Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Out-of-Module Pointer

This pattern is about pointers whose targets lie outside the address range of the module that is expected to own them. A typical example is a kernel table or structure such as a driver's IRP dispatch table (DRIVER_OBJECT.MajorFunction) with entries pointing outside that driver's module range. Other examples include a 32-bit SSDT (KiServiceTable holds absolute function pointers on x86, unlike the table-relative offsets used on x64) pointing outside the nt module range, and IDT entries pointing outside hal and the drivers expected to own their interrupt vectors. The check is by address range against the loaded module list (lm), not by the symbol the debugger prints next to the value. An out-of-module pointer is also not by itself proof of patching: a driver that does not handle some IRP major function legitimately leaves that MajorFunction entry pointing at nt!IopInvalidDeviceRequest, whereas a target in an unexpected module, or in no loaded module at all, warrants a closer look. For example, the 32-bit service table listed with dds should resolve entirely inside nt:

[...]
818809dc 8193c4e7 nt!NtQueryOpenSubKeys
818809e0 8193c76b nt!NtQueryOpenSubKeysEx
818809e4 81a909b0 nt!NtQueryPerformanceCounter
818809e8 819920e7 nt!NtQueryQuotaInformationFile
818809ec 819e34f2 nt!NtQuerySection
818809f0 819f470b nt!NtQuerySecurityObject
818809f4 81a882fe nt!NtQuerySemaphore
818809f8 819eff54 nt!NtQuerySymbolicLinkObject
818809fc ...
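The range check described above, as an added example that is not from the book and not a tool the author describes: it parses copied 'lm'-style module ranges and a 'dds'-style table listing (32-bit layout, absolute pointers) and reports every entry whose pointer does not fall inside one of the modules expected to own the table. The module ranges are constructed for a hypothetical x86 kernel layout, the listing reuses the page's nt entries, and the slot 818809fc with value 8c1e0b30 and no symbol is constructed to show what a finding looks like; it is not real data from the dump.

```python
"""Out-of-module pointer check over copied WinDbg output (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Module:
    name: str
    start: int  # inclusive
    end: int    # exclusive

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


@dataclass(frozen=True)
class Entry:
    slot: int              # address of the table cell
    value: int             # pointer stored in that cell
    symbol: Optional[str]  # symbol the debugger printed next to it, if any


@dataclass(frozen=True)
class Finding:
    entry: Entry
    module: Optional[str]  # module actually containing the pointer, None if unknown


# 'lm'-style line: "<start> <end> <module>"; trailing fields are ignored.
LM_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")
# 'dds'-style line: "<slot> <value> [<symbol>]"; '[...]' and '...' lines do not match.
DDS_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?\s*$")


def parse_lm(text: str) -> List[Module]:
    mods = []
    for line in text.splitlines():
        m = LM_RE.match(line)
        if m:
            mods.append(Module(m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    return mods


def parse_dds(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = DDS_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return entries


def find_module(mods: List[Module], addr: int) -> Optional[Module]:
    for mod in mods:
        if mod.contains(addr):
            return mod
    return None


def out_of_module_entries(entries: List[Entry], mods: List[Module],
                          expected: Set[str]) -> List[Finding]:
    """Return entries whose pointer is not inside one of the expected modules.

    The decision is made from the address range only; the printed symbol is
    informational and is not trusted as the test.
    """
    findings = []
    for e in entries:
        owner = find_module(mods, e.value)
        if owner is None or owner.name not in expected:
            findings.append(Finding(e, owner.name if owner else None))
    return findings


# Constructed module list for a hypothetical 32-bit kernel layout (not from the book).
SAMPLE_LM = """\
81800000 81bb0000   nt
81bb0000 81be0000   hal
"""

# The page's SSDT fragment plus one constructed slot (818809fc -> 8c1e0b30, no
# symbol) that resolves to no loaded module; that slot is the illustration.
SAMPLE_DDS = """\
[...]
818809dc 8193c4e7 nt!NtQueryOpenSubKeys
818809e0 8193c76b nt!NtQueryOpenSubKeysEx
818809e4 81a909b0 nt!NtQueryPerformanceCounter
818809e8 819920e7 nt!NtQueryQuotaInformationFile
818809ec 819e34f2 nt!NtQuerySection
818809f0 819f470b nt!NtQuerySecurityObject
818809f4 81a882fe nt!NtQuerySemaphore
818809f8 819eff54 nt!NtQuerySymbolicLinkObject
818809fc 8c1e0b30
...
"""


def check_ssdt(lm_text: str = SAMPLE_LM, dds_text: str = SAMPLE_DDS) -> List[Finding]:
    """A 32-bit SSDT is expected to point only into nt."""
    return out_of_module_entries(parse_dds(dds_text), parse_lm(lm_text), {"nt"})


if __name__ == "__main__":
    for f in check_ssdt():
        where = f.module or "no loaded module"
        print(f"{f.entry.slot:08x} -> {f.entry.value:08x} "
              f"({f.entry.symbol or 'no symbol'}): {where}")
```

For an IDT or a driver's dispatch table the same function is called with a wider allowlist (for example {"nt", "hal"} plus the drivers expected to own the vectors, or the driver itself plus nt for the IopInvalidDeviceRequest slots), so that only targets outside every expected owner are reported.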
