Re: Re: [ntdev] Finding pool tags in loaded images

These are generic opinions; take them with a pinch of salt.

The tags allocated by the ExAllocatePool* variants normally end up in the
ranges that are defined by

KernelSpaceUsagePagedPool
KernelSpaceUsageNonPagedPoolExpansion
KernelSpaceUsageNonPagedPool

I am not sure you can find the allocations in module ranges unless
you are looking for a static tag already present in the binary.

To answer your query: you can use .printf in !for_each_module. You
need a space between each @# alias, you need to escape all double quotes,
and multiple commands are separated by semicolons:

lkd> !for_each_module ".printf \" @#ModuleIndex : @#Base @#End @#ModuleName \n\n\"; s -a @#Base @#End \"what\" ; .echo \n "
00 : 00d10000 00e51000 dbghelp_d10000
01 : 00ea0000 00ed6000 kext
02 : 01000000 01097000 windbg
03 : 010a0000 01365000 xpsp2res
0118ca4a  77 68 61 74 20 73 74 72-65 6e 67 74 68 20 73 65  what strength se

04 : 01400000 016f9000 ext
01403799  77 68 61 74 20 79 6f 75-20 77 65 72 65 20 64 6f  what you were do
01405728  77 68 61 74 20 68 61 70-70 65 6e 65 64 2e 20 20  what happened.
0140ac50  77 68 61 74 20 74 68 65-73 65 0a 74 72 61 70 73  what these.traps
0140b232  77 68 61 74 20 74 68 65-0a 70 72 6f 62 6c 65 6d  what the.problem
0140f6c4  77 68 61 74 65 76 65 72-20 69 6e 66 6f 72 6d 61  whatever informa
01418a04  77 68 61 74 20 69 74 20-73 68 6f 75 6c 64 20 62  what it should b
01421c0b  77 68 61 74 20 79 6f 75-20 77 6f 75 6c 64 20 73  what you would s
01424474  77 68 61 74 0a 09 77 61-73 20 65 78 70 65 63 74  what..was expect
0142645d  77 68 61 74 20 6c 65 61-64 20 74 6f 20 74 68 69  what lead to thi

On 8/22/14, Marion Bond wrote:
> Note that although likely, it is not assured that corruption was caused by a
> module that actually allocated with that tag. Any KM module can access any
> KM address and arbitrary bugs can access arbitrary data or addresses with
> spectacular effects.
>
> Sent from Surface Pro
>
> From: Bedanto
> Sent: Thursday, August 21, 2014 9:33 AM
> To: Windows System Software Devs Interest List
>
> All,
>
> I am trying to debug a memory corruption case. I have been able to
> successfully identify the pool of memory which is corrupting the system. I
> am trying to run the debugger
>
> !for_each_module s-a @#Base @#End "Tag1"
>
> to search for the tag string literal. But the output is a lot of modules
> since the string seems to be used in a lot of images (Tag1 is a placeholder
> string I gave, it is not the actual tag name).
>
> so how can I from this point, find out the exact binary (out of all these)
> which is probably causing the bad allocation?
>
> Also, how do I print the module name with the above command? I am
> unable to use the #ModuleName properly here.
>
> thanks
>
> Bedanto
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
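The thread's problem is that `s -a @#Base @#End "Tag1"` matches every image that merely contains the text "Tag1", not only the driver that passes that tag to ExAllocatePoolWithTag. The following is an added example (not code from the thread or from OSR) that does the same search offline over a set of module images and narrows the list: a pool tag is stored with its first character in the low byte, so the 4 bytes `s -a` finds are also the imm32 operand of the instruction that loads the Tag argument, `mov r8d, imm32` (41 B8) on x64 or `push imm32` (68) on x86. A hit preceded by one of those opcodes is a likely allocation call site; a hit without one is just a string. The module blobs, module names and the `Tag1` tag are all constructed for the example; the opcode check is a heuristic (a compiler may also load the tag from a register), so treat it as a way to rank suspects, not as proof.

```python
"""Offline equivalent of  !for_each_module s -a @#Base @#End "Tag1".

Added example for the NTDEV thread above, not the list's or OSR's code.
Scans constructed module images for a 4-byte pool tag and classifies
each hit as a plain string or as a likely ExAllocatePoolWithTag call site.
"""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# Opcode bytes that immediately precede the imm32 Tag operand.  Tag is the
# third argument of ExAllocatePoolWithTag: r8d on x64, last push on x86.
_X64_MOV_R8D_IMM32 = b"\x41\xb8"   # mov r8d, imm32
_X86_PUSH_IMM32 = b"\x68"          # push imm32


def tag_to_dword(tag: str) -> int:
    """Value of the tag as the kernel (and !pool) shows it: the first
    character lands in the low byte, so 'Tag1' -> 0x31676154 and the bytes
    in memory read "Tag1" in order, which is why `s -a` can find it."""
    if len(tag) != 4:
        raise ValueError("pool tags are exactly four characters")
    return struct.unpack("<I", tag.encode("ascii"))[0]


@dataclass
class Hit:
    module: str
    offset: int      # offset of the tag bytes inside the image
    kind: str        # "x64-call", "x86-call" or "string"
    context: bytes   # the bytes just before the tag plus the tag itself


def classify(image: bytes, off: int) -> str:
    """Heuristic: is the tag at `off` an imm32 operand of a call setup?"""
    if off >= 2 and image[off - 2:off] == _X64_MOV_R8D_IMM32:
        return "x64-call"
    if off >= 1 and image[off - 1:off] == _X86_PUSH_IMM32:
        return "x86-call"
    return "string"


def scan_modules(modules: dict[str, bytes], tag: str) -> list[Hit]:
    """Search every module image for the tag, like !for_each_module + s -a."""
    needle = struct.pack("<I", tag_to_dword(tag))   # identical to tag.encode()
    hits: list[Hit] = []
    for name, image in modules.items():
        for m in re.finditer(re.escape(needle), image):
            off = m.start()
            hits.append(Hit(name, off, classify(image, off),
                            image[max(0, off - 2):off + 4]))
    return hits


def likely_allocators(hits: list[Hit]) -> list[str]:
    """Modules where the tag appears as a call-site immediate, not as text."""
    return sorted({h.module for h in hits if h.kind != "string"})


# Constructed module images (hypothetical names; not real drivers).
SAMPLE_MODULES: dict[str, bytes] = {
    # x64: mov r8d,'Tag1'; mov edx,100h; xor ecx,ecx; call ExAllocatePoolWithTag
    "drvx64.sys": b"\x90" * 8 + b"\x41\xb8" + b"Tag1"
                  + b"\xba\x00\x01\x00\x00\x33\xc9\xe8\x00\x00\x00\x00",
    # x86: push 'Tag1'; push 100h; push 0; call [ExAllocatePoolWithTag]
    "drvx86.sys": b"\xcc" * 4 + b"\x68" + b"Tag1"
                  + b"\x68\x00\x01\x00\x00\x6a\x00\xff\x15\x00\x00\x00\x00",
    # Resource DLL that only contains the word "Tag1" inside a message string.
    "msgres.dll": b"Use Tag1 to label this entry\x00",
    # Module with no occurrence of the tag at all.
    "clean.sys": b"\x48\x89\x5c\x24\x08" * 4,
}


if __name__ == "__main__":
    print(f"tag 'Tag1' as DWORD: 0x{tag_to_dword('Tag1'):08x}")
    for h in scan_modules(SAMPLE_MODULES, "Tag1"):
        print(f"{h.module:12s} +{h.offset:04x} {h.kind:9s} {h.context.hex(' ')}")
    print("likely allocators:", likely_allocators(scan_modules(SAMPLE_MODULES, "Tag1")))
```

Against a live target the same idea works with the debugger alone: after the `s -a` hit list, `u <hit address>-2` (or `-1` on x86) shows whether the bytes before the tag disassemble to the `mov r8d`/`push` that loads the Tag argument, and `!pool`/`!poolused` report the tag as the DWORD that `tag_to_dword` computes.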