I just wondered if it is possible for a logic analyser to trap an access
with this data to an address that matches the profile, and generate a system
interrupt so the relevant code can be dumped before proceeding? Maybe just a
custom FPGA?
Mike
----- Original Message -----
From: Scott Noone
Newsgroups: ntdev
To: Windows System Software Devs Interest List
Sent: Wednesday, December 02, 2015 3:33 AM
Subject: Re:[ntdev] Memory Corruption Mystery: Any Ideas?
Definitely! It might end up being more than one, I think it could practically
be a book at this point
-scott
OSR
@OSRDrivers
“Andrey Bazhan” wrote in message news:xxxxx@ntdev…
Yeah, sometimes you wish it was 24 * 2 in a day :). By the way, this is a very
interesting case and it would be really cool if you could write a blog post
about it.
“Scott Noone” wrote in message news:xxxxx@ntdev…
We searched for the sequence in the “suspect” driver list (NIC, video, etc.)
using IDA Pro, though it was a long shot. We found various instances of it,
though just through static analysis it was impossible to say if it was even
related. Not enough hours in the day to do a complete reversing job on every
driver
-scott
OSR
@OSRDrivers
“Andrey Bazhan” wrote in message news:xxxxx@ntdev…
Have you tried to narrow down the culprit by running
!for_each_module ".echo @#ModuleName; s-b @#Base @#End D8 0F 00 00"
wrote in message news:xxxxx@ntdev…
I discounted this as being a RAM problem due to the consistency and the
pattern and the bad offset. It really “feels” like a device (or possibly
driver) writing a control/status value where it shouldn’t. That being said,
I’m happy still guessing… Would this type of corruption be consistent with
a RAM issue in your opinion?
Thanks!
-scott
OSR
@OSRDrivers