Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Small Values

Sometimes we see so-called Small Values in memory (for example, on the raw stack) or in CPU registers. Such a value can be an ASCII or Unicode character, some ID, or even a handle. In aggregate they can form a certain Semantic Structure (Volume 6, page 73), such as a PID.TID example, or a Regular Data (page 106) pattern. Here we illustrate a handle example (also an example of Wait Chain analysis in user space, Volume 1, page 482):

0:000> kv
Child-SP          RetAddr           : Args to Child                                                            : Call Site
00000000`0016de78 000007fe`fcf010dc : 00000000`02c79fa0 00000000`08c3faf0 00000000`021551f0 00000000`08c3fb00 : ntdll!NtWaitForSingleObject+0xa
00000000`0016de80 000007fe`f90e6d7f : 00000000`10b40010 00000000`10b40010 00000000`00000000 00000000`000007e0 : KERNELBASE!WaitForSingleObjectEx+0x79 ...
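As an added example (not from the book), the following Python script parses frames in the kv layout above and flags Args-to-Child slots holding candidate Small Values, using the heuristics this pattern relies on: printable ASCII or Unicode code units, and handle- or ID-like values (user-mode handles, PIDs and TIDs are multiples of 4). The sample frames are reconstructed from the listing above; the 0x10000 cutoff and the tag names are assumptions, and on x64 the argument slots mirror register home space and can be stale, so hits are leads to confirm with !handle, not conclusions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the two frames from the kv listing above, re-joined onto
# single lines the way WinDbg prints them (the trailing "..." is dropped).
KV_OUTPUT = """\
00000000`0016de78 000007fe`fcf010dc : 00000000`02c79fa0 00000000`08c3faf0 00000000`021551f0 00000000`08c3fb00 : ntdll!NtWaitForSingleObject+0xa
00000000`0016de80 000007fe`f90e6d7f : 00000000`10b40010 00000000`10b40010 00000000`00000000 00000000`000007e0 : KERNELBASE!WaitForSingleObjectEx+0x79
"""

HEX64 = r"[0-9a-f]{8}`[0-9a-f]{8}"  # WinDbg x64 value with backtick separator
FRAME_RE = re.compile(r"^(" + HEX64 + r") (" + HEX64 + r") : ((?:" + HEX64 + r" ?){4}) : (\S+)", re.I)

def _hex(s: str) -> int:
    return int(s.replace("`", ""), 16)

def parse_kv(text: str) -> List[dict]:
    """One dict per frame: child_sp, ret_addr, args (four ints) and site."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append({"child_sp": _hex(m.group(1)), "ret_addr": _hex(m.group(2)),
                           "args": [_hex(a) for a in m.group(3).split()], "site": m.group(4)})
    return frames

def classify_small_value(v: int, limit: int = 0x10000) -> Dict[str, bool]:
    """Heuristic tags for a candidate Small Value; empty dict if v is 0 or not small (limit is assumed)."""
    if not 0 < v < limit:
        return {}
    return {
        "ascii": 0x20 <= v < 0x7F,                      # printable 7-bit character
        "unicode": v >= 0x80 and chr(v).isprintable(),  # printable UTF-16 code unit
        "handle_or_id": v % 4 == 0,  # user-mode handles, PIDs and TIDs keep the low 2 bits clear
    }

def find_small_values(frames: List[dict], limit: int = 0x10000) -> List[Tuple[str, int, int, Dict[str, bool]]]:
    """Flag Args-to-Child slots holding a candidate Small Value as (site, slot, value, tags).
    On x64 these slots mirror register home space and may be stale, so hits are leads to verify."""
    hits = []
    for f in frames:
        for slot, v in enumerate(f["args"]):
            tags = classify_small_value(v, limit)
            if any(tags.values()):
                hits.append((f["site"], slot, v, tags))
    return hits

if __name__ == "__main__":
    for site, slot, v, tags in find_small_values(parse_kv(KV_OUTPUT)):
        print(f"{site}: arg{slot} = {v:#x} -> {[k for k, t in tags.items() if t]}")
```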
