
Accelerated .NET Memory Dump Analysis: Training Course Transcript and WinDbg Practice Exercises, Third Edition by Software Diagnostics Services, Dmitry Vostokov


Selected Q&A

Q. Could you share some insights about ds:[]?

A. Let’s look at the typical output of an invalid pointer access violation context:

0:000> r
Last set context:
eax=00000000 ebx=00000001 ecx=00000000 edx=0018fe40 esi=00426310 edi=00000111
eip=0041ff21 esp=0018f81c ebp=0018f850 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Module!Function+0xb1:
0041ff21 mov dword ptr ds:[812c2bef],0 ds:002b:812c2bef=????????

We can ignore ds (the data segment register) because segmentation is no longer used and is in fact abandoned in the x64 model. The same applies to ss (stack segment), es (extra data segment), and cs (code segment). You can treat what’s in square brackets [] as a memory address, so the whole [] expression is a value ...
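As an added example (not from the book), this Python sketch reads the `r` output quoted above, extracts the address inside the square brackets, and reports whether WinDbg could read the memory there. The function name `parse_context`, the field names, and the `mov`-only read/write heuristic are assumptions of this example, and it handles only the 32-bit annotation format shown in the answer.

```python
import re

# Constructed sample: the register context quoted in the answer above.
SAMPLE = """\
eax=00000000 ebx=00000001 ecx=00000000 edx=0018fe40 esi=00426310 edi=00000111
eip=0041ff21 esp=0018f81c ebp=0018f850 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Module!Function+0xb1:
0041ff21 mov dword ptr ds:[812c2bef],0 ds:002b:812c2bef=????????
"""

REG = re.compile(r"\b([a-z]{2,3})=([0-9a-f]+)\b")
# Trailing annotation in the 32-bit form shown above: seg:selector:address=value
ANNOT = re.compile(r"\b([c-gs]s):([0-9a-f]{4}):([0-9a-f]{8})=(\S+)\s*$")
INSN = re.compile(r"^([0-9a-f]{8})\s+(\S+)\s+(.*)$")


def parse_context(text):
    """Summarise the memory access made by the instruction in `r` output."""
    regs = {name: int(value, 16) for name, value in REG.findall(text)}
    for line in text.splitlines():
        insn = INSN.match(line)
        note = ANNOT.search(line)
        if insn and note:
            break
    else:
        raise ValueError("no instruction line with a memory annotation found")
    seg, selector, address, value = note.groups()
    operands = insn.group(3)[: note.start() - insn.start(3)].strip()
    dest = operands.split(",")[0]
    if insn.group(2) == "mov":  # heuristic: only mov is classified here
        access = "write" if "[" in dest else "read"
    else:
        access = "unknown"
    return {
        "address": int(address, 16),          # the value inside ds:[...]
        "readable": set(value) != {"?"},      # ???????? means inaccessible
        "access": access,
        "selector_matches_register": int(selector, 16) == regs.get(seg),
        "at_eip": int(insn.group(1), 16) == regs.get("eip"),
    }


if __name__ == "__main__":
    for key, val in parse_context(SAMPLE).items():
        print(f"{key}: {val:#x}" if key == "address" else f"{key}: {val}")
```

The `selector_matches_register` field shows that the `002b` in the annotation is simply the current value of ds, which is why the segment prefix carries no extra information for triage.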
