Memory Dump Analysis Anthology, Volume 4, Revised Edition
Memory Dump Analysis Anthology, Volume 4, Revised Edition
About the Book
This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) written in July 2009 - January 2010. In addition to various corrections, this major revision updates relevant links and removes obsolete references. Some articles are preserved for historical reasons. Most of the content, especially memory analysis and trace and log analysis pattern languages, is still relevant today and for the foreseeable future. The output of WinDbg commands is also remastered to include color highlighting. Crash dump analysis pattern names are also corrected to reflect the continued expansion of the catalog.
The fourth revised volume features:
- 15 new crash dump analysis patterns
- 13 new pattern interaction case studies
- 10 new trace analysis patterns
- 6 new Debugware patterns and case study
- Workaround patterns
- Updated checklist
- Fully cross-referenced with revised Volumes 1-3
- Memory visualization tutorials
- Memory space art
The primary audience for Memory Dump Analysis Anthology reference volumes is: software engineers developing and maintaining products on Windows platforms, technical support, escalation, and site reliability engineers dealing with complex software issues, quality assurance engineers testing software on Windows platforms, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. Trace and log analysis articles may be of interest to users of other platforms.
About the Author
Bundles that include this book
Table of Contents
Preface 17
Acknowledgments 19
About the Author 20
PART 1: Professional Crash Dump Analysis and Debugging 21
Common Mistakes 21
Not Using Checklists 21
Not Paying Attention to All Aspects of Default Analysis 23
Not Paying Attention to Context 26
Raw Stack Dump of WOW64 Process 31
On Space and Mode 35
Registry Corruption: A Case Study 36
Wild Code and Partial Stack Reconstruction 39
Manual Parameter Reconstruction on x64 Windows Systems 42
Counterfactual Debugging 46
Dereference Fixpoints 46
Data Ordering 48
Clean Raw Stack Execution Residue 64
Essential and Derived Properties 71
Software Defect Researcher: A New Profession 74
WinDbg Shortcuts 75
lmu and lmk 75
.opendump 80
Live Kernel Debugging of System Freeze 82
Mode-Independent WinDbg Scripts 91
PART 2: Crash Dump Analysis Patterns 93
Succession of Patterns 93
Ubiquitous Component (User Space) 94
Nested Offender 120
Hunting for a Driver 124
Virtualized System 131
Effect Component 137
Well-Tested Function 144
Mixed Exception 145
Random Object 150
Not My Version (Hardware) 153
Missing Process 154
Platform-Specific Debugger 156
Value Deviation (Stack Trace) 159
CLR Thread 163
Insufficient Memory (Control Blocks) 166
PART 3: Crash Dump Analysis AntiPatterns 167
Habitual Reply 167
PART 4: Pattern Interaction 169
Null Data Pointer, Pass-Through Functions, and Platformorphic Fault 169
Stack Trace Collection, Message Box, Hidden Exception, Nested Offender, Insufficient Memory, C++ Exception, Heap Leak, and Ubiquitous Component 172
Blocked LPC Thread, Coupled Processes, Stack Trace Collection, and Blocked GUI Thread 181
Virtualized Process, Incorrect Stack Trace, Stack Trace Collection, Multiple Exceptions, Optimized Code, and C++ Exception 182
NULL Data Pointer, Stack Trace, Inline Function Optimization, and Platformorphic Fault 189
Stack Trace Collection, Suspended Threads, Not My Version, Special Process, Main Thread, and Blocked LPC Chain Threads 192
Truncated Dump, Stack Trace Collection, Waiting Thread Time, and Wait Chains 200
ALPC Wait Chain, Missing Threads, Message Box, Zombie, and Special Processes 202
Critical Section High Contention and Wait Chains, Blocked Threads and Periodic Error: Memory Dump and Trace Analysis Pattern Cooperation 208
WOW64 Process, NULL Data Pointer, Stack Overflow, Main Thread, Incorrect Stack Trace, Nested Exceptions, Hidden Exception, Manual Dump, Multiple Exceptions, and Virtualized System 211
Statement Current, Coupled Processes, Wait Chain, Spiking Thread, Hidden Exception, Message Box, and Not My Version 223
Stack Trace Collection, Missing Threads, Waiting Thread Time, Critical Section, and LPC Wait Chains 226
Wait Chain, Blocked Thread, Waiting Thread Time, IRP Distribution Anomaly, and Stack Trace Collection 231
PART 5: A Bit of Science and Philosophy 235
Memory Exponentiation (PowerSet) 235
Memory Dump View of Artificial Intelligence 236
Memoidealism as Monistic Aspect Pluralism 237
Memory Dumps as Posets 239
Metaphorical Bijectionism: A Method of Inquiry 241
Notes on Memoidealism 246
Panmemorism 247
Qubic Memory Representation 248
Manifold Memory Space 250
Ars Recordatio 252
Categories for the Working Software Defect Researcher 253
MemD Category 253
Operating Closure of Memory 256
Memoidealism Defined 258
Memuon: A Definition 259
PART 6: Fun with Crash Dumps 261
Music for Debugging 261
THE ALL MIGHTY DEBUGGER 261
Memory Space Music 262
The Duet of Threads 263
The Memory Dump of the Dead 264
Ancient Computations and a Vision of the New Dump 265
The Meaning of DUMP 266
Memory Analysis Ritual 267
The Intelligent Memory Movement 268
Moving towards the Psi Point 269
Experiments on Poor Bugs 270
Exception Processing Of Crash Hypothesis (EPOCH) 271
Debugging Slang 272
SAD Events 272
BoBo Address 273
Mad Day 274
Bug-sistential and Bug-sistentialism 275
Debugging Spy Network 276
Games for Debugging: Go 277
The Tsar of Memory Dump Analysis 278
DNA and RNA of Ruptured Computation 279
BAD0B0B0 Address: Childhood Memories 280
Bugs in Passing 281
Named Process: Vostokov.exe 283
Memory Analysts and Debuggers Day 286
After Volume 3 287
Crash, Core, and Memory Dumps in Science Fiction and Fantasy 288
Reasoning with a Bug 301
PART 7: Software Troubleshooting 303
RADII and SDSD 303
Epistemic Troubleshooting and Debugging 304
RADII Process Illustrated 305
Debugware Patterns 307
Trace Expert 307
Troubleshooting Unit of Work 308
Checklist 309
Supporting Module 310
Span Differentiator 311
Self-Extractor 312
A Case Study 314
Can Software Tweet? 319
The Law of Simple Tools 320
Workaround Patterns 321
Hidden Output 321
Frozen Process 324
Axed Code 325
PART 8: Software Trace Analysis 327
The Tool for Analysis of ETW Traces 327
There ought to be a Planet at that Location! 328
Software Trace: Bird’s Eye View 329
Extending Multithreading to Multibraiding (Adjoint Threading) 330
PART 9: Software Trace Analysis Patterns 335
Statement Density and Current 335
Exception Stack Trace 337
Thread of Activity 339
Discontinuity 341
Missing Component 342
Bifurcation Point 343
Characteristic Message Block 345
Activity Region 348
Vocabulary Index 349
Inter-Correlation 350
PART 10: The Origin of Crash Dumps 353
Full Page Heap Settings on x64 Windows 353
Memory Dumps from Hyper-Virtualized Windows 354
Fiber Bundle of Memory Space 357
On Self Dumps of Secure String API 358
PART 11: Memory Visualization 361
Pictures from Memory Space 361
Large-scale Structure of Memory Space 363
Advanced Memory Visualization 365
3D Memory Visualization 376
Memory Map Visualization Tools 389
PART 12: Art 391
Opcodism: The Art of Opcodes 391
Memory Dump and Minidumps 394
Hot Issues from Physicalist Artist Perspective 395
Memory Dumps from Physicalist Artist Perspective 396
Memory Hot Spot and the Illusion of Fix 397
Shared Section 398
Memory Space Road to the Ultimate Fix 399
Structure and Noise 400
PART 13: Miscellaneous 401
Assembling Code in WinDbg 401
Free Stack Traces 403
Stack Space and Program Database Types 405
The Longest Stack Trace 409
Software Victimology 414
Debugger as a Shut up Application 415
Two Great Windows Software Engineering Magazines 416
Appendix 417
Crash Dump Analysis Checklist 417
Index of WinDbg Commands 421
Cover Images 423
Other books by this author
The Leanpub 45-day 100% Happiness Guarantee
Within 45 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
See full terms
Do Well. Do Good.
Authors have earned$10,909,613writing, publishing and selling on Leanpub, earning 80% royalties while saving up to 25 million pounds of CO2 and up to 46,000 trees.
Learn more about writing on Leanpub
Free Updates. DRM Free.
If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).
Most Leanpub books are available in PDF (for computers), EPUB (for phones and tablets) and MOBI (for Kindle). The formats that a book includes are shown at the top right corner of this page.
Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.
Learn more about Leanpub's ebook formats and where to read them
Top Books
- #1
Learning Algorithms Through Programming and Puzzle Solving
Alexander S. Kulikov and Pavel PevznerThis book powers our MicroMasters program on edX and specialization on Coursera, one of the ten most popular computer science courses on Coursera. Over half a million students have tried to solve many programming challenges and algorithmic puzzles described in this book. We invite you to join them! See the webpage of the book for more details.
- #2
入門 日本語自然言語処理
Masato Hagiwara and Paul O'Leary McCann日本語テキストを処理したい全てのプログラマ・エンジニアの方へ。分かち書きなどの基本から、自然言語生成などの最新の話題までをカバー。動かして学べるコードや、参照文献も付いています。言語学や機械学習の知識が無くても問題ありません。
- #3
Functional Programming Made Easier
Charles ScalfaniA Functional Programming book from beginner to advanced without skipping a single step along the way.
In my 40 years of programming, I've felt that programming books always let me down, especially Functional Programming books. So, I wrote the book I wish I had 5 years ago.
Functional Programming will never be easy, but it can be easier.
- #4
Cloud Strategy
Gregor Hohpe“Strategy is the difference between making a wish and making it come true.” A successful migration to the cloud can transform your organization, but it shouldn’t be driven by wishes. This book tells you how to develop a sound strategy guided by frameworks and decision models without being overly abstract nor getting lost in product details.
- #5
Ansible for DevOps
Jeff GeerlingAnsible is a simple, but powerful, server and configuration management tool. Learn to use Ansible effectively, whether you manage one server—or thousands.
- #6
OpenIntro Statistics
David Diez, Christopher Barr, Mine Cetinkaya-Rundel, and OpenIntroA complete foundation for Statistics, also serving as a foundation for Data Science.
Leanpub revenue supports OpenIntro (US-based nonprofit) so we can provide free desk copies to teachers interested in using OpenIntro Statistics in the classroom and expand the project to support free textbooks in other subjects.
More resources: openintro.org.
- #7
Scrum Product Ownership - Navigating the Forest AND the Trees, 3'rd Edition
Robert GalenIn 2009, I published Scrum Product Ownership - Ed. 1. Then the 2'nd Ed. in 2013. This is the 3'rd edition, celebrating the 10th anniversary of the original book. It's evolved from a beginners guide to be a more balanced reference for beginners, practitioner, and expert Product Owners.
- #8
Functional event-driven architecture: Powered by Scala 3
Gabriel VolpeExplore the event-driven architecture (EDA) in a purely functional way, mainly powered by Fs2 streams in Scala 3!
Leverage your functional programming skills by designing and writing stateless microservices that scale, powered by stateful message brokers.
- #9
Introducing EventStorming
Alberto BrandoliniThe deepest tutorial and explanation about EventStorming, straight from the inventor.
- #10
Agile Testing Condensed Japanese Edition
Yuya Kazama, Janet Gregory, and Lisa CrispinJanet GregoryとLisa Crispinによる2019年9月発行の書籍『Agile Testing Condensed』の日本語翻訳版です。アジャイルにおいてどのような考えでテストを行うべきなのか簡潔に書かれています!
Top Bundles
- #1
Software Architecture for Developers: Volumes 1 & 2 - Technical leadership and communication
2 Books
"Software Architecture for Developers" is a practical and pragmatic guide to modern, lightweight software architecture, specifically aimed at developers. You'll learn:The essence of software architecture.Why the software architecture role should include coding, coaching and collaboration.The things that you really need to think about before... - #2
The Indie Python Extravaganza
5 Books
The Indie Python Extravaganza! A collection of books that will help you to improve your knowledge of the Python programming language one page at a time. Join four indie authors in a journey from the basics of Python to the structure of production-ready systems, going through the core features of the language, some intermediate projects and a... - #3
CCIE Service Provider Ultimate Study Bundle
2 Books
Piotr Jablonski, Lukasz Bromirski, and Nick Russo have joined forces to deliver the only CCIE Service Provider training resource you'll ever need. This bundle contains a detailed and challenging collection of workbook labs, plus an extensively detailed technical reference guide. All of us have earned the CCIE Service Provider certification... - #4
Modern C++ Collection
3 Books
Get All about Modern C++C++ Standard Library, including C++20Concurrency with Modern C++, including C++20C++20Each book has about 200 complete code examples. Updates are included. When I update one of the books, you immediately get the updated bundle. You can expect significant updates to each new C++ standard (C++23, C++26, .. ) and also... - #6
Abandon Your Job - Leaving the Rat Race with Python
8 Books
Now, get all the great Python and Freelancing books from finxter.com in one single bundle!Coffee Break Python - All Python BasicsCoffee Break Python Workbook - Practice the basics of PythonCoffee Break Python Mastery Workouts - Practice advanced Python conceptsCoffee Break Python Slicing - All about SlicingCoffee Break Python NumPy - Get started... - #7
10 Books Bundle - A New Career in Tech 🚀
10 Books
Do you want to create yourself a new and profitable skillset - in one year or less? Do you want to position yourself on the right side of change finally? Do you want to work from home and set your own work schedule while choosing fun and interesting coding projects? Software developers and freelance developersearn six figuresin the US, according... - #8
The Python Craftsman
3 Books
The Python Craftsman series comprises The Python Apprentice, The Python Journeyman, and The Python Master. The first book is primarily suitable for for programmers with some experience of programming in another language. If you don't have any experience with programming this book may be a bit daunting. You'll be learning not just a programming... - #10
Pattern-Oriented Memory Forensics and Malware Detection
2 Books
This training bundle for security engineers and researchers, malware and memory forensics analysts includes two accelerated training courses for Windows memory dump analysis using WinDbg. It is also useful for technical support and escalation engineers who analyze memory dumps from complex software environments and need to check for possible...
