
Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov


Activity Resonance

This pattern is observed when two products from different vendors compete in the same functional domain, such as malware detection. In the example below, the ApplicationA and AV-DriverA modules belong to Vendor A and the AV-B module belongs to Vendor B. Both threads are spiking threads (Volume 1, page 305) that block all other activity in the system:

0: kd> !running

System Processors:  (0000000000000003)
  Idle Processors:  (0000000000000000) (0000000000000000) (0000000000000000) (0000000000000000)

     Prcbs             Current         Next
  0  fffff80001845e80  fffffa8004350060 ................
  1  fffff880009c4180  fffffa80028e7060 ................

0: kd> !thread fffffa8004350060 3f
THREAD fffffa8004350060  Cid 14424.14b34  Teb: 000000007efdb000 Win32Thread: fffff900c1d32c30
...
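The check behind this pattern can be automated: parse the !running table to see which thread is current on each processor, attribute each thread to the module and vendor it runs in, and flag the case where threads of two vendors occupy the processors at the same time. The following is an added example, not code from the book; the !running text is a constructed sample in the same layout as above, and the thread-to-vendor table (THREAD_OWNER) is a hypothetical stand-in for what you would read off !thread and stack output.

```python
import re

# Constructed sample in the layout of WinDbg "!running" output.
RUNNING_OUTPUT = """\
System Processors:  (0000000000000003)
  Idle Processors:  (0000000000000000) (0000000000000000) (0000000000000000) (0000000000000000)

     Prcbs             Current         Next
  0  fffff80001845e80  fffffa8004350060 ................
  1  fffff880009c4180  fffffa80028e7060 ................
"""

# One table row: CPU index, PRCB address, current thread, next thread (or dots).
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s*$")

def parse_running(text):
    """Map each CPU index to its PRCB, current thread and next thread (None if idle dots)."""
    cpus = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and summary lines are skipped
        cpu, prcb, current, nxt = m.groups()
        cpus[int(cpu)] = {
            "prcb": prcb,
            "current": current,
            "next": None if set(nxt) == {"."} else nxt,
        }
    return cpus

# Hypothetical attribution of each current thread to the module at the top of
# its stack and that module's vendor (in practice taken from !thread / k output).
THREAD_OWNER = {
    "fffffa8004350060": ("AV-DriverA", "Vendor A"),
    "fffffa80028e7060": ("AV-B", "Vendor B"),
}

def find_resonance(cpus, owner):
    """Return {vendor: [(cpu, module), ...]} when threads of more than one
    vendor are running concurrently; an empty dict means no resonance."""
    by_vendor = {}
    for cpu, info in cpus.items():
        module, vendor = owner.get(info["current"], ("<unknown>", "<unknown>"))
        if vendor != "<unknown>":
            by_vendor.setdefault(vendor, []).append((cpu, module))
    return by_vendor if len(by_vendor) > 1 else {}
```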
