Comments on: Crash Dump Analysis AntiPatterns (Part 13) https://www.dumpanalysis.org/blog/index.php/2009/07/09/crash-dump-analysis-antipatterns-part-13/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Tue, 05 May 2026 19:07:19 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2009/07/09/crash-dump-analysis-antipatterns-part-13/#comment-664744 Dmitry Vostokov Mon, 07 Jan 2013 20:15:50 +0000 https://www.dumpanalysis.org/blog/index.php/2009/07/09/crash-dump-analysis-antipatterns-part-13/#comment-664744 Indeed, so I will update this in the second edition of Volume 1 to be published this year with credits. Thank you! Indeed, so I will update this in the second edition of Volume 1 to be published this year with credits. Thank you!

]]> By: Neelabh Mam https://www.dumpanalysis.org/blog/index.php/2009/07/09/crash-dump-analysis-antipatterns-part-13/#comment-664160 Neelabh Mam Mon, 07 Jan 2013 05:50:12 +0000 https://www.dumpanalysis.org/blog/index.php/2009/07/09/crash-dump-analysis-antipatterns-part-13/#comment-664160 verifier , as far as I can tell, is effectively a UI wrapper on top of gflags command line. Settings from either of the two eventually go to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ Now as per: http://msdn.microsoft.com/en-us/library/windows/hardware/ff549566(v=vs.85).aspx backward implies /backwards Places the zone of reserved virtual memory at the beginning of an allocation, rather than at the end. As a result, the debugger traps overruns at the beginning of the buffer, instead of those at the end of the buffer. Valid only with the /full parameter. much like when we run, say a for loop backwards... This must have been an addition to gflags/AV post this blog post was originally published ... verifier , as far as I can tell, is effectively a UI wrapper on top of gflags command line. Settings from either of the two eventually go to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Now as per:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff549566(v=vs.85).aspx backward implies

/backwards
Places the zone of reserved virtual memory at the beginning of an allocation, rather than at the end. As a result, the debugger traps overruns at the beginning of the buffer, instead of those at the end of the buffer. Valid only with the /full parameter.

much like when we run, say a for loop backwards…

This must have been an addition to gflags/AV post this blog post was originally published …

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2009/07/09/crash-dump-analysis-antipatterns-part-13/#comment-663777 Dmitry Vostokov Sun, 06 Jan 2013 21:34:32 +0000 https://www.dumpanalysis.org/blog/index.php/2009/07/09/crash-dump-analysis-antipatterns-part-13/#comment-663777 I have to check there as I rarely used app verifier only gflags.exe. I have to check there as I rarely used app verifier only gflags.exe.

]]> By: Neelabh Mam https://www.dumpanalysis.org/blog/index.php/2009/07/09/crash-dump-analysis-antipatterns-part-13/#comment-663610 Neelabh Mam Sun, 06 Jan 2013 16:55:44 +0000 https://www.dumpanalysis.org/blog/index.php/2009/07/09/crash-dump-analysis-antipatterns-part-13/#comment-663610 but verifier does expose a "backward" check box under "heap" tree item's properties. Does that not introduce a guard page at the front as well for underwrites ? but verifier does expose a “backward” check box under “heap” tree item’s properties. Does that not introduce a guard page at the front as well for underwrites ?

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2009/07/09/crash-dump-analysis-antipatterns-part-13/#comment-84319 Dmitry Vostokov Sun, 12 Jul 2009 12:55:14 +0000 https://www.dumpanalysis.org/blog/index.php/2009/07/09/crash-dump-analysis-antipatterns-part-13/#comment-84319 Another instance that I observed recently is looking at 32-bit stacks of a WOW64 process ignoring 64-bit stacks. Another instance that I observed recently is looking at 32-bit stacks of a WOW64 process ignoring 64-bit stacks.

]]>