How to !list and -t LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks.Flink


Kjell Gunnar
Oct 16, 2009, 7:39:14 AM
Hi
We have:
0:000> dt _LDR_DATA_TABLE_ENTRY
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY
+0x008 InMemoryOrderLinks : _LIST_ENTRY
+0x010 InInitializationOrderLinks : _LIST_ENTRY

I want to follow InMemoryOrderLinks:

0:000> !list -t ntdll!_LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks.Flink -m 4 -x "dd" -a "l6" 0x251ec0
00251ec0 00251f18 00251e9c 00251f20 00251ea4
00251ed0 00000000 00000000

00251f18 00251fc0 00251ec0 00251fc8 00251ec8
00251f28 00251fd0 00251eac

00251fc0 002520a0 00251f18 002520a8 00251f20
00251fd0 00252248 00251f28

002520a0 002520f8 00251fc0 00252100 00251fc8
002520b0 00252d28 00252b58

It seems that !list is following InLoadOrderLinks.Flink at offset 0
instead of InMemoryOrderLinks at offset 8.
What is wrong?
Thank you
Kjell Gunnar

Scott Noone
Oct 16, 2009, 9:55:47 AM
> I want to follow InMemoryOrderLinks:

Are you trying to follow the list starting from the list head in the PEB or
from an existing loader entry?

-scott

--
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


Kjell Gunnar
Oct 16, 2009, 1:25:39 PM
Hi
I have some usermode crash dumps with “Missing image name, possible
paged-out or corrupt data.” at the end of the lm output, and only garbage in
the Unloaded modules: output.

So yes I want to follow all the lists starting from the list head in
the PEB and try to figure the corruption in the module list.

I have:
0:000> dt _PEB_LDR_DATA 0x00251e90
ntdll!_PEB_LDR_DATA
+0x000 Length : 0x28
+0x004 Initialized : 0x1 ''
+0x008 SsHandle : (null)
+0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x251ec0 - 0x254770 ]
+0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x251ec8 - 0x254778 ]
+0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x251f28 - 0x254780 ]
+0x024 EntryInProgress : (null)

And this gives a reasonably meaningful list:
!list -x "dt _LDR_DATA_TABLE_ENTRY" 0x251ec0

terminating with an entry pointing to the list head.

dt ntdll!_LDR_DATA_TABLE_ENTRY 0x251e9c
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x251ec0 - 0x254770 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x251ec8 - 0x254778 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x251f28 - 0x254780 ]

But I can’t figure out how to follow the other lists (I must probably
write a debugger command program).

Any hints, tips or other ideas for finding out why windbg and !analyze
complain are very welcome!
I assume that usermode dumps don’t have image names paged out!

Thank you
Kjell Gunnar


Scott Noone
Oct 16, 2009, 1:57:26 PM
> But can't figure out how to follow the other lists. (must probably write a debugger command program)

The lists point off to the same structures, they just link them in different
order. If you look at the list entries you'll see three list entry
structures:

+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x261f18 - 0x261e9c ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x261f20 - 0x261ea4 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]

These correspond to the three list heads in the PEB:

+0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x251ec0 - 0x254770 ]
+0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x251ec8 - 0x254778 ]
+0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x251f28 - 0x254780 ]

So, the InMemoryOrderModuleList list head points off to
_LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks. When you follow that list you need
to subtract the offset of the InMemoryOrderLinks field to get the base of
the structure again. It's standard linked list stuff, see the documentation
on the CONTAINING_RECORD macro.

You can script this by using the C++ evaluator. Something like:

!list -x "dt ntdll!_LDR_DATA_TABLE_ENTRY @@(#CONTAINING_RECORD(@$extret, ntdll!_LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks))" <InMemoryOrderModuleList address>

But, again, these are the same structures as the list you followed, so
they're not going to give you any new information.

-scott

--
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


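To make the CONTAINING_RECORD point above concrete, here is a small C model of the three PEB loader lists, added as an illustration (not code from the thread or from OSR). It assumes a simplified _LDR_DATA_TABLE_ENTRY with just the three LIST_ENTRY fields and a name, constructed module names, and the hypothetical helpers modules_in_order and naive_base_error; the same three entries are linked in different orders through different fields, and each walk subtracts that field's offset to get back to the entry base.

```c
#include <stddef.h>
#include <string.h>
/* Stand-ins for the ntdll definitions (assumption: field order as in the thread's dt output). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;            /* +0x000 on 32-bit */
    LIST_ENTRY InMemoryOrderLinks;          /* +0x008 */
    LIST_ENTRY InInitializationOrderLinks;  /* +0x010 */
    const char *BaseDllName;                /* simplified; the real field is a UNICODE_STRING */
} LDR_DATA_TABLE_ENTRY;
/* The three list heads of _PEB_LDR_DATA: 0 = load, 1 = memory, 2 = initialization order. */
static LIST_ENTRY heads[3];
static const size_t link_off[3] = { offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks),
    offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks),
    offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks) };
/* Constructed sample: one exe and two DLLs. */
static LDR_DATA_TABLE_ENTRY mods[3] = {
    { .BaseDllName = "app.exe" }, { .BaseDllName = "ntdll.dll" }, { .BaseDllName = "kernel32.dll" } };

/* Link entry m onto list `which` through the LIST_ENTRY field that list uses. */
static void insert_tail(int which, LDR_DATA_TABLE_ENTRY *m) {
    LIST_ENTRY *h = &heads[which], *e = (LIST_ENTRY *)((char *)m + link_off[which]);
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}

/* Same three entries on every list, in different orders: memory order puts kernel32
   before ntdll, and the exe is never on the initialization list. Safe to call twice. */
static void build_sample(void) {
    for (int i = 0; i < 3; i++) heads[i].Flink = heads[i].Blink = &heads[i];
    insert_tail(0, &mods[0]); insert_tail(0, &mods[1]); insert_tail(0, &mods[2]);
    insert_tail(1, &mods[0]); insert_tail(1, &mods[2]); insert_tail(1, &mods[1]);
    insert_tail(2, &mods[1]); insert_tail(2, &mods[2]);
}

/* Walk list `which` from its PEB head. Every Flink points at a LIST_ENTRY *inside* an
   entry, so the field offset is subtracted (what CONTAINING_RECORD does) to get the base. */
int modules_in_order(int which, const char *out[], int max) {
    int n = 0;
    build_sample();
    for (LIST_ENTRY *e = heads[which].Flink; e != &heads[which] && n < max; e = e->Flink)
        out[n++] = ((LDR_DATA_TABLE_ENTRY *)((char *)e - link_off[which]))->BaseDllName;
    return n;
}

/* The slip in the thread: an InMemoryOrderLinks pointer read as if it were the entry base. */
ptrdiff_t naive_base_error(void) {
    LIST_ENTRY *link = &mods[0].InMemoryOrderLinks;   /* what the memory-order head's Flink holds */
    return (char *)link - (char *)CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
}
```

The returned error is the size of one LIST_ENTRY (8 bytes on 32-bit, 0x10 on 64-bit), which is exactly the offset !list or a script must subtract when walking the memory-order list.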

Kjell Gunnar
Oct 16, 2009, 2:47:25 PM
Scott! Thank you so much!

> subtract the offset of the InMemoryOrderLinks field to get the base

Yep, I see your point, and also I see that !list does its job.

Both
!list -t ntdll!_LDR_DATA_TABLE_ENTRY.InLoadOrderLinks.Flink -x "dt ntdll!_LDR_DATA_TABLE_ENTRY " poi( $peb + 0xc) + 0xc

!list -t ntdll!_LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks.Flink -x "dt ntdll!_LDR_DATA_TABLE_ENTRY " poi( $peb + 0xc) + 0xc

show sensible output now, and all image names.

The problem now is to figure out what’s wrong with the module list.
How can I examine the Unloaded modules?

Kjell Gunnar
