Selected Q&A

Q. Could you share some insights about ds:[]?

A. Let's look at the typical output of an invalid pointer access violation context:

0:000> r
Last set context:
eax=00000000 ebx=00000001 ecx=00000000 edx=0018fe40 esi=00426310 edi=00000111
eip=0041ff21 esp=0018f81c ebp=0018f850 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
Module!Function+0xb1:
0041ff21 mov dword ptr ds:[812c2bef],0  ds:002b:812c2bef=????????

We can ignore ds (data segment register) as segmentation is no longer used and is in fact abandoned in x64 model. The same is for ss (stack segment), es (extra data segment), cs (code segment). You can treat what's in square brackets [] as a memory address so the whole [] expression is ...

Get Accelerated .NET Memory Dump Analysis: Training Course Transcript and WinDbg Practice Exercises with Notes now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.