
Memory Dump Analysis Anthology, Volume 1

Book Description

This volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute (DumpAnalysis.org) and Software Diagnostics Library (former Crash Dump Analysis blog, DumpAnalysis.org/blog) written in August 2006 - December 2007. It is useful for:

- Software engineers developing and maintaining products on Windows platforms;
- Technical support and escalation engineers dealing with complex software issues;
- Quality assurance engineers testing software on Windows platforms;
- Security researchers, reverse engineers, malware and memory forensics analysts.

Some articles will also be of interest to a general Windows user.

Table of Contents

  1. Preface
  2. Acknowledgements
  3. About the Author
  4. PART 1: Crash Dumps for Beginners
    1. Crash Dumps Depicted
    2. Right Crash Dumps
    3. Crashes Explained
    4. Hangs Explained
    5. Symbol Files Explained
    6. Crashes and Hangs Differentiated
    7. Proactive Crash Dumps
  5. PART 2: Professional Crash Dump Analysis
    1. Minidump Analysis
    2. Scripts and WinDbg Commands
    3. Component Identification
    4. Raw Stack Data Analysis
    5. Symbols and Images
    6. Interrupts and Exceptions Explained
    7. Exceptions Ab Initio
    8. X86 Interrupts
    9. X64 Interrupts
    10. Interrupt Frames and Stack Reconstruction
    11. Trap Command on x86
    12. Trap Command on x64
    13. Exceptions in User Mode
    14. How to Distinguish Between 1st and 2nd Chances
    15. Who Calls the Postmortem Debugger?
    16. Inside Vista Error Reporting
    17. Another Look at Page Faults
    18. Bugchecks Depicted
    19. NMI_HARDWARE_FAILURE
    20. IRQL_NOT_LESS_OR_EQUAL
    21. KERNEL_MODE_EXCEPTION_NOT_HANDLED
    22. KMODE_EXCEPTION_NOT_HANDLED
    23. SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
    24. CAFF
    25. CF
    26. Manual Stack Trace Reconstruction
    27. WinDbg Tips and Tricks
    28. Looking for Strings in a Dump
    29. Tracing Win32 API While Debugging a Process
    30. Exported NTDLL and Kernel Structures
    31. Easy List Traversing
    32. Suspending Threads
    33. Heap Stack Traces
    34. Hypertext Commands
    35. Analyzing Hangs Faster
    36. Triple Dereference
    37. Finding a Needle in a Hay
    38. Guessing Stack Trace
    39. Coping with Missing Symbolic Information
    40. Resolving Symbol Messages
    41. The Search for Tags
    42. Old Dumps, New Extensions
    43. Object Names and Waiting Threads
    44. Memory Dumps from Virtual Images
    45. Filtering Processes
    46. WinDbg Scripts
    47. First Encounters
    48. Yet another WinDbg Script
    49. Deadlocks and Critical Sections
    50. Security Problem
    51. Hundreds of Crash Dumps
    52. Parameterized Scripts
    53. Security Issues and Scripts
    54. Raw Stack Dump of All Threads (Process Dump)
    55. Raw Stack Dump of All Threads (Complete Dump)
    56. Case Study
    57. Detecting Loops in Code
    58. Crash Dump Analysis Checklist
    59. Crash Dump Analysis Poster (HTML version)
  6. PART 3: Crash Dump Analysis Patterns
    1. Multiple Exceptions
    2. Dynamic Memory Corruption
    3. False Positive Dump
    4. Lateral Damage
    5. Optimized Code
    6. Invalid Pointer
    7. Inconsistent Dump
    8. Hidden Exception
    9. Deadlock (Critical Sections)
    10. Changed Environment
    11. Incorrect Stack Trace
    12. OMAP Code Optimization
    13. No Component Symbols
    14. Insufficient Memory (Committed Memory)
    15. Spiking Thread
    16. Module Variety
    17. Stack Overflow (Kernel)
    18. Deadlock (Executive Resources)
    19. Insufficient Memory (Handle Leak)
    20. Managed Code Exception
    21. Truncated Dump
    22. Waiting Thread Time
    23. Deadlock (Mixed Objects)
    24. Memory Leak (Process Heap)
    25. Missing Thread
    26. Unknown Component
    27. Memory Leak (.NET Heap)
    28. Double Free (Process Heap)
    29. Double Free (Kernel Pool)
    30. Coincidental Symbolic Information
    31. Stack Trace
    32. Virtualized Process (WOW64)
    33. Stack Trace Collection
    34. Coupled Processes
    35. High Contention
    36. Accidental Lock
    37. Passive Thread (User Space)
    38. Main Thread
    39. Insufficient Memory (Kernel Pool)
    40. Busy System
    41. Historical Information
    42. IRP Distribution Anomaly
    43. Local Buffer Overflow
    44. Passive System Thread (Kernel Space)
    45. Early Crash Dump
    46. Hooked Functions
    47. Custom Exception Handler
    48. Deadlock (LPC)
    49. Special Stack Trace
    50. Manual Dump (Kernel)
    51. Wait Chain (General)
    52. Manual Dump (Process)
    53. Wait Chain (Critical Sections)
  7. PART 4: Crash Dump Analysis AntiPatterns
    1. Alien Component
    2. Zippocricy
    3. Word of Mouth
    4. Wrong Dump
    5. Fooled by Description
    6. Need the crash dump
    7. Be Language
    8. Fooled by Abbreviation
  8. PART 5: A Bit of Science
    1. Memory Dump - A Mathematical Definition
    2. Threads as Braided Strings in Abstract Space
    3. What is Memory Dump Analysis?
    4. Memorillion and Quadrimemorillion
    5. Four Causes of Crash Dumps
    6. Complexity and Memory Dumps
    7. What is a Software Defect?
  9. PART 6: Fun with Crash Dumps
    1. Dump Analysis and Voice Recognition
    2. Sending SMS Messages via Dumps
    3. WinDbg as a Big Calculator
    4. Dumps, Debuggers, and Virtualization
    5. Musical Dumps
    6. Debugging the Debugger
    7. Dump2Wave
    8. Dump Tomography
    9. The Smallest Program
    10. Voices from Process Space
    11. Crash Dump Analysis Card
    12. Listening to Computer Memory
    13. Visualizing Memory Dumps
    14. Visualizing Memory Leaks
    15. Picturing Computer Memory
    16. Unicode Illuminated
    17. Teaching Binary to Decimal Conversion
    18. Crash Dumps and Global Conspiracy
  10. PART 7: WinDbg For GDB Users and Vice Versa
    1. AT&T and Intel Syntax
    2. Installation
    3. Disassembler
    4. Stack Trace (Backtrace)
    5. Local Variables
  11. PART 8: Software Troubleshooting
    1. Four Pillars
    2. Five Golden Rules
    3. Critical Thinking
    4. Troubleshooting as Debugging
  12. PART 9: Citrix
    1. Pooltags
    2. The List of Citrix Services
    3. Reverse Engineering Citrix ThinWire
  13. PART 10: Security
    1. Memory Visualization
    2. WinDbg is Privacy-Aware
    3. Crash Dumps and Security
  14. PART 11: The Origin of Crash Dumps
    1. JIT Service Debugging
    2. Local Crash Dumps in Vista
    3. COM+ Crash Dumps
    4. Correcting Microsoft Article about Userdump.exe
    5. Where did the Crash Dump Come from?
    6. Custom Postmortem Debuggers in Vista
    7. Resurrecting Dr. Watson in Vista
    8. Process Crash - Getting the Dump Manually
    9. Upgrading Dr. Watson
    10. Savedump.exe and Pagefile
    11. Dumping Vista
    12. Dumping Processes without Breaking Them
    13. Userdump.exe on x64
    14. NTSD on x64 Windows
    15. Need a Dump? Common Use Cases
  15. PART 12: Tools
    1. Memory Dump Analysis Using Excel
    2. TestDefaultDebugger.NET
    3. Cons of Symbol Server
    4. StressPrinters: Stressing Printer Autocreation
    5. InstantDump (JIT Process Dumper)
    6. TestDefaultDebugger
    7. DumpAlerts
    8. DumpDepends
    9. Dump Monitor Suite
    10. SystemDump
  16. PART 13: Miscellaneous
    1. What is KiFastSystemCallRet?
    2. Understanding I/O Completion Ports
    3. Symbol File Warnings
    4. Windows Service Crash Dumps in Vista
    5. The Road to Kernel Space
    6. Memory Dump Analysis Interview Questions
    7. Music for Debugging
    8. PDBFinder
    9. When a Process Dies Silently
    10. ASLR: Address Space Layout Randomization
    11. Process and Thread Startup in Vista
    12. Race Conditions on a Uniprocessor Machine
    13. Yet Another Look at Zw* and Nt* Functions
    14. Programmer Universalis
    15. Dr. Watson Logs Analysis
    16. Post-Debugging Complications
    17. The Elements of Crash Dump Analysis Style
    18. Crash Dump Analysis in Visual Studio
    19. 32-bit Stack from 64-bit Dump
    20. Asmpedia
    21. How WINE Can Help in Crash Dump Analysis
    22. Horrors of Debugging Legacy Code
    23. UML and Device Drivers
    24. Statistics: 100% CPU Spread over all Processes
  17. Appendix A
    1. Crash Dump Analysis Portal
  18. Appendix B
    1. Reference Stack Traces
  19. Cover Images