Can't resolve symbols for user-mode modules in a full kernel memory crash dump

wc2023 Member Posts: 38

I'm trying to analyze a full memory kernel crash dump. When I check the stack with the k command (or knL) I get the user mode portion of the stack without any symbols - see the bottom 2 lines:

kd> knL
  *** Stack trace for last set context - .thread/.cxr resets it
# Child-SP          RetAddr               Call Site
00 (Inline Function) --------`--------     nt!RtlFailFast+0x4
01 (Inline Function) --------`--------     nt!FatalListEntryError+0x4
02 (Inline Function) --------`--------     nt!InsertHeadList+0x9c
03 ffffdb07`68450830 fffff800`378396ec     nt!MiManageSubsectionView+0x128
04 ffffdb07`68450880 fffff800`375fde0c     nt!MiDeleteVad+0x4a4
...........
10 ffffdb07`68450bd0 fffff800`374a06a0     win32k!NtDCompositionSynchronize+0x44
11 ffffdb07`68450bf0 fffff800`374a02a4     nt!KiSystemServiceCopyEnd+0x38
12 ffffdb07`68450c60 00007fff`ed8583d4     nt!KiSystemServiceExit
13 00000000`045be2a0 00007fff`e8056064     0x00007fff`ed8583d4
14 00000000`045be2a0 00000000`00000000     0x00007fff`e8056064

From experience, I know that there should be ntdll.dll there, so when I do:

.reload /f ntdll.dll

I get:
Unable to load image C:\windows\SYSTEM32\ntdll.dll, Win32 error code 0x2

which means file not found.

What am I doing wrong there?

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,678

    User mode stuff can be paged out even in a full memory dump so it's not always possible.

    What does !sym noisy/.reload say?

    -scott
    OSR

  • wc2023 Member Posts: 38

    For ntdll.dll, pretty much "path not found" for all search locations, and then "mismatched timestamp" and "image header does not match memory image header" for C:\Windows\System32\ntdll.dll.

  • Scott_Noone_(OSR) Administrator Posts: 3,678

    If you have the ntdll.dll from the target system you can try copying it to the host and pointing your executable path to it. Or try getting it from the symbol server: .exepath srv* ; .reload

    -scott
    OSR
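The following WinDbg command sequence is an added example (not from either poster) that walks through the diagnosis above: turn on noisy symbol loading, add the Microsoft public symbol server to the executable image path, switch into the owning process context so user-mode addresses resolve, force the ntdll reload, and check the result. The EPROCESS address and the local System32 copy path are placeholders; the symbol server URL and cache directory are the standard Microsoft ones.

```windbg
$$ Added example: diagnosing unresolved user-mode frames in a kernel memory dump.
$$ Placeholders: <EPROCESS> and C:\dumps\target\System32 are hypothetical values.

$$ 1. Make the symbol loader report every path it probes and why it rejected it
$$    (this is what produced the "path not found" / "mismatched timestamp" lines).
!sym noisy

$$ 2. User-mode images are located through the *executable image* path, not the
$$    symbol path. Add the Microsoft symbol server as an image source, with a
$$    local cache directory.
.exepath+ srv*C:\Symbols*https://msdl.microsoft.com/download/symbols

$$ 3. Switch to the process that owned the faulting thread. /p sets the process
$$    context so user-mode virtual addresses are translated; /r reloads the
$$    user-mode symbols for that context.
.process /r /p <EPROCESS>

$$ 4. Force the reload of ntdll and check what the debugger actually mapped.
$$    lmvm shows the image path it found plus its timestamp and size; these
$$    must match the header that is still resident in the dump.
.reload /f ntdll.dll
lmvm ntdll

$$ 5. If no server match exists (the timestamp/size mismatch reported earlier),
$$    copy ntdll.dll from the *target* machine and add that directory instead.
$$ .exepath+ C:\dumps\target\System32
$$ .reload /f ntdll.dll

$$ 6. Quiet the loader again and re-walk the stack; the bottom frames should
$$    now resolve to ntdll!... symbols instead of raw addresses.
!sym quiet
knL
```

If user-mode pages were not captured in the dump (they can be paged out even in a full memory dump), the reload will still fail regardless of the image path, and lmvm will show no loaded image for the module.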
