Memory Dump Analysis Anthology, Volume 4, Revised Edition
Memory Dump Analysis Anthology, Volume 4, Revised Edition
About the Book
This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) written in July 2009 - January 2010. In addition to various corrections, this major revision updates relevant links and removes obsolete references. Some articles are preserved for historical reasons. Most of the content, especially memory analysis and trace and log analysis pattern languages, is still relevant today and for the foreseeable future. The output of WinDbg commands is also remastered to include color highlighting. Crash dump analysis pattern names are also corrected to reflect the continued expansion of the catalog.
The fourth revised volume features:
- 15 new crash dump analysis patterns
- 13 new pattern interaction case studies
- 10 new trace analysis patterns
- 6 new Debugware patterns and case study
- Workaround patterns
- Updated checklist
- Fully cross-referenced with revised Volumes 1-3
- Memory visualization tutorials
- Memory space art
The primary audience for Memory Dump Analysis Anthology reference volumes is: software engineers developing and maintaining products on Windows platforms, technical support, escalation, and site reliability engineers dealing with complex software issues, quality assurance engineers testing software on Windows platforms, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. Trace and log analysis articles may be of interest to users of other platforms.
About the Author
Table of Contents
Preface 17
Acknowledgments 19
About the Author 20
PART 1: Professional Crash Dump Analysis and Debugging 21
Common Mistakes 21
Not Using Checklists 21
Not Paying Attention to All Aspects of Default Analysis 23
Not Paying Attention to Context 26
Raw Stack Dump of WOW64 Process 31
On Space and Mode 35
Registry Corruption: A Case Study 36
Wild Code and Partial Stack Reconstruction 39
Manual Parameter Reconstruction on x64 Windows Systems 42
Counterfactual Debugging 46
Dereference Fixpoints 46
Data Ordering 48
Clean Raw Stack Execution Residue 64
Essential and Derived Properties 71
Software Defect Researcher: A New Profession 74
WinDbg Shortcuts 75
lmu and lmk 75
.opendump 80
Live Kernel Debugging of System Freeze 82
Mode-Independent WinDbg Scripts 91
PART 2: Crash Dump Analysis Patterns 93
Succession of Patterns 93
Ubiquitous Component (User Space) 94
Nested Offender 120
Hunting for a Driver 124
Virtualized System 131
Effect Component 137
Well-Tested Function 144
Mixed Exception 145
Random Object 150
Not My Version (Hardware) 153
Missing Process 154
Platform-Specific Debugger 156
Value Deviation (Stack Trace) 159
CLR Thread 163
Insufficient Memory (Control Blocks) 166
PART 3: Crash Dump Analysis AntiPatterns 167
Habitual Reply 167
PART 4: Pattern Interaction 169
Null Data Pointer, Pass-Through Functions, and Platformorphic Fault 169
Stack Trace Collection, Message Box, Hidden Exception, Nested Offender, Insufficient Memory, C++ Exception, Heap Leak, and Ubiquitous Component 172
Blocked LPC Thread, Coupled Processes, Stack Trace Collection, and Blocked GUI Thread 181
Virtualized Process, Incorrect Stack Trace, Stack Trace Collection, Multiple Exceptions, Optimized Code, and C++ Exception 182
NULL Data Pointer, Stack Trace, Inline Function Optimization, and Platformorphic Fault 189
Stack Trace Collection, Suspended Threads, Not My Version, Special Process, Main Thread, and Blocked LPC Chain Threads 192
Truncated Dump, Stack Trace Collection, Waiting Thread Time, and Wait Chains 200
ALPC Wait Chain, Missing Threads, Message Box, Zombie, and Special Processes 202
Critical Section High Contention and Wait Chains, Blocked Threads and Periodic Error: Memory Dump and Trace Analysis Pattern Cooperation 208
WOW64 Process, NULL Data Pointer, Stack Overflow, Main Thread, Incorrect Stack Trace, Nested Exceptions, Hidden Exception, Manual Dump, Multiple Exceptions, and Virtualized System 211
Statement Current, Coupled Processes, Wait Chain, Spiking Thread, Hidden Exception, Message Box, and Not My Version 223
Stack Trace Collection, Missing Threads, Waiting Thread Time, Critical Section, and LPC Wait Chains 226
Wait Chain, Blocked Thread, Waiting Thread Time, IRP Distribution Anomaly, and Stack Trace Collection 231
PART 5: A Bit of Science and Philosophy 235
Memory Exponentiation (PowerSet) 235
Memory Dump View of Artificial Intelligence 236
Memoidealism as Monistic Aspect Pluralism 237
Memory Dumps as Posets 239
Metaphorical Bijectionism: A Method of Inquiry 241
Notes on Memoidealism 246
Panmemorism 247
Qubic Memory Representation 248
Manifold Memory Space 250
Ars Recordatio 252
Categories for the Working Software Defect Researcher 253
MemD Category 253
Operating Closure of Memory 256
Memoidealism Defined 258
Memuon: A Definition 259
PART 6: Fun with Crash Dumps 261
Music for Debugging 261
THE ALL MIGHTY DEBUGGER 261
Memory Space Music 262
The Duet of Threads 263
The Memory Dump of the Dead 264
Ancient Computations and a Vision of the New Dump 265
The Meaning of DUMP 266
Memory Analysis Ritual 267
The Intelligent Memory Movement 268
Moving towards the Psi Point 269
Experiments on Poor Bugs 270
Exception Processing Of Crash Hypothesis (EPOCH) 271
Debugging Slang 272
SAD Events 272
BoBo Address 273
Mad Day 274
Bug-sistential and Bug-sistentialism 275
Debugging Spy Network 276
Games for Debugging: Go 277
The Tsar of Memory Dump Analysis 278
DNA and RNA of Ruptured Computation 279
BAD0B0B0 Address: Childhood Memories 280
Bugs in Passing 281
Named Process: Vostokov.exe 283
Memory Analysts and Debuggers Day 286
After Volume 3 287
Crash, Core, and Memory Dumps in Science Fiction and Fantasy 288
Reasoning with a Bug 301
PART 7: Software Troubleshooting 303
RADII and SDSD 303
Epistemic Troubleshooting and Debugging 304
RADII Process Illustrated 305
Debugware Patterns 307
Trace Expert 307
Troubleshooting Unit of Work 308
Checklist 309
Supporting Module 310
Span Differentiator 311
Self-Extractor 312
A Case Study 314
Can Software Tweet? 319
The Law of Simple Tools 320
Workaround Patterns 321
Hidden Output 321
Frozen Process 324
Axed Code 325
PART 8: Software Trace Analysis 327
The Tool for Analysis of ETW Traces 327
There ought to be a Planet at that Location! 328
Software Trace: Bird’s Eye View 329
Extending Multithreading to Multibraiding (Adjoint Threading) 330
PART 9: Software Trace Analysis Patterns 335
Statement Density and Current 335
Exception Stack Trace 337
Thread of Activity 339
Discontinuity 341
Missing Component 342
Bifurcation Point 343
Characteristic Message Block 345
Activity Region 348
Vocabulary Index 349
Inter-Correlation 350
PART 10: The Origin of Crash Dumps 353
Full Page Heap Settings on x64 Windows 353
Memory Dumps from Hyper-Virtualized Windows 354
Fiber Bundle of Memory Space 357
On Self Dumps of Secure String API 358
PART 11: Memory Visualization 361
Pictures from Memory Space 361
Large-scale Structure of Memory Space 363
Advanced Memory Visualization 365
3D Memory Visualization 376
Memory Map Visualization Tools 389
PART 12: Art 391
Opcodism: The Art of Opcodes 391
Memory Dump and Minidumps 394
Hot Issues from Physicalist Artist Perspective 395
Memory Dumps from Physicalist Artist Perspective 396
Memory Hot Spot and the Illusion of Fix 397
Shared Section 398
Memory Space Road to the Ultimate Fix 399
Structure and Noise 400
PART 13: Miscellaneous 401
Assembling Code in WinDbg 401
Free Stack Traces 403
Stack Space and Program Database Types 405
The Longest Stack Trace 409
Software Victimology 414
Debugger as a Shut up Application 415
Two Great Windows Software Engineering Magazines 416
Appendix 417
Crash Dump Analysis Checklist 417
Index of WinDbg Commands 421
Cover Images 423
Other books by this author
The Leanpub 45-day 100% Happiness Guarantee
Within 45 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
See full terms
Do Well. Do Good.
Authors have earned$10,444,831writing, publishing and selling on Leanpub, earning 80% royalties while saving up to 25 million pounds of CO2 and up to 46,000 trees.
Learn more about writing on Leanpub
Free Updates. DRM Free.
If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).
Most Leanpub books are available in PDF (for computers), EPUB (for phones and tablets) and MOBI (for Kindle). The formats that a book includes are shown at the top right corner of this page.
Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.
Learn more about Leanpub's ebook formats and where to read them
Top Books
- #1
Continuous Delivery Pipelines
Dave FarleyThis practical handbook provides a step-by-step guide for you to get the best continuous delivery pipeline for your software.
- #2
CCIE SP v5.0
Łukasz Bromirski, Piotr Jablonski, and Nicholas RussoAre you striving to prepare to and pass CCIE SP lab exam? Take the opportunity and get this workbook! With the attached initial cfg files you will prepare yourself for the CCIE SP exam as well as learn SP technologies applicable to all kinds of today modern networks! This workbook covers blueprint topics and provides challenging examples.
- #3
Atomic Kotlin
Bruce Eckel and Svetlana IsakovaFor both beginning and experienced programmers! From the author of the multi-award-winning Thinking in C++ and Thinking in Java and a Kotlin team member comes a book that breaks concepts into small, easy-to-digest "atoms," along with exercises supported by hints and solutions directly inside IntelliJ IDEA! Full support at www.AtomicKotlin.com.
- #4
Ansible for DevOps
Jeff GeerlingAnsible is a simple, but powerful, server and configuration management tool. Learn to use Ansible effectively, whether you manage one server—or thousands.
- #5
Practical FP in Scala: A hands-on approach
Gabriel VolpeA practical book aimed for those familiar with functional programming in Scala who are yet not confident about architecting an application from scratch.
Together, we will develop a purely functional application using the best libraries in the Cats ecosystem, while learning about design patterns and best practices.
- #6
CCIE Service Provider Version 4 Written and Lab Exam Comprehensive Guide
Nicholas RussoThe service provider landscape has changed rapidly over the past several years. Networking vendors are continuing to propose new standards, techniques, and procedures for overcoming new challenges while concurrently reducing costs and delivering new services. Cisco has recently updated the CCIE Service Provider track to reflect these changes; this book represents the author's personal journey in achieving that certification.
- #7
C++20
Rainer GrimmC++20 is the next big C++ standard after C++11. As C++11 did it, C++20 changes the way we program modern C++. This change is, in particular, due to the big four of C++20: ranges, coroutines, concepts, and modules.
- #8
Functional Programming Made Easier
Charles ScalfaniA Functional Programming book from beginner to advanced without skipping a single step along the way.
In my 40 years of programming, I've felt that programming books always let me down, especially Functional Programming books. So, I wrote the book I wish I had 5 years ago.
Functional Programming will never be easy, but it can be easier.
- #9
Introducing EventStorming
Alberto BrandoliniThe deepest tutorial and explanation about EventStorming, straight from the inventor.
- #10
Learning Drupal 9 as a framework
Stef Van LooverenThis course will teach you advanced concepts of drupal 9, Object-oriented PHP and Symfony components. After the course, you’ll be able to build robust and scalable software solutions of many kinds.
- #11
Deep Learning with PyTorch Step-by-Step
Daniel Voigt GodoyIn 2019, I published a PyTorch tutorial on Towards Data Science and I was amazed by the reaction from the readers! Their feedback motivated me to write this book to help beginners start their journey into Deep Learning and PyTorch. I hope you enjoy reading this book as much as I enjoy writing it.
- #12
R Programming for Data Science
Roger D. PengThis book brings the fundamentals of R programming to you, using the same material developed as part of the industry-leading Johns Hopkins Data Science Specialization. The skills taught in this book will lay the foundation for you to begin your journey learning data science. Printed copies of this book are available through Lulu.
- #13
The Hundred-Page Machine Learning Book
Andriy BurkovEverything you really need to know in Machine Learning in a hundred pages.
- #14
C++ Best Practices
Jason TurnerLevel up your C++, get the tools working for you, eliminate common problems, and move on to more exciting things!
- #15
Hands-On Quantum Machine Learning With Python
Frank ZickertYou're interested in quantum computing and machine learning...
But you don't know how to get started? Let me help.
Hands-On Quantum Machine Learning With Python is your comprehensive guide to get started with Quantum Machine Learning - the use of quantum computing for computation of machine learning algorithms.
- #16
Visualise, document and explore your software architecture
Simon BrownA short guide to visualising, documenting and exploring your software architecture.
- #17
Technical leadership and the balance with agility
Simon BrownA developer-friendly, practical and pragmatic guide to lightweight software architecture, technical leadership and the balance with agility.
- #18
Everyday Rails - RSpecによるRailsテスト入門
Junichi Ito (伊藤淳一), AKIMOTO Toshiharu, 魚振江, and Aaron SumnerRSpecを使ってRailsアプリケーションに信頼性の高いテストを書く実践的なアドバイスを提供します。詳細で丁寧な説明は本書のオリジナルコンテンツです。また、説明には実際に動かせるサンプルアプリケーションも使用します。本書は2017年版にアップデートされ、RSpec 3.6やRails 5.1といった新しい環境に対応しています!さあ、自信をもってテストできるようになりましょう!
- #19
The Book of TameFlow
Steve TendonDo you need a high performance enterprise governance approach improving management, execution and delivery while dealing with multiple projects/products, events, stakeholders and teams? Giving you better bottom line results, faster time to market, less work, better predictability, happier employees, and delighted clients? Then learn about TameFlow!
- #20
The Simple Haskell Handbook
Marco SampellegriniA project-driven approach to practical Haskell development. Start from zero lines of code and finish with a working CI Server. Step by step. One type error at a time.
Top Bundles
- #1
CCIE Service Provider Ultimate Study Bundle
2 Books
Piotr Jablonski, Lukasz Bromirski, and Nick Russo have joined forces to deliver the only CCIE Service Provider training resource you'll ever need. This bundle contains a detailed and challenging collection of workbook labs, plus an extensively detailed technical reference guide. All of us have earned the CCIE Service Provider certification... - #2
Software Architecture for Developers: Volumes 1 & 2 - Technical leadership and communication
2 Books
"Software Architecture for Developers" is a practical and pragmatic guide to modern, lightweight software architecture, specifically aimed at developers. You'll learn:The essence of software architecture.Why the software architecture role should include coding, coaching and collaboration.The things that you really need to think about before... - #6
9 Books-Bundle: Shut Up and Code!
9 Books
"Shut up and code." Laughter in the audience. The hacker had just plugged in his notebook and started sharing his screen to present his super-smart Python script. "Shut up and code" The letters written in a white literal coding font on black background was the hackers' home screen background mantra. At the time, I was a first-year computer... - #9
All the Books of The Medical Futurist
6 Books
We put together the most popular books from The Medical Futurist to provide a clear picture about the major trends shaping the future of medicine and healthcare. Digital health technologies, artificial intelligence, the future of 20 medical specialties, big pharma, data privacy, digital health investments and how technology giants such as Amazon... - #10
Development and Deployment of Multiplayer Online Games, Part ARCH. Architecture (Vol. I-III)
3 Books
What's the Big Idea? The idea behind this book is to summarize the body of knowledge that already exists on multiplayer games but is not available in one single place.And quite a fewof the issues discussed within this series (planned as three nine volumes ~300 pages each), while known in the industry, have not been published at all (except for...
