Blogs: 1 - 10 of 25 recent posts for tag: "Windows Internals"

07 Feb 2010
Sometimes session context is important too

3 days ago by snoone

I go on and on about thread and process context in this blog and in my courses, but every once in a rare while session context becomes an important topic. Historically we’ve thought of sessions as being a Terminal Services only concept, where each user logged on to the Terminal Server is provided th ...

Analyze -v - analyze-v.com

04 Feb 2010
Great description of IRQL by Jake Oshins

6 days ago by snoone

Doron Holan’s blog has a guest post by Jake Oshins on IRQL that provides a nice summary of the concept: http://blogs.msdn.com/doronh/archive/2010/02/02/what-is-irql.aspx. For those who aren’t aware, Jake has done lots of development work on the HAL and ACPI (amongst other things) so he’s the one that ...

Analyze -v - analyze-v.com

04 Jan 2010
How to Analyze Kernel Performance Bottlenecks (and Find that ATI’s ...

36 days ago by Helge Klein

Normally, finding the cause for high CPU utilization is easy – just start Task Manager. But what if the component consuming CPU cycles is a driver that runs in the kernel? In that case, there is no regular process Task Manager could attribute the usage to. You will see the “System Idle Process” at a ...

Helge Klein - blogs.sepago.de/helge · Rank: 100,732 · 29 references

19 Dec 2009
x64 Calling Convention

52 days ago by snoone

We’re working up to analyzing an interesting crash by learning more about working with the x64… In order to work with x64 dumps we’re going to need to understand the calling convention used, that is going to allow us to do things such as identify the parameters passed to a particular function. The b ...

Analyze -v - analyze-v.com

17 Dec 2009
x64 Trap Frames

54 days ago by snoone

The first thing that anyone working with x64 dumps needs to know is that trap frames on the x64 do not contain non-volatile register state. What this means for you the analyst is that when you use the .trap command with an x64 target you cannot trust the register contents displayed for rbx, rbp, rdi ...

Analyze -v - analyze-v.com

16 Dec 2009
The 30 Second File Copy Bug, or: EFS = Bad Performance?

55 days ago by Helge Klein

This article describes a bug that dramatically reduces file copy performance on Windows systems. I cannot provide a fix (not having access to the Windows source code), but I have found a workaround. Situation: I have been using a simple backup system for years: I regularly copy new and changed files ...

Helge Klein - blogs.sepago.de/helge · Rank: 100,732 · 29 references

11 Dec 2009
Win7 Crash Dump Mysteries

60 days ago by snoone

I’ve mentioned this here before, but more information on crash dumps and Windows 7 in the latest issue of The NT Insider: http://www.osronline.com/article.cfm?article=545 Also, if you’re a subscriber the mailed issue has another article on common crash dump analysis/bug reporting mistakes that will ...

Analyze -v - analyze-v.com

25 Nov 2009
Custom RtlSetProcessIsCritical Implementation

77 days ago by Cypher

Project: WinNinja. Description: RtlSetProcessIsCritical is an undocumented API that was added in Windows XP. It is a light wrapper around NtSetInformationProcess with the ProcessBreakOnTermination information class. When this flag is enabled on a process, it causes a bugcheck to be raised when the pr ...

Ramblings++ - blog.cypherjb.com · 1 reference

18 Nov 2009
Process directory table base doesn’t match CR3

83 days ago by snoone

You might occasionally have seen this error when opening a crash dump file: "WARNING: Process directory table base doesn't match CR3". What does it mean and why does it happen? The answer to what it means lies in virtual memory. The page directory table is the term used for the base ...

Analyze -v - analyze-v.com

17 Nov 2009
Beware using user mode handles in a driver

84 days ago by snoone

Driver Verifier has been updated in Win7 and several new checks have been added. One of the more interesting checks is the check for accessing user mode handles for kernel mode access. So, for example, take a handle from a user mode application and call ObReferenceObjectByHandle specifying KernelMod ...

Analyze -v - analyze-v.com
