Archive for June, 2025

Collection Patterns

Sunday, June 8th, 2025

A page to reference all the different kinds of collection-related analysis patterns is necessary, so I created this post:

I’ll update it as soon as I add more similar patterns.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 299)

Tuesday, June 3rd, 2025

Interrupt Stack Collection is another area to mine for Execution Residue and Rough Stack Traces. Some interrupt stacks may already be visible in Stack Trace Collections, such as the one gathered from all CPUs. In addition to the double fault stack region used for Stack Overflow, there are dedicated debug trap, NMI, and machine check interrupt stack regions (6Kb); !idt reports them as Stack = values on the vectors whose gate has a nonzero IST index:

6: kd> !idt

Dumping IDT: ffffbd014d6b1000

00: fffff806f53ad100 nt!KiDivideErrorFaultShadow
01: fffff806f53ad180 nt!KiDebugTrapOrFaultShadow Stack = 0xFFFFBD014D6B59D0
02: fffff806f53ad240 nt!KiNmiInterruptShadow Stack = 0xFFFFBD014D6B57D0
03: fffff806f53ad2c0 nt!KiBreakpointTrapShadow
04: fffff806f53ad340 nt!KiOverflowTrapShadow
05: fffff806f53ad3c0 nt!KiBoundFaultShadow
06: fffff806f53ad440 nt!KiInvalidOpcodeFaultShadow
07: fffff806f53ad4c0 nt!KiNpxNotAvailableFaultShadow
08: fffff806f53ad540 nt!KiDoubleFaultAbortShadow Stack = 0xFFFFBD014D6B53D0
09: fffff806f53ad5c0 nt!KiNpxSegmentOverrunAbortShadow
0a: fffff806f53ad640 nt!KiInvalidTssFaultShadow
0b: fffff806f53ad6c0 nt!KiSegmentNotPresentFaultShadow
0c: fffff806f53ad740 nt!KiStackFaultShadow
0d: fffff806f53ad7c0 nt!KiGeneralProtectionFaultShadow
0e: fffff806f53ad840 nt!KiPageFaultShadow
10: fffff806f53ad8c0 nt!KiFloatingErrorFaultShadow
11: fffff806f53ad940 nt!KiAlignmentFaultShadow
12: fffff806f53ad9c0 nt!KiMcheckAbortShadow Stack = 0xFFFFBD014D6B55D0
13: fffff806f53adac0 nt!KiXmmExceptionShadow
[…]

These stacks are different for each CPU: the IST index in each IDT gate selects a slot in the current processor's TSS. The same stack bases can therefore be read from the TSS, whose address is KPCR.TssBase (after switching to processor 0 with ~0s; in this output the legacy !pcr fields IDT, GDT, and TSS are zero, so dt nt!_KPCR is used to get the GDT, TSS, and IDT bases instead):

6: kd> ~0s

0: kd> !pcr
KPCR for Processor 0 at fffff80680079000:
Major 1 Minor 1
NtTib.ExceptionList: fffff8068743efb0
NtTib.StackBase: fffff8068743d000
NtTib.StackLimit: 0000000000000000
NtTib.SubSystemTib: fffff80680079000
NtTib.Version: 0000000080079180
NtTib.UserPointer: fffff80680079870
NtTib.SelfTib: 00000060414a8000

SelfPcr: 0000000000000000
Prcb: fffff80680079180
Irql: 0000000000000000
IRR: 0000000000000000
IDR: 0000000000000000
InterruptMode: 0000000000000000
IDT: 0000000000000000
GDT: 0000000000000000
TSS: 0000000000000000

CurrentThread: ffffa80b0c8240c0
NextThread: 0000000000000000
IdleThread: fffff806f57d0640

DpcQueue:

0: kd> dt nt!_KPCR fffff80680079000
nt!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 GdtBase : 0xfffff806`8743efb0 _KGDTENTRY64
+0x008 TssBase : 0xfffff806`8743d000 _KTSS64
+0x010 UserRsp : 0
+0x018 Self : 0xfffff806`80079000 _KPCR
+0x020 CurrentPrcb : 0xfffff806`80079180 _KPRCB
+0x028 LockArray : 0xfffff806`80079870 _KSPIN_LOCK_QUEUE
+0x030 Used_Self : 0x00000060`414a8000 Void
+0x038 IdtBase : 0xfffff806`8743c000 _KIDTENTRY64
+0x040 Unused : [2] 0
+0x050 Irql : 0 ''
+0x051 SecondLevelCacheAssociativity : 0x10 ''
+0x052 ObsoleteNumber : 0 ''
+0x053 Fill0 : 0 ''
+0x054 Unused0 : [3] 0
+0x060 MajorVersion : 1
+0x062 MinorVersion : 1
+0x064 StallScaleFactor : 0x840
+0x068 Unused1 : [3] (null)
+0x080 KernelReserved : [15] 0
+0x0bc SecondLevelCacheSize : 0x800000
+0x0c0 HalReserved : [16] 0x7de29000
+0x100 Unused2 : 0
+0x108 KdVersionBlock : (null)
+0x110 Unused3 : (null)
+0x118 PcrAlign1 : [24] 0

0: kd> dt nt!_KTSS64 0xfffff806`8743d000
nt!_KTSS64
+0x000 Reserved0 : 0
+0x004 Rsp0 : 0xfffff806`87440200
+0x00c Rsp1 : 0
+0x014 Rsp2 : 0
+0x01c Ist : [8] 0
+0x05c Reserved1 : 0
+0x064 Reserved2 : 0
+0x066 IoMapBase : 0x68

0: kd> dps 0xfffff806`8743d000+1c L8
fffff806`8743d01c 00000000`00000000
fffff806`8743d024 fffff806`874403d0
fffff806`8743d02c fffff806`874405d0
fffff806`8743d034 fffff806`874407d0
fffff806`8743d03c fffff806`874409d0
fffff806`8743d044 00000000`00000000
fffff806`8743d04c 00000000`00000000
fffff806`8743d054 00000000`00000000

0: kd> !idt 2

Dumping IDT: fffff8068743c000

02: fffff806f53ad240 nt!KiNmiInterruptShadow Stack = 0xFFFFF806874407D0

These IST values may be transition stack values rather than the full interrupt stacks. In this dump the first qword on the NMI transition stack is the KPCR address and the second is the pointer the redirection follows, so one more dereference is required before scanning the real stack region for symbols (here 0x6000 bytes ending at that pointer plus 0x20):

0: kd> dps fffff806`874407d0 L4
fffff806`874407d0 fffff806`80079000
fffff806`874407d8 fffff806`87471fe0
fffff806`874407e0 fffff806`80079000
fffff806`874407e8 00000004`237bf002

0: kd> dpS fffff806`87471fe0+20-6000 L6000/8
fffff806`f4dcd566 nt!KiSaveProcessorState+0xb6
fffff806`f4dc588a nt!KiFreezeTargetExecution+0x1ba
fffff806`f4db72ea nt!KiCheckForFreezeExecution+0x2a
fffff806`f4dbb242 nt!KiProcessNMI+0x52
fffff806`f4eb0fc2 nt!KxNmiInterrupt+0x82
fffff806`f4dcd124 nt!KiMcheckFastForward+0x64
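The same chain (IDT gate IST index → TSS Ist slot → transition stack → real stack region) can be walked offline over raw structures instead of with debugger extensions. The C program below is an added example, not code from the post or from the debugger; it assumes the Intel gate descriptor layout, the _KTSS64 offsets shown by the dt output above, a kernel code selector of 0x10, and sample data constructed from the CPU 0 values in the post (the IST slot assigned to each vector is what the Stack = values imply, and the "first qword equals KPCR" test used to recognize a transition stack is a heuristic read off this dump, not a documented contract):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x64 interrupt gate descriptor, 16 bytes (nt!_KIDTENTRY64; Intel SDM vol. 3A, IDT gate descriptors). */
#pragma pack(push, 1)
typedef struct {
    uint16_t offset_low;     /* handler address bits 0..15 */
    uint16_t selector;       /* code segment selector */
    uint8_t  ist_attr;       /* bits 0..2: IST index, 0 = no stack switch for this vector */
    uint8_t  type_attr;      /* gate type, DPL, present bit */
    uint16_t offset_middle;  /* handler address bits 16..31 */
    uint32_t offset_high;    /* handler address bits 32..63 */
    uint32_t reserved;
} IDTENTRY64;
/* nt!_KTSS64 at the offsets the post's dt output shows: Rsp0 +0x04, Ist[8] +0x1c, IoMapBase +0x66. */
typedef struct {
    uint32_t reserved0;
    uint64_t rsp0, rsp1, rsp2;
    uint64_t ist[8];         /* ist[0] is never used by the CPU; IST field values 1..7 index here */
    uint64_t reserved1;
    uint16_t reserved2;
    uint16_t io_map_base;
} KTSS64;
#pragma pack(pop)
_Static_assert(sizeof(IDTENTRY64) == 16 && offsetof(KTSS64, ist) == 0x1c && offsetof(KTSS64, io_map_base) == 0x66, "layout");

uint64_t idt_handler(const IDTENTRY64 *e)
{
    return (uint64_t)e->offset_low | ((uint64_t)e->offset_middle << 16) | ((uint64_t)e->offset_high << 32);
}
/* Stack the CPU switches to when this vector fires: TSS.Ist[IST], or 0 when the gate has IST == 0. */
uint64_t idt_interrupt_stack(const IDTENTRY64 *e, const KTSS64 *tss)
{
    unsigned i = e->ist_attr & 7u;
    return i ? tss->ist[i] : 0;
}
static IDTENTRY64 make_gate(uint64_t handler, unsigned ist)
{
    IDTENTRY64 e = { .offset_low = (uint16_t)handler, .selector = 0x10 /* kernel code selector, assumed */,
                     .ist_attr = (uint8_t)(ist & 7u), .type_attr = 0x8e /* present, DPL 0, interrupt gate */,
                     .offset_middle = (uint16_t)(handler >> 16), .offset_high = (uint32_t)(handler >> 32) };
    return e;
}

/* Constructed sample: CPU 0's TSS from the post (Rsp0 plus the four populated Ist slots). */
const KTSS64 g_tss0 = { .rsp0 = 0xfffff80687440200ULL, .io_map_base = 0x68,
    .ist = { 0, 0xfffff806874403d0ULL, 0xfffff806874405d0ULL, 0xfffff806874407d0ULL, 0xfffff806874409d0ULL } };
/* Constructed sample IDT: handler addresses are the post's, the IST slot per vector is what the post's
 * Stack= values imply (#DF -> 1, #MC -> 2, NMI -> 3, #DB -> 4), and #PF has no dedicated stack. */
const IDTENTRY64 *sample_idt(void)
{
    static IDTENTRY64 idt[32];
    if (!idt_handler(&idt[0x02])) {      /* build once */
        idt[0x01] = make_gate(0xfffff806f53ad180ULL, 4);
        idt[0x02] = make_gate(0xfffff806f53ad240ULL, 3);
        idt[0x08] = make_gate(0xfffff806f53ad540ULL, 1);
        idt[0x0e] = make_gate(0xfffff806f53ad840ULL, 0);
        idt[0x12] = make_gate(0xfffff806f53ad9c0ULL, 2);
    }
    return idt;
}
/* Constructed memory snapshot: the four qwords the post dumps at the CPU 0 NMI transition stack. */
static const struct { uint64_t addr, value; } g_dump[] = {
    { 0xfffff806874407d0ULL, 0xfffff80680079000ULL },   /* KPCR pointer */
    { 0xfffff806874407d8ULL, 0xfffff80687471fe0ULL },   /* pointer the post follows to the real stack */
    { 0xfffff806874407e0ULL, 0xfffff80680079000ULL },
    { 0xfffff806874407e8ULL, 0x00000004237bf002ULL },
};
static int read_qword(uint64_t addr, uint64_t *out)
{
    for (size_t i = 0; i < sizeof g_dump / sizeof g_dump[0]; i++)
        if (g_dump[i].addr == addr) { *out = g_dump[i].value; return 1; }
    return 0;                           /* not in the snapshot: treat as unreadable */
}
/* Redirection step, a heuristic read off the post's dump rather than a documented contract: if the IST
 * slot is a transition stack whose first qword is this CPU's KPCR, the second qword is the real stack
 * pointer; otherwise the IST value itself is the stack to dump. */
uint64_t resolve_interrupt_stack(const IDTENTRY64 *e, const KTSS64 *tss, uint64_t kpcr)
{
    uint64_t ist_sp = idt_interrupt_stack(e, tss), q0, q1;
    if (ist_sp && read_qword(ist_sp, &q0) && read_qword(ist_sp + 8, &q1) && q0 == kpcr)
        return q1;
    return ist_sp;
}
/* Bounds of the post's "dpS <sp>+20-6000 L6000/8" scan: 0x6000 bytes ending at sp + 0x20. */
uint64_t residue_hi(uint64_t sp) { return sp + 0x20; }
uint64_t residue_lo(uint64_t sp) { return residue_hi(sp) - 0x6000; }

int main(void)
{
    const IDTENTRY64 *idt = sample_idt();
    for (unsigned v = 0; v < 32; v++) {
        if (!idt_handler(&idt[v])) continue;
        uint64_t sp = resolve_interrupt_stack(&idt[v], &g_tss0, 0xfffff80680079000ULL);
        printf("%02x: handler %016llx IST %u stack %016llx dpS from %016llx\n", v, (unsigned long long)idt_handler(&idt[v]),
               idt[v].ist_attr & 7u, (unsigned long long)sp, (unsigned long long)(sp ? residue_lo(sp) : 0));
    }
    return 0;
}
```

For vector 2 the walk reproduces the post: Ist[3] = fffff806`874407d0, whose first qword is the KPCR, so the real region to scan starts at fffff806`87471fe0+20-6000; for vector 8 the snapshot has no data at Ist[1], so the IST value is reported as the stack itself, and vector 0xe (page fault) has no IST stack at all. On a real dump the `read_qword` stub would be replaced by reads from the memory image, and the KPCR comparison should be re-checked per build before trusting the redirection.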

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -