
Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov


Module Variable

In addition to functions, we also have module variables, such as nt!MmPagedPoolCommit in Windows 7:

0: kd> x nt!MmPagedPool*
fffff800`031148d0 nt!MmPagedPoolInfo = <no type information>
fffff800`03092d20 nt!MmPagedPoolCommit = <no type information>
fffff800`031141a0 nt!MmPagedPoolEnd = <no type information>
fffff800`031175c0 nt!MmPagedPoolWs = <no type information>

If we are not sure whether a symbol is a function or a module variable, we can try to disassemble its address:

0: kd> u nt!MmPagedPoolCommit
nt!MmPagedPoolCommit:
fffff800`03092d20 e3b2            jrcxz   nt!MmTotalNonPagedPoolQuota+0x4 (fffff800`03092cd4)
fffff800`03092d22 0000            add     byte ptr [rax],al
fffff800`03092d24 0000            add     byte ptr [rax],al
fffff800`03092d26 0000            add     byte ptr [rax],al
...
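The disassembly above is the tell: the four bytes of a committed-pool counter decode as a nonsense jrcxz followed by a run of add byte ptr [rax],al, which is simply what zero bytes (00 00) look like to the x64 decoder. The following Python snippet is an added example, not code from the book or from WinDbg; it parses lines of WinDbg u output and applies that same heuristic (a high fraction of zero bytes or of the 00 00 encoding) to flag a symbol whose address looks like data rather than code. The nt!ExampleFunction listing is a constructed sample with a hypothetical symbol name and a typical x64 prologue; the 0.5 threshold is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass

# One line of WinDbg `u` output: 64-bit address (with WinDbg's backtick),
# raw opcode bytes, mnemonic and optional operands.  Prompt lines, the
# "symbol:" label line and the "..." continuation do not match and are skipped.
_LINE = re.compile(r"^([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]+)\s+(\S+)(?:\s+(.*))?$")

# Sample taken from the listing above (a module variable).
VARIABLE_DUMP = """\
0: kd> u nt!MmPagedPoolCommit
nt!MmPagedPoolCommit:
fffff800`03092d20 e3b2            jrcxz   nt!MmTotalNonPagedPoolQuota+0x4 (fffff800`03092cd4)
fffff800`03092d22 0000            add     byte ptr [rax],al
fffff800`03092d24 0000            add     byte ptr [rax],al
fffff800`03092d26 0000            add     byte ptr [rax],al
...
"""

# Constructed sample: a hypothetical function symbol with a common x64 prologue.
FUNCTION_DUMP = """\
0: kd> u nt!ExampleFunction
nt!ExampleFunction:
fffff800`02c8b000 48895c2408      mov     qword ptr [rsp+8],rbx
fffff800`02c8b005 57              push    rdi
fffff800`02c8b006 4883ec20        sub     rsp,20h
fffff800`02c8b00a 488bd9          mov     rbx,rcx
"""


@dataclass
class Insn:
    address: str
    raw: bytes       # the opcode bytes WinDbg printed for this instruction
    mnemonic: str
    operands: str


def parse_unassemble(text: str) -> list[Insn]:
    """Parse the instruction lines of a WinDbg `u` listing."""
    insns = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        addr, hexbytes, mnem, ops = m.groups()
        insns.append(Insn(addr, bytes.fromhex(hexbytes), mnem, ops or ""))
    return insns


def looks_like_data(insns: list[Insn], threshold: float = 0.5) -> bool:
    """Heuristic (assumption): a region is probably a variable, not code, when
    most of its bytes are zero or most decoded instructions are the 00 00
    encoding `add byte ptr [rax],al`.  Real functions start with a prologue
    and almost never contain long runs of zeros."""
    if not insns:
        return False
    blob = b"".join(i.raw for i in insns)
    zero_fraction = blob.count(b"\x00") / len(blob)
    add_zero = sum(1 for i in insns
                   if i.mnemonic == "add" and i.operands == "byte ptr [rax],al")
    return zero_fraction >= threshold or add_zero / len(insns) >= threshold


def classify(text: str) -> str:
    """Return 'data' or 'code' for a `u` listing, using the heuristic above."""
    return "data" if looks_like_data(parse_unassemble(text)) else "code"


if __name__ == "__main__":
    print("nt!MmPagedPoolCommit ->", classify(VARIABLE_DUMP))   # data
    print("nt!ExampleFunction   ->", classify(FUNCTION_DUMP))   # code
```

The heuristic only confirms the obvious case the book shows (a zero-filled or near-zero variable); a variable that happens to hold pointer-like values may decode into plausible instructions, so the symbol type from x with proper type information, or the section the address lives in, remains the authoritative check.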
