Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Raw Pointer

This pattern is about pointers without matching symbol files. Such a pointer may lie in the expected module range, in the range of some other known module (and so print as module + offset), or completely outside the range of every module in the loaded module list, in which case it is just a number. Certain structures and arrays (tables) are expected to hold only pointers with matching symbols, for example the IAT, the IDT and the 32-bit SSDT, so an occurrence of a raw pointer there immediately raises suspicion, as in this Import Address Table from ProcessA:

    [...]
    00000001`3f8a9048 00000000`76e282d0 ntdll!RtlSizeHeap
    00000001`3f8a9050 00000000`76bf9070 kernel32!GetStringTypeWStub
    00000001`3f8a9058 00000000`76c03580 kernel32!WideCharToMultiByteStub
    ...
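To make the pattern's three cases concrete, here is an added example (not from the book) that classifies every target in a table like the IAT above against a loaded-module list and a symbol table; the module bases and sizes, the symbol table and the two extra slots are constructed values, not taken from the dump.

```python
# Constructed loaded-module list as (name, base, size); values are made up.
MODULES = [
    ("ntdll", 0x76E00000, 0x1A9000),
    ("kernel32", 0x76BE0000, 0x11F000),
    ("ProcessA", 0x13F8A0000, 0x20000),
]

# Constructed symbol table: only these targets have matching symbols.
SYMBOLS = {
    0x76E282D0: "ntdll!RtlSizeHeap",
    0x76BF9070: "kernel32!GetStringTypeWStub",
    0x76C03580: "kernel32!WideCharToMultiByteStub",
}

# Sample IAT (slot address -> target pointer): the three entries from the
# listing above plus two constructed raw pointers.
SAMPLE_IAT = {
    0x13F8A9048: 0x76E282D0,
    0x13F8A9050: 0x76BF9070,
    0x13F8A9058: 0x76C03580,
    0x13F8A9060: 0x13F8A1234,  # inside ProcessA: reported as module+offset
    0x13F8A9068: 0x12345678,   # outside every loaded module: just a number
}

def find_module(addr, modules=MODULES):
    """Return (name, base, size) of the module whose range holds addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return (name, base, size)
    return None

def classify(addr, expected_modules, modules=MODULES, symbols=SYMBOLS):
    """Return (category, description) for one pointer value."""
    if addr in symbols:
        return ("symbol", symbols[addr])           # resolves: not raw
    m = find_module(addr, modules)
    if m is None:
        return ("raw-out-of-range", f"{addr:#x}")  # no module: just a number
    desc = f"{m[0]}+{addr - m[1]:#x}"              # module+offset form
    if m[0] in expected_modules:
        return ("raw-in-expected-module", desc)    # e.g. symbols not loaded
    return ("raw-in-other-module", desc)           # e.g. unexpected target

def suspicious_slots(table, expected_modules):
    """List every slot whose target does not resolve to a symbol."""
    rows = []
    for slot, target in table.items():
        cat, desc = classify(target, expected_modules)
        if cat != "symbol":
            rows.append((slot, target, cat, desc))
    return rows
```

Running suspicious_slots(SAMPLE_IAT, {"ntdll", "kernel32"}) flags only the two constructed slots, one as ProcessA+0x1234 and one as a bare number.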
