
Read an embedded resource

Albert Member - All Emails Posts: 502

I have seen many dumps where the output of lm is like so:

0: kd> lmDvmMyDrv
Browse full module list
start end module name
fffff802f67e00000 fffff802f67fc000 MyDrv T (private pdb symbols) C:\ProgramData\Dbg\sym\MyDrv.pdb\1E8296A5E1ABCD66E9DC9C86CACDFE1\MyDrv.pdb
Loaded symbol image file: MyDrv.sys
Image path: \??\C:\TestBin\MyDrv.sys
Image name: MyDrv.sys
Browse all global symbols functions data
Timestamp: ***** Invalid (F7D8FE12)
CheckSum: 0001B845
ImageSize: 0001C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.

Is it possible to parse the embedded resource inside the binary of the crash dump to dig out the version_info?

Comments

  • Pavel_A Member Posts: 2,781
    edited October 2020

    Yes, possible and has been discussed in this list long ago. Stamped as "undocumented hack" and rejected ;)

    Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.

    A good question. This part of the PE header should stay and remain untouched.

    -- pa

  • Albert Member - All Emails Posts: 502

    @Pavel_A said:
    Yes, possible and has been discussed in this list long ago. Stamped as "undocumented hack" and rejected ;)

    If you still find that link, please share; desperate times need desperate measures.

  • Pavel_A Member Posts: 2,781

    Albert,

    I don't remember that ready code or a recipe was posted.
    You'll need to find the PE header of the (driver) module and parse the resource directory.
    Low level equivalent of https://docs.microsoft.com/en-us/windows/win32/menurc/enumerating-resources
    Something like this ...
    https://doxygen.reactos.org/dd/df8/dll_2ntdll_2rtl_2libsupp_8c.html#acf86b1403421d035fc01e3dab69cee84

    -- pa
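
The approach Pavel describes above, walking the PE resource directory down to the RT_VERSION entry and reading VS_FIXEDFILEINFO, as an added example that is not code from this thread or from OSR. It assumes you have a copy of the driver image as bytes, either the on-disk .sys (mapped=False, RVAs translated through the section table) or a copy in memory layout such as one written out with .writemem (mapped=True); the sample image it builds is a constructed stand-in, not a real module.

```python
import struct

RT_VERSION = 16                # resource type id of VS_VERSIONINFO
VS_FFI_SIGNATURE = 0xFEEF04BD  # VS_FIXEDFILEINFO.dwSignature

def _rva_to_off(image, pe, rva, mapped):
    if mapped:                          # image copied out of memory (e.g. .writemem): RVA == offset
        return rva
    nsec, opt = struct.unpack_from("<H", image, pe + 6)[0], struct.unpack_from("<H", image, pe + 20)[0]
    for i in range(nsec):               # on-disk file: translate through IMAGE_SECTION_HEADER[i]
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", image, pe + 24 + opt + i * 40 + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError("RVA %#x is outside every section" % rva)

def file_version(image, mapped=False):
    """Walk the resource directory to RT_VERSION and return FileVersion as (major, minor, build, rev)."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]                           # e_lfanew -> IMAGE_NT_HEADERS
    magic = struct.unpack_from("<H", image, pe + 24)[0]                     # 0x20B = PE32+, 0x10B = PE32
    dd = pe + 24 + (112 if magic == 0x20B else 96) + 2 * 8                  # DataDirectory[RESOURCE]
    res = node = _rva_to_off(image, pe, struct.unpack_from("<I", image, dd)[0], mapped)
    for level in range(3):                                                  # type -> name/id -> language
        named, ids = struct.unpack_from("<HH", image, node + 12)
        cand = [struct.unpack_from("<II", image, node + 16 + 8 * i) for i in range(named + ids)]
        cand = [e for e in cand if level or e[0] == RT_VERSION]             # level 0: keep RT_VERSION only
        if not cand:
            raise LookupError("no RT_VERSION resource in image")
        node = res + (cand[0][1] & 0x7FFFFFFF)                              # high bit = subdirectory
    data_rva, size = struct.unpack_from("<II", image, node)                 # IMAGE_RESOURCE_DATA_ENTRY
    off = _rva_to_off(image, pe, data_rva, mapped)
    pos = image.find(struct.pack("<I", VS_FFI_SIGNATURE), off, off + size)  # VS_FIXEDFILEINFO in the blob
    if pos < 0:
        raise LookupError("VS_FIXEDFILEINFO not found in VS_VERSIONINFO")
    ms, ls = struct.unpack_from("<II", image, pos + 8)                      # dwFileVersionMS, dwFileVersionLS
    return ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF

def build_sample_image():
    # Constructed input: minimal PE32+ in memory layout whose only resource is RT_VERSION 2.5.7.1234.
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    img[0x3C:0x48] = struct.pack("<I4sHH", 0x40, b"PE\0\0", 0x8664, 0)     # e_lfanew, signature, Machine, 0 sections
    struct.pack_into("<H", img, 0x58, 0x20B)                                # IMAGE_OPTIONAL_HEADER64.Magic
    struct.pack_into("<II", img, 0x58 + 112 + 16, 0x200, 0x100)             # resource DataDirectory RVA, size
    for at, entry_id, target in ((0x200, RT_VERSION, 0x80000018), (0x218, 1, 0x80000030), (0x230, 0x409, 0x48)):
        struct.pack_into("<HHII", img, at + 12, 0, 1, entry_id, target)     # one id entry per directory level
    fixed = struct.pack("<13I", VS_FFI_SIGNATURE, 0x10000, (2 << 16) | 5, (7 << 16) | 1234, *[0] * 9)
    blob = struct.pack("<HHH", 92, 52, 0) + "VS_VERSION_INFO".encode("utf-16-le") + b"\0\0\0\0" + fixed
    struct.pack_into("<II", img, 0x248, 0x300, len(blob))                   # IMAGE_RESOURCE_DATA_ENTRY
    img[0x300:0x300 + len(blob)] = blob
    return bytes(img)
```

For a real driver, pass the bytes of your own copy of the .sys with mapped=False; only the first name and first language entry under RT_VERSION are taken, which is what a driver built with a single VERSIONINFO resource has.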

  • Scott_Noone_(OSR) Administrator Posts: 3,450

    @Albert said:
    I have seen many dumps where the output of lm is like so:

    0: kd> lmDvmMyDrv
    Browse full module list
    start end module name
    fffff802f67e00000 fffff802f67fc000 MyDrv T (private pdb symbols) C:\ProgramData\Dbg\sym\MyDrv.pdb\1E8296A5E1ABCD66E9DC9C86CACDFE1\MyDrv.pdb
    Loaded symbol image file: MyDrv.sys
    Image path: \??\C:\TestBin\MyDrv.sys
    Image name: MyDrv.sys
    Browse all global symbols functions data
    Timestamp: ***** Invalid (F7D8FE12)
    CheckSum: 0001B845
    ImageSize: 0001C000
    Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

    Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.

    Is it possible to parse the embedded resource inside the binary of the crash dump to dig out the version_info?

    Is this a minidump? If yes, you need to provide your own copy of the executable as it's not stored in the dump. See Setting Executable Image Path:

    https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-symbol-and-source-paths-in-windbg#executable-image-path

    -scott
    OSR

  • Albert Member - All Emails Posts: 502

    @Scott_Noone_(OSR) said:

    Is this a minidump? If yes, you need to provide your own copy of the executable as it's not stored in the dump. See Setting Executable Image Path:

    https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-symbol-and-source-paths-in-windbg#executable-image-path

    Yes, this is a minidump. @Scott_Noone_(OSR) if this is a frequently changing driver image, how do I determine the correct symbol and exe version?

  • Pavel_A Member Posts: 2,781

    Even in a minidump, why does windbg show some content from the PC header (partial pdb path, checksum) but the timestamp is invalid?
    If it were valid, this would be almost perfect for the goal.

    -- pa

  • Pavel_A Member Posts: 2,781

    from the PC header

    Correction: from PE header.

  • Tim_Roberts Member - All Emails Posts: 13,972

    The obvious answer is that some of the header information is copied into system tables, and some is not.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Scott_Noone_(OSR) Administrator Posts: 3,450

    Yes, this is a minidump. @Scott_Noone_(OSR) if this is a frequently changing driver image, how do I determine the correct symbol and exe version?

    You can index executable files along with PDBs using SymStore.

    -scott
    OSR
