[Vol-users] DPC procedure localization

Michael Hale Ligh michael.hale at gmail.com
Mon Jun 3 09:48:37 CDT 2013


Thanks for the explanation George!

Jaroslav - to answer your other question "how can I dump this using the
offset 0x80013000?" you can use the moddump plugin with --base=0x80013000.

MHL


On Mon, Jun 3, 2013 at 10:43 AM, George M. Garner Jr. <
ggarner_online at gmgsystemsinc.com> wrote:

> Jaroslav,
>
> Kernel timers come and go at a very high rate which leads to a significant
> number of invalid or spurious timer artifacts which result from the fact
> that the memory dump was acquired from the system while it was running.
>  Note that the last two timers are signaled and the periods are not
> coherent.  It is possible that the last two "timer" objects reside in
> memory that once was a kernel timer object and has since been freed and
> that some of the timer fields (e.g. the routine address) have been
> overwritten with incoherent data.  Try running the !pool command on the
> last two timer addresses (0x863ead10 and 0x85e451e8) and see if that memory
> is currently allocated.  (I am assuming that you either have or can convert
> your memory dump to MS crashdump format.)
>
> Regards,
>
> George.
>
>
> On 6/3/2013 9:15 AM, BRTAN Jaroslav wrote:
>
>> Hi all,
>>
>> I'd like to ask you for your help with analysis. The timers module shows
>> that there is a strange DPC at 0x8647e4e0.
>>
>>
>> Timers module output:
>>
>> Offset(V)  DueTime                  Period(ms) Signaled   Routine    Module
>> ---------- ------------------------ ---------- ---------- ---------- ------
>> 0x873097d0 0x0000002f:0x2db9d0c3             0 -          0xa7386d8e arp1394.sys
>> 0x85b9a2c8 0x8000002d:0x6d7d7c8e             0 -          0x80538a98 ntoskrnl.exe
>> 0x8a332b20 0x0000002f:0x2ea5d991             0 -          0xb9ddef1a NDIS.sys
>> 0x863ead10 0x00010014:0x863ead28    -205...072 Yes        0x8647e4e0 UNKNOWN
>> 0x85e451e8 0x00010014:0x85e45200    -205...072 Yes        0x8647e4e0 UNKNOWN
>>
>>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
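As an added triage example (not code from the thread, and not part of Volatility itself), the script below parses rows in the layout of the `timers` output quoted above and applies George's criteria mechanically: routine outside any loaded module, incoherent period, and a DPC routine shared by several signaled timers. The sample rows are constructed from the thread's table (the truncated period kept as posted); the 32-bit `_KTIMER` size and the "DueTime points back into the object" heuristic are assumptions, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample in the layout of Volatility's `timers` plugin output,
# reduced to the rows quoted in the thread (values copied as posted).
SAMPLE = """\
Offset(V)  DueTime                  Period(ms) Signaled   Routine    Module
---------- ------------------------ ---------- ---------- ---------- ------
0x873097d0 0x0000002f:0x2db9d0c3             0 -          0xa7386d8e arp1394.sys
0x85b9a2c8 0x8000002d:0x6d7d7c8e             0 -          0x80538a98 ntoskrnl.exe
0x8a332b20 0x0000002f:0x2ea5d991             0 -          0xb9ddef1a NDIS.sys
0x863ead10 0x00010014:0x863ead28    -205...072 Yes        0x8647e4e0 UNKNOWN
0x85e451e8 0x00010014:0x85e45200    -205...072 Yes        0x8647e4e0 UNKNOWN
"""

ROW = re.compile(
    r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+):(0x[0-9a-f]+)\s+(\S+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(\S+)$"
)
KTIMER_SIZE = 0x28  # assumed size of nt!_KTIMER on 32-bit XP-era kernels

def parse_timers(text):
    """Parse data rows; header, separator and wrapped fragments are skipped."""
    timers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        off, due_hi, due_lo, period, signaled, routine, module = m.groups()
        timers.append({
            "offset": int(off, 16), "due_hi": int(due_hi, 16), "due_lo": int(due_lo, 16),
            "period": period, "signaled": signaled == "Yes",
            "routine": int(routine, 16), "module": module,
        })
    return timers

def suspicious(timers):
    """Return {offset: [reasons]} for timers that look like stale or freed objects."""
    shared = Counter(t["routine"] for t in timers)
    findings = {}
    for t in timers:
        reasons = []
        if t["module"] == "UNKNOWN":
            reasons.append("routine not inside a loaded module")
        if t["period"].startswith("-") or not t["period"].isdigit():
            reasons.append("period is negative or not a plain integer")
        # Heuristic (assumption): a DueTime whose low dword lands inside the
        # timer object itself (here offset+0x18) looks like a list pointer, not a time.
        if t["offset"] <= t["due_lo"] < t["offset"] + KTIMER_SIZE:
            reasons.append("DueTime low dword points inside the object")
        if t["signaled"] and t["module"] == "UNKNOWN" and shared[t["routine"]] > 1:
            reasons.append("signaled, DPC routine shared with another UNKNOWN timer")
        if reasons:
            findings[hex(t["offset"])] = reasons
    return findings
```

Timers flagged here are candidates for the `!pool` check George describes, not confirmed artifacts; the allocation state of the memory decides.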