Leanpub Header

Skip to main content
Go to Leanpub.comLeanpub

Memory Dump Analysis Anthology, Volume 2, Revised Edition

Dmitry Vostokov

This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) written in January - September 2008. This major revision contains corrections and WinDbg output color highlighting.

The author is letting you choose the price you pay for this book!

Pick Your Price...
PDF
EPUB
465
Pages
About

About

About the Book

This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) written in January - September 2008. In addition to various corrections, this major revision updates relevant links and removes obsolete references. Some articles are preserved for historical reasons. Most of the content, especially memory analysis pattern language, is still relevant today and for the foreseeable future. The output of WinDbg commands is also remastered to include color highlighting. Crash dump analysis pattern names are also corrected to reflect the continued expansion of the catalog.

Compared to the first revised volume, the second revised volume features:

  • 44 more crash dump analysis patterns
  • Pattern interaction and case studies
  • Fully cross-referenced with Volume 1
  • New appendixes

The primary audience for Memory Dump Analysis Anthology reference volumes is: software engineers developing and maintaining products on Windows platforms, technical support, escalation, and site reliability engineers dealing with complex software issues, quality assurance engineers testing software on Windows platforms, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts.

Share this book

Categories

.NETC and C++TestingComputer HardwareResiliencyComputer SecuritySoftware ArchitectureSoftware EngineeringComputer ScienceDevOpsDigital ForensicsOperating System DevelopmentSoftware

Feedback

Email the author

Price

Pick Your Price...

Minimum price

$20.00

$20.00

You pay

$20.00

Author earns

$16.00
$

All prices are in US $. You can pay in US $ or in your local currency when you check out.

EU customers: prices exclude VAT, which is added during checkout.

...Or Buy With Credits!

Number of credits (Minimum 2)

2
The author will earn $24.00 from your purchase!
You can get credits monthly with a Reader Membership

Author

About the Author

Dmitry Vostokov

Dmitry Vostokov is an internationally recognized expert, speaker, educator, scientist, inventor, and author. He founded the pattern-oriented software diagnostics, forensics, and prognostics discipline (Systematic Software Diagnostics) and Software Diagnostics Institute. Vostokov has also authored over 50 books on software diagnostics, anomaly detection and analysis, software and memory forensics, root cause analysis and problem solving, memory dump analysis, debugging, software trace and log analysis, reverse engineering, and malware analysis. He has over 30 years of experience in software architecture, design, development, and maintenance in various industries, including leadership, technical, and people management roles. Dmitry founded OpenTask Iterative and Incremental Publishing and Software Diagnostics Technology and Services (former Memory Dump Analysis Services). In his spare time, he explores Software Narratology and Quantum Software Diagnostics. His interest areas are theoretical software diagnostics and its mathematical and computer science foundations, application of formal logic, semiotics, artificial intelligence, machine learning, and data mining to diagnostics and anomaly detection, software diagnostics engineering and diagnostics-driven development, diagnostics workflow and interaction. Recent interest areas also include functional programming, cloud native computing, monitoring, observability, visualization, security, automation, applications of category theory to software diagnostics, development and big data, and diagnostics of artificial intelligence.

Leanpub Podcast

Episode 213

An Interview with Dmitry Vostokov

Contents

Table of Contents

Preface 15

Acknowledgments 17

About the Author 18

PART 1: Crash Dumps for Beginners 19

The Time of the Crash 19

Stack Trace 20

EasyDbg 22

Citrix Symbol Server 27

PART 2: Professional Crash Dump Analysis 29

WinDbg Scripts 29

Introduction for C/C++ Users 29

Generating File Name for .dump Command 37

All at Once: Postmortem Logs and Dump Files 38

Common Mistakes 39

Not Looking at Full Stack Traces 39

Not Seeing Semantic and Pragmatic Inconsistencies 41

Pattern Interaction 43

Heuristic Stack Trace 43

Multiple Patterns 50

Exception and Deadlock 55

Heap and Spike 59

Hooksware 63

Heap and Early Crash Dump 65

WinDbg Shortcuts 67

WinDbg as a Binary Editor 67

Command Autocompletion 70

!envvar 71

.quit_lock 72

.dumpcab 73

.f+, .f- 74

.exptr 75

WinDbg as a Simple PE Viewer 76

.sound_notify 79

Signaled Objects 80

Memory Search Revisited 87

WDF and PNP BSOD: Case Study 95

Exploring NDIS Extension 105

The Hunt for the Debugger 109

Complete Dump: User Space Critical Sections 115

Microsoft DLL Help Database 116

What Does This Function Do? 118

What Was This Process Doing? 119

STL and WinDbg 122

WinDbg Cheat Sheet 125

How Old Is Your Application or System? 126

Demystifying First-chance Exceptions 129

.NET Managed Code Analysis in Complete Memory Dumps 131

Who Opened That File? 134

In Search of Lost CID 136

Large Heap Allocations 137

First-order and Second-order Memory Leaks 140

Hooked Modules 145

PART 3: Crash Dump Analysis Patterns 147

Wait Chain (Executive Resources) 147

Corrupt Dump 151

Dispatch Level Spin 154

No Process Dumps 157

No System Dumps 158

Insufficient Memory (PTE) 159

Suspended Thread 161

Special Process 164

Frame Pointer Omission 169

False Function Parameters 173

Message Box 177

Self-Dump 181

Blocked Thread (Software) 184

Zombie Processes 196

Wild Pointer 202

Dynamic Memory Corruption (Kernel Pool) 204

Insufficient Memory (Module Fragmentation) 210

Wild Code 219

Hardware Error 221

Handle Limit (GDI, Kernel Space) 226

Missing Component (General) 233

NULL Pointer (Code) 237

Execution Residue (Unmanaged Space) 239

Optimized VM Layout 267

Invalid Handle (General) 269

Overaged System 273

Thread Starvation (Realtime Priority) 274

Stack Overflow (User Mode) 279

Missing Component (Static Linkage, User Mode) 283

Duplicated Module 294

Not My Version (Software) 299

Data Contents Locality 300

Nested Exceptions (Unmanaged Code) 305

Nested Exceptions (Managed Code) 310

Affine Thread 314

Self-Diagnosis (User Mode) 318

Waiting Thread Time (User Dumps) 319

Inline Function Optimization (Unmanaged Code) 322

Critical Section Corruption 324

Lost Opportunity 332

Young System 335

Last Error Collection 337

Hidden Module 339

High Contention (Critical Sections) 341

PART 4: Crash Dump Analysis AntiPatterns 343

Debugging Architects 343

Symbolless Analysis 344

Myopic Troubleshooting and Debugging 345

PART 5: A Bit of Science 347

Memoretics 347

Memory Analysis 348

Memoidealism 349

Memiotics 350

PART 6: Fun with Crash Dumps 351

Music for Debugging 351

The Glory of Debugging 351

Memory Analysis Album 352

Biography of a Bug 354

Visual Computer Memories 355

The First Defect 356

The Songs for Remote Debugging 357

Thinking Out of the Box 358

Crash Dumps and Science Fiction 359

Colorimetric Computer Memory Dating 360

On CSI Abbreviation 362

The First Memory Dump Book 363

On SOS Abbreviation 365

Software Exceptions: a Paranormal View 366

Bug Entanglement (Bugtanglement) 367

The Standard Model of Debugging 368

Physics of Debugging 369

Can Computers Debug? 371

PART 7: Data Recovery 375

With the Help of Memory Dump Analysis 375

PART 8: Software Troubleshooting 377

Troubleshooter’s Block 377

Causal Models 378

Object-Oriented Debugging and Troubleshooting 379

Component-Based Debugging and Troubleshooting 380

Domain-Driven Debugging and Troubleshooting 381

Myths and Facts about Software Support 382

Ceteris Paribus in Comparative Troubleshooting 383

Dancing in Software Support Environment 384

PARTS: Problem Solving Power of Thought 385

The Hidden Tomb in Pyramid of Software Change 386

Tracing 387

CDF Traces: Analyzing Process Launch Sequence 387

ETW Tracing Tools 389

Lean Tracing 390

DebugWare Patterns 391

API Query 391

Tool Façade 392

Configuration Wrapper 393

Dual Interface 394

Tool Chain 395

Tool Box 396

PART 9: Security 397

Data Hiding in Crash Dumps 397

Hardening Dump Security: Beware of PEB Data 400

PART 10: The Origin of Crash Dumps 401

Memory Dumps from Xen-virtualized Windows 401

Bugchecks: SYSTEM_SERVICE_EXCEPTION 402

Bugcheck Callbacks 406

Application Verifier on x64 Platforms 413

Who Saved the Dump File? 414

ADPlus in 21 Seconds and 13 Steps 416

PART 11: Miscellaneous 425

Three Main Ideas of Debugging 425

Pseudo-corrupt Memory Dumps 426

Win32 Exception Frequencies 427

Bugcheck Frequencies 429

Time Travel Debugging 440

I/O and Memory Priority in Vista 441

Appendix A 443

Crash Dump File Examples 443

Appendix B 445

WinDbg.Org: WinDbg Quick Links 445

Appendix C 447

Dump2Wave Source Code 447

Appendix D 451

Dump2Picture Source Code 451

Appendix E 455

Crash Dump Analysis Checklist 455

CMDTREE.TXT 458

Appendix F 459

Index of WinDbg Commands 460

Cover Images 463

Get the free sample chapters

Click the buttons to get the free sample in PDF or EPUB, or read the sample online here

Download Sample PDFDownload Sample EPUB

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.

You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!

So, there's no reason not to click the Add to Cart button, is there?

See full terms...

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earned over $14 million writing, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub