Crash Dump Analysis Patterns (Part 159)
Sometimes we have a value, a pointer or a handle and would like to know all memory addresses that reference it. This can be done by a virtual memory search (the s WinDbg command). If you look for references in code (for example, for pool tags; please see this case study), you can combine the search with the !for_each_module WinDbg extension command, which runs it over the address range of each loaded module. There is also the !search extension command, which searches physical memory pages. Note that a search finds every matching bit pattern, not only genuine references, so each hit should be checked in context. We cover this Value References pattern in the forthcoming Advanced Windows Memory Dump Analysis training with a step-by-step complete memory dump analysis exercise. For object references there is also the recently added !obtrace command, with good examples in WinDbg help.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
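The command sequence below pulls the steps of this pattern together as an added example; it is not from the original post or its case study. It assumes a 64-bit complete memory dump open in a kernel-mode WinDbg session with symbols loaded, uses the Thread object address fffffa80a95cb610 from the comments below as the value to look for, and picks the 'Thre' pool tag to illustrate the code search; both are stand-ins for whatever value you are tracing.

```windbg
$$ Value References pattern: find everything that refers to a value.
$$ Assumed: 64-bit complete memory dump, kd session, symbols loaded.
$$ The value is the Thread object address from the comments on this
$$ post; replace it with your own value or pointer.

$$ 1. Search the whole virtual address space for the 8-byte value.
$$    L? allows a range larger than the usual 256 MB limit; narrow the
$$    range once you know the region of interest to speed things up.
s -q 0 L?ffffffffffffffff fffffa80a95cb610

$$ 2. Hits are just matching bit patterns, so classify each one.
$$    -[1] makes s print addresses only, which .foreach can consume;
$$    ln names a nearby symbol, !pool <addr> 2 shows only the pool
$$    allocation that contains the hit (and its tag).
.foreach (ref { s -[1]q 0 L?ffffffffffffffff fffffa80a95cb610 }) { .echo ref; ln ref; !pool ref 2 }

$$ 3. References from code rather than data: search the image of every
$$    loaded module. @#Base and @#Size are set per module by
$$    !for_each_module. The pattern is the pool tag 'Thre' as the
$$    little-endian dword immediate (0x65726854) that a call such as
$$    ExAllocatePoolWithTag leaves in code; the ASCII form is equivalent.
!for_each_module s -d @#Base L?@#Size 0x65726854
!for_each_module s -a @#Base L?@#Size "Thre"

$$ 4. Physical memory: !search looks for a pointer-sized value in
$$    physical pages, including ones not mapped in the current virtual
$$    context (see WinDbg help for its options).
!search fffffa80a95cb610

$$ 5. Handle references, as in the comments below. A raw search for a
$$    small handle value such as 0x2c is useless (the pattern is far
$$    too common), so walk the handle tables for the object type
$$    instead and look for "Object: fffffa80a95cb610" in the output,
$$    or ask !findhandle for the owning process directly.
!handle 0 3 0 Thread
!findhandle fffffa80a95cb610

$$ 6. Pointer references taken on the object (ObReferenceObject and
$$    ObDereferenceObject) with their call stacks. Only works if object
$$    reference tracing was enabled with GFlags before the dump was taken.
!obtrace fffffa80a95cb610
```

Steps 1 and 2 find references in data, step 3 finds references in code, step 4 covers pages the virtual view cannot reach, and steps 5 and 6 are the object-specific shortcuts; a reference that shows up in none of them is a sign the value is held in a register, a truncated field, or a page that is not in the dump.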
March 23rd, 2012 at 1:22 pm
Useful command to find pointers to a value in the whole virtual address space:
!heap -x -v
June 12th, 2015 at 5:44 pm
If we have an object with handle references to it, we can search for its process handle container; for example, for zombie processes we can dump all handle tables from all processes:
!handle 0 3 0 Process
September 19th, 2016 at 11:21 am
If we have an object address, we can use !findhandle to find its process container:
002c: Object: fffffa80a95cb610 GrantedAccess: 001fffff Entry: fffff8a0000030b0
Object: fffffa80a95cb610 Type: (fffffa80a943bf30) Thread
ObjectHeader: fffffa80a95cb5e0 (new version)
HandleCount: 1 PointerCount: 2
0: kd> !findhandle fffffa80a95cb610
Now checking process fffffa80a943b6d0…
[fffffa80a943b6d0 System]
2c: Entry fffff8a0000030b0 Granted Access 1fffff
February 4th, 2022 at 4:03 pm
There is also the !findthreads command.