Memory Dump Analysis Anthology, Volume 4

Book Description

This is a revised, edited, cross-referenced and thematically organized volume of selected DumpAnalysis.org blog posts about crash dump analysis and debugging written in July 2009 - January 2010. It is intended for software engineers developing and maintaining products on Windows platforms, quality assurance engineers testing software on Windows platforms, technical support and escalation engineers dealing with complex software issues, and security researchers, malware analysts and reverse engineers.

The fourth volume features:

- 15 new crash dump analysis patterns
- 13 new pattern interaction case studies
- 10 new trace analysis patterns
- 6 new Debugware patterns and a case study
- Workaround patterns
- Updated checklist
- Full cross-referencing with Volume 1, Volume 2 and Volume 3
- Memory visualization tutorials
- Memory space art

Table of Contents

  1. Copyright
  2. Preface
  3. Acknowledgements
  4. 1. Professional Crash Dump Analysis and Debugging
    1. Common Mistakes
      1. Not Using Checklists
      2. Not Paying Attention to All Aspects of Default Analysis
      3. Not Paying Attention to Context
    2. Raw Stack Dump of WOW64 Process
    3. On Space and Mode
    4. Registry Corruption: A Case Study
    5. Wild Code and Partial Stack Reconstruction
    6. Manual Parameter Reconstruction on x64 Windows Systems
    7. Counterfactual Debugging
      1. Dereference Fixpoints
      2. Data Ordering
    8. Clean Raw Stack Execution Residue
    9. Essential and Derived Properties
    10. Software Defect Researcher: A New Profession
    11. WinDbg Shortcuts
      1. lmu and lmk
      2. .opendump
    12. Live Kernel Debugging of System Freeze
    13. Mode-Independent WinDbg Scripts
  5. 2. Crash Dump Analysis Patterns
    1. Succession of Patterns
    2. Ubiquitous Component
    3. Nested Offender
    4. Hunting for a Driver
    5. Virtualized System
    6. Effect Component
    7. Well-Tested Function
    8. Mixed Exception
    9. Random Object
    10. Not My Version (Hardware)
    11. Missing Process
    12. Platform-Specific Debugger
    13. Value Deviation (Stack Trace)
    14. CLR Thread
    15. Insufficient Memory (Control Blocks)
  6. 3. Crash Dump Analysis AntiPatterns
    1. Habitual Reply
  7. 4. Pattern Interaction
    1. NULL Data Pointer, Pass-Through Functions and Platformorphic Fault
    2. Stack Trace Collection, Message Box, Hidden Exception, Nested Offender, Insufficient Memory, C++ Exception, Heap Leak and Ubiquitous Component
    3. Blocked LPC Thread, Coupled Processes, Stack Trace Collection and Blocked GUI Thread
    4. Virtualized Process, Incorrect Stack Trace, Stack Trace Collection, Multiple Exceptions, Optimized Code and C++ Exception
    5. WOW64 Process, NULL Data Pointer, Stack Overflow, Main Thread, Incorrect Stack Trace, Nested Exceptions, Hidden Exception, Manual Dump, Multiple Exceptions and Virtualized System
    6. NULL Data Pointer, Stack Trace, Inline Function Optimization and Platformorphic Fault
    7. Stack Trace Collection, Suspended Threads, Not My Version, Special Process, Main Thread and Blocked LPC Chain Threads
    8. Truncated Dump, Stack Trace Collection, Waiting Thread Time and Wait Chains
    9. ALPC Wait Chain, Missing Threads, Message Box, Zombie and Special Processes
    10. Critical Section High Contention and Wait Chains, Blocked Threads and Periodic Error: Memory Dump and Trace Analysis Pattern Cooperation
    11. Statement Current, Coupled Processes, Wait Chain, Spiking Thread, Hidden Exception, Message Box and Not My Version
    12. Stack Trace Collection, Missing Threads, Waiting Time, Critical Section and LPC Wait Chains
    13. Wait Chain, Blocked Thread, Waiting Thread Time, IRP Distribution Anomaly and Stack Trace Collection
  8. 5. A Bit of Science and Philosophy
    1. Memory Exponentiation (PowerSet)
    2. Memory Dump View of Artificial Intelligence
    3. Memoidealism as Monistic Aspect Pluralism
    4. Memory Dumps as Posets
    5. Metaphorical Bijectionism: A Method of Inquiry
    6. Notes on Memoidealism
    7. Panmemorism
    8. Cubic Memory Representation
    9. Manifold Memory Space
    10. Ars Recordatio
    11. Categories for the Working Software Defect Researcher
      1. MemD Category
      2. Operating Closure of Memory
    12. Memoidealism Defined
    13. Memuon: A Definition
  9. 6. Fun with Crash Dumps
    1. Music for Debugging
      1. THE ALL MIGHTY DEBUGGER
      2. Memory Space Music
      3. The Duet of Threads
      4. The Memory Dump of the Dead
      5. Ancient Computations and a Vision of the New Dump
    2. The Meaning of DUMP
    3. Memory Analysis Ritual
    4. The Intelligent Memory Movement
    5. Moving towards the Psi Point
    6. Experiments on Poor Bugs
    7. Exception Processing Of Crash Hypothesis (EPOCH)
    8. Debugging Slang
      1. SAD Events
      2. BoBo Address
      3. Mad Day
      4. Bug-sistential and Bug-sistentialism
    9. Debugging Spy Network
    10. Games for Debugging: Go
    11. The Tsar of Memory Dump Analysis
    12. DNA and RNA of Ruptured Computation
    13. BAD0B0B0 Address: Childhood Memories
    14. Bugs in Passing
    15. Named Process: Vostokov.exe
    16. Memory Analysts and Debuggers Day
    17. After Volume 3
    18. Crash, Core and Memory Dumps in Science Fiction and Fantasy
    19. Reasoning with a Bug
  10. 7. Software Troubleshooting
    1. RADII and SDSD
    2. Epistemic Troubleshooting and Debugging
    3. RADII Process Illustrated
    4. Debugware Patterns
      1. Trace Expert
      2. Troubleshooting Unit of Work
      3. Checklist
      4. Supporting Module
      5. Span Differentiator
      6. Self Extractor
      7. A Case Study
    5. Can Software Tweet?
    6. The Law of Simple Tools
    7. Workaround Patterns
      1. Hidden Output
      2. Frozen Process
      3. Axed Code
  11. 8. Software Trace Analysis
    1. CDFAnalyzer for Analysis of CDF (ETW) Traces
    2. There ought to be a Planet at that Location!
    3. Software Trace: Bird's Eye View
    4. Extending Multithreading to Multibraiding (Adjoint Threading)
  12. 9. Software Trace Analysis Patterns
    1. Statement Density and Current
    2. Exception Stack Trace
    3. Thread of Activity
    4. Discontinuity
    5. Missing Component
    6. Bifurcation Point
    7. Characteristic Message Block
    8. Activity Region
    9. Vocabulary Index
    10. Inter-Correlation
  13. 10. The Origin of Crash Dumps
    1. Full Page Heap Settings on x64 Windows
    2. Memory Dumps from Hyper-Virtualized Windows
    3. Fiber Bundle of Memory Space
    4. On Self Dumps of Secure String API
  14. 11. Memory Visualization
    1. Pictures from Memory Space
    2. Large-scale Structure of Memory Space
    3. Advanced Memory Visualization
    4. 3D Memory Visualization
    5. Memory Map Visualization Tools
  15. 12. Art
    1. Opcodism: The Art of Opcodes
    2. Memory Dump and Minidumps
    3. Hot Issues from Physicalist Artist Perspective
    4. Memory Dumps from Physicalist Artist Perspective
    5. Memory Hot Spot and The Illusion of Fix
    6. Shared Section
    7. Memory Space Road to the Ultimate Fix
    8. Structure and Noise
  16. 13. Miscellaneous
    1. Assembling Code in WinDbg
    2. Free Stack Traces
    3. Stack Space and Program Database Types
    4. The Longest Stack Trace
    5. Software Victimology
    6. Debugger as a Shut Up Application
    7. 2 Great Windows Software Engineering Magazines
  17. A.
    1. Crash Dump Analysis Checklist