Memory Dump Analysis Anthology

Transcription

1 Memory Dump Analysis Anthology Volume 6 Dmitry Vostokov Software Diagnostics Institute OpenTask

2 2 Published by OpenTask, Republic of Ireland Copyright 2013 by Dmitry Vostokov Copyright 2015 by Software Diagnostics Institute All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior written permission of the publisher. You must not circulate this book in any other binding or cover, and you must impose the same condition on any acquirer. OpenTask books are available through booksellers and distributors worldwide. For further information or comments send requests to press@opentask.com. Product and company names mentioned in this book may be trademarks of their owners. A CIP catalog record for this book is available from the British Library. ISBN-13: (Paperback) ISBN-13: (Hardback) First printing, 2013 Revision 2 (July 2015)

3 3 Summary of Contents Preface Acknowledgements PART 1: Professional Crash Dump Analysis and Debugging PART 2: Crash Dump Analysis Patterns PART 3: Pattern Interaction PART 4: Unified and Generative Debugging PART 5: A Bit of Science and Philosophy PART 6: Fun with Crash Dumps PART 7: A Bit of Religion PART 8: Software Trace Analysis PART 9: Software Trace Analysis Patterns PART 10: Software Troubleshooting and Debugging PART 11: Software Victimology PART 12: Art PART 13: Miscellaneous PART 14: Intelligence Analysis Appendix Index of WinDbg Commands About the Author

4 4 Cover Images

5 5 Contents Preface Acknowledgements PART 1: Professional Crash Dump Analysis and Debugging Memory Dump Analysis Best Practices Windows Debugging Expert System WinDbg Extension Common Mistakes Not Comparing to Reference Debugger Output From Bugchecks to Patterns Raw Stack from Laterally Damaged Memory Dumps WinDbg Tips and Tricks: Getting the Bottom of a Stack Trace PART 2: Crash Dump Analysis Patterns Divide by Zero (Kernel Mode) Fat Process Dump Blocked Queue Crash Signature Invalid Parameter (Process Heap) Hooking Level Embedded Comments Well-Tested Module... 48

6 6 String Parameter Environment Hint Dual Stack Trace Blocking Module Wait Chain (Window Messaging) Wait Chain (Named Pipes) Top Module Dialog Box Technology-Specific Subtrace (COM Interface Invocation) Livelock Semantic Structure (PID.TID) Instrumentation Side Effect Directing Module Stack Overflow (Software Implementation) Data Correlation Truncated Stack Trace Least Common Frame Self-Diagnosis (Kernel Mode) Technology-Specific Subtrace (Dynamic Memory) Module Hint... 92

7 7 Custom Exception Handler (Kernel Space) No Data Types Cloud Environment Version-Specific Extension Multiple Exceptions (Managed Space) Blocking File Quiet Dump Pleiades Thread Age Unsynchronized Dumps Coupled Modules Managed Stack Trace Problem Vocabulary Activation Context Stack Trace Set Special Thread (.NET CLR) Dynamic Memory Corruption (Managed Heap) Stack Trace Collection (Managed Space) Duplicate Extension Deadlock (Managed Space)

8 8 Caller-n-Callee Handled Exception (User Space) Handled Exception (.NET CLR) Execution Residue (Managed Space) Annotated Disassembly (JIT.NET code) Wait Chain (Mutex Objects) Inline Function Optimization (Managed Code) Technology-Specific Subtrace (JIT.NET Code) Double IRP Completion PART 3: Pattern Interaction Main Thread, Self-Diagnosis, Window Message Chain, Blocking Module, Ubiquitous Component, Dual Stack Trace, Pipe Wait Chain and Coupled Machines Abridged Dump, Embedded Comment, Spiking Thread, Incorrect Stack Trace and Top Module Stack Trace Collection, Message Box, Self-Diagnosis, Version-Specific Extension, Managed Stack Trace and Managed Code Exception PART 4: Unified and Generative Debugging A Periodic Table of Software Defects Analysis, Architectural, Design, Implementation and Usage Debugging Patterns Generative Debugging Metadefect Template Library PART 5: A Bit of Science and Philosophy

9 9 On Memory Perspectives Orbifold Memory Space Notes on Memoidealism M->analysis Memiosphere On Memory-Time vs. Space-Time The Will to Be Memorized The Trinity of Memory Worldview Uses of Memoretics Crossdisciplinary Memoretics as Interdisciplinary Science Private Property on Memory Spaces Coarse vs. Fine Grained DNA of Software Behavior PART 6: Fun with Crash Dumps Music for Debugging Binary Threads Out of Memory and Losing My Data (Comment Impact) Navigating the Long List Debugging Joke Memory Dump Barcodes MessageBox at Dublin Zoo

10 10 CDB for Kids Snow Spike Residue Second Snowfall Spike in Dublin MMXI Happy New Year and Decade of Debugging 0 7DB - 0 7E4! Do Security Professionals Dream? Debugging Slang Golden Bug Beer Time Finger Exercise Resolution Rush The Window of Opportunity Dump Pre-analysis Tapping Having Fun Adult Debugging Second Eye Abscess Finction

11 11 Mad OS and other Publishing Blunders The Ultimate Debugger s Desk Memceptions: Flags and Handles are Everywhere! Computer Memory Monsters On President s Daily Briefs (PDBs) The First Evidence for Process Resurrection Vacuum Pages WinDbg Command on Certificate Pleasing WinDbg SOS Extension Airport Terminal Services Incident Philosophical Self-Interview PART 7: A Bit of Religion Memory Creates God Morality and Memorianity On Natural Theology PART 8: Software Trace Analysis Pattern Interaction Basic Facts, Periodic Error, and Defamiliarizing Effect Close and Deconstructive Readings of a Software Trace Software Tracing Best Practices

12 12 No Longer Seeing Nothing: The Advantage of Patterns PART 9: Software Trace Analysis Patterns Focus of Tracing Event Sequence Order Implementation Discourse News Value Master Trace Gossip Impossible Trace Glued Activity Message Invariant UI Message Original Message PART 10: Software Troubleshooting and Debugging Debugware Patterns System Description Snapshot Debugging in 2021: Trends for the Next Decade The Way of Philip Marlowe: Abductive Reasoning for Troubleshooting and Debugging Workaround Patterns Fake API

13 13 User Interface Problem Analysis Patterns Message Box PART 11: Software Victimology Function Activity Theory PART 12: Art No E-numbers Software Product Sticker Paleo-debugging: Excavated Minidump Stack Trace Art Debugger s Dream Defect in Defect Memorianity Cross Memioart: The New Art Form Clouded Cloud Traces What Is To Be Done? PART 13: Miscellaneous GI Index of Memory Dump Analysis The New School of Debugging TestWER Tool to Test Windows Error Reporting Moving to ARM

14 14 The New School of Debugging: What s New A.C.P. Root Cause Analysis Methodology TestWAER Tool to Test Windows Azure Error Reporting PART 14: Intelligence Analysis Intelligence Analysis Patterns The Birth of Memory Intelligence Agency Appendix Memory Analysis as a Service Stack Overflow Patterns NET / CLR / Managed Space Patterns Stack Trace Patterns Symbol Patterns Analysis Compass Software Trace Analysis Checklist Crash Dump Analysis Checklist Index of WinDbg Commands About the Author Cover Images