Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Hidden Process

Not all processes are linked into the list that commands such as !process 0 0 traverse. A process may have unlinked itself from that list, or it may still be in its initialization stage. However, the process object is allocated from nonpaged pool, and that pool can be searched for the "Proc" pool tag (unless the process has also overwritten the tag in memory). For example:

0: kd> !poolfind Proc
Searching NonPaged pool (83c3c000 : 8bc00000) for Tag: Proc
*87b15000 size:  298 previous size:     0  (Free)      Pro.
*87b18370 size:  298 previous size:    98  (Allocated) Proc (Protected)
[...]
*8a35e900 size:  298 previous size:    30  (Allocated) Proc (Protected)
*8a484000 size:  298 previous size:     0  (Allocated) Proc (Protected)
*8a4a2d68 size:  298 previous size:    28  (Allocated) Proc (Protected)
[...]
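The search that !poolfind performs can be reproduced offline against a raw memory image, which is useful when the debugger is not available or when you want to cross-check its results. The following C program is an added example, not code from the book: it constructs one 4 KB page of "nonpaged pool" (a simplified x86 POOL_HEADER layout, assumed as stated in the comments), walks the block chain while validating that each block's PreviousSize matches the block before it and that BlockSize stays inside the page, and reports every block tagged "Proc" without consulting any process list. The function names (find_pool_tag, build_sample_pool, set_block_tag, demo_scan) and the sample blocks are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified x86 (32-bit) POOL_HEADER: 8 bytes, sizes counted in 8-byte granules.
 * Bit layout of the first word (assumed for this example): PreviousSize:9,
 * PoolIndex:7, BlockSize:9, PoolType:7. PoolType 0 means the block is free. */
#define POOL_GRANULE    8u
#define PAGE_SIZE_BYTES 4096u
#define PROTECTED_POOL  0x80000000u  /* high bit of the tag marks a protected allocation */
#define TAG(a, b, c, d) ((uint32_t)(a) | ((uint32_t)(b) << 8) | \
                         ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))

typedef struct {
    uint32_t sizes;  /* PreviousSize | PoolIndex<<9 | BlockSize<<16 | PoolType<<25 */
    uint32_t tag;    /* four ASCII bytes such as "Proc", possibly OR'ed with PROTECTED_POOL */
} pool_header_t;

typedef struct {
    size_t offset;         /* offset of the pool block inside the scanned region */
    size_t block_size;     /* bytes, including the header */
    size_t previous_size;  /* bytes */
    int    allocated;      /* 0 = free */
    int    protected_;     /* PROTECTED_POOL bit set on the tag */
} pool_hit_t;

/* Walk every page as a chain of pool blocks and report those whose tag matches.
 * A block is accepted only if its BlockSize stays inside the page and its
 * PreviousSize agrees with the block before it; a broken chain ends the page. */
size_t find_pool_tag(const uint8_t *pool, size_t len, uint32_t want,
                     pool_hit_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t page = 0; page + PAGE_SIZE_BYTES <= len; page += PAGE_SIZE_BYTES) {
        size_t off = page, end = page + PAGE_SIZE_BYTES;
        unsigned expected_prev = 0;
        while (off + sizeof(pool_header_t) <= end) {
            pool_header_t h;
            memcpy(&h, pool + off, sizeof h);
            unsigned prev_g  = h.sizes & 0x1FFu;
            unsigned block_g = (h.sizes >> 16) & 0x1FFu;
            unsigned type    = (h.sizes >> 25) & 0x7Fu;
            size_t block = (size_t)block_g * POOL_GRANULE;
            if (block == 0 || off + block > end || prev_g != expected_prev)
                break;  /* chain is corrupt or this is not pool: give up on the page */
            if ((h.tag & ~PROTECTED_POOL) == want) {
                if (found < max_out) {
                    out[found].offset        = off;
                    out[found].block_size    = block;
                    out[found].previous_size = (size_t)prev_g * POOL_GRANULE;
                    out[found].allocated     = type != 0;
                    out[found].protected_    = (h.tag & PROTECTED_POOL) != 0;
                }
                found++;
            }
            expected_prev = block_g;
            off += block;
        }
    }
    return found;
}

static uint8_t g_pool[PAGE_SIZE_BYTES];  /* one constructed page of "nonpaged pool" */

static size_t put_block(size_t off, unsigned prev_g, unsigned block_g,
                        unsigned pool_type, uint32_t tag)
{
    pool_header_t h = { (prev_g & 0x1FFu) | ((block_g & 0x1FFu) << 16) |
                        ((pool_type & 0x7Fu) << 25), tag };
    memcpy(g_pool + off, &h, sizeof h);  /* body stays zero; the object would follow */
    return off + block_g * POOL_GRANULE;
}

/* Constructed sample: a thread object, a live process, an event, a freed
 * (terminated) process whose tag survived, and the free remainder of the page. */
size_t build_sample_pool(void)
{
    memset(g_pool, 0, sizeof g_pool);
    size_t off = 0;
    off = put_block(off, 0,  19, 1, TAG('T','h','r','e'));                   /* 0x98 bytes  */
    off = put_block(off, 19, 83, 1, TAG('P','r','o','c') | PROTECTED_POOL);  /* 0x298 bytes */
    off = put_block(off, 83, 5,  1, TAG('E','v','e',' '));                   /* 0x28 bytes  */
    off = put_block(off, 5,  83, 0, TAG('P','r','o','c') | PROTECTED_POOL);  /* freed       */
    put_block(off, 83, 512 - 190, 0, TAG('F','r','e','e'));                  /* rest free   */
    return sizeof g_pool;
}

/* Rootkit-style tamper: overwrite a block's tag so a tag search no longer matches. */
void set_block_tag(size_t off, uint32_t tag)
{
    memcpy(g_pool + off + offsetof(pool_header_t, tag), &tag, sizeof tag);
}

/* Build the sample, optionally retag the live process, then search for "Proc". */
size_t demo_scan(int tamper_live_process, pool_hit_t *hits, size_t max_hits)
{
    size_t len = build_sample_pool();
    if (tamper_live_process)
        set_block_tag(0x98, TAG('X','x','x','x'));
    return find_pool_tag(g_pool, len, TAG('P','r','o','c'), hits, max_hits);
}

int main(void)
{
    pool_hit_t hits[8];
    size_t n = demo_scan(0, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("*%08zx size: %4zx previous size: %4zx (%s) Proc%s\n",
               hits[i].offset, hits[i].block_size, hits[i].previous_size,
               hits[i].allocated ? "Allocated" : "Free",
               hits[i].protected_ ? " (Protected)" : "");
    return 0;
}
```

Two points worth keeping in mind when reading the hits. First, each hit is the pool block, not the process structure itself: the EPROCESS begins after the pool header and the object header that precede it, so add those offsets before interpreting the bytes. Second, a free block with a surviving Proc tag (the "(Free) Pro." line in the debugger output above is one whose tag has already been partly overwritten) is usually a terminated process whose memory has not yet been reused; it is worth listing, but it is not a hidden process. Calling demo_scan with tamper_live_process set shows the caveat from the text: once the tag in the header is overwritten, the tag search finds only the freed block, and the live process has to be located by other means.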
