Read an embedded resource

Albert Member - All Emails Posts: 449

I have seen many dumps where the output of lm is like so:

0: kd> lmDvmMyDrv
Browse full module list
start end module name
fffff802f67e00000 fffff802f67fc000 MyDrv T (private pdb symbols) C:\ProgramData\Dbg\sym\MyDrv.pdb\1E8296A5E1ABCD66E9DC9C86CACDFE1\MyDrv.pdb
Loaded symbol image file: MyDrv.sys
Image path: \??\C:\TestBin\MyDrv.sys
Image name: MyDrv.sys
Browse all global symbols functions data
Timestamp: ***** Invalid (F7D8FE12)
CheckSum: 0001B845
ImageSize: 0001C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.

Is it possible to parse the embedded resource inside the binary of the crash dump to dig out the version_info?

Comments

  • Pavel_A Member Posts: 2,738
    edited October 17

    Yes, possible and has been discussed in this list long ago. Stamped as "undocumented hack" and rejected ;)

    Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.

    A good question. This part of the PE header should stay and remain untouched.

    -- pa

  • Albert Member - All Emails Posts: 449

    @Pavel_A said:
    Yes, possible and has been discussed in this list long ago. Stamped as "undocumented hack" and rejected ;)

    If you still find that link, please share. Desperate times need desperate measures.
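
An added example, not part of the thread and not code from any of the posters: one way to recover the version numbers the question asks about is to scan the module's raw bytes for the `VS_VERSION_INFO` key and decode the `VS_FIXEDFILEINFO` block that follows it. It assumes the module's memory range has already been saved from the dump to a file (for instance with WinDbg's `.writemem`) and that the resource pages were captured in the dump; the function names `find_version_info` and `build_sample` and the sample buffer are constructed for illustration.

```python
import struct

# szKey of VS_VERSIONINFO, UTF-16LE including its terminating NUL (32 bytes)
KEY = "VS_VERSION_INFO\0".encode("utf-16-le")
FFI_SIGNATURE = 0xFEEF04BD           # VS_FIXEDFILEINFO.dwSignature
FFI = struct.Struct("<13I")          # VS_FIXEDFILEINFO is 13 DWORDs (52 bytes)
HDR = struct.Struct("<3H")           # wLength, wValueLength, wType


def _dotted(ms, ls):
    """Format a version stored as two DWORDs (MS, LS) as a.b.c.d."""
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def find_version_info(image):
    """Scan raw module bytes and decode every valid VS_FIXEDFILEINFO found."""
    hits = []
    pos = image.find(KEY)
    while pos != -1:
        start = pos - HDR.size                            # header precedes szKey
        value = start + ((HDR.size + len(KEY) + 3) & ~3)  # Value is DWORD-aligned
        if start >= 0 and value + FFI.size <= len(image):
            _, value_len, _ = HDR.unpack_from(image, start)
            f = FFI.unpack_from(image, value)
            # Reject matches whose value is zeroed (page not captured) or coincidental.
            if value_len == FFI.size and f[0] == FFI_SIGNATURE:
                hits.append({"offset": start,
                             "file_version": _dotted(f[2], f[3]),
                             "product_version": _dotted(f[4], f[5])})
        pos = image.find(KEY, pos + 2)
    return hits


def build_sample():
    """Constructed buffer: one decoy key with a zeroed value, one valid block."""
    ffi = FFI.pack(FFI_SIGNATURE, 0x00010000,
                   (1 << 16) | 2, (3 << 16) | 4,      # file version 1.2.3.4
                   (5 << 16) | 6, (7 << 16) | 8,      # product version 5.6.7.8
                   0x3F, 0, 0x00040004, 3, 7, 0, 0)
    good = HDR.pack(40 + FFI.size, FFI.size, 0) + KEY + b"\0\0" + ffi
    decoy = HDR.pack(0, 0, 0) + KEY + b"\0" * 54
    return b"\x90" * 64 + decoy + b"\0" * 12 + good


if __name__ == "__main__":
    for hit in find_version_info(build_sample()):
        print(hit)
```

An empty result on a real dump usually means the resource pages were not resident or not included in that dump type, not that the driver lacks a version resource.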
