Hi, let's say I'm inspecting a process and found this:
THREAD ffffd6097211a700  Cid 0edc.0f40  Teb: 000000551979e000 Win32Thread: ffffd6095dbc7080 WAIT: (WrUserRequest) UserMode Non-Alertable
    ffffd60971c08f80  QueueObject
Not impersonating
DeviceMap                 ffffbf085d2e0fb0
Owning Process            ffffd60971c66540       Image:         sihost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      333686         Ticks: 18333 (0:00:04:46.453)
Context Switch Count      130            IdealProcessor: 1
UserTime                  00:00:00.015
KernelTime                00:00:00.093
Win32 Start Address combase!CRpcThreadCache::RpcWorkerThreadEntry (0x00007ffb2f187870)
Stack Init ffff86047ae1bc90 Current ffff86047ae1b250
Base ffff86047ae1c000 Limit ffff86047ae16000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.

!thread ffffd6097211a700
Unable to get field ReservedForNtRpc of type TEB at 0xffffd6097211a700
I tried, without success, things like:
.pagein /f /p ffffd60971c66540 ffff86047ae16000
using the kernel and user-mode stack area addresses (the latter obtained from the TEB), but the pages are not loaded after the
Are there some OS settings I'm forgetting to check, or some extra step I'm missing?
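The sequence a kernel debugger session normally needs around `.pagein` is shown below. This is an added illustration, not part of the original post or an answer from the list; the thread, process and stack addresses are the ones quoted above, and the `$$` lines are comments, not debugger output. It assumes a live kernel debugging session (`.pagein` cannot satisfy a page fault against a crash dump or in local kernel debugging), and that the target can be resumed with `g`, because the page-in is performed by the target OS itself, not by the debugger.

```windbg
$$ 1. Ask the target to page the out-swapped kernel stack back in.
$$    The address is the stack Limit (lowest address) from !thread; /f forces
$$    the request even where the debugger would otherwise consider it unsafe.
.pagein /f /p ffffd60971c66540 ffff86047ae16000

$$ 2. Nothing is resident yet: the request is only queued. Resume the target so
$$    the kernel can service the fault; the debugger breaks back in when done.
g

$$ 3. Re-examine the thread. The "Kernel stack not resident" line should be
$$    replaced by a kernel-mode call stack if the page-in succeeded.
!thread ffffd6097211a700

$$ 4. The TEB error above is a separate problem: user-mode memory belongs to
$$    sihost.exe, so switch the debugger's context to that thread's process
$$    (and reload user-mode symbols) before dereferencing TEB fields.
.thread /p /r ffffd6097211a700
!teb 000000551979e000

$$ 5. If the TEB pages are themselves paged out, request them the same way,
$$    resume, and repeat the inspection.
.pagein /p ffffd60971c66540 000000551979e000
g
!teb 000000551979e000
```

A thread that has waited for several seconds (here nearly five minutes, per the `Ticks` field) can have its kernel stack swapped out by the memory manager; that is what "Kernel stack not resident" reports, and it is expected rather than a configuration fault. The point to remember is step 2: `.pagein` never succeeds while the target is stopped, so running `!thread` again immediately after it will still show the stack as non-resident.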