Browse by Tags


  • Blog Post: Understanding !PTE, Part2: Flags and Large Pages

    Hello, it's Ryan Mangipano with part two of my PTE series. Today I'll discuss PDE/PTE flags, the TLB, and show you a manual conversion of x86 PAE Large Page Virtual Addresses to Physical. If you haven’t read the first part of this series please find it here. It's a good primer before proceeding. ...
  • Blog Post: Understanding !PTE, Part 1: Let’s get physical

    Hello. It’s Ryan Mangipano again (Ryanman). Today’s blog will be the first in a multi-part post designed to help you understand the output of the !PTE debugger command along with the basics of hardware Virtual Addressing. To better understand Virtual Addressing, we will use the debugger to manually translate...
  • Blog Post: Part 2: Got Stack? No. We ran out and kv won’t tell me why!

    Hello. It’s Ryan again with the second installment of my stack depletion walkthrough. Part 1 of this blog covered the initial analysis of a kernel memory dump captured due to a Stop 0x7f EXCEPTION_DOUBLE_FAULT. Our initial analysis revealed that kv was not able to provide us with a useful stack backtrace...
  • Blog Post: Part 1: Got Stack? No. We ran out of Kernel Mode Stack and kv won’t tell me why!

    My name is Ryan Mangipano (ryanman) and I am a Sr. Support Escalation Engineer at Microsoft. This two part blog will consist of a complete walkthrough of a bugcheck that occurred due to an overflowed stack condition. What is unique about this situation is the stack backtrace wasn’t being displayed. As...
  • Blog Post: Reversing in Reverse, Part 2: More Linked-List Pool Corruption

    Hello - It's Ryan again with the second installment of my list corruption walkthrough. The previous blog post is here - Reversing in Reverse: Linked-List Pool Corruption, a Complete Walkthrough (Part 1). In part one we walked through the analysis of a memory.dmp collected during a bugcheck caused by...
  • Blog Post: Reversing in Reverse: Linked-List Pool Corruption, a Complete Walkthrough (Part 1)

    My name is Ryan Mangipano (ryanman) and I am a Sr. Support Escalation Engineer at Microsoft. Today’s blog will consist of a complete walkthrough of my recent analysis of a stop 0x50 along with the steps that led me to identify that this crash was caused by pool corruption. In this particular case, I...
  • Blog Post: Easily Resolving an Event Viewer Error using a Process Memory Dump

    My name is Ryan Mangipano (ryanman) and I am a Sr. Support Escalation Engineer at Microsoft. Today I will be blogging about how I used the SOS .Net Framework debugging extension (and !analyze -v) to easily troubleshoot a .Net Framework exception. This exception was preventing Event Viewer from displaying...