By: Dmitry Vostokov

Dmitry Vostokov — Tue, 19 Nov 2019 22:57:34 +0000

Tip: If the current version of ntdll doesn’t have full symbols with data structures then load all modules via .reload /f and you may find your structure in some other module’s symbols.

Example:

0:003> !teb
TEB at 00be0000
error InitTypeRead( TEB )…

0:003> dt _TEB
Symbol _TEB not found.

0:003> dt ntdll!_TEB
Symbol ntdll!_TEB not found.

0:003> .reload /f

0:003> dt _TEB
combase!_TEB
+0×000 NtTib : _NT_TIB
[…]

0:003> dt _NT_TIB 00be0000
combase!_NT_TIB
+0×000 ExceptionList : 0×0515f8b4 _EXCEPTION_REGISTRATION_RECORD
+0×004 StackBase : 0×05160000 Void
+0×008 StackLimit : 0×0515f000 Void
+0×00c SubSystemTib : (null)
+0×010 FiberData : 0×00001e00 Void
+0×010 Version : 0×1e00
+0×014 ArbitraryUserPointer : (null)
+0×018 Self : 0×00be0000 _NT_TIB

Comments on: Crash Dump Analysis Patterns (Part 138)

By: Dmitry Vostokov