Friday, 13 December 2013

Using !validatelist, !exchain and !mca

This blog post is going to show a few extensions available in WinDbg, which we can use with our debugging. I'm going to cover !validatelist, !exchain and !mca.

!validatelist

Firstly, let's begin with the !validatelist extension, which is used to test corruption within a doubly linked list, and that each entry points to the next entry and the previous entry. These pointers are called flink and blink.

I've used a entry from the _LINKED_LIST data structure found in the _EPROCESS data structure for demonstration purposes.


The _LINKED_LIST data structure can be seen as follows:


Using the !validatelist extension, the doubly linked list is walked along, or more specifically and technically correct; we transverse the linked list. Here we can see there was no problems with the linked list algorithm.

This is useful extension for debugging Stop 0x19's and checking if linked list data structures aren't corrupt.

!exchain

The !exchain extension is used to list all the exception handlers available within the thread's stack. The frame number is shown for each exception handler, personally I found this extension useful for checking what internal undocumented functions are used for.

!mca

The !mca extension is used to display and gather information about the Machine Check Architecture error reporting mechanism.

We can see each MSR Bank for additional reporting of errors found by the CPU, and which errors were found.

Additional Reading:

Machine Check Architecture
A short description of x86 MCA

1 comment: