Crash Dump Analysis Patterns (Part 159)

Sometimes we have a value, a pointer or a handle and would like to know all memory addresses that reference it. This can be done by virtual memory search (the s WinDbg command). If you look for references in code (or for pool tags; see this case study), you can combine the search with the !for_each_module WinDbg extension command. There is also the !search command for physical pages. We cover this Value References pattern in the forthcoming Advanced Windows Memory Dump Analysis training with a step-by-step complete memory dump analysis exercise. For object references there is also the recently added !obtrace command, with good examples in WinDbg help.
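The searches described above, written out as an added example (not a session from the original post); the object address fffffa80a95cb610 is the thread object from the third comment below, and the x86 user-mode range and the pool tag "Thre" are assumed for illustration:

```windbg
; Value References: find every address whose contents equal a given value.
; -q searches qword-sized (pointer-width on x64) values; -d would search dwords
; (use -d for x86 pointers and for handle values, which are 32-bit).
; Each hit line is the address that holds the value, not the value itself.
0: kd> s -q 0 L?ffffffffffffffff fffffa80a95cb610

; Restrict the search to loaded module images (code and data sections) by
; running one s command per module; @#Base and @#Size are substituted by
; !for_each_module with the module's load address and image size.
0: kd> !for_each_module s -q @#Base L?@#Size fffffa80a95cb610

; Same idea for a pool tag stored as ASCII in a pool header (tag assumed).
0: kd> !for_each_module s -a @#Base L?@#Size "Thre"

; Resolve a hit: ln maps an address inside a module to the nearest symbol,
; !pool tells which pool allocation (and tag) a kernel address belongs to,
; dps dumps the surrounding pointers with symbols for context.
0: kd> ln <hit address>
0: kd> !pool <hit address>
0: kd> dps <hit address>-0x20 L10

; x86 user-mode process dump: the user address space is the low 2 GB, so
; a dword search over 0..7fffffff covers it (range assumed for a 32-bit target).
0:000> s -d 0 L?80000000 <value>
```

Searching the full address range is slow because s walks every mapped page, so narrowing to module ranges or a known pool region (for example after !pool) is the usual first step.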

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

3 Responses to “Crash Dump Analysis Patterns (Part 159)”

  1. Dmitry Vostokov Says:

    Useful command to find value pointers in the whole virtual address space:

    !heap -x -v

  2. Dmitry Vostokov Says:

    If we have an object with handle references to it we can search for its process handle container, for example, for zombie processes, we can dump all handle tables from all processes:

    !handle 0 3 0 Process

  3. Dmitry Vostokov Says:

    If we have an object address we can use !findhandle to find its process container:

    002c: Object: fffffa80a95cb610 GrantedAccess: 001fffff Entry: fffff8a0000030b0
    Object: fffffa80a95cb610 Type: (fffffa80a943bf30) Thread
    ObjectHeader: fffffa80a95cb5e0 (new version)
    HandleCount: 1 PointerCount: 2

    0: kd> !findhandle fffffa80a95cb610
    Now checking process fffffa80a943b6d0…
    [fffffa80a943b6d0 System]
    2c: Entry fffff8a0000030b0 Granted Access 1fffff
