Sunday, April 14, 2013

Kernel Memory Dump Analysis

When you need to analyze a kernel memory dump with windbg...

Kernel memory dumps are written to %systemroot%\MEMORY.DMP
(small memory dumps go to %systemroot%\minidump).

1. Open the MEMORY.DMP file in Windbg.

(Symbol path: SRV*c:\[path]*http://msdl.microsoft.com/download/symbols)

2. Enter '!analyze -v' (without quotes) to get detailed debugging information.

KERNEL_DATA_INPAGE_ERROR (7a)
The requested page of kernel data could not be read in. Typically caused by
a bad block in the paging file or disk controller error. Also see
KERNEL_STACK_INPAGE_ERROR.

...

SYMBOL_NAME: volmgrx!VMX_NOTIFICATION_QUEUE::CompleteTaskNotifications+42
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: volmgrx
IMAGE_NAME: volmgrx.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 49e01efd
FAILURE_BUCKET_ID: 0x7a_c000000e_volmgrx!


3. Which process was calling volmgrx.sys? Inspect the current thread with !thread:
kd> !thread

THREAD 9b75f2b0 Cid 18e4.1754 Teb: 7ffdb000 Win32Thread: ffb9f540 RUNNING on processor 1
IRP List:
872f9290: (0006,01d8) Flags: 00060000 Mdl: 00000000
Not impersonating
DeviceMap 8d405780
Owning Process 8abb30e0 Image: vds.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153296998 Ticks: 0
Context Switch Count 205
UserTime 00:00:00.000
KernelTime 00:00:00.171
Win32 Start Address 0x76c70148
Stack Init 8c315000 Current 8c314978 Base 8c315000 Limit 8c312000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
...

4. Confirm that the vds.exe process (the owning process 8abb30e0 shown above) is the one that called volmgrx.sys:
kd> !process 8abb30e0 0

PROCESS 8abb30e0 SessionId: 0 Cid: 18e4 Peb: 7ffd6000 ParentCid: 0294
DirBase: bff34bc0 ObjectTable: 9a5556f0 HandleCount: 193.
Image: vds.exe
...
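The four steps above can be turned into a repeatable triage record. The following is an added Python example, not code from the post: it parses the output of !analyze -v, !thread and !process (saved from the debugger with .logopen, for instance) into the fields an incident ticket needs, and checks that the process named by !process agrees with the owning process reported by !thread. The sample strings are constructed from the lines quoted on this page; the function and field names are the example's own.

```python
import re

# Constructed sample debugger output, assembled from the lines quoted in the post
# (bug check 7a in volmgrx, owning process vds.exe); not a live capture.
SAMPLE_ANALYZE = """KERNEL_DATA_INPAGE_ERROR (7a)
The requested page of kernel data could not be read in. Typically caused by
a bad block in the paging file or disk controller error.

SYMBOL_NAME: volmgrx!VMX_NOTIFICATION_QUEUE::CompleteTaskNotifications+42
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: volmgrx
IMAGE_NAME: volmgrx.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 49e01efd
FAILURE_BUCKET_ID: 0x7a_c000000e_volmgrx!
"""
SAMPLE_THREAD = """THREAD 9b75f2b0 Cid 18e4.1754 Teb: 7ffdb000 Win32Thread: ffb9f540 RUNNING on processor 1
IRP List:
872f9290: (0006,01d8) Flags: 00060000 Mdl: 00000000
Owning Process 8abb30e0 Image: vds.exe
Attached Process N/A Image: N/A
"""
SAMPLE_PROCESS = """PROCESS 8abb30e0 SessionId: 0 Cid: 18e4 Peb: 7ffd6000 ParentCid: 0294
DirBase: bff34bc0 ObjectTable: 9a5556f0 HandleCount: 193.
Image: vds.exe
"""

# Patterns for the fixed-format lines WinDbg prints in each command's output.
BUGCHECK_RE = re.compile(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)\s*$", re.M)
FIELD_RE = re.compile(r"^([A-Z_]+):\s*(.+?)\s*$", re.M)
THREAD_RE = re.compile(r"^THREAD ([0-9a-f]+) Cid ([0-9a-f]+)\.([0-9a-f]+)", re.M)
OWNER_RE = re.compile(r"^Owning Process ([0-9a-f]+) Image: (\S+)", re.M)
PROCESS_RE = re.compile(r"^PROCESS ([0-9a-f]+) SessionId: (\d+) Cid: ([0-9a-f]+)", re.M)
IMAGE_RE = re.compile(r"^Image: (\S+)", re.M)


def parse_analyze(text):
    """Pull the bug check name/code and the KEY: value lines out of !analyze -v output."""
    info = {}
    m = BUGCHECK_RE.search(text)
    if m:
        info["bugcheck_name"] = m.group(1)
        info["bugcheck_code"] = int(m.group(2), 16)
    for key, value in FIELD_RE.findall(text):
        info[key] = value
    parts = info.get("FAILURE_BUCKET_ID", "").split("_")
    # The bucket quoted on the page carries an 8-hex-digit NTSTATUS as its
    # second field; keep it as an integer when present so it can be compared.
    if len(parts) > 1 and re.fullmatch(r"[0-9a-fA-F]{8}", parts[1]):
        info["bucket_status"] = int(parts[1], 16)
    return info


def parse_thread(text):
    """Return the thread address, client id and owning process from !thread output."""
    info = {}
    m = THREAD_RE.search(text)
    if m:
        info["thread"] = m.group(1)
        info["pid"] = int(m.group(2), 16)
        info["tid"] = int(m.group(3), 16)
    m = OWNER_RE.search(text)
    if m:
        info["owning_process"] = m.group(1)
        info["image"] = m.group(2)
    return info


def parse_process(text):
    """Return the EPROCESS address, session, pid and image from !process <addr> 0 output."""
    info = {}
    m = PROCESS_RE.search(text)
    if m:
        info["process"] = m.group(1)
        info["session"] = int(m.group(2))
        info["pid"] = int(m.group(3), 16)
    m = IMAGE_RE.search(text)
    if m:
        info["image"] = m.group(1)
    return info


def triage(analyze_text, thread_text):
    """Steps 2 and 3 combined: what crashed, in which module, on behalf of which process."""
    a = parse_analyze(analyze_text)
    t = parse_thread(thread_text)
    return {
        "bugcheck": a.get("bugcheck_name"),
        "code": a.get("bugcheck_code"),
        "module": a.get("MODULE_NAME"),
        "image": a.get("IMAGE_NAME"),
        "bucket": a.get("FAILURE_BUCKET_ID"),
        "bucket_status": a.get("bucket_status"),
        "process_image": t.get("image"),
        "pid": t.get("pid"),
        "process_object": t.get("owning_process"),
        # Follow-up command for step 4, built from the owning process address.
        "next_command": "!process %s 0" % t["owning_process"] if "owning_process" in t else None,
    }


def confirm_process(process_text, summary):
    """Step 4: !process must name the same object, pid and image that !thread reported."""
    p = parse_process(process_text)
    return (p.get("process") == summary.get("process_object")
            and p.get("pid") == summary.get("pid")
            and p.get("image") == summary.get("process_image"))
```

Calling triage(SAMPLE_ANALYZE, SAMPLE_THREAD) yields module volmgrx, image volmgrx.sys, process vds.exe (pid 0x18e4) and the follow-up command !process 8abb30e0 0; confirm_process(SAMPLE_PROCESS, summary) then returns True because the EPROCESS address, Cid and image name all agree. Since the patterns key on the fixed KEY: value layout rather than on this particular bug check, the same parser can be run over logs from other dumps; a dump whose !thread output has no Owning Process line gives next_command None instead of raising.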