The Design of Memory Dump Analysis: 7 Steps of Highly Successful Analysts
by Dmitry Vostokov
Memory Dump Analysis Anthology, Volume 7
- Cover Page
- Title Page
- Copyright Page
- Summary of Contents
- Contents
- Preface
- Acknowledgements
- Part 1: Professional Crash Dump Analysis and Debugging
- WinDbg Shortcuts
- Two WinDbg Scripts That Changed the World
- Raw Stack Dump of All Threads (Kernel Space)
- The Design of Memory Dump Analysis: 7 Steps of Highly Successful Analysts
- Postmortem Effects of -g
- Event Owners
- Improbable Occurrence
- Pattern Cooperation
- Page Heap Implementation
- More Common Mistakes in Memory Analysis
- Memory Dump Analysis Best Practices
- Part 2: Crash Dump Analysis Patterns
- FPU Exception
- Hidden Parameter
- Memory Leak (Page Tables)
- Unrecognizable Symbolic Information
- Network Packet Buildup
- Disconnected Network Adapter
- Problem Module
- Empty Stack Trace
- Debugger Bug
- Value References
- Self-Diagnosis (Registry)
- System Object
- Module Variable
- Stack Trace Collection (Predicate)
- Stack Trace Collection (I/O Requests)
- Regular Data
- Translated Exception
- Blocked DPC
- Late Crash Dump
- Blocked Thread (Timeout)
- Punctuated Memory Leak
- Insufficient Memory (Reserved Virtual Memory)
- Coincidental Error Code
- Stored Exception
- Activity Resonance
- Value Adding Process
- Memory Leak (I/O Completion Packets)
- No Current Thread
- Unloaded Module
- Stack Trace Change
- Spike Interval
- Deviant Module
- Hidden Exception (Kernel Space)
- Handled Exception (Kernel Space)
- High Contention (.NET CLR Monitors)
- Frozen Process
- Incomplete Session
- Error Reporting Fault
- First Fault Stack Trace
- Hidden Process
- Disk Packet Buildup
- Deviant Token
- Module Collection
- Handle Leak
- Critical Stack Trace
- Debugger Omission
- Broken Link
- Wait Chain (Pushlocks)
- Insufficient Memory (Session Pool)
- Step Dumps
- Reduced Symbolic Information
- Injected Symbols
- Glued Stack Trace
- Distributed Wait Chain
- Ubiquitous Component (Kernel Space)
- One-Thread Process
- Module Product Process
- Crash Signature Invariant
- Small Values
- Shared Structure
- Wait Chain (CLR Monitors)
- Thread Cluster
- Module Collection (Predicate)
- False Effective Address
- Screwbolt Wait Chain
- Part 3: Core Dump Analysis Patterns (Mac OS X)
- GDB for WinDbg Users
- Stack Trace
- GDB Annoyances: Incomplete Stack Trace
- NULL Pointer (Data)
- Shared Buffer Overwrite
- Multiple Exceptions
- Double Free (Process Heap)
- Dynamic Memory Corruption (Process Heap)
- Spiking Thread
- NULL Pointer (Code)
- Execution Residue
- Coincidental Symbolic Information
- Paratext
- Truncated Dump
- C++ Exception
- Local Buffer Overflow
- Divide by Zero (User Mode)
- Stack Overflow (User Mode)
- Active Thread
- Part 4: Malware Analysis Patterns
- Part 5: A Bit of Science and Philosophy
- On Matter
- Commodities as Memories
- Software as Means of Production
- Notes on Memoidealism
- The Confluence of Computers, Philosophy, and Religion
- Analytic Memory Dump - A Mathematical Definition
- Sorting and Early Greek Philosophers
- General Abnormal Patterns of Structure and Behavior
- On Matter and Substances
- M-Memory
- Ontology of Memoidealism
- Philosophies of Persistence
- Information as Arrow
- Dialectical Triad in Memoidealism
- Part 6: Software Trace Analysis Patterns
- Software Trace Diagrams (STDiagrams)
- Macrofunction
- Linked Messages
- Marked Message
- Trace Frames
- Counter Value
- Message Context
- Error Distribution
- Break-in Activity
- Resume Activity
- Fiber Bundle
- Data Flow
- Empty Trace
- Error Message
- Periodic Message Block
- Visibility Limit
- Relative Density
- Sparse Trace
- Opposition Messages
- Split Trace
- Message Interleave
- Sheaf of Activities
- Indexical Trace
- Abnormal Value
- Dominant Event Sequence
- Pivot Message
- Traces of Individuality
- Indirect Facts
- Hidden Error
- Last Activity
- State and Event
- Dialogue
- Motif
- Exception Stack Trace (Java)
- Correlated Discontinuity
- Piecewise Activity
- Density Distribution
- Factor Group
- Silent Messages
- Shared Point
- Meta Trace
- Data Association
- State Dump
- Message Cover
- Message Set
- Error Thread
- Activity Divergence
- Part 7: Fun with Crash Dumps
- Part 8: Software Narratology
- Software Anti-Narrative
- Software Narratology Helps Fiction Writers
- Narremes in Software Narratology
- Narralog - A Software Trace Modeling Language
- What is a Software Narrative?
- Software Narrative Planes
- Software Narratology Square
- Writing and Validation of Historical Narratives
- Software Trace Analysis Patterns Domain Hierarchy
- Process Monitor as Modeling Tool
- Generalized Software Narrative and Trace
- Unified Computer Diagnostics: Incorporating Hardware Narratology
- Introducing Software Narratology of Things (Software NT)
- Part 9: Software Diagnostics, Troubleshooting and Debugging
- Unified and Generative Debugging
- Software Problem Description Language
- What are Software Trace and Memory Dump Analysis? A One Sentence Definition
- Software Problem Solving Tools as a Service
- Software Problem Description Patterns
- Software Behavior Pattern Prediction
- Patterns of Software Diagnostics
- Highly Effective Diagnostics
- Network Trace Analysis Patterns
- Software Diagnostics Services
- Architecture of Process Memory Dump Capture Done Right
- An Introduction to General Systems Thinking (Book Review)
- Software Diagnostics Institute Logo
- User Interface Problem Analysis Patterns
- Pattern-Based Software Diagnostics
- Software Diagnostics Discipline
- Architecture of memCPU
- Phenomenology of Software Diagnostics: A First Sketch
- Software Diagnostics Report Schemes
- Software Diagnostics Training: Two Approaches
- Software Disruption Patterns
- Static Code Analysis Patterns
- The Structure of Software Problem Solving Organization
- Bridging the Great Divide
- Elementary Software Diagnostics Patterns
- Zero Fault Software Diagnostics
- Agile Software Diagnostics
- ADDR Pattern Catalogue
- Thinking-Based Software Diagnostics
- Memory Acquisition Pattern Catalogue
- Trace Acquisition Pattern Catalogue
- Patterns of Software Diagnostics Architecture
- Detecting and Predicting the Unknown
- Software Diagnostics Metaphors
- Rapid Software Diagnostics Process (RSDP)
- Right First Time Software Diagnosis
- Software Diagnosis Codes
- Vulnerability Analysis Patterns (VAP)
- Part 10: Art and Visualization
- 2012 (Pessimistic)
- 2012 (Optimistic)
- A Bug in a Bag (Collections, Ex-hi-bit 1)
- A Bug Meets a Bug (The Clash of Civilizations)
- A Bug Catcher
- The Second Generation of CARE System (Trademark)
- RawStackGram
- A Memory Window
- Liquid Memory
- Computer Brain
- Computer Evolution
- M Spaces
- Happy Hellowin!
- Pointers in Nature
- Drink Sensibly Before The End Of The World!
- MM=DD=YY
- Process Monitor Log Visualized
- Holes Infinity (HI OS)
- Cyber Vostok Missions
- A Dump Machine
- The Power of Simplicity
- Happy St. Patrick's Screen
- Happy New Year 2014!
- I Love Software Diagnostics
- Puree Windows Cooking
- Political Computicarts
- The Day I Quit
- Hero of Dump Analysis, a Medal for Labor Day
- Diagnosed by Vostokov®™
- Stack Trace Shapes
- The Art of Internals
- Threadinking
- Part 11: Miscellaneous
- Appendix
- Index of WinDbg Commands
- Notes
- Cover Images
The Design of Memory Dump Analysis: 7 Steps of Highly Successful Analysts
We were recently asked to outline a simple approach to proceed after opening a memory dump. So we came up with these 7 steps:
1. !analyze -v [-hang]
2. Exception (Bugcheck): stack trace analysis with d* and lmv
3. !locks
4. !runaway f (!running)
5. Dump all (processes and) thread stack traces [with 32-bit] ~*kv (!process 0 3f)
6. Search for signs/patterns of abnormal behavior (exceptions, wait chains, message boxes [, from your custom checklist4])
7. Narrow analysis down to a specific thread and dump raw stack data if needed [repeat*]
(Commands / options in brackets denote kernel/complete dump variation)
[Notes in square brackets denote additional options, such as x64 specifics, your product details, etc.]
4 http://www.dumpanalysis.org/windows-memory-analysis-checklist
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.