Memory Dump Analysis Anthology, Volume 2, Revised Edition

About the Book

This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) written in January - September 2008. In addition to various corrections, this major revision updates relevant links and removes obsolete references. Some articles are preserved for historical reasons. Most of the content, especially memory analysis pattern language, is still relevant today and for the foreseeable future. The output of WinDbg commands is also remastered to include color highlighting. Crash dump analysis pattern names are also corrected to reflect the continued expansion of the catalog.

Compared to the first revised volume, the second revised volume features:

  • 44 more crash dump analysis patterns
  • Pattern interaction and case studies
  • Fully cross-referenced with Volume 1
  • New appendixes

The primary audience for Memory Dump Analysis Anthology reference volumes is: software engineers developing and maintaining products on Windows platforms, technical support, escalation, and site reliability engineers dealing with complex software issues, quality assurance engineers testing software on Windows platforms, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts.

About the Author

Dmitry Vostokov

Dmitry Vostokov is an internationally recognized expert, speaker, educator, scientist, inventor, and author. He is the founder of pattern-oriented software diagnostics, forensics, and prognostics discipline (Systematic Software Diagnostics), and Software Diagnostics Institute. Vostokov has also authored more than 50 books on software diagnostics, anomaly detection and analysis, software and memory forensics, root cause analysis and problem solving, memory dump analysis, debugging, software trace and log analysis, reverse engineering and malware analysis. He has more than 25 years of experience in software architecture, design, development and maintenance in a variety of industries including leadership, technical and people management roles. Dmitry also founded Syndromatix, BriteTrace, DiaThings, Logtellect, OpenTask Iterative and Incremental Publishing, Software Diagnostics Technology and Services (former Memory Dump Analysis Services), and Software Prognostics. In his spare time, he presents various topics on Debugging TV and explores Software Narratology, its further development as Narratology of Things and Diagnostics of Things (DoT), Software Pathology, and Quantum Software Diagnostics. His current areas of interest are theoretical software diagnostics and its mathematical and computer science foundations, application of formal logic, artificial intelligence, machine learning and data mining to diagnostics and anomaly detection, software diagnostics engineering and diagnostics-driven development, diagnostics workflow and interaction. Recent interest areas also include cloud native computing, security, automation, functional programming, applications of category theory to software diagnostics, development and big data, and diagnostics of artificial intelligence.

Table of Contents

Preface

Acknowledgments

About the Author

PART 1: Crash Dumps for Beginners

The Time of the Crash

Stack Trace

EasyDbg

Citrix Symbol Server

PART 2: Professional Crash Dump Analysis

WinDbg Scripts

Introduction for C/C++ Users

Generating File Name for .dump Command

All at Once: Postmortem Logs and Dump Files

Common Mistakes

Not Looking at Full Stack Traces

Not Seeing Semantic and Pragmatic Inconsistencies

Pattern Interaction

Heuristic Stack Trace

Multiple Patterns

Exception and Deadlock

Heap and Spike

Hooksware

Heap and Early Crash Dump

WinDbg Shortcuts

WinDbg as a Binary Editor

Command Autocompletion

!envvar

.quit_lock

.dumpcab

.f+, .f-

.exptr

WinDbg as a Simple PE Viewer

.sound_notify

Signaled Objects

Memory Search Revisited

WDF and PNP BSOD: Case Study

Exploring NDIS Extension

The Hunt for the Debugger

Complete Dump: User Space Critical Sections

Microsoft DLL Help Database

What Does This Function Do?

What Was This Process Doing?

STL and WinDbg

WinDbg Cheat Sheet

How Old Is Your Application or System?

Demystifying First-chance Exceptions

.NET Managed Code Analysis in Complete Memory Dumps

Who Opened That File?

In Search of Lost CID

Large Heap Allocations

First-order and Second-order Memory Leaks

Hooked Modules

PART 3: Crash Dump Analysis Patterns

Wait Chain (Executive Resources)

Corrupt Dump

Dispatch Level Spin

No Process Dumps

No System Dumps

Insufficient Memory (PTE)

Suspended Thread

Special Process

Frame Pointer Omission

False Function Parameters

Message Box

Self-Dump

Blocked Thread (Software)

Zombie Processes

Wild Pointer

Dynamic Memory Corruption (Kernel Pool)

Insufficient Memory (Module Fragmentation)

Wild Code

Hardware Error

Handle Limit (GDI, Kernel Space)

Missing Component (General)

NULL Pointer (Code)

Execution Residue (Unmanaged Space)

Optimized VM Layout

Invalid Handle (General)

Overaged System

Thread Starvation (Realtime Priority)

Stack Overflow (User Mode)

Missing Component (Static Linkage, User Mode)

Duplicated Module

Not My Version (Software)

Data Contents Locality

Nested Exceptions (Unmanaged Code)

Nested Exceptions (Managed Code)

Affine Thread

Self-Diagnosis (User Mode)

Waiting Thread Time (User Dumps)

Inline Function Optimization (Unmanaged Code)

Critical Section Corruption

Lost Opportunity

Young System

Last Error Collection

Hidden Module

High Contention (Critical Sections)

PART 4: Crash Dump Analysis AntiPatterns

Debugging Architects

Symbolless Analysis

Myopic Troubleshooting and Debugging

PART 5: A Bit of Science

Memoretics

Memory Analysis

Memoidealism

Memiotics

PART 6: Fun with Crash Dumps

Music for Debugging

The Glory of Debugging

Memory Analysis Album

Biography of a Bug

Visual Computer Memories

The First Defect

The Songs for Remote Debugging

Thinking Out of the Box

Crash Dumps and Science Fiction

Colorimetric Computer Memory Dating

On CSI Abbreviation

The First Memory Dump Book

On SOS Abbreviation

Software Exceptions: a Paranormal View

Bug Entanglement (Bugtanglement)

The Standard Model of Debugging

Physics of Debugging

Can Computers Debug?

PART 7: Data Recovery

With the Help of Memory Dump Analysis

PART 8: Software Troubleshooting

Troubleshooter’s Block

Causal Models

Object-Oriented Debugging and Troubleshooting

Component-Based Debugging and Troubleshooting

Domain-Driven Debugging and Troubleshooting

Myths and Facts about Software Support

Ceteris Paribus in Comparative Troubleshooting

Dancing in Software Support Environment

PARTS: Problem Solving Power of Thought

The Hidden Tomb in Pyramid of Software Change

Tracing

CDF Traces: Analyzing Process Launch Sequence

ETW Tracing Tools

Lean Tracing

DebugWare Patterns

API Query

Tool Façade

Configuration Wrapper

Dual Interface

Tool Chain

Tool Box

PART 9: Security

Data Hiding in Crash Dumps

Hardening Dump Security: Beware of PEB Data

PART 10: The Origin of Crash Dumps

Memory Dumps from Xen-virtualized Windows

Bugcheck Callbacks

Application Verifier on x64 Platforms

Who Saved the Dump File?

ADPlus in 21 Seconds and 13 Steps

PART 11: Miscellaneous

Three Main Ideas of Debugging

Pseudo-corrupt Memory Dumps

Win32 Exception Frequencies

Bugcheck Frequencies

Time Travel Debugging

I/O and Memory Priority in Vista

Appendix A

Crash Dump File Examples

Appendix B

WinDbg.Org: WinDbg Quick Links

Appendix C

Dump2Wave Source Code

Appendix D

Dump2Picture Source Code

Appendix E

Crash Dump Analysis Checklist

Appendix F

Index of WinDbg Commands

Cover Images
