Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Injected Symbols

This pattern can be used to add missing symbols when we have Reduced Symbol Information (page 174), as was done previously in an older case study (Volume 1, page 199). For example, the TestWER20 module was compiled with static MFC and CRT libraries, so its private PDB file contains all the necessary symbols, including the MSG structure. We can load that module into the notepad.exe process space and apply its symbols:

0:000:x86> lm
start    end        module name
00fc0000 00ff0000   notepad    (pdb symbols)   c:\mss\notepad.pdb\E325F5195AE94FAEB58D25C9DF8C0CFD2\notepad.pdb
10000000 10039000   WinCRT     (deferred)
727f0000 7298e000   comctl32   (deferred)
72aa0000 72af1000   winspool   (deferred)
72b10000 72b19000   version    (deferred)
72e40000 72e48000   wow64cpu   (deferred)
...

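The following WinDbg command sequence is an added example, not taken from the book, showing how the injected module's private symbols are applied and then used once the module appears in the lm listing. The symbol path C:\Symbols\Private is a placeholder, and the address passed to dt is a constructed value; the module name WinCRT is the one shown above.

```windbg
$$ Add the directory holding the private PDB (placeholder path, an assumption)
.sympath+ C:\Symbols\Private

$$ Force symbol loading for the injected module instead of leaving it deferred
.reload /f WinCRT.dll

$$ Check: the module should now report "(private pdb symbols)" rather than "(deferred)"
lm m WinCRT

$$ The MSG layout is now available through the injected module's symbols
dt WinCRT!MSG

$$ Overlay the structure on a candidate address (constructed value, not from the book)
dt WinCRT!MSG 0x0012f7a0
```

The check after .reload is the important one: if lm still prints "(deferred)" or "(export symbols)", the PDB was not matched and every later dt will fail with a "symbol not found" error. Borrowing a type this way is only sound when the structure is a public, stable Win32 definition such as MSG; for private or version-specific structures the layout in the injected module need not match the one used by the target process.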