I have seen many dumps where the output of lm is like so:
0: kd> lmDvm MyDrv
Browse full module list
start end module name
fffff802f67e0000 fffff802f67fc000 MyDrv T (private pdb symbols) C:\ProgramData\Dbg\sym\MyDrv.pdb\1E8296A5E1ABCD66E9DC9C86CACDFE1\MyDrv.pdb
Loaded symbol image file: MyDrv.sys
Image path: \??\C:\TestBin\MyDrv.sys
Image name: MyDrv.sys
Browse all global symbols functions data
Timestamp: ***** Invalid (F7D8FE12)
CheckSum: 0001B845
ImageSize: 0001C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.
Is it possible to parse the embedded resource inside the binary of the crash dump to dig out the version_info?
Yes, it is possible and has been discussed on this list long ago. Stamped as “undocumented hack” and rejected.
Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.
A good question. This part of the PE header should stay and remain untouched.
@Albert said:
I have seen many dumps where the output of lm is like so:
0: kd> lmDvm MyDrv
Browse full module list
start end module name
fffff802f67e0000 fffff802f67fc000 MyDrv T (private pdb symbols) C:\ProgramData\Dbg\sym\MyDrv.pdb\1E8296A5E1ABCD66E9DC9C86CACDFE1\MyDrv.pdb
Loaded symbol image file: MyDrv.sys
Image path: \??\C:\TestBin\MyDrv.sys
Image name: MyDrv.sys
Browse all global symbols functions data
Timestamp: ***** Invalid (F7D8FE12)
CheckSum: 0001B845
ImageSize: 0001C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.
Is it possible to parse the embedded resource inside the binary of the crash dump to dig out the version_info?
Is this a minidump? If yes, you need to provide your own copy of the executable as it’s not stored in the dump. See Setting Executable Image Path:
@Albert said:
I have seen many dumps where the output of lm is like so:
0: kd> lmDvm MyDrv
Browse full module list
start end module name
fffff802f67e0000 fffff802f67fc000 MyDrv T (private pdb symbols) C:\ProgramData\Dbg\sym\MyDrv.pdb\1E8296A5E1ABCD66E9DC9C86CACDFE1\MyDrv.pdb
Loaded symbol image file: MyDrv.sys
Image path: \??\C:\TestBin\MyDrv.sys
Image name: MyDrv.sys
Browse all global symbols functions data
Timestamp: ***** Invalid (F7D8FE12)
CheckSum: 0001B845
ImageSize: 0001C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.
Is it possible to parse the embedded resource inside the binary of the crash dump to dig out the version_info?
Is this a minidump? If yes, you need to provide your own copy of the executable as it’s not stored in the dump. See Setting Executable Image Path:
Even in a minidump, why does windbg show some content from the PE header (partial pdb path, checksum) but the timestamp is invalid?
If it were valid, this would be almost perfect for the goal.
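An added example, not from any poster in this thread, for the version-identification problem discussed above: it parses the COFF and optional header fields that lm prints (TimeDateStamp, CheckSum, SizeOfImage) out of a PE image on disk, so a candidate driver binary can be matched against the module shown in the dump, and it decodes the timestamp with a plausibility window. The header it runs over is a constructed stub carrying the thread's own values; the 1990..2038 window is an assumed threshold, since the debugger's exact rule for printing "Invalid" is not stated here.

```python
# Added example: pull the PE header fields lm prints (Timestamp, CheckSum, ImageSize)
# from a driver image so a candidate binary can be matched to a dump's module.
import struct
from datetime import datetime, timedelta, timezone

# COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def decode_timestamp(stamp, earliest=1990, latest=2038):
    """Build time as a datetime, or None when the 32-bit value does not decode
    to a plausible date (assumed window; lm's own 'Invalid' rule is not on this page)."""
    when = EPOCH + timedelta(seconds=stamp)  # sidesteps fromtimestamp() platform limits
    return when if earliest <= when.year <= latest else None

def read_pe_identity(data):
    """Walk DOS header -> PE signature -> COFF -> optional header and return
    the fields lm reports plus the decoded build time."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, stamp, _, _, _, _ = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic")
    # SizeOfImage (+56) and CheckSum (+64) sit at the same offsets in PE32 and PE32+.
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    return {"machine": machine, "timestamp": stamp, "build_time": decode_timestamp(stamp),
            "checksum": checksum, "size_of_image": size_of_image}

def build_sample_image(stamp=0xF7D8FE12, checksum=0x0001B845, size_of_image=0x0001C000):
    """Constructed minimal PE32+ header carrying the values from the lm output
    quoted in this thread; not a real driver, just enough header to parse."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x8664, 0, stamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 64, checksum)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    ident = read_pe_identity(build_sample_image())
    print(f"Timestamp {ident['timestamp']:08X} -> {ident['build_time'] or 'implausible (lm prints Invalid)'}")
    print(f"CheckSum {ident['checksum']:08X}  ImageSize {ident['size_of_image']:08X}")
```

Run it against a real driver by passing `open(path, "rb").read()` to `read_pe_identity`; when CheckSum and ImageSize agree with the lm output, the file is the same build even though the timestamp alone cannot date it.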