Memory Dump Analysis Anthology - P14: This is a revised, edited, cross-referenced and thematically organized volume of selected blog posts about crash dump analysis and debugging written in 2006 - 2007 for software engineers developing and maintaining products on Windows platforms, technical support and escalation engineers dealing with complex software issues and general Windows users.

Coincidental Symbolic Information

00b1ed18  00720065
00b1ed1c  005b0020
00b1ed20  00500055
00b1ed24  003a0044
00b1ed28  00430050 Application!PrintDocumentLoad+0x5f
00b1ed2c  0035004c
00b1ed30  005d0063
00b1ed34  00630000

However, this is pure coincidence. The data pattern 00NN00NN clearly belongs to a Unicode string:

0:020> du 00b1ed00
00b1ed00  "ocument Loader [UPD:PCL5c]"

It just happens that the value 00430050 can be interpreted as an address that falls into the Application module address range and its code section:

0:020> lm
start    end      module name
00400000 0044d000 Application

In the second example the crash dump is from a 3rd-party application called AppSql for which we don't have PDB files. We also know that a hook module is installed as a system-wide hook and that it had some problems in the past. It is loaded into any address space but is not necessarily used. We want to see if there are traces of it on the problem thread stack. Dumping the stack contents shows us only one reference:

00118cb0  37302f38
00118cb4  00000000
00118cb8  10008e00 myhook!notify_me+0x22c
00118cbc  01400000
00118cc0  00118abc
00118cc4  06a129f0
00118cc8  00118d04
00118ccc  02bc57d0
00118cd0  04ba5d74
00118cd4  00118d30
00118cd8  0000001c
00118cdc  00000010
00118ce0  075922bc
00118ce4  04a732e0
00118ce8  075922bc
00118cec  04a732e0
00118cf0  0066a831 AppSql+0x26a831
00118cf4  04a732d0
00118cf8  02c43190
00118cfc  00000001
00118d00  0000001c
00118d04  00118d14
00118d08  0049e180 AppSql+0x9e180
00118d0c  02c43190
00118d10  0000001c
00118d14  00118d34

0:020> lm
start    end      module name
00400000 00ba8000 AppSql
10000000 100e0000 myhook

The address 10008e00 looks very round and it might be a set of bit flags; also, if we disassemble the code at this address backwards, we don't see the usual call instruction that would have saved that address on the stack:

0:000> ub 10008e00
myhook!notify_me+0x211:
10008de5 81c180000000    add     ecx,80h
10008deb
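The two checks applied above, the 00NN00NN Unicode pattern and the "very round" value, cross-checked against the module ranges from lm, can be run mechanically over pasted dds and lm output. This is an added example, not code from the book; its listings are constructed to mirror the dumps above, and the 0040115a slot with its Application!RealCaller symbol is hypothetical, included as a plausible genuine return address for contrast.

```python
import re

# Constructed sample listings modelled on the dumps above (not the book's own output); the 0040115a slot/symbol is hypothetical.
LM_TEXT = """start    end      module name
00400000 0044d000 Application
10000000 100e0000 myhook
"""
DDS_TEXT = """00b1ed18 00720065
00b1ed1c 005b0020
00b1ed20 00500055
00b1ed24 003a0044
00b1ed28 00430050 Application!PrintDocumentLoad+0x5f
00b1ed2c 0035004c
00b1ed30 005d0063
00b1ed34 10008e00 myhook!notify_me+0x22c
00b1ed38 0040115a Application!RealCaller+0x12
"""
LM_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)")        # start end module
DDS_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S+))?")  # slot value [symbol]

def parse_lm(text):  # -> [(start, end, module)]; the header line does not match and is skipped
    return [(int(m[1], 16), int(m[2], 16), m[3]) for m in map(LM_RE.match, text.splitlines()) if m]

def parse_dds(text):  # -> [(slot, value, symbol or None)]
    return [(int(m[1], 16), int(m[2], 16), m[3]) for m in map(DDS_RE.match, text.splitlines()) if m]

def utf16_chars(value):
    """Decode a 00NN00NN dword as two printable UTF-16LE chars (low half first), else None."""
    lo, hi = value & 0xFFFF, value >> 16
    return chr(lo) + chr(hi) if all(0x20 <= c <= 0x7E for c in (lo, hi)) else None

def triage(dds_text, lm_text):
    """For each symbolised slot: (symbol, containing module, reasons to doubt the symbol)."""
    mods, slots, report = parse_lm(lm_text), parse_dds(dds_text), {}
    for i, (slot, value, sym) in enumerate(slots):
        if sym is None:
            continue
        module = next((n for s, e, n in mods if s <= value < e), None)
        reasons = []
        if utf16_chars(value):  # 00NN00NN pattern: walk over neighbouring slots to recover the text
            lo = hi = i
            while lo > 0 and utf16_chars(slots[lo - 1][1]):
                lo -= 1
            while hi + 1 < len(slots) and utf16_chars(slots[hi + 1][1]):
                hi += 1
            reasons.append("UTF-16 text " + repr("".join(utf16_chars(v) for _, v, _ in slots[lo:hi + 1])))
        if value & 0xFF == 0:  # 'very round' value: more often flags or a size than a return address
            reasons.append("round value")
        report[f"{slot:08x}"] = (sym, module, reasons)
    return report
```

Calling triage(DDS_TEXT, LM_TEXT) flags the 00430050 slot as part of the text "er [UPD:PCL5c]" and the 10008e00 slot as a round value, while the hypothetical 0040115a slot gets no red flags; a slot with no flags still deserves the backwards-disassembly check shown above.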