Using !validatelist, !exchain and !mca

This blog post is going to show a few extensions available in WinDbg, which we can use with our debugging. I’m going to cover !validatelist, !exchain and !mca.

!validatelist

Firstly, let’s begin with the !validatelist extension, which is used to test corruption within a doubly linked list, and that each entry points to the next entry and the previous entry. These pointers are called flink and blink.

I’ve used a entry from the _LINKED_LIST data structure found in the _EPROCESS data structure for demonstration purposes.

The _LINKED_LIST data structure can be seen as follows:


Using the !validatelist extension, the doubly linked list is walked along, or more specifically and technically correct; we transverse the linked list. Here we can see there was no problems with the linked list algorithm.

This is useful extension for debugging Stop 0x19’s and checking if linked list data structures aren’t corrupt.

!exchain

The !exchain extension is used to list all the exception handlers available within the thread’s stack. The frame number is shown for each exception handler, personally I found this extension useful for checking what internal undocumented functions are used for.

!mca

The !mca extension is used to display and gather information about the Machine Check Architecture error reporting mechanism.

We can see each MSR Bank for additional reporting of errors found by the CPU, and which errors were found.

Additional Reading:

Machine Check Architecture
A short description of x86 MCA

Advertisements

About 0x14c

I'm a Computer Science student and writer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.
This entry was posted in WinDbg. Bookmark the permalink.

One Response to Using !validatelist, !exchain and !mca

  1. VnSpl0it says:

    Great, Thanks !

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s