Memory Dump Analysis Anthology, Volume 7

Book Description

Contains revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute (DumpAnalysis.org + TraceAnalysis.org) and Software Diagnostics Library (former Crash Dump Analysis blog, DumpAnalysis.org/blog) about software diagnostics, debugging, crash dump analysis, software trace and log analysis, malware analysis and memory forensics, written in November 2011 - May 2014 for software engineers developing and maintaining products on Windows (WinDbg) and Mac OS X (GDB) platforms, quality assurance engineers testing software, technical support and escalation engineers dealing with complex software issues, security researchers, malware analysts, reverse engineers, and memory forensics analysts.

The seventh volume features:

  - 66 new crash dump analysis patterns
  - 46 new software log and trace analysis patterns
  - 18 core memory dump analysis patterns for Mac OS X and GDB
  - 10 malware analysis patterns
  - Additional unified debugging pattern
  - Additional user interface problem analysis pattern
  - Additional pattern classification including memory and log acquisition patterns
  - Additional .NET memory analysis patterns
  - Introduction to software problem description patterns
  - Introduction to software diagnostics patterns
  - Introduction to general abnormal structure and behavior patterns
  - Introduction to software disruption patterns
  - Introduction to static code analysis patterns
  - Introduction to network trace analysis patterns
  - Introduction to software diagnostics report schemes
  - Introduction to elementary software diagnostics patterns
  - Introduction to patterns of software diagnostics architecture
  - Introduction to patterns of disassembly, reconstruction and reversing
  - Introduction to vulnerability analysis patterns
  - Fully cross-referenced with Volume 1, Volume 2, Volume 3, Volume 4, Volume 5, and Volume 6

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Summary of Contents
  5. Contents
  6. Preface
  7. Acknowledgements
  8. Part 1: Professional Crash Dump Analysis and Debugging
    1. WinDbg Shortcuts
    2. Two WinDbg Scripts That Changed the World
    3. Raw Stack Dump of All Threads (Kernel Space)
    4. The Design of Memory Dump Analysis: 7 Steps of Highly Successful Analysts
    5. Postmortem Effects of -g
    6. Event Owners
    7. Improbable Occurrence
    8. Pattern Cooperation
    9. Page Heap Implementation
    10. More Common Mistakes in Memory Analysis
    11. Memory Dump Analysis Best Practices
  9. Part 2: Crash Dump Analysis Patterns
    1. FPU Exception
    2. Hidden Parameter
    3. Memory Leak (Page Tables)
    4. Unrecognizable Symbolic Information
    5. Network Packet Buildup
    6. Disconnected Network Adapter
    7. Problem Module
    8. Empty Stack Trace
    9. Debugger Bug
    10. Value References
    11. Self-Diagnosis (Registry)
    12. System Object
    13. Module Variable
    14. Stack Trace Collection (Predicate)
    15. Stack Trace Collection (I/O Requests)
    16. Regular Data
    17. Translated Exception
    18. Blocked DPC
    19. Late Crash Dump
    20. Blocked Thread (Timeout)
    21. Punctuated Memory Leak
    22. Insufficient Memory (Reserved Virtual Memory)
    23. Coincidental Error Code
    24. Stored Exception
    25. Activity Resonance
    26. Value Adding Process
    27. Memory Leak (I/O Completion Packets)
    28. No Current Thread
    29. Unloaded Module
    30. Stack Trace Change
    31. Spike Interval
    32. Deviant Module
    33. Hidden Exception (Kernel Space)
    34. Handled Exception (Kernel Space)
    35. High Contention (.NET CLR Monitors)
    36. Frozen Process
    37. Incomplete Session
    38. Error Reporting Fault
    39. First Fault Stack Trace
    40. Hidden Process
    41. Disk Packet Buildup
    42. Deviant Token
    43. Module Collection
    44. Handle Leak
    45. Critical Stack Trace
    46. Debugger Omission
    47. Broken Link
    48. Wait Chain (Pushlocks)
    49. Insufficient Memory (Session Pool)
    50. Step Dumps
    51. Reduced Symbolic Information
    52. Injected Symbols
    53. Glued Stack Trace
    54. Distributed Wait Chain
    55. Ubiquitous Component (Kernel Space)
    56. One-Thread Process
    57. Module Product Process
    58. Crash Signature Invariant
    59. Small Values
    60. Shared Structure
    61. Wait Chain (CLR Monitors)
    62. Thread Cluster
    63. Module Collection (Predicate)
    64. False Effective Address
    65. Screwbolt Wait Chain
  10. Part 3: Core Dump Analysis Patterns (Mac OS X)
    1. GDB for WinDbg Users
    2. Stack Trace
    3. GDB Annoyances: Incomplete Stack Trace
    4. NULL Pointer (Data)
    5. Shared Buffer Overwrite
    6. Multiple Exceptions
    7. Double Free (Process Heap)
    8. Dynamic Memory Corruption (Process Heap)
    9. Spiking Thread
    10. NULL Pointer (Code)
    11. Execution Residue
    12. Coincidental Symbolic Information
    13. Paratext
    14. Truncated Dump
    15. C++ Exception
    16. Local Buffer Overflow
    17. Divide by Zero (User Mode)
    18. Stack Overflow (User Mode)
    19. Active Thread
  11. Part 4: Malware Analysis Patterns
    1. Malware: A Definition
    2. Fake Module
    3. RIP Stack Trace
    4. Driver Device Collection
    5. Pre-Obfuscation Residue
    6. Packed Code
    7. Raw Pointer
    8. Out-of-Module Pointer
    9. Patched Code
    10. String Hint
    11. Namespace
  12. Part 5: A Bit of Science and Philosophy
    1. On Matter
    2. Commodities as Memories
    3. Software as Means of Production
    4. Notes on Memoidealism
    5. The Confluence of Computers, Philosophy, and Religion
    6. Analytic Memory Dump - A Mathematical Definition
    7. Sorting and Early Greek Philosophers
    8. General Abnormal Patterns of Structure and Behavior
    9. On Matter and Substances
    10. M-Memory
    11. Ontology of Memoidealism
    12. Philosophies of Persistence
    13. Information as Arrow
    14. Dialectical Triad in Memoidealism
  13. Part 6: Software Trace Analysis Patterns
    1. Software Trace Diagrams (STDiagrams)
    2. Macrofunction
    3. Linked Messages
    4. Marked Message
    5. Trace Frames
    6. Counter Value
    7. Message Context
    8. Error Distribution
    9. Break-in Activity
    10. Resume Activity
    11. Fiber Bundle
    12. Data Flow
    13. Empty Trace
    14. Error Message
    15. Periodic Message Block
    16. Visibility Limit
    17. Relative Density
    18. Sparse Trace
    19. Opposition Messages
    20. Split Trace
    21. Message Interleave
    22. Sheaf of Activities
    23. Indexical Trace
    24. Abnormal Value
    25. Dominant Event Sequence
    26. Pivot Message
    27. Traces of Individuality
    28. Indirect Facts
    29. Hidden Error
    30. Last Activity
    31. State and Event
    32. Dialogue
    33. Motif
    34. Exception Stack Trace (Java)
    35. Correlated Discontinuity
    36. Piecewise Activity
    37. Density Distribution
    38. Factor Group
    39. Silent Messages
    40. Shared Point
    41. Meta Trace
    42. Data Association
    43. State Dump
    44. Message Cover
    45. Message Set
    46. Error Thread
    47. Activity Divergence
  14. Part 7: Fun with Crash Dumps
    1. Debugging Slang
    2. New Year Eve Debugging
    3. Happy New Spiking Year of Software Trace Analysis
    4. Happy New Year (from Windows 8)
    5. Music for Debugging
    6. Fiction for Debugging
    7. Pilgrimage to Harvard University
    8. Welcome to Ki* and Ke*
    9. I Memory Dump
    10. A Blue Screen Watch
    11. Poetry
    12. Surfaces in Nature
  15. Part 8: Software Narratology
    1. Software Anti-Narrative
    2. Software Narratology Helps Fiction Writers
    3. Narremes in Software Narratology
    4. Narralog - A Software Trace Modeling Language
    5. What is a Software Narrative?
    6. Software Narrative Planes
    7. Software Narratology Square
    8. Writing and Validation of Historical Narratives
    9. Software Trace Analysis Patterns Domain Hierarchy
    10. Process Monitor as Modeling Tool
    11. Generalized Software Narrative and Trace
    12. Unified Computer Diagnostics: Incorporating Hardware Narratology
    13. Introducing Software Narratology of Things (Software NT)
  16. Part 9: Software Diagnostics, Troubleshooting and Debugging
    1. Unified and Generative Debugging
    2. Software Problem Description Language
    3. What are Software Trace and Memory Dump Analysis? A One Sentence Definition
    4. Software Problem Solving Tools as a Service
    5. Software Problem Description Patterns
    6. Software Behavior Pattern Prediction
    7. Patterns of Software Diagnostics
    8. Highly Effective Diagnostics
    9. Network Trace Analysis Patterns
    10. Software Diagnostics Services
    11. Architecture of Process Memory Dump Capture Done Right
    12. An Introduction to General Systems Thinking (Book Review)
    13. Software Diagnostics Institute Logo
    14. User Interface Problem Analysis Patterns
    15. Pattern-Based Software Diagnostics
    16. Software Diagnostics Discipline
    17. Architecture of memCPU
    18. Phenomenology of Software Diagnostics: A First Sketch
    19. Software Diagnostics Report Schemes
    20. Software Diagnostics Training: Two Approaches
    21. Software Disruption Patterns
    22. Static Code Analysis Patterns
    23. The Structure of Software Problem Solving Organization
    24. Bridging the Great Divide
    25. Elementary Software Diagnostics Patterns
    26. Zero Fault Software Diagnostics
    27. Agile Software Diagnostics
    28. ADDR Pattern Catalogue
    29. Thinking-Based Software Diagnostics
    30. Memory Acquisition Pattern Catalogue
    31. Trace Acquisition Pattern Catalogue
    32. Patterns of Software Diagnostics Architecture
    33. Detecting and Predicting the Unknown
    34. Software Diagnostics Metaphors
    35. Rapid Software Diagnostics Process (RSDP)
    36. Right First Time Software Diagnosis
    37. Software Diagnosis Codes
    38. Vulnerability Analysis Patterns (VAP)
  17. Part 10: Art and Visualization
    1. 2012 (Pessimistic)
    2. 2012 (Optimistic)
    3. A Bug in a Bag (Collections, Ex-hi-bit 1)
    4. A Bug Meets a Bug (The Clash of Civilizations)
    5. A Bug Catcher
    6. The Second Generation of CARE System (Trademark)
    7. RawStackGram
    8. A Memory Window
    9. Liquid Memory
    10. Computer Brain
    11. Computer Evolution
    12. M Spaces
    13. Happy Hellowin!
    14. Pointers in Nature
    15. Drink Sensibly Before The End Of The World!
    16. MM=DD=YY
    17. Process Monitor Log Visualized
    18. Holes Infinity (HI OS)
    19. Cyber Vostok Missions
    20. A Dump Machine
    21. The Power of Simplicity
    22. Happy St. Patrick's Screen
    23. Happy New Year 2014!
    24. I Love Software Diagnostics
    25. Puree Windows Cooking
    26. Political Computicarts
    27. The Day I Quit
    28. Hero of Dump Analysis, a Medal for Labor Day
    29. Diagnosed by Vostokov®™
    30. Stack Trace Shapes
    31. The Art of Internals
    32. Threadinking
  18. Part 11: Miscellaneous
    1. C and C++ Programming Books That Made a Great Impression on the Author
    2. Outside
    3. After Debugging
    4. Crash Dumps, Acquisitions and Layoffs
    5. Cadaver Worm: An Exercise in Malware Fiction
    6. WinDbg as UNICODE to ASCII Converter
  19. Appendix
    1. Falsity and Coincidence Patterns
    2. Process Patterns
    3. Thread Patterns
    4. Optimization Patterns
    5. Exception Patterns
    6. Module Patterns
    7. RPC, LPC and ALPC Patterns and Case Studies
    8. ERESOURCE Patterns and Case Studies
    9. Meta-Memory Dump Patterns
    10. Crash Dump Analysis Checklist
  20. Index of WinDbg Commands
  21. Notes
  22. Cover Images