search in dump file

How can I search the entire kernel dump file for a given pattern,
let’s say a 64-bit pointer?

thanks,

xxxxx@yahoo.com wrote:

> How can I search the entire kernel dump file for a given pattern,
> let’s say a 64-bit pointer?

The “s” command can search, but if you find it at address 80408080, what
will that tell you?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

!search is the best way to search physical memory for a 64-bit value (though it has the annoyance of always showing partial matches as well).

The only problem with “s” is that it requires a virtual range to search. !search is more convenient because it will search physical memory. It also has the added benefit of attempting to interpret the VA mapping the page (if there is one) as pool. This can be shockingly useful…

For example, we recently had a 0x9A crash that indicated “a driver attempted to free a page that is still locked for I/O”. Given the PFN and assuming that an MDL had it locked, I ran a !search:

kd> !search ebfeb
Searching PFNs in range 00000001 - 000EFF73 for [000EBFEB - 000EBFEB]

Pfn      Offset   Hit      Va       Pte
00001A7C 00000574 000EBFEB 8C687574 C0231A1C
8c687550+0x24 : Mdl - Io, Mdls

This gave me the MDL. Assuming that an IRP was pointing to the MDL, I searched for the MDL address:

kd> !search 8c687558
Searching PFNs in range 00000001 - 000EFF73 for [FFFFFFFF8C687558 - FFFFFFFF8C687558]

Pfn      Offset   Hit      Va       Pte
000755E2 00000548 8C687558 8DE03548 C023780C
8de03490+0xb8 : FMic - IRP_CTRL structure

And that landed me a FltMgr IRP Control structure, which I could then interpret with !fltkd.irpctrl. Now I knew where the reference to the PFN was coming from (it was us…).

Doesn’t always work out that well, but it can be an effective tool (!search can also take a long time to run, which is useful when you’re stumped and don’t know what else to do :) )

-scott
OSR
@OSRDrivers
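For a raw physical-memory image where the debugger is not available, the same physical scan can be done by hand. The script below is an added example, not code from the thread or from OSR: it walks an image for a little-endian pointer-sized value and reports Pfn/Offset columns in the style of !search, labelling 4-byte matches separately so full and partial hits can be told apart. The sample image, the planted value 0x8C687574 (borrowed from the Hit column above) and the "partial" labelling are constructed for illustration.

```python
import struct
from dataclasses import dataclass

PAGE_SIZE = 0x1000  # 4 KiB pages, so file offset >> 12 is the PFN


@dataclass(frozen=True)
class Hit:
    pfn: int     # physical page frame number (file offset // PAGE_SIZE)
    offset: int  # byte offset inside that page
    width: int   # 8 = full 64-bit match, 4 = partial (low dword only) match


def search_dump(image, value: int, align: int = 4) -> list:
    """Scan a raw physical-memory image (bytes or mmap) for a little-endian value.

    Every 8-byte match is reported with width=8. When the value fits in 32
    bits, 4-byte matches that are not the start of an 8-byte hit are also
    reported, with width=4, mirroring the way a physical search shows
    partial hits alongside full ones.
    """
    patterns = [(8, struct.pack('<Q', value))]
    if value <= 0xFFFFFFFF:
        patterns.append((4, struct.pack('<I', value)))
    full_starts, hits = set(), []
    for width, pat in patterns:
        pos = image.find(pat)
        while pos != -1:
            if pos % align == 0 and pos not in full_starts:
                hits.append(Hit(pos // PAGE_SIZE, pos % PAGE_SIZE, width))
                if width == 8:
                    full_starts.add(pos)
            pos = image.find(pat, pos + 1)
    return sorted(hits, key=lambda h: (h.pfn, h.offset))


def build_sample_image() -> bytes:
    """Constructed 3-page image: a full hit in PFN 1 at offset 0x574 and a
    partial hit in PFN 2 at offset 0x10 (high dword deliberately different)."""
    img = bytearray(3 * PAGE_SIZE)
    img[PAGE_SIZE + 0x574:PAGE_SIZE + 0x57C] = struct.pack('<Q', 0x8C687574)
    img[2 * PAGE_SIZE + 0x10:2 * PAGE_SIZE + 0x14] = struct.pack('<I', 0x8C687574)
    img[2 * PAGE_SIZE + 0x14:2 * PAGE_SIZE + 0x18] = struct.pack('<I', 0xDEADBEEF)
    return bytes(img)


def format_hits(hits: list) -> str:
    lines = ["Pfn      Offset   Match"]
    for h in hits:
        lines.append(f"{h.pfn:08X} {h.offset:08X} {'full' if h.width == 8 else 'partial'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_hits(search_dump(build_sample_image(), 0x8C687574)))
```

For a real multi-gigabyte image, pass an `mmap.mmap` of the file instead of reading it into memory; `find` works on it the same way.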