Memory Dump Analysis Anthology, Volume 4, Revised Edition
About the Book
This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (formerly the Crash Dump Analysis blog) written between July 2009 and January 2010. In addition to various corrections, this major revision updates relevant links and removes obsolete references. Some articles are preserved for historical reasons. Most of the content, especially the memory analysis and trace and log analysis pattern languages, is still relevant today and for the foreseeable future. The output of WinDbg commands has been remastered to include color highlighting. Crash dump analysis pattern names have also been corrected to reflect the continued expansion of the catalog.
The fourth revised volume features:
- 15 new crash dump analysis patterns
- 13 new pattern interaction case studies
- 10 new trace analysis patterns
- 6 new Debugware patterns and a case study
- Workaround patterns
- Updated checklist
- Fully cross-referenced with revised Volumes 1-3
- Memory visualization tutorials
- Memory space art
The primary audience for the Memory Dump Analysis Anthology reference volumes is software engineers developing and maintaining products on Windows platforms; technical support, escalation, and site reliability engineers dealing with complex software issues; quality assurance engineers testing software on Windows platforms; security and vulnerability researchers; reverse engineers; and malware and memory forensics analysts. The trace and log analysis articles may also be of interest to users of other platforms.
Table of Contents
Preface 17
Acknowledgments 19
About the Author 20
PART 1: Professional Crash Dump Analysis and Debugging 21
Common Mistakes 21
Not Using Checklists 21
Not Paying Attention to All Aspects of Default Analysis 23
Not Paying Attention to Context 26
Raw Stack Dump of WOW64 Process 31
On Space and Mode 35
Registry Corruption: A Case Study 36
Wild Code and Partial Stack Reconstruction 39
Manual Parameter Reconstruction on x64 Windows Systems 42
Counterfactual Debugging 46
Dereference Fixpoints 46
Data Ordering 48
Clean Raw Stack Execution Residue 64
Essential and Derived Properties 71
Software Defect Researcher: A New Profession 74
WinDbg Shortcuts 75
lmu and lmk 75
.opendump 80
Live Kernel Debugging of System Freeze 82
Mode-Independent WinDbg Scripts 91
PART 2: Crash Dump Analysis Patterns 93
Succession of Patterns 93
Ubiquitous Component (User Space) 94
Nested Offender 120
Hunting for a Driver 124
Virtualized System 131
Effect Component 137
Well-Tested Function 144
Mixed Exception 145
Random Object 150
Not My Version (Hardware) 153
Missing Process 154
Platform-Specific Debugger 156
Value Deviation (Stack Trace) 159
CLR Thread 163
Insufficient Memory (Control Blocks) 166
PART 3: Crash Dump Analysis AntiPatterns 167
Habitual Reply 167
PART 4: Pattern Interaction 169
Null Data Pointer, Pass-Through Functions, and Platformorphic Fault 169
Stack Trace Collection, Message Box, Hidden Exception, Nested Offender, Insufficient Memory, C++ Exception, Heap Leak, and Ubiquitous Component 172
Blocked LPC Thread, Coupled Processes, Stack Trace Collection, and Blocked GUI Thread 181
Virtualized Process, Incorrect Stack Trace, Stack Trace Collection, Multiple Exceptions, Optimized Code, and C++ Exception 182
NULL Data Pointer, Stack Trace, Inline Function Optimization, and Platformorphic Fault 189
Stack Trace Collection, Suspended Threads, Not My Version, Special Process, Main Thread, and Blocked LPC Chain Threads 192
Truncated Dump, Stack Trace Collection, Waiting Thread Time, and Wait Chains 200
ALPC Wait Chain, Missing Threads, Message Box, Zombie, and Special Processes 202
Critical Section High Contention and Wait Chains, Blocked Threads and Periodic Error: Memory Dump and Trace Analysis Pattern Cooperation 208
WOW64 Process, NULL Data Pointer, Stack Overflow, Main Thread, Incorrect Stack Trace, Nested Exceptions, Hidden Exception, Manual Dump, Multiple Exceptions, and Virtualized System 211
Statement Current, Coupled Processes, Wait Chain, Spiking Thread, Hidden Exception, Message Box, and Not My Version 223
Stack Trace Collection, Missing Threads, Waiting Thread Time, Critical Section, and LPC Wait Chains 226
Wait Chain, Blocked Thread, Waiting Thread Time, IRP Distribution Anomaly, and Stack Trace Collection 231
PART 5: A Bit of Science and Philosophy 235
Memory Exponentiation (PowerSet) 235
Memory Dump View of Artificial Intelligence 236
Memoidealism as Monistic Aspect Pluralism 237
Memory Dumps as Posets 239
Metaphorical Bijectionism: A Method of Inquiry 241
Notes on Memoidealism 246
Panmemorism 247
Qubic Memory Representation 248
Manifold Memory Space 250
Ars Recordatio 252
Categories for the Working Software Defect Researcher 253
MemD Category 253
Operating Closure of Memory 256
Memoidealism Defined 258
Memuon: A Definition 259
PART 6: Fun with Crash Dumps 261
Music for Debugging 261
THE ALL MIGHTY DEBUGGER 261
Memory Space Music 262
The Duet of Threads 263
The Memory Dump of the Dead 264
Ancient Computations and a Vision of the New Dump 265
The Meaning of DUMP 266
Memory Analysis Ritual 267
The Intelligent Memory Movement 268
Moving towards the Psi Point 269
Experiments on Poor Bugs 270
Exception Processing Of Crash Hypothesis (EPOCH) 271
Debugging Slang 272
SAD Events 272
BoBo Address 273
Mad Day 274
Bug-sistential and Bug-sistentialism 275
Debugging Spy Network 276
Games for Debugging: Go 277
The Tsar of Memory Dump Analysis 278
DNA and RNA of Ruptured Computation 279
BAD0B0B0 Address: Childhood Memories 280
Bugs in Passing 281
Named Process: Vostokov.exe 283
Memory Analysts and Debuggers Day 286
After Volume 3 287
Crash, Core, and Memory Dumps in Science Fiction and Fantasy 288
Reasoning with a Bug 301
PART 7: Software Troubleshooting 303
RADII and SDSD 303
Epistemic Troubleshooting and Debugging 304
RADII Process Illustrated 305
Debugware Patterns 307
Trace Expert 307
Troubleshooting Unit of Work 308
Checklist 309
Supporting Module 310
Span Differentiator 311
Self-Extractor 312
A Case Study 314
Can Software Tweet? 319
The Law of Simple Tools 320
Workaround Patterns 321
Hidden Output 321
Frozen Process 324
Axed Code 325
PART 8: Software Trace Analysis 327
The Tool for Analysis of ETW Traces 327
There ought to be a Planet at that Location! 328
Software Trace: Bird’s Eye View 329
Extending Multithreading to Multibraiding (Adjoint Threading) 330
PART 9: Software Trace Analysis Patterns 335
Statement Density and Current 335
Exception Stack Trace 337
Thread of Activity 339
Discontinuity 341
Missing Component 342
Bifurcation Point 343
Characteristic Message Block 345
Activity Region 348
Vocabulary Index 349
Inter-Correlation 350
PART 10: The Origin of Crash Dumps 353
Full Page Heap Settings on x64 Windows 353
Memory Dumps from Hyper-Virtualized Windows 354
Fiber Bundle of Memory Space 357
On Self Dumps of Secure String API 358
PART 11: Memory Visualization 361
Pictures from Memory Space 361
Large-scale Structure of Memory Space 363
Advanced Memory Visualization 365
3D Memory Visualization 376
Memory Map Visualization Tools 389
PART 12: Art 391
Opcodism: The Art of Opcodes 391
Memory Dump and Minidumps 394
Hot Issues from Physicalist Artist Perspective 395
Memory Dumps from Physicalist Artist Perspective 396
Memory Hot Spot and the Illusion of Fix 397
Shared Section 398
Memory Space Road to the Ultimate Fix 399
Structure and Noise 400
PART 13: Miscellaneous 401
Assembling Code in WinDbg 401
Free Stack Traces 403
Stack Space and Program Database Types 405
The Longest Stack Trace 409
Software Victimology 414
Debugger as a Shut up Application 415
Two Great Windows Software Engineering Magazines 416
Appendix 417
Crash Dump Analysis Checklist 417
Index of WinDbg Commands 421
Cover Images 423