Software Diagnostics Library

Archive for May 19th, 2012

Crash Dump Analysis Patterns (Part 20d)

Saturday, May 19th, 2012

This is a specialization of Insufficient Memory (kernel pool) pattern called Memory Leak (I/O completion packets). The currently unique diagnostics this pattern provides in comparison with other kernel pool tags is that the pool allocation entries show the leaking process:

0: kd> !poolused 3 Sorting by NonPaged Pool Consumed

Pool Used: NonPaged Paged Tag Allocs Frees Diff Used Allocs Frees Diff Used Icp 1294074 42875 1251199 96642976 0 0 0 0 I/O completion packets queue on a completion ports […]

0: kd> !poolfind Icp

Scanning large pool allocation table for Tag: Icp (fffffa8013e00000 : fffffa8014100000)

*fffffa800e188260 size: 50 previous size: 40 (Allocated) Icp Process: fffffa800899dc40 *fffffa800e1882e0 size: 50 previous size: 30 (Allocated) Icp Process: fffffa800899dc40 *fffffa800e188330 size: 50 previous size: 50 (Allocated) Icp Process: fffffa800899dc40 *fffffa800e188380 size: 50 previous size: 50 (Allocated) Icp Process: fffffa800899dc40 *fffffa800e1883d0 size: 50 previous size: 50 (Allocated) Icp Process: fffffa800899dc40 *fffffa800e188420 size: 50 previous size: 50 (Allocated) Icp Process: fffffa800899dc40 *fffffa800e188470 size: 50 previous size: 50 (Allocated) Icp Process: fffffa800899dc40 *fffffa800e1884c0 size: 50 previous size: 50 (Allocated) Icp Process: fffffa800899dc40

0: kd> !process fffffa800899dc40 1 PROCESS fffffa800899dc40 SessionId: 0 Cid: 43a4 Peb: 7efdf000 ParentCid: 0412 DirBase: 09d6b000 ObjectTable: fffff8a0046c8c10 HandleCount: 1068. Image: ServiceA.exe […]

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging | No Comments »

Crash Dump Analysis Patterns (Part 172)

Saturday, May 19th, 2012

Recently I observed a few occurrences of a rare No Current Thread pattern in a large set of process memory dumps:

0:???> k WARNING: The debugger does not have a current process or thread WARNING: Many commands will not work ^ Illegal thread error in ‘k’

0:???> ~ WARNING: The debugger does not have a current process or thread WARNING: Many commands will not work 0 Id: 95f4.6780 Suspend: 1 Teb: 7efdd000 Unfrozen

Setting a current thread helps:

0:???> ~0s WARNING: The debugger does not have a current process or thread WARNING: Many commands will not work eax=037d0010 ebx=0002bda0 ecx=03b1a010 edx=00000007 esi=037d0010 edi=03b069fc eip=0397939f esp=0018fd98 ebp=0018fdd8 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202 DllA+0×939f: 0397939f 8b10 mov edx,dword ptr [eax] ds:002b:037d0010=03b1a010

0:000> k ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 0018fdd8 03975257 DllA+0x939f 0018fdf8 03975577 DllA+0x5257 0018fe58 772bb9a0 DllA+0x5577 0018fe78 772d9b96 ntdll!LdrpCallInitRoutine+0x14 0018ff1c 772d9a38 ntdll!LdrShutdownProcess+0x1aa 0018ff30 752279f4 ntdll!RtlExitUserProcess+0x74 0018ff44 0040625d kernel32!ExitProcessStub+0x12 0018ff5c 012528e5 Application+0x625d 0018ff88 7522339a Application!foo+0xdc88f1 0018ff94 772bbf42 kernel32!BaseThreadInitThunk+0xe 0018ffd4 772bbf15 ntdll!__RtlUserThreadStart+0x70 0018ffec 00000000 ntdll!_RtlUserThreadStart+0x1b

However, EIP of the new current thread doesn’t point to any access violation and the dereferenced address is valid:

0:000> !address 037d0010 Usage: <unclassified> Allocation Base: 037d0000 Base Address: 037d0000 End Address: 038dd000 Region Size: 0010d000 Type: 00020000 MEM_PRIVATE State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE

Also, if we inspect the raw stack data we won’t find any hidden exceptions there. So we conclude that the missing thread was exceptional. Indeed, there is a saved exception context in the process memory dump:

0:000> .exr -1 ExceptionAddress: 08a9ae18 (<Unloaded_DllB.dll>+0x001cae18) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000001 NumberParameters: 1 Parameter[0]: 00000008

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging | No Comments »

Archive for May 19th, 2012

Crash Dump Analysis Patterns (Part 20d)

Crash Dump Analysis Patterns (Part 172)

Pages

Recent Comments

Categories

Archives

ARM64

Automated Analysis

Blogroll

Debugging Channels

Forensics

Hardware

Linux

Mac OS X

Magazines and Newspapers

Malware Analysis

Medical Diagnostics

Narratology

Related Links

Reversing

Scripting Languages

Source Code

Tracing Tools

Meta

May 2012
M	T	W	T	F	S	S
« Apr				Jun »
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31