« Crash Dump Analysis Patterns (Part 110)
Crash Dump Analysis of Defective Malware: A Case Study »

Structural Memory Patterns (Part 7)

In order to start the analysis of a structured memory snapshot a debugger engine needs Anchor Region that describes memory layout and where to start unfolding of analysis. For example, it can be a list of modules (another forthcoming structural pattern). We can observe the importance of such regions when we try to open corrupt or severely truncated memory dumps:

[...]
KdDebuggerDataBlock is not present or unreadable.
[...]
Unable to read PsLoadedModuleList
[...]

For certain types of memory snapshots (like software traces) an anchor region coinsides with its structure description (message trace format for structured snapshots) and a trace file header (if any) for aggregate snapshots.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

This entry was posted on Monday, October 18th, 2010 at 3:47 pm and is filed under Crash Dump Analysis, Debugging, Memoretics, Structural Memory Patterns. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “Structural Memory Patterns (Part 7)”

  1. Dmitry Vostokov Says:
    March 13th, 2016 at 2:53 pm

    Undocumented WinDbg command .dumpdebug can show some anchor values http://sww-it.ru/2016-03-13/1320

Leave a Reply

You must be logged in to post a comment.