Comments on: Data Hiding in Crash Dumps https://www.dumpanalysis.org/blog/index.php/2008/06/10/data-hiding-in-crash-dumps/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Tue, 05 May 2026 18:09:05 +0000 http://wordpress.org/?v=2.3.3 By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 104) https://www.dumpanalysis.org/blog/index.php/2008/06/10/data-hiding-in-crash-dumps/#comment-173272 Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 104) Wed, 04 Aug 2010 23:07:14 +0000 https://www.dumpanalysis.org/blog/index.php/2008/06/10/data-hiding-in-crash-dumps/#comment-173272 [...] of .dump command (including privacy-aware) instead of /ma or deprecated /f option. On the contrary, manually erased data in crash dumps looks more like an example of another pattern called Lateral [...] […] of .dump command (including privacy-aware) instead of /ma or deprecated /f option. On the contrary, manually erased data in crash dumps looks more like an example of another pattern called Lateral […]

]]> By: Crash Dump Analysis » Blog Archive » Hardening Dump Security: Beware of PEB data https://www.dumpanalysis.org/blog/index.php/2008/06/10/data-hiding-in-crash-dumps/#comment-41932 Crash Dump Analysis » Blog Archive » Hardening Dump Security: Beware of PEB data Tue, 09 Sep 2008 11:29:39 +0000 https://www.dumpanalysis.org/blog/index.php/2008/06/10/data-hiding-in-crash-dumps/#comment-41932 [...] - Include PEB but erase specific sections and regions pointed to like environment blocks. See the previous Data Hiding in Crash Dumps post. [...] […] - Include PEB but erase specific sections and regions pointed to like environment blocks. See the previous Data Hiding in Crash Dumps post. […]

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2008/06/10/data-hiding-in-crash-dumps/#comment-30184 Dmitry Vostokov Thu, 12 Jun 2008 16:57:56 +0000 https://www.dumpanalysis.org/blog/index.php/2008/06/10/data-hiding-in-crash-dumps/#comment-30184 Kdexts!vad is for kernel and complete memory dumps. The following prompt suggests that you have a process dump: 0:000> Kdexts!vad is for kernel and complete memory dumps. The following prompt suggests that you have a process dump:

0:000>

]]> By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 59b) https://www.dumpanalysis.org/blog/index.php/2008/06/10/data-hiding-in-crash-dumps/#comment-30182 Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 59b) Thu, 12 Jun 2008 16:51:36 +0000 https://www.dumpanalysis.org/blog/index.php/2008/06/10/data-hiding-in-crash-dumps/#comment-30182 [...] Crash Dump Analysis Exploring Crash Dumps and Debugging Techniques on Windows Platforms « Data Hiding in Crash Dumps [...] […] Crash Dump Analysis Exploring Crash Dumps and Debugging Techniques on Windows Platforms « Data Hiding in Crash Dumps […]

]]> By: Ray Kinsella https://www.dumpanalysis.org/blog/index.php/2008/06/10/data-hiding-in-crash-dumps/#comment-30161 Ray Kinsella Thu, 12 Jun 2008 11:33:27 +0000 https://www.dumpanalysis.org/blog/index.php/2008/06/10/data-hiding-in-crash-dumps/#comment-30161 Ah .load Kdexts.dll solved that one, now I am getting :- 0:000> !vad unable to get nt!MmHighestUserAddress VAD level start end commit 00000000: Unable to get contents of VAD1 Ah .load Kdexts.dll solved that one, now I am getting :-

0:000> !vad
unable to get nt!MmHighestUserAddress
VAD level start end commit
00000000: Unable to get contents of VAD1

]]>