WinDbg crash dump parsing for private bytes (except managed heap)?

I want to analyze a complete crash dump file (*.dmp) and get the private bytes data. I know that SysInternals VMMap can tell me how much I have in private bytes, heaps, etc. - everything except what I need - if I have a dump, I have to understand and get the structure and data of the heap (managed heap) from the dump. I already did this by reading the PEB and then walking the heaps.

I cannot figure out how to read the private bytes (except for the heap, which should be the process data for native code). Can someone point me in the right direction so that I can parse the private bytes, except the heap, from the crash dump?

Thanks.

+5
1 answer

!address -summary

In the first section, you'll get a breakdown of usage:

--- Usage Summary ---------------- RgnCount ----------- Total Size -------- %ofBusy %ofTotal
Free                                    170          6f958000 (   1.743 Gb)           87.18%
<unknown>                               477           6998000 ( 105.594 Mb)  40.21%    5.16%
Stack                                   417           5d00000 (  93.000 Mb)  35.42%    4.54%
Image                                   253           3970000 (  57.438 Mb)  21.87%    2.80%
Heap                                     20            600000 (   6.000 Mb)   2.28%    0.29%
TEB                                      93             5d000 ( 372.000 kb)   0.14%    0.02%
Other                                     9             32000 ( 200.000 kb)   0.07%    0.01%
PEB                                       1              1000 (   4.000 kb)   0.00%    0.00%

<unknown> would be the virtual allocs.

To display unknown memory areas, you can run:

!address -f:VAR

VAR, as defined in debugger.chm: Busy regions. These regions include all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other address space that does not fall into any other classification.

+5
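As an added example (not part of the answer above), here is a small Python parser for the usage-summary table that !address -summary prints, run over the sample rows shown in the answer. Treating everything except Free and Image as an approximation of private bytes is my assumption, not something the answer states; the sum with Heap excluded as well matches what the question asks for.

```python
import re

# Constructed sample: the usage-summary section of "!address -summary"
# exactly as shown in the answer above (older WinDbg output format).
SAMPLE_SUMMARY = """\
--- Usage Summary ---------------- RgnCount ----------- Total Size -------- %ofBusy %ofTotal
Free                                    170          6f958000 (   1.743 Gb)           87.18%
<unknown>                               477           6998000 ( 105.594 Mb)  40.21%    5.16%
Stack                                   417           5d00000 (  93.000 Mb)  35.42%    4.54%
Image                                   253           3970000 (  57.438 Mb)  21.87%    2.80%
Heap                                     20            600000 (   6.000 Mb)   2.28%    0.29%
TEB                                      93             5d000 ( 372.000 kb)   0.14%    0.02%
Other                                     9             32000 ( 200.000 kb)   0.07%    0.01%
PEB                                       1              1000 (   4.000 kb)   0.00%    0.00%
"""

# One table row: usage name, decimal region count, hex total size, then "(".
# The header line never matches because its second field is not numeric.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+([0-9a-fA-F]+)\s+\(")


def parse_usage_summary(text):
    """Return {usage_name: (region_count, total_bytes)} from the summary table."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3), 16))
    return rows


def busy_bytes(rows, exclude=("Free", "Image")):
    """Sum the sizes of the usage classes not listed in `exclude`.

    Assumption (mine, not the answer's): Free is not committed and Image is
    file-backed, so the remaining classes approximate the process's private
    bytes. Pass exclude=("Free", "Image", "Heap") to leave out the heap too.
    """
    return sum(size for name, (_, size) in rows.items() if name not in exclude)


if __name__ == "__main__":
    table = parse_usage_summary(SAMPLE_SUMMARY)
    for name, (count, size) in table.items():
        print(f"{name:10} regions={count:4} bytes={size:>12,}")
    print("approx. private bytes:", busy_bytes(table))
    print("approx. private bytes excluding Heap:",
          busy_bytes(table, exclude=("Free", "Image", "Heap")))
```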
