Accelerated Windows Memory Dump Analysis, Sixth Edition, Part 1, Process User Space
Accelerated Windows Memory Dump Analysis, Sixth Edition, Part 1, Process User Space
Training Course Transcript and WinDbg Practice Exercises with Notes
About the Book
This book is a full-color transcript of Software Diagnostics Services training sessions with 22 step-by-step exercises, notes, source code of specially created modeling applications, and more than 70 questions and answers. Covers more than 50 crash dump analysis patterns from x86 and x64 process memory dumps. Learn how to analyze application and service crashes and freezes, navigate through process user space, and diagnose heap corruption, memory and handle leaks, CPU spikes, blocked threads, deadlocks, wait chains, and many more patterns of abnormal software behavior with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve. Prerequisites: Basic Windows troubleshooting. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers and quality assurance engineers, and site reliability engineers. The 6th edition was fully reworked for the latest WinDbg version and includes additional Windows 11 memory dumps, relevant x64 assembly language review, and a Rust memory dump analysis example.
About the Author
Bundles that include this book
Table of Contents
About the Author 5
Presentation Slides and Transcript 7
Review of x64 Disassembly 35
Practice Exercises 47
Exercise 0: Download, set up, and verify your WinDbg or Debugging Tools for Windows installation, or Docker Debugging Tools for Windows image 52
Exercise P1: Analysis of a normal application process dump (64-bit wordpad) 66
Exercise P2: Analysis of a normal application process dump (32-bit wordpad) 77
Exercise P3: Analysis of a normal application process dump (64-bit Microsoft Edge) 80
Exercise P4: Analysis of an application process dump (64-bit AppK, no symbols) 91
Exercise P5: Analysis of an application process dump (64-bit AppK, with application symbols) 101
Exercise P6: Analysis of an application process dump (AppL, 64-bit) 106
Exercise P7: Analysis of an application process dump (AppL2, 64-bit) 116
Exercise P8: Analysis of an application process dump (AppM, 64-bit) 130
Exercise P9: Analysis of an application process dump (AppN, 64-bit) 140
Exercise P10: Analysis of an application process dump (AppO, 64-bit) 150
Exercise P11: Analysis of an application process dump (AppP, 64-bit) 159
Exercise P12: Analysis of an application process dump (AppR2, 64-bit) 171
Exercise P13: Analysis of an application process dump (AppA, WOW64) 185
Exercise P14: Analysis of an application process dump (AppS, 64-bit) 204
Exercise P15: Analysis of an application process dump (notepad, 32-bit) 224
Exercise P16: Analysis of an application process dump (notepad, 64-bit) 229
Exercise P17: Analysis of an application process dump (AppQ, 32-bit) 237
Exercise P18: Analysis of an application process dump (AppQ, 64-bit) 249
Exercise P19: Analysis of an application process dump (AppT, 64-bit) 259
Exercise P20: Analysis of a service process dump (ServiceA, 64-bit) 274
Exercise P21: Analysis of a Rust process dump (Rusty, 64-bit) 277
Application Source Code 287
AppA 289
AppK 291
AppL 292
AppL2 293
AppM 294
AppN 295
AppO 296
AppP 298
AppR2 299
AppS 300
AppQ 302
AppT 306
ServiceA 308
Rusty 311
Selected Q&A 313
Triple Dereference 349
Large Heap Allocations 352
Other books by this author
The Leanpub 60 Day 100% Happiness Guarantee
Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.
You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!
So, there's no reason not to click the Add to Cart button, is there?
See full terms...
Earn $8 on a $10 Purchase, and $16 on a $20 Purchase
We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.
(Yes, some authors have already earned much more than that on Leanpub.)
In fact, authors have earnedover $14 millionwriting, publishing and selling on Leanpub.
Learn more about writing on Leanpub
Free Updates. DRM Free.
If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).
Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.
Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.
Learn more about Leanpub's ebook formats and where to read them
