
Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov


Broken Link

Sometimes a linked list is broken, whether from memory corruption, Lateral Damage (Volume 1, page 264), or a Truncated Dump (Volume 1, page 340). For example, enumeration of the active process list stopped after showing some processes (!for_each_thread and !vm also don't work):

0: kd> !process 0 3f
[...]
TYPE mismatch for process object at fffffa80041da5c0

0: kd> !validatelist nt!PsActiveProcessHead
Blink at address fffffa80041da748 does not point back to previous at fffffa8005bc8cb8

Here we can either repair or navigate the links manually, or use other means such as dumping the pool allocations for process structures with the Proc pool tag:

0: kd> !poolfind Proc
Searching NonPaged pool (fffffa80032fc000 : ffffffe000000000) ...
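The back-link check behind the !validatelist message above, and manual navigation from the other end of the list, as an added C example (not code from the book). The list_entry type mirrors the Flink/Blink layout; walk, build_list and the five-entry list with one damaged Blink are constructed for illustration, and in-process pointers stand in for dump addresses.

```c
#include <stddef.h>
#include <stdio.h>

/* Same two-pointer layout as the Windows LIST_ENTRY. */
typedef struct list_entry { struct list_entry *Flink, *Blink; } list_entry;

static list_entry *step(list_entry *e, int fwd) { return fwd ? e->Flink : e->Blink; }

/* Walk from head (fwd=1 via Flink, fwd=0 via Blink). Before moving on, check
 * that the next entry's opposite link points back to the current one. Entries
 * reached are stored in out[]; *bad is the entry that failed the check, or
 * NULL if the walk came full circle. max bounds the walk on a corrupted list. */
size_t walk(list_entry *head, int fwd, list_entry **out, size_t max, list_entry **bad)
{
    size_t n = 0;
    list_entry *cur = head;
    *bad = NULL;
    while (n < max) {
        list_entry *next = step(cur, fwd);
        if (step(next, !fwd) != cur) { *bad = next; break; } /* does not point back */
        if (next == head) break;                             /* list is intact */
        out[n++] = cur = next;
    }
    return n;
}

/* Link head and e[0..n-1] into a circular doubly linked list. */
void build_list(list_entry *head, list_entry *e, size_t n)
{
    list_entry *prev = head;
    for (size_t i = 0; i < n; i++) { prev->Flink = &e[i]; e[i].Blink = prev; prev = &e[i]; }
    prev->Flink = head;
    head->Blink = prev;
}

int main(void)
{
    list_entry head, e[5], stray = { &stray, &stray }, *out[8], *bad;
    build_list(&head, e, 5);
    e[2].Blink = &stray;               /* constructed damage: one wrong Blink */
    size_t f = walk(&head, 1, out, 8, &bad);
    printf("forward:  %zu entries, Blink mismatch at e[%td]\n", f, bad - e);
    size_t b = walk(&head, 0, out, 8, &bad);
    printf("backward: %zu entries, %zu of 5 reached in total\n", b, f + b);
    return 0;
}
```

Against a real dump each link has to be read through the debugger, and a damaged link may point at memory that is not present in the dump.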
