Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

RIP Stack Trace

An injected code address may not fall within the address range of any loaded module. In such cases the execution call history shows plain EIP or RIP return addresses, unresolved to any symbol, on stack traces. We call this pattern RIP Stack Trace partly because we have seen such addresses after something had gone wrong and a process crashed:

 0:005> k
 ChildEBP RetAddr
 02aec974 77655620 ntdll!KiFastSystemCallRet
 02aec978 77683c62 ntdll!NtWaitForSingleObject+0xc
 02aec9fc 77683d4b ntdll!RtlReportExceptionEx+0x14b
 02aeca3c 7769fa87 ntdll!RtlReportException+0x3c
 02aeca50 7769fb0d ntdll!RtlpTerminateFailureFilter+0x14
 02aeca5c 775f9bdc ntdll!RtlReportCriticalFailure+0x6b
 02aeca70 775f4067 ntdll!_EH4_CallFilterFunc+0x12
 02aeca98 77655f79 ntdll!_except_handler4+0x8e
 ...
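The check the pattern implies can be automated: take the module list from WinDbg's lm command and flag every frame of a k stack trace whose return address, or whose frame code address when WinDbg prints a bare 0x... instead of a symbol, lies in no module's [start, end) range. The script below is an added example, not code from the book or from Dmitry Vostokov; it assumes the usual x86 column layout of lm and k output and also accepts the x64 backtick form (00000000`77655620). The lm and k text embedded in it is constructed for illustration, not taken from the crash above, and the addresses in it are invented.

```python
"""Flag stack frames whose addresses are backed by no loaded module
(the RIP Stack Trace pattern) from WinDbg 'lm' and 'k' output."""
import re
from typing import List, Optional, Tuple

# A WinDbg address: 8 hex digits on x86, or 16 with a backtick separator on x64.
ADDR = r"[0-9a-fA-F`]{8,17}"

# Constructed sample of 'lm' output (start, end, module name); illustrative only.
LM_OUTPUT = """\
start    end        module name
00400000 0045a000   app        (deferred)
75e60000 75f0b000   kernel32   (deferred)
77620000 7775c000   ntdll      (pdb symbols)
"""

# Constructed sample of 'k' output. The third frame returns into 01d3ff20,
# which no module above covers, and the fourth frame's code has no symbol at
# all (WinDbg prints the bare address): the shape the pattern describes.
K_OUTPUT = """\
ChildEBP RetAddr
02aec974 77655620 ntdll!KiFastSystemCallRet
02aec978 77683c62 ntdll!NtWaitForSingleObject+0xc
02aec9fc 01d3ff20 ntdll!RtlReportExceptionEx+0x14b
02aeca3c 75e6336a 0x1d3ff20
02aeca50 00000000 kernel32!BaseThreadInitThunk+0x12
"""


def parse_addr(text: str) -> int:
    """Parse a WinDbg address, dropping the x64 backtick if present."""
    return int(text.replace("`", ""), 16)


def parse_lm(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, name) for every module line of 'lm' output."""
    pat = re.compile(rf"^\s*({ADDR})\s+({ADDR})\s+(\S+)")
    mods = []
    for line in text.splitlines():
        m = pat.match(line)
        if m:  # the header line has no hex columns and is skipped
            mods.append((parse_addr(m.group(1)), parse_addr(m.group(2)), m.group(3)))
    return mods


def module_for(addr: int, mods: List[Tuple[int, int, str]]) -> Optional[str]:
    """Name of the module whose [start, end) range contains addr, else None."""
    for start, end, name in mods:
        if start <= addr < end:
            return name
    return None


def parse_k(text: str) -> List[Tuple[int, int, str]]:
    """Return (child_ebp, ret_addr, symbol) for every frame line of 'k' output."""
    pat = re.compile(rf"^\s*({ADDR})\s+({ADDR})\s+(.+?)\s*$")
    frames = []
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            frames.append((parse_addr(m.group(1)), parse_addr(m.group(2)), m.group(3)))
    return frames


def find_unbacked_frames(k_text: str, lm_text: str) -> List[Tuple[int, str, int]]:
    """Return (frame_index, kind, address) for every address on the trace that
    no loaded module backs. kind is 'retaddr' for a return address outside all
    modules and 'frame' for a frame whose symbol column is a bare 0x... address
    that is itself outside all modules."""
    mods = parse_lm(lm_text)
    hits = []
    for idx, (_, ret, sym) in enumerate(parse_k(k_text)):
        # A zero return address is the thread's outermost frame, not a finding.
        if ret and module_for(ret, mods) is None:
            hits.append((idx, "retaddr", ret))
        bare = re.match(r"^0x([0-9a-fA-F`]+)$", sym)
        if bare and module_for(parse_addr(bare.group(1)), mods) is None:
            hits.append((idx, "frame", parse_addr(bare.group(1))))
    return hits


if __name__ == "__main__":
    for idx, kind, addr in find_unbacked_frames(K_OUTPUT, LM_OUTPUT):
        print(f"frame {idx}: {kind} {addr:08x} is outside every loaded module")
```

Run it on the real lm and k output of a dump by pasting them in place of the constructed samples. Every hit is a candidate for the pattern; the next step in the debugger is to dump the memory at that address (for example with !address and u) to see whether it holds code that no module on disk accounts for.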
