 76e24000 activeds
76f00000 76f08000 wtsapi32
76f10000 76f3e000 wldap32
771f0000 77201000 winsta
77670000 777a9000 ole32
77ba0000 77bfa000 msvcrt
78130000 781cb000 msvcr80
79000000 79046000 mscoree
79060000 790b6000 mscorjit
790c0000 79bf6000 mscorlib_ni
79e70000 7a3ff000 mscorwks
7a440000 7ac2a000 System_ni
7ade0000 7af7c000 System_Drawing_ni
7afd0000 7bc6c000 System_Windows_Forms_ni
7c340000 7c396000 msvcr71
7c8d0000 7d0ce000 shell32
7d4c0000 7d5f0000 kernel32
7d600000 7d6f0000 ntdll
7d800000 7d890000 gdi32
7d8d0000 7d920000 secur32
7d930000 7da00000 user32
7da20000 7db00000 rpcrt4
7dbd0000 7dcd3000 comctl32
7df50000 7dfc0000 uxtheme
7e020000 7e02f000 samlib
A similar address space reshuffling happens with ASLR-enabled applications, with the difference that system modules are never remapped below 0x70000000.
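The detection heuristic described above can be automated by parsing the `lm` listing and flagging known system DLLs whose base address falls below the usual 0x7X000000 range. The following is an added example, not code from the original post or from DumpAnalysis.org; the `SYSTEM_MODULES` allow-list and the sample listing (an excerpt of the one shown above) are constructed for illustration.

```python
import re

# Constructed sample: an excerpt of the WinDbg `lm` listing shown on the page.
SAMPLE_LM = """\
start end module name
00400000 00416000 Application
00470000 0050b000 advapi32
00520000 00572000 shlwapi
02340000 023cb000 oleaut32
04b80000 0523e000 System_Data_ni
1a400000 1a524000 urlmon
71c00000 71c17000 ws2_32
77670000 777a9000 ole32
7d4c0000 7d5f0000 kernel32
7d600000 7d6f0000 ntdll
"""

# Assumption: a short allow-list of 32-bit Win32 system DLLs that, without
# an external VM optimizer, normally load in the 0x7X000000 range.
SYSTEM_MODULES = {"advapi32", "shlwapi", "oleaut32", "urlmon", "ws2_32",
                  "ole32", "kernel32", "ntdll", "user32", "gdi32"}

# Floor of the system range; per the page, ASLR never moves system
# modules below this address, so a hit points at a VM optimizer instead.
SYSTEM_RANGE_FLOOR = 0x70000000

# One `lm` module line: <start> <end> <name> (8 hex digits each on x86).
LM_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")


def parse_lm(text):
    """Return (name, start, end) tuples for every module line of `lm` output.

    Header and blank lines are skipped because they do not match LM_LINE.
    """
    modules = []
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if not m:
            continue
        start, end, name = m.groups()
        modules.append((name, int(start, 16), int(end, 16)))
    return modules


def remapped_system_modules(text, floor=SYSTEM_RANGE_FLOOR):
    """Names of known system DLLs whose base lies below the system range."""
    return sorted(name for name, start, _ in parse_lm(text)
                  if name.lower() in SYSTEM_MODULES and start < floor)


def looks_like_optimized_vm_layout(text):
    """True when at least one system DLL has been remapped below the floor."""
    return bool(remapped_system_modules(text))


if __name__ == "__main__":
    hits = remapped_system_modules(SAMPLE_LM)
    for name in hits:
        print(f"system module remapped below {SYSTEM_RANGE_FLOOR:#x}: {name}")
    print("Optimized VM Layout suspected:", looks_like_optimized_vm_layout(SAMPLE_LM))
```

Run against the sample, the check reports advapi32, oleaut32, shlwapi and urlmon, while kernel32 and ntdll stay in their normal range. Because ASLR alone never pushes system modules under 0x70000000, a non-empty result distinguishes this pattern from ordinary ASLR reshuffling and tells you to look for an external optimization service rather than a randomized layout.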
- Dmitry Vostokov @ DumpAnalysis.org -