You are previewing Memory Dump Analysis Anthology, Volume 5.
O'Reilly logo
Memory Dump Analysis Anthology, Volume 5

Book Description

Five volumes of cross-disciplinary Anthology (dubbed by the author "The Summa Memorianica") lay the foundation of the scientific discipline of Memoretics (study of computer memory snapshots and their evolution in time) that is also called Memory Dump and Software Trace Analysis. The 5th volume contains revised, edited, cross-referenced, and thematically organized selected blog posts about crash dump, software trace analysis and debugging written in February 2010 - October 2010 for software engineers developing and maintaining products on Windows platforms, quality assurance engineers testing software on Windows platforms, technical support and escalation engineers dealing with complex software issues, and security researchers, malware analysts and reverse engineers. The fifth volume features: - 25 new crash dump analysis patterns - 11 new pattern interaction case studies (including software tracing) - 16 new trace analysis patterns - 7 structural memory patterns - 4 modeling case studies for memory dump analysis patterns - Discussion of 3 common analysis mistakes - Malware analysis case study - Computer independent architecture of crash analysis report service - Expanded coverage of software narratology - Metaphysical and theological implications of memory dump worldview - More pictures of memory space and physicalist art - Classification of memory visualization tools - Memory visualization case studies - Close reading of the stories of Sherlock Holmes: Dr. Watson's observational patterns - Fully cross-referenced with Volume 1, Volume 2, Volume 3, and Volume 4.

Table of Contents

  1. Copyright
  2. Preface
  3. Acknowledgements
  4. 1. Professional Crash Dump Analysis and Debugging
    1. Common Mistakes
      1. Not Double-Checking Symbolic Output
      2. Not Looking Past the First Found Evidence
      3. Not Recognizing Data as UNICODE or ASCII Fragments
    2. Common Questions
      1. What Service Is This?
    3. Complete Stack Traces from x64 System
    4. Software Behavior Patterns
    5. Crash and Hang Analysis Audit Service
    6. Case Study: Extremely Inconsitent Dump and CPU Spike
    7. Raw Stack Dump of All Thread Stacks
    8. Architecture of CARE
  5. 2. Crash Dump Analysis Patterns
    1. Succession of Patterns
    2. Wait Chain (Process Objects)
    3. Coincidental Frames
    4. Fault Context
    5. Coupled Processes (Weak)
    6. Hooked Functions (Kernel Space)
    7. Hardware Activity
    8. Incorrect Symbolic Information
    9. Message Hooks
    10. Blocked Thread (Hardware)
    11. Coupled Machines
    12. High Contention (Processors)
    13. Thread Starvation (Normal Priority)
    14. Coupled Processes (Semantics)
    15. Abridged Dump
    16. Exception Stack Trace
    17. Wait Chain (RPC)
    18. Distrubuted Spike
    19. Instrumentation Information
    20. Template Module
    21. Invalid Exception Information
    22. Shared Buffer Overwrite
    23. Pervasive System
    24. Problem Exception Handler
    25. Deadlock (Self)
    26. Same Vendor
  6. 3. Crash Dump Analysis AntiPatterns
    1. Wild Explanations
  7. 4. Pattern Interaction
    1. Inconsistent Dump, Stack Trace Collection, LPC, Tthread, Process, Executive Resource Wait Chains, Missing Threads and Waiting Thread Time
    2. Fault Context, Wild Code and Hardware Error
    3. Main Thread, Critical Section Wait Chains, Critical Section Deadlock, Stack Trace Collection, Execution Residue, Data Contents Locality, Self-Diagnosis and Not My Version
    4. Strong Process Coupling, Stack Trace Collection, Critical Section Corruption and Wait Chains, Message Box, Self-Diagnosis, Hidden Exception and Dynamic Memory Corruption
    5. IRP Distribution Anomaly, Inconsistent Dump, Execution Residue, Hardware Activity, Coincidental Symbolic Information, Not My Version, Virtualized System
    6. Spiking Thread, Main Thread, Message Hooks, Hooked Functions, Semantic Split, Coincidental Symbolic Information and Not My Version
    7. Stack Trace Collection, Special Process, LPC and Critical Section Wait Chains, Blocked Thread, Coupled Machines, Thread Waiting Time and IRP Distribution Anomaly
    8. ALPC Wait Chains, Missing Threads, Waiting Thread Time and Semantic Process Coupling
    9. Insufficient Kernel Pool Memory, Spiking Thread and Data Contents Locality
    10. Incorrect Stack Trace, Stack Overflow, Early Crash Dump, Nested Exception, Problem Exception Handler and Same Vendor
  8. 5. A Bit of Science and Philosophy
    1. Memory Systems Language
    2. Categories for the Working Software Defect Researcher
      1. Collective Pointer
    3. Notes on Memoidealism
    4. Archaeological Foundations for Memory Analysis
    5. On God and Miracles
    6. Psychoanalysis of Software Troubleshooting and Debugging
    7. Ontological and Epistemological Memoidealism
    8. On Unconscious
    9. Ruminations on Automated Debugging
    10. General Memory Analysis
    11. Notation for Memory and Trace Analysis
    12. Category Theory and Troubleshooting
    13. Software Chorography and Chorology: A Definition
  9. 6. Fun with Crash Dumps
    1. Music for Debugging
      1. Retry, Abort, Escape
    2. Debugging Slang
      1. STUPID
      2. On the Same Page
      3. .SYS
      4. PLOT
      5. Freedom
      6. Free Verse
      7. BCE, BC and CE
      8. HCI
      9. Blog
      10. Inherit a Fortune
    3. Dr. Watson's Observational Patterns
    4. Memory Dumps in Myths
    5. Bus Debugging
    6. Debugging the Debugger (16-bit)
    7. Dr. DebugLove and Nature
    8. Sailing Memory Spaces under an RGB Flag
    9. Don't Name Your Driver a "Missile"
    10. Notepad Debugging
    11. !analyze -vostokov
    12. Contemplating Crash Dumps in Unicode
    13. Memory Dump Analysis Services Cap and T-Shirt
    14. Troubleshooting Poem in Six Stanzas
    15. On the Interpretation of M-Theory
    16. Check the Name of Your Driver in Reverse
  10. 7. Software Trace Analysis
    1. Pattern Interaction
      1. Adjoint Threads, Discontinuity and Time Delta
    2. Basic Software PLOTs
    3. Two Readings of a Software Trace
    4. CDFMarker Tool
    5. The Extended Software Trace
    6. Presenting a Software Story
    7. Adjoint Threading in Process Monitor
  11. 8. Software Trace Analysis Patterns
    1. Significant Event
    2. Time Delta
    3. Adjoint Thread of Activity
    4. Trace Acceleration
    5. Incomplete History
    6. Background and Foreground Components
    7. Defamiliarizing Effect
    8. Anchor Messages
    9. No Trace Metafile
    10. No Activity
    11. Trace Partition
    12. Truncated Trace
    13. Diegetic Messages
    14. False Positive Error
    15. Guest Component
    16. Message Change
    17. Layered Periodization
  12. 9. Models of Software Behaviour
    1. Multiple Exceptions Pattern
    2. Memory Leak (Process Heap) Pattern
    3. Message Hooks Pattern
    4. Modeling C++ Object Corruption
  13. 10. The Origin of Crash Dumps
    1. More on Demystifying First-chance Exceptions
  14. 11. Structural Memory Patterns
    1. Memory Snapshot
    2. Aggregate Snapshot
    3. Snapshot Collection
    4. Memory Region
    5. Region Boundary
    6. Memory Hierarchy
    7. Anchor Region
  15. 12. Memory Visualization
    1. Memory Map Visualization Tools (Revised)
    2. Decomposing Memory Dumps via DumpFilter
    3. Can a Memory Dump be Blue?
    4. Virtual to Physical Memory Mapping
    5. The Memory Visualization Question
  16. 13. Art
    1. Sweet Oil of Memory
    2. Night Sky
    3. Component Trace
    4. Ana-Trace-Log-Lyzer and Closed Session
    5. Computer Memory Gardens
    6. Debugging Venue
    7. Inside a Memory File
    8. Fabric of Memory Dumps
    9. Race Condition in a Kernel Pool
    10. Memory Interfaces
    11. Bleeding Memory
    12. Picture Frame for Memory Dumps
    13. Front Cover Glitch
    14. Chance Exceptions in a Turing Machine
  17. 14. Security and Malware Analysis
    1. Crash Dumps and Password Exposure
    2. Crash Dump Analysis of Defective Malware
  18. 15. Miscellanious
    1. Native Script Debugging
    2. Component Heap
    3. Attached Processes
    4. User/Kernel Diagramming Styles
  19. A. Appendix
    1. Contention Patterns
    2. Raw Stack Analysis Scripts
    3. Crash Dump Analysis Checklist