About the Author 7
Introduction 8
What’s New 9
Prerequisites 10
Training Goals 11
Training Principles 12
Coverage (Part 1) 13
Fundamentals 14
Process Space (x64, ARM64) 15
Application/Process/Module 16
Process Virtual Space (x64, ARM64) 17
Process Memory Dump (x64, ARM64) 18
Process Space (x86) 19
Application/Process/Module (x86) 20
Process Memory Dump (x86) 21
Process Virtual Space (WOW64) 22
Process Memory Dump (WOW64) 23
Process Threads 24
Thread Stack Raw Data 25
Thread Stack Trace 26
Thread Stack Trace (no PDB) 27
Exceptions (Access Violation) 28
Exception (Runtime) 29
Pattern-Oriented Diagnostic Analysis 30
Review of x64 Disassembly 31
x64 CPU Registers 32
x64 Instructions and Registers 33
x64 Stack Addressing 34
x64 Memory Cell Sizes 35
x64 Memory Load Instructions 36
x64 Memory Store Instructions 37
x64 Flow Instructions 38
x64 Windows API Parameters 39
Review of ARM64 Disassembly 40
A64 CPU Registers 41
A64 Instructions and Registers 42
A64 Stack Addressing 43
A64 Memory Load Instructions 44
A64 Memory Store Instructions 45
A64 Flow Instructions 46
A64 Windows API Parameters 47
Practical Exercises 48
Links 49
Exercise 0 50
Process Memory Dumps 57
Types of WinDbg Command 58
Exercise P1 59
Exercise P2 71
Exercise P3 73
Exercise P4 85
Exercise P5 95
Exercise P6 101
Exercise P7 112
Exercise P8 127
Mechanisms (Invalid Pointer) 141
Mechanisms (Active Thread) 142
Exercise P9 143
Deadlock 154
Mechanisms (Deadlock) 155
Exercise P10 156
Mechanisms (Heap Corruption) 166
Mechanisms (Stack Corruption) 167
Mechanisms (Stack Overflow) 168
Exercise P11 169
Exercise P12 181
Exercise P13 198
Exercise P14 218
Mechanisms (Memory Leak) 236
Parameters and Locals 237
Symbol Types 238
Exercise P15 239
Exercise P16 244
Exercise P17 252
Exercise P18 264
Exercise P19 275
Exercise P20 290
Exercise P21 293
Exercise P22 297
Exercise P23 308
Exercise P24 316
Exercise P25 324
Windows Internals 335
Collection Methods 337
Process Dump Generation 338
Pattern Links 339
Pattern Classification 340
Pattern Case Studies 341
Additional Resources 342
Further Training Courses 344
Application Source Code 346
AppA 346
AppK 348
AppL 349
AppL2 350
AppM 351
AppN 352
AppO 354
AppP 356
AppR2 358
AppS 359
AppQ 361
AppT 366
ServiceA 368
Rusty 371
Selected Q&A 372
Added in Version 5.5 372
From Earlier Versions 383
Additional Materials 409
Triple Dereference 409
Large Heap Allocations 412


