Memory Analysis Cheat Sheet for Microsoft Windows XP SP2

Change context lm options [m namepattern] [M pathpattern]

Methodology .process [/p [/r]] [eprocess] options:
/p translate PTE f display image full pathname
1. Acquire memory dump
/r also reload user-mode symbols n display image name
2. Identify OS version
o display only loaded modules
3. Build lists of important structures
4. Look for “missing“ objects
Display Memory t display timestamp
5. Look for “odd“ data dx [/p] range
/p range is physical address !thread [-p] [-t] ethread [flags]
Crash Dump ranges: flags:
offset 0x02 display wait states
Use system control panel to set dump type to “full” name[+|-]offset 0x04 display stack trace, use with 0x02
(recommended) or “kernel”. Also set location. Reboot. start end pair of addresses 0x08 display return address and ESP
Lnum repeat implicit size num times 0x10 set process context, improving stack
For PS/2 keyboard: dumps
HKLM\System\CurrentControlSet\Services\i8042prt\ db display bytes and ASCII characters !teb [teb]

Parameters dw display WORD values
Create DWORD value “CrashOnCtrlScroll” dd display DWORD values !chkimg [options] [-mmw logfile logoptions] [module]
Set value to 1 dq display QWORD values options:
dp display pointers (like dd/dq) -as scan all sections
For USB keyboard: da display ASCII characters -ss scan only section name
HKLM\System\CurrentControlSet\Services\kbdhid\ du display UNICODE characters -r scan range from start to end

Parameters -nospec scan also special parts of HAL and kernel
Create DWORD value “CrashOnCtrlScroll” d repeat last display command -d display summary
Set value to 1 -db display hex view of changed locations
Only works on Microsoft Windows Server 2003 -v verbose output
Display Structures -mmw log to file
Press and hold right [CTRL] key, press [SCROLL LOCK] dt [options] [module!]name [field] [address]
twice. options: logoptions:
-a [num] display num array elements v virtual address
Identify OS Version -b display blocks recursively r offset within module
-r num recursively display sub-structures down s symbol
ostest.pl file to num levels (1…9) S section
kern.pl file -p address is a physical address e expected value
python volatools ident -f file -v report overall size and element count w found value
Microsoft Debugger Display Executable Objects !for_each_module "!chkimg @#ModuleName"
URL of symbol server: !process pid|eprocess [flags]
http://msdl.microsoft.com/download/symbols flags: Display other Objects
0x01 display time and priority statistics Generic object information:
General commands 0x02 display threads and events associated !object address
.hh open help file with process !object 0 class
.cls clear screen 0x04 display threads. If bit 0x02 is not set, !object \path
.reload reloads symbols uses single line. If bit 0x02 is set, then
/f force immediate load also displays a stack trace. !handle -1|0|index [flags]
/i ignore version mismatch, implies /f 0x08 display return address and ESP flags:
/v verbose 0x10 set process context, improving stack 0x01 basic handle information
? resolve symbol dumps 0x02 objects
poi(arg) dereference pointer arg 0x04 free handle entries
!peb [peb] 0x10 use kernel handle table
0x20 interpret as thread ID or process ID

Copyright © 2007 by Pär Österberg and Andreas Schuster. All rights reserved. Page 1 Version 1.2.1, 2007-09-20
 Memory Analysis Cheat Sheet for Microsoft Windows XP SP2
!job 0|pid|eprocess [flags] [pid|eprocess] [type] Display PDE and PTE
flags: !pte virtualaddress PoolTools
0x01 show job settings !pte pteaddress
by Andreas Schuster
0x02 show all processes in job !pte literaladress 1
type: Event, Section, File, Port, Directory,
Examine memory pool allocations
SymbolicLink, Mutant, WindowStation, Display information about a Page Frame
Semaphore, Key, Token, Process, !pfn pfn
All PoolTools share a common set of options:
Thread, Desktop, IoCompletion, Timer,
Pool Allocations --help full help
Job, and WaitablePort
Find allocations by tag --usage help about command line options
Memory Usage !poolfind tagstring|0xtagvalue [pool]
Display physical memory usage statistics pool: --dbfile SQLite database to hold case data
!memusage [flags] 0 non-paged pool --dumpfile memory dump in raw (‘dd’) format
flags: 1 paged pool --level num suppress candidates below confidence
0x00 display general information and data from level (0 … 100)
PFN database Display information about a special allocation
0x08 display only general information !pool [address] [flags]
PoolFinder
Build a list of pool allocations
flags:
Display virtual memory usage statistics 0x01 also display content
--3GB assume /3GB boot option
!vm [flags] 0x02 suppress header info for all but the
--checkpage special handling for pagefile.sys
flags: selected pool allocation
--dbcreate file create database file and table
0x01 omit process-specific statistics
--stricttags apply strict checks to pool tags
0x02 include memory management thread Show graphical map of pool utilization
stacks !xpoolmap [pool]
0x04 include terminal server memory usage pool: PoolGrep
0x08 include the page file write log 0 non-paged pool
Search pool allocations for strings
0x10 include working set owner thread stacks 1 paged pool
0x20 include kernel virtual address usage
PTFinder --free search also freed (returned) allocations
--ignorecase case-insensitive search
Display control area of section
by Andreas Schuster
!ca address get address from !memusage output
Hint: insert null bytes in order to search for UCS-2 characters:
Find processes and threads poolgrep … t\000e\000s\000t\000
Convert physical address into virtual address
!ptov pfn PoolDump
--help full help
--usage help about command line options Produce hex dump of pool allocations
Convert virtual address into physical address
!vtop pagedirpfn virtualaddress --free search also freed (returned) allocations
--threads include threads in output (default)
--nothreads suppress threads in output (reduces --nofree ignore freed allocations
List of system PTE --protection select allocations by protection bit
clutter)
!sysptes [flags] (on/off/any, default: any)
--processes include processes in output (default)
flags: --tag select allocation by pool tag
--noprocesses suppress processes in output (hardly
0x01 only free PTE (regular expressions are allowed)
useful)
0x02 free PTE in the global special pool
--3GB assume /3GB boot option
0x04 detailed information about any system PoolView
PTE that are allocated to mapping locked Interpret data in selected pool allocations
--dotfile file produce DOT output for GraphViz
pages
--xmlfile file produce XML output for KnTList
0x08 non-paged pool expansion free PTE --class class select class of objects to view
--list-classes list available classes

Copyright © 2007 by Pär Österberg and Andreas Schuster. All rights reserved. Page 2 Version 1.2.1, 2007-09-20
 Memory Analysis Cheat Sheet for Microsoft Windows XP SP2
IO Object Types Important Structures
Volatility
Id Type Structure
by Aaron Walters and Nick Petroni
Object
1 Adapter _ADAPTER_OBJECT
Contributions by Brendan Dolon-Gavitt. struct _OBJECT_HEADER, 12 elements, 0x20 bytes
2 Controller _CONTROLLER_OBJECT +0x000 PointerCount : Int4B
python volatility ident –f file list open files 3 Device _DEVICE_OBJECT +0x004 HandleCount : Int4B
python volatility datetime –f file date and time of 4 Driver _DRIVER_OBJECT +0x004 NextToFree : Ptr32 to
memory image +0x008 Type : Ptr32 to _OBJECT_TYPE
5 File _FILE_OBJECT +0x00c NameInfoOffset : UChar
python volatility pslist –f file list processes
6 IRP _IRP +0x00d HandleInfoOffset : UChar
python volatility psscan –f file scan for processes
python volatility thrdscan –f file scan for threads 7 Master Adapter +0x00e QuotaInfoOffset : UChar
python volatility dlllist –f file list DLLs +0x00f Flags : UChar
8 Open Packet
python volatility modules –f file list modules +0x010 ObjectCreateInfo : Ptr32
9 Timer _IO_TIMER +0x010 QuotaBlockCharged : Ptr32
python volatility sockets –f file list open sockets
python volatility sockscan –f file scan for open sockets 10 Volume Parameter _VPB +0x014 SecurityDescriptor : Ptr32
python volatility connections –f file list TCP established Block +0x018 Body
connections 11 Error Log
python volatility connscan –f file scan for TCP Information taken from “Undocumented Windows 2000
12 Error Message
connections Secrets” (by Sven B. Schreiber).
13 Device Object _DEVOBJ_EXTENSION
python volatility vadinfo –f file information about every Extension
single VAD - 0x50 _OBJECT_QUOTA_CHARGES (optional)
python volatility vaddump –f file save memory region 18 APC _KAPC - 0x40 _OBJECT_HANDLE_DB ( optional)
into separate files 19 DPC _KDPC - 0x38 _OBJECT_NAME (optional)
python volatility vadwalk –f file produce VAD tree - 0x28 _OBJECT_CREATOR_INFO (optional)
20 Device Queue _KDEVICE_QUEUE - 0x18 _OBJECT_HEADER (mandatory)
Windows IR/CF Tools 21 Event Pair 0x00 object
22 Interrupt _KINTERRUPT
by Harlan Carvey Note: not all structures have to be present, see Flags in
23 Profile
_OBJECT_HEADER:
ostest.pl guess OS version through fingerprinting 0x01 has _OBJECT_CREATE_INFO
of System PID and PageDir address
Pool Types
0x02 created by kernel
Shown are the values as found in memory, not as declared in
kern.pl guess OS version from kernel’s version 0x04 has OBJECT_CREATOR_INFO
the DDK/WDK header files.
resource 0x20 has SECURITY_DESCRIPTOR
0x40 no _OBJECT_HANDLE_DB
Enumerations Pool types > 32 indicate a session pool.
Synchronizable Object
Dispatcher Object Types 0 = free struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
Id Type Structure non-paged pool paged pool +0x000 Type : UChar
0 Notification Event _KEVENT normal 1 2 +0x001 Absolute : UChar
+0x002 Size : UChar
1 Synchronization Event _KEVENT must succeed 3 - +0x003 Inserted : UChar
2 Mutant (Mutex) _KMUTANT cache aligned 5 6 +0x004 SignalState : Int4B
3 Process _KPROCESS cache aligned, +0x008 WaitListHead : struct _LIST_ENTRY
7 -
4 Queue _KQUEUE must succeed
Process
5 Semaphore _KSEMAPHORE Note: Only selected members are shown below.
6 Thread _KTHREAD
8 Notification Timer _KTIMER struct _EPROCESS, 107 elements, 0x260 bytes
+0x000 Header : struct _DISPATCHER_HEADER
9 Synchronization Timer _KTIMER +0x018 DirectoryTableBase : (2 elements) Uint4B

Copyright © 2007 by Pär Österberg and Andreas Schuster. All rights reserved. Page 3 Version 1.2.1, 2007-09-20
 Memory Analysis Cheat Sheet for Microsoft Windows XP SP2
+0x050 ThreadListHead : struct _LIST_ENTRY Device Memory Information
+0x070 CreateTime : _LARGE_INTEGER 0x00 _POOL_HEADER nt!MmPagesSize
+0x078 ExitTime : _LARGE_INTEGER 0x08 _OBJECT_DIRECTORY_ENTRY nt!MmLowestPhysicalPage
+0x084 UniqueProcessId : Ptr32 0x0c _OBJECT_NAME_INFORMATION nt!MmHighestPhysicalPage
+0x088 ActiveProcessLinks : struct _LIST_ENTRY 0x18 _OBJECT_HEADER nt!MmNumberOfPhysicalPages
+0x0c4 ObjectTable : Ptr32 to _HANDLE_TABLE 0x30 _DEVICE_OBJECT nt!MmPfnDatabase
+0x138 SectionObject : Ptr32 0xf4 reserved nt!MmNumberOfPagingFiles
+0x13c SectionBaseAddress : Ptr32 varies _DEVOBJ_EXTENSION
+0x174 ImageFileName : (16 elements) UChar nt!MmPagedPoolStart
+0x1a0 ActiveThreads : Uint4B Some device structures also contain a nt!MmPagedPoolEnd
+0x1b0 Peb : Ptr32 _PEB _OBJECT_QUOTA_CHARGES structure. nt!MmNonPagedPoolStart
+0x1b8 ReadOperationCount : _LARGE_INTEGER nt!MmNonPagedPoolEnd
+0x1c0 WriteOperationCount : _LARGE_INTEGER Driver
+0x1c8 OtherOperationCount : _LARGE_INTEGER 0x00 _POOL_HEADER nt!MmBadPageListHead
+0x1d0 ReadTransferCount : _LARGE_INTEGER 0x08 _OBJECT_DIRECTORY_ENTRY nt!MmFreePageListHead
+0x1d8 WriteTransferCount : _LARGE_INTEGER 0x0c _OBJECT_NAME_INFORMATION nt!MmRomPageListHead
+0x1e0 OtherTransferCount : _LARGE_INTEGER 0x18 _OBJECT_HEADER nt!MmStandbyPageListHead
+0x1f4 SeAuditProcessCreationInfo : Ptr32 0x30 _DRIVER_OBJECT nt!MmZeroedPageListHead
+0x24c ExitStatus : Int4B 0xd8 _DRIVER_EXTENSION
+0x252 SubSystemMinorVersion : UChar Important Object Types
+0x253 SubSystemMajorVersion : UChar File nt!PsJobType Ptr to job _OBJECT_TYPE
0x00 _POOL_HEADER nt!PsProcessType Ptr to process _OBJECT_TYPE
Thread 0x08 _OBJECT_HANDLE_DB nt!PsThreadType Ptr to thread _OBJECT_TYPE
Note: Only selected members are shown below. 0x10 _OBJECT_HEADER
0x28 _FILE_OBJECT nt!PsActiveProcessHead Ptr to _EPROCESS+0x088
struct _ETHREAD, 54 elements, 0x258 bytes nt!PsInitialSystemProcess Ptr to _EPROCESS of System
+0x000 Header : struct _DISPATCHER_HEADER Process nt!PsIdleProcess Ptr to _EPROCESS of Idle
+0x020 Teb : Ptr32 to 0x00 _POOL_HEADER nt!KiIdleProcess _EPROCESS of Idle
+0x1b0 ThreadListEntry : struct _LIST_ENTRY 0x08 _OBJECT_HEADER
+0x1c0 CreateTime : _LARGE_INTEGER 0x20 _EPROCESS nt!PspJobList Ptr to _EJOB-0x010
+0x1c8 ExitTime : _LARGE_INTEGER nt!PspCidTable
+0x1ec Cid : struct _CLIENT_ID Thread nt!PsLoadedModuleList
+0x000 UniqueProcess : Ptr32 to 0x00 _POOL_HEADER
+0x004 UniqueThread : Ptr32 to 0x08 _OBJECT_HEADER Networking
0x20 _ETHREAD ArpInterfaceList
Job AddrObjTable
Note: Only selected members are shown below. Timer AddrObjTableSize
0x00 _POOL_HEADER
struct _EJOB, 45 elements, 0x180 bytes 0x08 _OBJECT_HEADER System Functions
+0x010 JobLinks : struct _LIST_ENTRY 0x20 _ETIMER nt!KeServiceDescriptorTable
+0x018 ProcessListHead : struct _LIST_ENTRY nt!KeServiceDescriptorTableShadow
+0x07c TotalProcesses : Uint4B Symbols
+0x080 ActiveProcesses : Uint4B Helpful Lists
+0x084 TotalTerminatedProcesses : Uint4B System Configuration nt!CmpHiveListHead
nt!KeNumberProcessors nt!HandleTableListHead
Combined Structures nt!KeActiveProcessors nt!ObpKernelHandleTable
nt!KiProcessorBlock nt!KiTimerTableListHead
Note: Additional structures can be inserted before the
nt!ObpRootDirectoryObject
_OBJECT_HEADER. Shown below is the configuration which nt!KeBootTime use !filetime to decode
is most likely to be found. nt!KeBootTimeBias

Copyright © 2007 by Pär Österberg and Andreas Schuster. All rights reserved. Page 4 Version 1.2.1, 2007-09-20
 Memory Analysis Cheat Sheet for Microsoft Windows XP SP2
SQLite
SQLite is the database backend used by PoolTools.

select ::= SELECT [ ALL | DISTINCT ] result

[ FROM table-list ]
[ WHERE expr ]
[ GROUP BY expr ]
[ compound-op select* ]
[ ORDER BY sort-expr-list ]
[ LIMIT integer [(OFFSET | ,) integer ]]
;
result ::= result-column [, result-column]*
result-column ::= * | table-name.* | expr [[AS] string]
table-list ::= table [join-op table join-args]
table ::= table-name [AS alias] | (select) [AS alias]
join-op ::= , | [NATURAL] [LEFT | RIGHT | FULL]
[OUTER | INNER | CROSS] JOIN
join-args ::= [ON expr] [USING (id-list)]
sort-expr-list ::= expr [sort-order] [, expr [sort-order]]*
sort-order ::= [COLLATE collation-name] [ASC | DESC]
compound-op ::= UNION | ALL | INTERSECT | EXCEPT

Copyright © 2007 by Pär Österberg and Andreas Schuster. All rights reserved. Page 5 Version 1.2.1, 2007-09-20