ProcDump v3.04 – a cautionary MiniPlus update

ProcDump v3.04 has been released. The release just contains a tiny (edge case) sanity check I wrote in the MiniPlus stack traversal code. Specifically, it caters for the case where esp/rsp is not within the stack base and stack limit. In this highly unlikely scenario, ProcDump -mp now iterates between the stack limit and the…


David Solomon Memory Management talks

These David Solomon talks on Memory Management (circa 2005) used to be on TechNet Spotlight but got pulled last year. I’ve found a repost of them here:  


IDebugDataSpaces2::QueryVirtual doesn’t act the same as VirtualQuery

One of my debugger extension commands uses IDebugDataSpaces2::QueryVirtual to iterate through the target’s address space to find allocations of a particular size (regions that are used for the TEB, if you must know). The code was working fine, but on x64 dumps I found that it was running quite slowly. Looking into it, I found out…


StackBase and StackLimit offsets

To save a symbol lookup in a debugger extension, here are the hardcodes to use for StackBase and StackLimit.

User Mode 32bit

0:000> dt nt!_TEB.Stack*
ntdll!_TEB
   +0x000 NtTib :
      +0x004 StackBase : Ptr Void
      +0x008 StackLimit : Ptr Void

User Mode 64bit

0:000> dt nt!_TEB NtTib.Stack*
ntdll!_TEB
   +0x000 NtTib :
      +0x008 StackBase…