Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Unrecognizable Symbolic Information

Sometimes debugging information is absent from the module information in a memory dump, so the debugger can't recognize and automatically load the symbol files. For example, we see this stack trace without loaded component symbols:

THREAD 8a17c6d8  Cid 02ec.02f0  Teb: 7ffdf000 Win32Thread: e17b4420 WAIT: (UserRequest) UserMode Non-Alertable
    89873d00  SynchronizationEvent
IRP List:
    89d9fd20: (0006,0094) Flags: 00000800  Mdl: 00000000
Not impersonating
DeviceMap                 e10086c8
Owning Process            0       Image:         <Unknown>
Attached Process          8a17cda0       Image:         ApplicationA.exe
Wait Start TickCount      8164394        Ticks: 2884 (0:00:00:45.062)
Context Switch Count      1769160                 LargeStack
UserTime                  00:00:55.250
KernelTime                00:01:56.109
Start Address 0x0103e5e1
Stack ...
