Saturday, 7 December 2013

Having Fun With Pool Allocations - !pooltag, !pool, !poolused and !poolfind

Now that I have kernel memory dumps available, I'm able to demonstrate some of the most useful extensions for examining pool allocations and looking for potential pool leaks and corruption.

Let's begin with the !poolused extension, which I haven't introduced on my blog before. The !poolused extension provides information about all the current paged and non-paged pool allocations on a system. I've used the 1 bit flag (verbose output) in this example to maximize the amount of information displayed.

The allocation sizes are measured in bytes, so it's best to convert these values into KB or MB for a more useful analysis. The i8042prt.sys driver is only consuming 3.8KB of non-paged pool, and no paged pool at all, since all of its allocations there have been freed, which is why the Difference field is 0. You may notice that some pool tags have no description; this is because they are not present in the pooltag.txt file, which you can find at this path:

C:\Program Files\Windows Kits\8.0\Debuggers\x86/x64\triage\pooltag.txt
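To turn the raw !poolused numbers into something usable for leak triage, here is an added Python example (my own, not something from WinDbg or the Debugging Tools). It parses a constructed excerpt of pooltag.txt, parses constructed lines laid out like the verbose !poolused table (the exact column layout is an assumption; adjust the split if your debugger version differs), converts bytes to KB, and lists the tags with a large outstanding Allocs minus Frees difference, which are the ones worth feeding to !poolfind.

```python
from dataclasses import dataclass

# Constructed excerpt in the shape of pooltag.txt ("Tag - Binary - Description",
# "//" comment lines). Entries are illustrative, not copied from the real file.
POOLTAG_TXT = """\
//
// Pool tags used by kernel-mode components (constructed excerpt)
//
8042 - i8042prt.sys - PS/2 keyboard and mouse driver allocations
Ntfr - ntfs.sys     - NTFS file record (constructed description)
"""

# Constructed lines laid out like verbose !poolused output. Column order assumed:
# Tag, NonPaged Allocs/Frees/Diff/Bytes, Paged Allocs/Frees/Diff/Bytes.
POOLUSED_OUT = """\
 Tag    Allocs   Frees    Diff    Bytes    Allocs   Frees    Diff    Bytes
 8042       12       8       4     3920         3       3       0        0
 Ntfr      900     900       0        0      1500     300    1200  1228800
 Zzzz      450      10     440  1802240         0       0       0        0
"""

@dataclass
class PoolUsage:
    tag: str
    np_diff: int    # non-paged Allocs - Frees (outstanding allocations)
    np_bytes: int   # non-paged bytes currently in use
    pg_diff: int
    pg_bytes: int

def parse_pooltag_file(text):
    """Map tag -> (binary, description); skips blank and comment lines."""
    tags = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("//", "rem")):
            continue
        parts = [p.strip() for p in line.split(" - ", 2)]
        if len(parts) == 3:
            tags[parts[0]] = (parts[1], parts[2])
    return tags

def parse_poolused(text):
    """Keep only data rows: nine whitespace-separated fields, numeric after the tag."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or not f[1].isdigit():
            continue
        a = [int(x) for x in f[1:]]
        rows.append(PoolUsage(f[0], a[2], a[3], a[6], a[7]))
    return rows

def to_kb(nbytes):
    return round(nbytes / 1024, 1)

def leak_suspects(rows, tags, min_diff=100):
    """Tags whose outstanding count >= min_diff, largest footprint first:
    (tag, pool, outstanding, KB, binary); unknown tags are flagged."""
    out = []
    for r in rows:
        for pool, diff, nbytes in (("NonPaged", r.np_diff, r.np_bytes),
                                   ("Paged", r.pg_diff, r.pg_bytes)):
            if diff >= min_diff:
                binary = tags.get(r.tag, ("<unknown>", ""))[0]
                out.append((r.tag, pool, diff, to_kb(nbytes), binary))
    return sorted(out, key=lambda t: t[3], reverse=True)
```

A tag reported as `<unknown>` is exactly the case the text describes: no entry in pooltag.txt, so !pooltag will not name the driver and !poolfind on that tag is the next step.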

We can gather information about an individual pool tag with the !pooltag extension, which gives us a basic description of the tag and the name of the driver associated with it.

We can use the !poolfind extension to find all the pool allocations, and the pool pages containing them, for the specified pool tag. This is useful if you suspect that a driver is causing a pool leak or has corrupted a pool page.

By default the extension searches non-paged pool; however, you can add bit 2 (0x4) to search through paged pool. The * marks the pool pages for that pool tag, along with the current and previous pool allocation sizes.

Using the !pool extension, we can look at a specific pool page and its allocations.

The pool type is non-paged pool, and the * marks the allocation within the pool page that contains the entered address. The Protected flag is set to signify that when this allocation is about to be freed, it is the allocation that was intended to be freed; it essentially adds some extra checking.
