Crash Dump Analysis Patterns (Part 248)

If the OS is not running inside a virtual machine, it is difficult to get consistent live snapshots of physical memory (see the Inconsistent Dump analysis pattern). The mirror dump options in LiveKd can save a consistent kernel memory dump. Then we can either use the Fiber Bundle technique of saving individual process memory dumps, or create an inconsistent complete memory dump using LiveKd, or both. We call this pattern Mirror Dump Set.

We can identify a mirror dump by the following current stack trace:

0: kd> version
...
64-bit Kernel bitmap dump: ...
...

0: kd> k
# Child-SP RetAddr Call Site
00 ffffd000`26121700 fffff803`cf5f5ee3 nt!IopLiveDumpEndMirroringCallback+0x7f
01 ffffd000`26121750 fffff803`cf60561b nt!MmDuplicateMemory+0x807
02 ffffd000`26121830 fffff803`cf851c60 nt!IopLiveDumpCaptureMemoryPages+0x53
03 ffffd000`26121890 fffff803`cf447443 nt!IoCaptureLiveDump+0xf8
04 ffffd000`261218e0 fffff803`cf8ceb0d nt!DbgkCaptureLiveKernelDump+0x2e7
05 ffffd000`26121970 fffff803`cf3debb3 nt!NtSystemDebugControl+0x3f5
06 ffffd000`26121a90 00007ffa`2925205a nt!KiSystemServiceCopyEnd+0x13
07 000000a3`5bcddb48 00000000`00000000 0x00007ffa`2925205a

In one analysis case, we got such a set while analyzing ALPC Wait Chains with user space stack traces in a complete memory dump, where the endpoint was blocked in a filter driver. But the search for stack traces having the filter manager in their frames failed due to inconsistency:

0: kd> version
...
64-bit Full kernel dump: ...
...

0: kd> !stacks 2 FltMgr
...
TYPE mismatch for thread object at ffffe001b804d638
4.------ NO ETHREAD DATA
TYPE mismatch for thread object at ffffe001b804d638
4.------ NO ETHREAD DATA
TYPE mismatch for thread object at ffffe001b804d638
4.------ NO ETHREAD DATA
TYPE mismatch for thread object at ffffe001b804d638
4.------ NO ETHREAD DATA
TYPE mismatch for thread object at ffffe001b804d638
4.------ NO ETHREAD DATA
...

So we found such kernel space stack traces in the consistent mirror dump instead.
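As an added illustration (not part of the original post), a small Python script that classifies members of a dump set the way described above: it recognizes the mirror dump signature on the current stack and reports whether a "!stacks 2 FltMgr" search returned resolved frames or only the inconsistency markers. The WinDbg output embedded in it is constructed sample text modelled on this post, not taken from a real dump.

```python
import re
from dataclasses import dataclass

# Constructed sample WinDbg output modelled on the sessions in the post
# (addresses and offsets are illustrative, not taken from a real dump).
MIRROR_K = """0: kd> k
 # Child-SP          RetAddr           Call Site
00 ffffd000`26121700 fffff803`cf5f5ee3 nt!IopLiveDumpEndMirroringCallback+0x7f
01 ffffd000`26121750 fffff803`cf60561b nt!MmDuplicateMemory+0x807
02 ffffd000`26121830 fffff803`cf851c60 nt!IopLiveDumpCaptureMemoryPages+0x53
03 ffffd000`26121890 fffff803`cf447443 nt!IoCaptureLiveDump+0xf8
"""
COMPLETE_STACKS = """0: kd> !stacks 2 FltMgr
TYPE mismatch for thread object at ffffe001b804d638
4.------ NO ETHREAD DATA
"""
MIRROR_STACKS = """0: kd> !stacks 2 FltMgr
Proc.Thread  .Thread  Ticks   ThreadState Blocker
                            [ffffe001b7a3a040 System]
   4.0001a4  ffffe001b804d080 0000b2f1 Blocked    nt!KiSwapContext+0x76
                                                  FltMgr!FltpPerformPreCallbacks+0x2cd
"""

# Frames that appear on the current thread of a LiveKd mirror dump (from the post).
MIRROR_FRAMES = ("nt!IopLiveDumpEndMirroringCallback", "nt!IoCaptureLiveDump")


def is_mirror_dump(k_output: str) -> bool:
    """True when the 'k' output shows the live-dump mirroring path, i.e. a mirror dump."""
    return all(frame in k_output for frame in MIRROR_FRAMES)


@dataclass
class StacksReport:
    hits: int        # frames resolved to the searched module
    mismatches: int  # "TYPE mismatch for thread object" lines
    no_ethread: int  # "NO ETHREAD DATA" lines

    @property
    def consistent(self) -> bool:
        # Either marker means thread objects changed while the dump was taken,
        # so zero hits says nothing about whether the module is on any stack.
        return self.mismatches == 0 and self.no_ethread == 0


def analyze_stacks(output: str, module: str) -> StacksReport:
    """Count resolved 'module!symbol' frames and inconsistency markers in '!stacks 2' output."""
    hits = len(re.findall(rf"\b{re.escape(module)}!\w+", output, re.IGNORECASE))
    mismatches = output.count("TYPE mismatch for thread object at")
    no_ethread = output.count("NO ETHREAD DATA")
    return StacksReport(hits, mismatches, no_ethread)
```

When the complete dump's report is not consistent, the same search is repeated against the member that is_mirror_dump() identified.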

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
