Comments on: Crash Dump Analysis Patterns (Part 83)

By: Dmitry Vostokov

Dmitry Vostokov — Fri, 14 Feb 2014 13:35:19 +0000

Sometimes we need to check return addresses to see whether a function introduced an alternative execution path such as with hooking:

[…]
retA ntdll!NtCreateFile
retB DLL!HookCreateFile
retC kernel32!OtherFunction
[…]

Here we can check what function was called from kernel32!OtherFunction:

ub retB
[…]
call [kernel32!_imp_NtCreateFile]

If it is the same function semantically we can assume the hook is pass-through but it is not then we have a divergence of execution flow and we need to pay attention to that.

By: Crash Dump Analysis » Blog Archive » Stack trace collection, blocked threads, pass through functions and main thread: pattern cooperation

Fri, 13 Aug 2010 19:06:55 +0000

[…] functions shown in blue are known from past issues to be pass through forwarding IRP to the lower drivers in a device driver […]

By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 89)

Fri, 23 Oct 2009 20:29:14 +0000

[…] WinDbg to ignore our own functions and modules as well if we are sure they were well-tested or pass-through. For details please see the old minidump analysis case […]

By: Crash Dump Analysis » Blog Archive » Hunting for a Driver

Crash Dump Analysis » Blog Archive » Hunting for a Driver — Mon, 06 Jul 2009 15:55:21 +0000

[…] see that DriverA and DriverB are possibly pass-through and have little influence. For DriverC and DriverD we don’t even have symbol files but they […]

By: Crash Dump Analysis » Blog Archive » Null data pointer, pass through functions and platformorphic fault: pattern cooperation

Fri, 19 Jun 2009 23:31:29 +0000

[…] DriverA function on the stack trace looks like a passthrough, DriverA was removed from the system. However, the same pattern continued […]