Understanding Pool Corruption Part 3 – Special Pool for Double Frees

In Part 1 and Part 2 of this series we discussed pool corruption and how special pool can be used to identify the cause of such corruption.  In today’s article we will use special pool to catch a double free of pool memory.   A double free of pool will cause a system to blue…

The Compiler Did What?

I was recently investigating a crash in an application.  As I researched the issue I found a very old defect in the code that was only recently being exposed by the compiler.   The crash occurred at the below instruction because the ebx register does not hold a valid pointer.   0:001> r eax=d9050cf7 ebx=003078c0…

Performance Monitor Averages, the Right Way and the Wrong Way

Performance Monitor (perfmon) is the preferred tool to measure the performance of Windows systems.  The perfmon tool provides an analysis view with a chart and metrics of the Last, Average, Minimum, and Maximum values.   There are scenarios where the line in the chart is the most valuable piece of information, such as a memory…

Understanding Pool Corruption Part 2 – Special Pool for Buffer Overruns

In our previous article we discussed pool corruption that occurs when a driver writes too much data in a buffer.  In this article we will discuss how special pool can help identify the driver that writes too much data.   Pool is typically organized to allow multiple drivers to store data in the same page…

Understanding Pool Corruption Part 1 – Buffer Overflows

Before we can discuss pool corruption we must understand what pool is.  Pool is kernel mode memory used as a storage space for drivers.  Pool is organized in a similar way to how you might use a notepad when taking notes from a lecture or a book.  Some notes may be 1 line, others may…

Debugging a Debugger to Debug a Dump

Recently I came across an instance where my debugger did not do what I wanted.  Rarely do computers disobey me, but this one was unusually stubborn.  There was no other option; I had to bend the debugger to my will.   There are many ways to make a computer program do what you want.  If…

Use Caution When Implementing IPC for Performance Counters

Recently I was working with a developer who had created performance counters that work in Performance Monitor but are never collected in a user defined data collector set.  The customer explained that their counters update named shared memory inside the application which should be read by perfmon or the data collector set.   Putting…

Troubleshooting Pool Leaks Part 7 – Windows Performance Toolkit

In Part 1 of this series we identified a pool leak in non paged pool.  In Part 2 and Part 3 of this series we identified what pool tag was leaking.  In Part 5 and Part 6 we got call stacks showing the memory being allocated.  In this article we are going to discuss a…

Troubleshooting Pool Leaks Part 6 – Driver Verifier

In part 5 we used poolhittag to get call stacks of pool being allocated and freed.  This information is often essential to identifying the cause of a memory leak; however it is not always feasible to configure a live kernel debug to obtain this information.  Fortunately there are alternative methods to get such call stacks….

Troubleshooting Pool Leaks Part 5 – PoolHitTag

In Part 4 we narrowed the source of the leaked pool memory to the specific driver which is allocating it, and we identified where in the driver this allocation was taking place.  However, we did not capture contextual information such as the call stack leading up to this code.  Also, we didn’t capture information about…