O'Reilly logo

Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Coincidental Error Code

Address space-wide search for errors and status codes (page 29) may show coincidental error codes:

0:000> !heap -x -v c0000005
Search VM for address range c0000005 - c0000005 : 028690b8 (c0000005),
[...]

0:000> dd 028690b8 l1
028690b8 c0000005

In such cases we need to check whether the addresses belong to volatile regions such as stack because it is possible to have such values as legitimate code and image data:

0:000> !address 028690b8
Usage:                Image
Allocation Base:      02700000
Base Address:         02869000
End Address:          02874000
Region Size:          0000b000
Type:                 01000000 MEM_IMAGE
State:                00001000 MEM_COMMIT
Protect:              00000002 PAGE_READONLY More info: lmv m ModuleA More info: !lmi ModuleA More info: ln 0×28690b8 0:000> u 028690b8 ModuleA!ComputeB: ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required