Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Hidden Parameter

This pattern is a variant of Execution Residue (Volume 2, page 239) and String Parameter (Volume 6, page 49) in which parameters are left out of the stack trace because of register calling conventions and compiler optimizations. However, raw stack analysis of the region around the stack frames of interest lets us find what we are looking for. Here's an example from an x64 system: a blocked thread waiting for data from a named pipe:

0: kd> kL
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
fffffa60`2c3627d0 fffff800`018b90fa nt!KiSwapContext+0x7f
fffffa60`2c362910 fffff800`018add3b nt!KiSwapThread+0x13a
fffffa60`2c362980 fffff800`01b2121f nt!KeWaitForSingleObject+0x2cb
fffffa60`2c362a10 fffff800`01b319b6 ...
