Crash Dump Analysis Patterns (Part 138)
Sometimes we don’t have symbols at all (No Component Symbols pattern), or we have only a restricted set, which we call the No Data Types pattern. For example, in a base OS we have data types:
0:016> dt ntdll!*
ntdll!LIST_ENTRY64
ntdll!LIST_ENTRY32
ntdll!_KUSER_SHARED_DATA
ntdll!_KSYSTEM_TIME
ntdll!_KSYSTEM_TIME
ntdll!_NT_PRODUCT_TYPE
[...]
In the “private” version we don’t have them, although the symbol file exists and loads:
0:015> dt ntdll!*
0:015> !lmi ntdll
Loaded Module Info: [ntdll]
Module: ntdll
Base Address: 0000000076de0000
Image Name: ntdll.dll
Machine Type: 34404 (X64)
Time Stamp: 4dcd9861 Fri May 13 21:45:21 2011
Size: 17f000
CheckSum: 188814
Characteristics: 2022 perf
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 22, f72a8, f66a8 RSDS - GUID: {05A648A7-625D-42E7-B736-7816F0CA1E0C}
Age: 2, Pdb: ntdll.pdb
CLSID 8, f72a0, f66a0 [Data not mapped]
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: PDB - Symbols loaded successfully from symbol server.
c:\mss\ntdll.pdb\05A648A7625D42E7B7367816F0CA1E0C2\ntdll.pdb
Load Report: public symbols , not source indexed
c:\mss\ntdll.pdb\05A648A7625D42E7B7367816F0CA1E0C2\ntdll.pdb
In such cases manually loading a proximate module might help: Coping with missing symbolic information (although I haven’t yet tested it on x64 systems). I also thought of naming the pattern Private Modification, but that would not cover many other cases where types were missing from the very beginning.
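The !lmi output above is where the pattern first shows itself: the PDB loads "successfully", yet the load report says only public symbols came in. The following Python is an added example, not part of the original post, that parses that output (embedded here as a constructed sample copied from the listing above) so the check can be automated across many dumps. It assumes the label names WinDbg prints for !lmi as shown above. A "public symbols" load report is only a hint: the base-OS case earlier shows public PDBs can still carry types, so `dt module!*` remains the decisive test.

```python
import re

# Constructed sample: the `!lmi ntdll` output quoted in the post above.
LMI_SAMPLE = """\
Loaded Module Info: [ntdll]
Module: ntdll
Base Address: 0000000076de0000
Image Name: ntdll.dll
Machine Type: 34404 (X64)
Time Stamp: 4dcd9861 Fri May 13 21:45:21 2011
Size: 17f000
CheckSum: 188814
Characteristics: 2022 perf
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 22, f72a8, f66a8 RSDS - GUID: {05A648A7-625D-42E7-B736-7816F0CA1E0C}
Age: 2, Pdb: ntdll.pdb
CLSID 8, f72a0, f66a0 [Data not mapped]
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: PDB - Symbols loaded successfully from symbol server.
c:\\mss\\ntdll.pdb\\05A648A7625D42E7B7367816F0CA1E0C2\\ntdll.pdb
Load Report: public symbols , not source indexed
c:\\mss\\ntdll.pdb\\05A648A7625D42E7B7367816F0CA1E0C2\\ntdll.pdb
"""

# "Label: value" lines; the label must be at least two letters so that a
# bare drive letter in a path line ("c:\...") is not mistaken for a label.
_KV = re.compile(r"^([A-Za-z][A-Za-z ]+):\s*(.*)$")
_GUID = re.compile(r"GUID:\s*\{([0-9A-Fa-f-]+)\}")
_AGE = re.compile(r"^Age:\s*(\d+),\s*Pdb:\s*(\S+)")


def parse_lmi(text):
    """Parse `!lmi` output into a dict keyed by WinDbg's labels, adding
    'guid', 'age', 'pdb', 'pdb_path', 'base' and a 'private_types' flag that
    is False when the load report says only public symbols were loaded."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        m = _GUID.search(line)
        if m:  # CODEVIEW (RSDS) record carries the PDB GUID
            info["guid"] = m.group(1).upper()
            continue
        m = _AGE.match(line)
        if m:
            info["age"] = int(m.group(1))
            info["pdb"] = m.group(2)
            continue
        if line.lower().endswith(".pdb") and "\\" in line:
            info["pdb_path"] = line  # printed twice by !lmi; last one wins
            continue
        m = _KV.match(line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    if "Base Address" in info:
        info["base"] = int(info["Base Address"], 16)
    info["symbols_loaded"] = info.get("Symbol Type", "").startswith("PDB")
    info["private_types"] = "public symbols" not in info.get("Load Report", "")
    return info


def describe(info):
    """One-line verdict a triage script would log for the module."""
    if not info.get("symbols_loaded"):
        return "%s: no PDB loaded (No Component Symbols)" % info.get("Module")
    if not info["private_types"]:
        return "%s: public PDB only, check `dt %s!*` for types" % (
            info.get("Module"), info.get("Module"))
    return "%s: private PDB with types" % info.get("Module")


if __name__ == "__main__":
    print(describe(parse_lmi(LMI_SAMPLE)))
```

Running it on the sample prints the "public PDB only" verdict for ntdll, with the GUID and age available for matching the PDB against what the symbol server actually returned.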
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
November 19th, 2019 at 10:57 pm
Tip: If the current version of ntdll doesn’t have full symbols with data structures then load all modules via .reload /f and you may find your structure in some other module’s symbols.
Example:
0:003> !teb
TEB at 00be0000
error InitTypeRead( TEB )…
0:003> dt _TEB
Symbol _TEB not found.
0:003> dt ntdll!_TEB
Symbol ntdll!_TEB not found.
0:003> .reload /f
0:003> dt _TEB
combase!_TEB
+0x000 NtTib : _NT_TIB
[…]
0:003> dt _NT_TIB 00be0000
combase!_NT_TIB
+0x000 ExceptionList : 0x0515f8b4 _EXCEPTION_REGISTRATION_RECORD
+0x004 StackBase : 0x05160000 Void
+0x008 StackLimit : 0x0515f000 Void
+0x00c SubSystemTib : (null)
+0x010 FiberData : 0x00001e00 Void
+0x010 Version : 0x1e00
+0x014 ArbitraryUserPointer : (null)
+0x018 Self : 0x00be0000 _NT_TIB
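When a type is borrowed from another module’s symbols, as combase!_NT_TIB is above, it pays to confirm the layout actually fits the memory it is applied to before trusting any field. The Python below is an added example, not part of the tip above: it parses the `dt _NT_TIB 00be0000` output (embedded as a constructed sample copied from the listing) and runs the checks a practitioner would do by eye, namely that Self points back at the TEB address, that the exception chain head lies inside the stack bounds, and which module supplied the type. It assumes the `+0x... Name : value` layout WinDbg prints for dt.

```python
import re

# Constructed sample: the `dt _NT_TIB 00be0000` output from the tip above,
# with the type coming from combase's symbols because ntdll's had none.
DT_SAMPLE = """\
combase!_NT_TIB
   +0x000 ExceptionList : 0x0515f8b4 _EXCEPTION_REGISTRATION_RECORD
   +0x004 StackBase : 0x05160000 Void
   +0x008 StackLimit : 0x0515f000 Void
   +0x00c SubSystemTib : (null)
   +0x010 FiberData : 0x00001e00 Void
   +0x010 Version : 0x1e00
   +0x014 ArbitraryUserPointer : (null)
   +0x018 Self : 0x00be0000 _NT_TIB
"""

_FIELD = re.compile(r"^\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*)$")


def parse_dt(text):
    """Return (type_name, fields); fields maps name -> (offset, value).
    value is an int for pointer/integer fields, 0 for (null), and None when
    WinDbg printed only a nested type name (no scalar value)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    type_name = lines[0]  # e.g. 'combase!_NT_TIB'
    fields = {}
    for line in lines[1:]:
        m = _FIELD.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        tokens = m.group(3).split()
        if tokens and tokens[0] == "(null)":
            value = 0
        elif tokens and tokens[0].lower().startswith("0x"):
            value = int(tokens[0], 16)
        else:
            value = None
        fields[m.group(2)] = (offset, value)
    return type_name, fields


def check_tib(text, teb_address):
    """Sanity checks for a TIB read with a borrowed type: the Self pointer must
    equal the TEB address we applied the type to, and the SEH chain head must
    lie within [StackLimit, StackBase). Returns a dict of results."""
    type_name, f = parse_dt(text)
    self_ptr = f["Self"][1]
    base, limit = f["StackBase"][1], f["StackLimit"][1]
    head = f["ExceptionList"][1]
    return {
        "type_module": type_name.split("!")[0],
        "self_matches": self_ptr == teb_address,
        "committed_stack_bytes": base - limit,
        "exception_head_on_stack": limit <= head < base,
    }


if __name__ == "__main__":
    for key, val in check_tib(DT_SAMPLE, 0x00be0000).items():
        print("%-24s %s" % (key, val))
```

For the sample, Self equals 00be0000 and the exception registration record sits inside the 0x1000 bytes between StackLimit and StackBase, which is what a correct layout looks like; a mismatch on either check would mean the borrowed type does not describe this memory and the structure dump should not be trusted.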