Memory Dump Analysis Anthology, Volume 1, Revised Edition
Memory Dump Analysis Anthology, Volume 1, Revised Edition
About the Book
This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) written in August 2006 - December 2007. This major revision updates tool information and links with ones relevant for Windows 10 and removes obsolete references. Some articles are preserved for historical reasons, and some are updated to reflect the debugger engine changes. The output of WinDbg commands is also remastered to include color highlighting. Most of the content, especially memory analysis pattern language, is still relevant today and for the foreseeable future. Crash dump analysis pattern names are also corrected to reflect the continued expansion of the catalog.
The primary audience for Memory Dump Analysis Anthology reference volumes is: software engineers developing and maintaining products on Windows platforms, technical support, escalation, and site reliability engineers dealing with complex software issues, quality assurance engineers testing software on Windows platforms, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts.
About the Author
Bundles that include this book
Table of Contents
Preface 19
Acknowledgments 21
About the Author 23
PART 1: Crash Dumps for Beginners 25
Crash Dumps Depicted 25
Right Crash Dumps 26
Crashes Explained 28
Hangs Explained 31
Symbol Files Explained 34
Crashes and Hangs Differentiated 36
Proactive Crash Dumps 39
PART 2: Professional Crash Dump Analysis 43
Minidump Analysis 43
Scripts and WinDbg Commands 43
Component Identification 46
Raw Stack Data Analysis 53
Symbols and Images 63
Interrupts and Exceptions Explained 68
Exceptions Ab Initio 68
X86 Interrupts 69
X64 Interrupts 76
Interrupt Frames and Stack Reconstruction 83
Trap Command on x86 92
Trap Command on x64 100
Exceptions in User Mode 104
How to Distinguish Between 1st and 2nd Chances 109
Who Calls the Postmortem Debugger? 113
Inside Vista Error Reporting 117
Another Look at Page Faults 132
Bugchecks Depicted 135
NMI_HARDWARE_FAILURE 135
IRQL_NOT_LESS_OR_EQUAL 136
KERNEL_MODE_EXCEPTION_NOT_HANDLED 141
KMODE_EXCEPTION_NOT_HANDLED 143
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED 144
CAFF 150
CF 152
Manual Stack Trace Reconstruction 157
WinDbg Tips and Tricks 167
Looking for Strings in a Dump 167
Tracing Win32 API While Debugging a Process 168
Exported NTDLL and Kernel Structures 170
Easy List Traversing 178
Suspending Threads 181
Heap Stack Traces 182
Hypertext Commands 183
Analyzing Hangs Faster 187
Triple Dereference 188
Finding a Needle in a Hay 191
Guessing Stack Trace 193
Coping with Missing Symbolic Information 199
Resolving Symbol Messages 204
The Search for Tags 206
Old Dumps, New Extensions 212
Object Names and Waiting Threads 214
Memory Dumps from Virtual Images 219
Filtering Processes 220
WinDbg Scripts 221
First Encounters 221
Yet another WinDbg Script 222
Deadlocks and Critical Sections 223
Security Problem 224
Hundreds of Crash Dumps 227
Parameterized Scripts 229
Security Issues and Scripts 230
Raw Stack Dump of All Threads (Process Dump) 231
Raw Stack Dump of All Threads (Complete Dump) 236
Case Study 241
Detecting Loops in Code 244
Crash Dump Analysis Checklist 251
Crash Dump Analysis Poster (HTML version) 254
PART 3: Crash Dump Analysis Patterns 255
Multiple Exceptions 255
Dynamic Memory Corruption 257
False Positive Dump 259
Lateral Damage 264
Optimized Code 265
Invalid Pointer 267
Inconsistent Dump 269
Hidden Exception (User Space) 271
Deadlock (Critical Sections) 276
Changed Environment 283
Incorrect Stack Trace 288
OMAP Code Optimization 294
No Component Symbols 298
Insufficient Memory (Committed Memory) 302
Spiking Thread 305
Module Variety 310
Stack Overflow (Kernel Mode) 314
Deadlock (Executive Resources) 323
Insufficient Memory (Handle Leak) 327
Managed Code Exception 331
Truncated Dump 340
Waiting Thread Time (Kernel Dumps) 343
Deadlock (Mixed Objects, User Space) 348
Memory Leak (Process Heap) 356
Missing Thread 362
Unknown Component 367
Memory Leak (.NET Heap) 371
Double Free (Process Heap) 378
Double Free (Kernel Pool) 387
Coincidental Symbolic Information 390
Stack Trace 395
Virtualized Process (WOW64) 400
Stack Trace Collection (Unmanaged Space) 409
Coupled Processes (Strong) 419
High Contention (Executive Resources) 421
Accidental Lock 423
Passive Thread (User Space) 430
Main Thread 437
Insufficient Memory (Kernel Pool) 441
Busy System 449
Historical Information 458
Object Distribution Anomaly (IRP) 459
Local Buffer Overflow 461
Passive System Thread (Kernel Space) 462
Early Crash Dump 466
Hooked Functions (User Space) 469
Custom Exception Handler (User Space) 471
Deadlock (LPC) 474
Special Stack Trace 479
Manual Dump (Kernel) 480
Wait Chain (General) 482
Manual Dump (Process) 487
Wait Chain (Critical Sections) 490
PART 4: Crash Dump Analysis AntiPatterns 493
Alien Component 493
Zippocricy 494
Word of Mouth 495
Wrong Dump 496
Fooled by Description 497
Need the Crash Dump 498
Be Language 499
Fooled by Abbreviation 500
PART 5: A Bit of Science 501
Memory Dump - A Mathematical Definition 501
Threads as Braided Strings in Abstract Space 503
What is Memory Dump Analysis? 506
Memorillion and Quadrimemorillion 507
Four Causes of Crash Dumps 508
Complexity and Memory Dumps 510
What is a Software Defect? 511
PART 6: Fun with Crash Dumps 513
Dump Analysis and Voice Recognition 513
Sending SMS Messages via Dumps 514
WinDbg as a Big Calculator 515
Dumps, Debuggers, and Virtualization 516
Musical Dumps 518
Debugging the Debugger 519
Musical Dumps: Dump2Wave 521
Dump Tomography 522
The Smallest Program 523
Voices from Process Space 526
Crash Dump Analysis Card 528
Listening to Computer Memory 529
Visualizing Memory Dumps 532
Visualizing Memory Leaks 544
Picturing Computer Memory 556
Unicode Illuminated 559
Teaching Binary to Decimal Conversion 560
Crash Dumps and Global Conspiracy 561
PART 7: WinDbg For GDB Users and Vice Versa 563
AT&T and Intel Syntax 563
Installation 565
Disassembler 568
Stack Trace (Backtrace) 573
Local Variables 581
PART 8: Software Troubleshooting 589
Four Pillars 589
Five Golden Rules 590
Critical Thinking 591
Troubleshooting as Debugging 592
PART 9: Reversing and Reconstruction 593
Pooltags 593
The List of Services 594
Reverse Engineering Component Dependencies 596
PART 10: Security 599
Memory Visualization 599
WinDbg is Privacy-Aware 600
Crash Dumps and Security 604
PART 11: The Origin of Crash Dumps 605
JIT Service Debugging 605
Local Crash Dumps in Vista 606
COM+ Crash Dumps 607
Correcting Microsoft Article about Userdump.exe 612
Where did the Crash Dump Come from? 616
Custom Postmortem Debuggers in Vista 618
Resurrecting Dr. Watson in Vista 621
Process Crash - Getting the Dump Manually 624
Upgrading Dr. Watson 627
Savedump.exe and Pagefile 628
Dumping Vista 629
Dumping Processes without Breaking Them 631
Userdump.exe on x64 632
NTSD on x64 Windows 633
Need a Dump? Common Use Cases 634
PART 12: Tools 635
Memory Dump Analysis Using Excel 635
TestDefaultDebugger.NET 636
Cons of Symbol Server 637
StressPrinters: Stressing Printer Autocreation 638
InstantDump (JIT Process Dumper) 639
TestDefaultDebugger 641
DumpAlerts 643
DumpDepends 644
Dump Monitor Suite 645
SystemDump 646
PART 13: Miscellaneous 649
What is KiFastSystemCallRet? 649
Understanding I/O Completion Ports 653
Symbol File Warnings 656
Windows Service Crash Dumps in Vista 658
The Road to Kernel Space 664
Memory Dump Analysis Interview Questions 665
Music for Debugging 666
PDBFinder 667
When a Process Dies Silently 668
ASLR: Address Space Layout Randomization 673
Process and Thread Startup in Vista 678
Race Conditions on a Uniprocessor Machine 680
Yet Another Look at Zw* and Nt* Functions 683
Programmer Universalis 686
Dr. Watson Logs Analysis 687
Post-Debugging Complications 690
The Elements of Crash Dump Analysis Style 691
Crash Dump Analysis in Visual Studio 692
32-bit Stack from 64-bit Dump 694
Asmpedia 695
How WINE Can Help in Crash Dump Analysis 696
Horrors of Debugging Legacy Code 697
UML and Device Drivers 699
Statistics: 100% CPU Spread over all Processes 702
Appendix 703
Crash Dump Analysis Portal 703
Reference Stack Traces 706
Index of WinDbg Commands 707
Cover Images 711
Other books by this author
The Leanpub 45-day 100% Happiness Guarantee
Within 45 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
See full terms
Do Well. Do Good.
Authors have earned$10,909,613writing, publishing and selling on Leanpub, earning 80% royalties while saving up to 25 million pounds of CO2 and up to 46,000 trees.
Learn more about writing on Leanpub
Free Updates. DRM Free.
If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).
Most Leanpub books are available in PDF (for computers), EPUB (for phones and tablets) and MOBI (for Kindle). The formats that a book includes are shown at the top right corner of this page.
Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.
Learn more about Leanpub's ebook formats and where to read them
Top Books
- #1
Learning Algorithms Through Programming and Puzzle Solving
Alexander S. Kulikov and Pavel PevznerThis book powers our MicroMasters program on edX and specialization on Coursera, one of the ten most popular computer science courses on Coursera. Over half a million students have tried to solve many programming challenges and algorithmic puzzles described in this book. We invite you to join them! See the webpage of the book for more details.
- #2
入門 日本語自然言語処理
Masato Hagiwara and Paul O'Leary McCann日本語テキストを処理したい全てのプログラマ・エンジニアの方へ。分かち書きなどの基本から、自然言語生成などの最新の話題までをカバー。動かして学べるコードや、参照文献も付いています。言語学や機械学習の知識が無くても問題ありません。
- #3
Functional Programming Made Easier
Charles ScalfaniA Functional Programming book from beginner to advanced without skipping a single step along the way.
In my 40 years of programming, I've felt that programming books always let me down, especially Functional Programming books. So, I wrote the book I wish I had 5 years ago.
Functional Programming will never be easy, but it can be easier.
- #4
Cloud Strategy
Gregor Hohpe“Strategy is the difference between making a wish and making it come true.” A successful migration to the cloud can transform your organization, but it shouldn’t be driven by wishes. This book tells you how to develop a sound strategy guided by frameworks and decision models without being overly abstract nor getting lost in product details.
- #5
Ansible for DevOps
Jeff GeerlingAnsible is a simple, but powerful, server and configuration management tool. Learn to use Ansible effectively, whether you manage one server—or thousands.
- #6
OpenIntro Statistics
David Diez, Christopher Barr, Mine Cetinkaya-Rundel, and OpenIntroA complete foundation for Statistics, also serving as a foundation for Data Science.
Leanpub revenue supports OpenIntro (US-based nonprofit) so we can provide free desk copies to teachers interested in using OpenIntro Statistics in the classroom and expand the project to support free textbooks in other subjects.
More resources: openintro.org.
- #7
Scrum Product Ownership - Navigating the Forest AND the Trees, 3'rd Edition
Robert GalenIn 2009, I published Scrum Product Ownership - Ed. 1. Then the 2'nd Ed. in 2013. This is the 3'rd edition, celebrating the 10th anniversary of the original book. It's evolved from a beginners guide to be a more balanced reference for beginners, practitioner, and expert Product Owners.
- #8
Functional event-driven architecture: Powered by Scala 3
Gabriel VolpeExplore the event-driven architecture (EDA) in a purely functional way, mainly powered by Fs2 streams in Scala 3!
Leverage your functional programming skills by designing and writing stateless microservices that scale, powered by stateful message brokers.
- #9
Introducing EventStorming
Alberto BrandoliniThe deepest tutorial and explanation about EventStorming, straight from the inventor.
- #10
Agile Testing Condensed Japanese Edition
Yuya Kazama, Janet Gregory, and Lisa CrispinJanet GregoryとLisa Crispinによる2019年9月発行の書籍『Agile Testing Condensed』の日本語翻訳版です。アジャイルにおいてどのような考えでテストを行うべきなのか簡潔に書かれています!
Top Bundles
- #1
Software Architecture for Developers: Volumes 1 & 2 - Technical leadership and communication
2 Books
"Software Architecture for Developers" is a practical and pragmatic guide to modern, lightweight software architecture, specifically aimed at developers. You'll learn:The essence of software architecture.Why the software architecture role should include coding, coaching and collaboration.The things that you really need to think about before... - #2
The Indie Python Extravaganza
5 Books
The Indie Python Extravaganza! A collection of books that will help you to improve your knowledge of the Python programming language one page at a time. Join four indie authors in a journey from the basics of Python to the structure of production-ready systems, going through the core features of the language, some intermediate projects and a... - #3
CCIE Service Provider Ultimate Study Bundle
2 Books
Piotr Jablonski, Lukasz Bromirski, and Nick Russo have joined forces to deliver the only CCIE Service Provider training resource you'll ever need. This bundle contains a detailed and challenging collection of workbook labs, plus an extensively detailed technical reference guide. All of us have earned the CCIE Service Provider certification... - #4
Modern C++ Collection
3 Books
Get All about Modern C++C++ Standard Library, including C++20Concurrency with Modern C++, including C++20C++20Each book has about 200 complete code examples. Updates are included. When I update one of the books, you immediately get the updated bundle. You can expect significant updates to each new C++ standard (C++23, C++26, .. ) and also... - #6
Abandon Your Job - Leaving the Rat Race with Python
8 Books
Now, get all the great Python and Freelancing books from finxter.com in one single bundle!Coffee Break Python - All Python BasicsCoffee Break Python Workbook - Practice the basics of PythonCoffee Break Python Mastery Workouts - Practice advanced Python conceptsCoffee Break Python Slicing - All about SlicingCoffee Break Python NumPy - Get started... - #7
10 Books Bundle - A New Career in Tech 🚀
10 Books
Do you want to create yourself a new and profitable skillset - in one year or less? Do you want to position yourself on the right side of change finally? Do you want to work from home and set your own work schedule while choosing fun and interesting coding projects? Software developers and freelance developersearn six figuresin the US, according... - #8
The Python Craftsman
3 Books
The Python Craftsman series comprises The Python Apprentice, The Python Journeyman, and The Python Master. The first book is primarily suitable for for programmers with some experience of programming in another language. If you don't have any experience with programming this book may be a bit daunting. You'll be learning not just a programming... - #10
Pattern-Oriented Memory Forensics and Malware Detection
2 Books
This training bundle for security engineers and researchers, malware and memory forensics analysts includes two accelerated training courses for Windows memory dump analysis using WinDbg. It is also useful for technical support and escalation engineers who analyze memory dumps from complex software environments and need to check for possible...
