Crash Dump Analysis Patterns (Part 138)

Sometimes we don’t have symbols (No Component Symbols pattern) or have only a restricted set that we call No Data Types pattern. For example, in a base OS we have data types:

0:016> dt ntdll!*

In the “private” version we don’t have them although the symbol file exists:

0:015> dt ntdll!*
0:015> !lmi ntdll
Loaded Module Info: [ntdll]
         Module: ntdll
   Base Address: 0000000076de0000
     Image Name: ntdll.dll
   Machine Type: 34404 (X64)
     Time Stamp: 4dcd9861 Fri May 13 21:45:21 2011
           Size: 17f000
       CheckSum: 188814
Characteristics: 2022  perf
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    22, f72a8,   f66a8 RSDS - GUID: {05A648A7-625D-42E7-B736-7816F0CA1E0C}
               Age: 2, Pdb: ntdll.pdb
                CLSID     8, f72a0,   f66a0 [Data not mapped]
     Image Type: MEMORY   - Image read successfully from loaded memory.
    Symbol Type: PDB      - Symbols loaded successfully from symbol server.
    Load Report: public symbols , not source indexed

In such cases manually loading a proximate module might help: Coping with missing symbolic information (although I haven’t yet tested it on x64 systems). I also thought of naming the pattern as Private Modification but that would not cover many other cases where types were missing from the very beginning.

- Dmitry Vostokov @ + -

One Response to “Crash Dump Analysis Patterns (Part 138)”

  1. Dmitry Vostokov Says:

    Tip: If the current version of ntdll doesn’t have full symbols with data structures then load all modules via .reload /f and you may find your structure in some other module’s symbols.


    0:003> !teb
    TEB at 00be0000
    error InitTypeRead( TEB )…

    0:003> dt _TEB
    Symbol _TEB not found.

    0:003> dt ntdll!_TEB
    Symbol ntdll!_TEB not found.

    0:003> .reload /f

    0:003> dt _TEB
    +0×000 NtTib : _NT_TIB

    0:003> dt _NT_TIB 00be0000
    +0×000 ExceptionList : 0×0515f8b4 _EXCEPTION_REGISTRATION_RECORD
    +0×004 StackBase : 0×05160000 Void
    +0×008 StackLimit : 0×0515f000 Void
    +0×00c SubSystemTib : (null)
    +0×010 FiberData : 0×00001e00 Void
    +0×010 Version : 0×1e00
    +0×014 ArbitraryUserPointer : (null)
    +0×018 Self : 0×00be0000 _NT_TIB

Leave a Reply

You must be logged in to post a comment.