Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Improbable Occurrence

We were analyzing a raw thread stack when we came upon this symbolic address, which we thought was coincidental (Volume 1, page 390):

363b0030 77777777 advapi32!LsaEnumerateAccountRights+0x56

Forward disassembly makes sense here and every instruction has a purpose:

0:000> u 77777777
advapi32!LsaEnumerateAccountRights+0x56:
77777777 a4            movs byte ptr es:[edi],byte ptr [esi]
77777778 fc            cld
77777779 ffc3          inc ebx
7777777b 8b65e8        mov esp,dword ptr [ebp-18h]
7777777e ff75e0        push dword ptr [ebp-20h]
77777781 ff15e4187377  call dword ptr [advapi32!_imp__I_RpcMapWin32Status (777318e4)]
77777787 50            push eax
77777788 e8c6f6fbff    call advapi32!LsapApiReturnResult (77736e53)
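The value above is suspicious on two counts at once: it resolves to a code symbol, and it is a repeated-byte pattern of the kind used as fill or poison. The following added example (not from the book) automates the first pass of such raw stack triage: it parses dps-style "address value" lines, resolves each dword against a module map, and flags values that are both inside a module and repeated-byte patterns so the analyst knows to confirm them by forward disassembly, as the author does above. The module map, the stack dump lines and the resulting "module+offset" notation are constructed for illustration and do not come from the book's dump; in particular the advapi32 range is chosen so that 0x77777777 falls inside it.

```python
"""Raw thread-stack triage: which dwords point into a loaded module, and which
of those are repeated-byte patterns that need a manual disassembly check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map for a 32-bit process (illustrative addresses only).
# The advapi32 range is picked so that 0x77777777 resolves into it, mirroring
# the symbol resolution shown on this page.
MODULES = [
    Module("ntdll", 0x7C900000, 0x000B2000),
    Module("kernel32", 0x7C800000, 0x000F6000),
    Module("advapi32", 0x77700000, 0x000A9000),
]


def is_repeated_pattern(value: int) -> bool:
    """True when all four bytes of a dword are equal (0x77777777, 0xcccccccc, ...).
    Such values are common fill/poison patterns, so a symbolic resolution is a
    coincidence until forward disassembly confirms sensible code."""
    return len(set(value.to_bytes(4, "little"))) == 1


def resolve(value: int, modules):
    """Return the module whose range contains value, or None."""
    for m in modules:
        if m.contains(value):
            return m
    return None


def classify(value: int, modules):
    """Tag one stack dword: 'symbol', 'symbol-suspect', 'fill-pattern' or 'data'.
    The second element is a constructed module+offset string for module hits."""
    mod = resolve(value, modules)
    if mod is None:
        return ("fill-pattern" if is_repeated_pattern(value) else "data", None)
    tag = "symbol-suspect" if is_repeated_pattern(value) else "symbol"
    return (tag, f"{mod.name}+0x{value - mod.base:x}")


def parse_dps(text: str):
    """Parse WinDbg dps-style lines '<stack addr> <value> [symbol...]'."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            out.append((int(parts[0], 16), int(parts[1], 16)))
        except ValueError:
            continue  # skip headers or garbled lines
    return out


# Constructed raw stack fragment (only the 77777777 value echoes the page).
RAW_STACK = """\
363b0028 00000000
363b002c 0012fe44
363b0030 77777777
363b0034 7c80b741
363b0038 cccccccc
"""


def triage(text: str, modules=MODULES):
    """Return (stack addr, value, tag, symbol-or-None) for every parsed dword."""
    return [(addr, value) + classify(value, modules) for addr, value in parse_dps(text)]


if __name__ == "__main__":
    for addr, value, tag, sym in triage(RAW_STACK):
        print(f"{addr:08x} {value:08x} {tag:14s} {sym or ''}")
```

The "symbol-suspect" tag is the interesting output: it does not decide whether the value is a genuine return address, it only tells the analyst that this is the slot to unassemble, exactly the step the author takes with u 77777777.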
