mscorsvw  Date: 2021-05-23
Windows Memory Dump Analysis
Dmitry Vostokov
Software Diagnostics Services
Version 2.0
(c) 2013 Software Diagnostics Services

Prerequisites
Basic Windows troubleshooting

WinDbg Commands
We use these boxes to introduce WinDbg commands used in practice exercises.

Training Goals
Review fundamentals
Learn how to analyze process dumps
Learn how to analyze kernel dumps
Learn how to analyze complete dumps

Training Principles
Talk only about what I can show
Lots of pictures
Lots of examples
Original content and examples

Schedule Summary
Day 1: Analysis Fundamentals (1 hour); Process Memory Dumps (1 hour)
Day 2: Process Memory Dumps (2 hours)
Day 3: Kernel Memory Dumps (2 hours)
Day 4: Complete Memory Dumps (2 hours); Remaining Process Memory Dumps

Part 1: Fundamentals

Process Space (x86)
Kernel Space: 80000000 - FFFFFFFF
User Space:   00000000 - 7FFFFFFF

Process Space (x64)
Kernel Space: FFFFF800`00000000 - FFFFFFFF`FFFFFFFF
User Space:   00000000`00000000 - 000007FF`FFFFFFFF

Application / Process / Module
User Space (PID 102): Notepad.exe (module Notepad), user32.dll (module user32)
Kernel Space

OS Kernel / Driver / Module
Kernel Space: Driver.sys (module Driver), Ntoskrnl.exe (module nt)
User Space
Process Virtual Space: 00000000 ... FFFFFFFF

Process Memory Dump
User Space (PID 102): Notepad, user32  ->  Notepad.exe.102.dmp
Kernel Space: Driver, nt
WinDbg Commands: lmv lists modules and their description.

Kernel Memory Dump
Kernel Space: Driver, nt  ->  MEMORY.DMP
User Space (PID 102): Notepad, user32
WinDbg Commands: lmv lists modules and their description.

Complete Memory Dump
Kernel Space: Driver, nt; User Space (PID 102): Notepad, user32; User Space (PID 204): Calc, user32  ->  MEMORY.DMP
WinDbg Commands: .process switches between process virtual spaces (the kernel space part remains the same).

Process Threads
User Space (PID 306): Application A, user32, ntdll; threads TID 204, TID 102
Kernel Space: Driver, nt
WinDbg Commands:
  Process dumps: ~s switches between threads.
  Kernel/Complete dumps: ~s switches between processors; .thread switches between threads.

System Threads
Kernel Space: Driver, nt; thread TID 306
User Space (PID 306): Application A, user32, ntdll
WinDbg Commands:
  Kernel/Complete dumps: ~s switches between processors; .thread switches between threads.

Thread Stack Raw Data
User Space (PID 306): Application A, user32, ntdll; TID 204, TID 102
User stack for TID 102, user stack for TID 204; kernel stack for TID 102, kernel stack for TID 204
WinDbg Commands:
  Process dumps: !teb
  Kernel dumps: !thread
  Complete dumps: !teb for user space, !thread for kernel space
  Data: dc / dps / dpp / dpa / dpu

Thread Stack Trace
WinDbg Commands:
  0:000> k
  Module!FunctionD
  Module!FunctionC+130
  Module!FunctionB+220
  Module!FunctionA+110
Diagram (user stack for TID 102):
  FunctionA() { ... FunctionB(); ... }
  FunctionB() { ... FunctionC(); ... }
  FunctionC() { ... FunctionD(); ... }
Each call saves its return address on the stack and later resumes from that address: FunctionA saves Module!FunctionA+110 when calling FunctionB, FunctionB saves Module!FunctionB+220 when calling FunctionC, FunctionC saves Module!FunctionC+130 when calling FunctionD. The stack therefore holds the return addresses Module!FunctionC+130, Module!FunctionB+220 and Module!FunctionA+110, which is what k shows below the current frame Module!FunctionD.

Thread Stack Trace (no PDB)
WinDbg Commands:
  0:000> k
  Module+0
  Module+43130
  Module+32220
  Module+22110
No symbols for Module: the same stack shows only module-relative offsets. FunctionA starts at Module+22000, FunctionB at Module+32000, FunctionC at Module+43000, FunctionD at Module+54000; the saved return addresses are Module+22110, Module+32220 and Module+43130.
Symbol file Module.pdb: FunctionA 22000-23000; FunctionB 32000-33000; FunctionC 43000-44000; FunctionD 54000-55000

Exceptions (Access Violation)
User Space (PID 306): Application A, user32, ntdll, ModuleA; TID 204, TID 102; user stack for TID 102, user stack for TID 204
ModuleA: invalid memory access; address 00000000: NULL pointer
WinDbg Commands:
  Set exception context (process dump): .cxr address
  Set trap context (kernel/complete dump): .trap address
  Check address: !pte address

Exceptions (Runtime)
User Space (PID 306): Application A, user32, ntdll, ModuleA; TID 204, TID 102; user stack for TID 102, user stack for TID 204
ModuleA throws an error.

Pattern-Driven Analysis
Information Collection (Scripts) -> Information Extraction (Checklists) -> Problem Identification (Patterns) -> Problem Resolution (Troubleshooting Suggestions, Debugging Strategy)
Pattern: a common recurrent identifiable problem together with a set of recommendations and possible solutions to apply in a specific context.
Patterns: http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/
Checklist: http://www.dumpanalysis.org/windows-memory-analysis-checklist

Part 2: Practice Exercises

Links
Memory Dumps: Not available in preview version
Exercise Transcripts: Not available in preview version

Exercise 0
Goal: Install Debugging Tools for Windows and learn how to set up symbols correctly
Patterns: Incorrect Stack Trace

Process Memory Dumps: Exercises P1-P16

Exercise P1
Goal: Learn how to see dump file type and version, get a stack trace, check its correctness, perform default analysis, list modules, check their version information, check process environment
Patterns: Manual Dump; Stack Trace; Not My Version; Environment Hint

Exercise P2
Goal: Learn how to list stack traces, check their correctness, perform default analysis, list modules, check their version information, check process environment; dump module data
Patterns: Manual Dump; Stack Trace; Not My Version; Environment Hint; Unknown Component

Exercise P3
Goal: Learn how to list stack traces, check their correctness, perform default analysis, list modules, check their version information, check thread age and CPU consumption
Patterns: Stack Trace Collection

Exercise P4
Goal: Learn to recognize exceptions in process memory dumps and get their context
Patterns: Exception Thread; Multiple Exceptions; NULL Pointer

Exercise P5
Goal: Learn how to load application symbols, recognize exceptions in process memory dumps and get their context
Patterns: Exception Thread; Multiple Exceptions; NULL Pointer

Exercise P6
Goal: Learn how to recognize heap corruption
Patterns: Exception Thread; Dynamic Memory Corruption

Exercise P7
Goal: Learn how to recognize heap corruption and check error and status codes
Patterns: Exception Thread; Dynamic Memory Corruption

Exercise P8
Goal: Learn how to recognize CPU spikes, invalid pointers and disassemble code
Patterns: Exception Thread; Wild Code; CPU Spike; Multiple Exceptions; NULL Code Pointer; Invalid Pointer

Exercise P9
Goal: Learn how to recognize critical section waits and deadlocks, dump raw stack data and see hidden exceptions
Patterns: Wait Chain; Deadlock; Hidden Exception

Deadlock (diagram)
Critical Section 000000013fd7ef08 and Critical Section 000000013fd7eee0; Thread 1 and Thread 2 each own one of the critical sections and wait for the other (Thread 1 (owns), Thread 2 (owns), Thread 1 (waiting), Thread 2 (waiting)).

Exercise P10
Goal: Learn how to recognize application heap problems, buffer and stack overflow patterns and analyze raw stack data
Patterns: Double Free; Local Buffer Overflow; Stack Overflow

Exercise P11
Goal: Learn how to analyze various patterns, raw stacks and execution residue
Patterns: Divide by Zero; C++ Exception; Multiple Exceptions; Execution Residue

Exercise P12
Goal: Learn how to load the correct .NET WinDbg extension and analyze managed space
Patterns: CLR Thread; Version-Specific Extension; Managed Code Exception; Managed Stack Trace

Exercise P13
Goal: Learn how to analyze a 32-bit process saved as a 64-bit process memory dump
Patterns: Virtualized Process; Message Box; Execution Residue

Exercise P14
Goal: Learn how to analyze process memory leaks
Patterns: Spiking Thread; Thread Age; Memory Leak (process heap)

Parameters and Locals
Debugging TV Frames episode 0x18

Symbol Types
Exported and imported names (EXE, DLL)
Function and variable names
Data types

Exercise P15
Goal: Learn how to navigate function parameters in cases of reduced symbolic information in 32-bit process memory dumps
Patterns: Reduced Symbolic Information

Exercise P16
Goal: Learn how to navigate function parameters in x64 process memory dumps
Patterns: False Function Parameters; Injected Symbols

Pattern Links
Spiking Thread; CLR Thread; C++ Exception; Critical Section Deadlock; Divide by Zero; Double Free; Heap Corruption; Exception Stack Trace; Execution Residue; Hidden Exception; Invalid Pointer; Local Buffer Overflow; Manual Dump; Managed Code Exception; Managed Stack Trace; Multiple Exceptions; Not My Version; NULL Data Pointer; NULL Code Pointer; Stack Trace; Stack Trace Collection; Stack Overflow; Environment Hint; Wild Code; Unknown Component; Wait Chain; Virtualized Process; Message Box; Version-Specific Extension; Memory Leak; False Function Parameters; Injected Symbols; Reduced Symbolic Information

Kernel Memory Dumps: Exercises K1-K5

Exercise K1
Goal: Learn how to get various information related to hardware, system, sessions, processes, threads and modules
Patterns: Invalid Pointer; Virtualized System; Stack Trace Collection

Exercise K2
Goal: Learn how to check and compare kernel pool usage
Patterns: Manual Dump; Insufficient Memory (kernel pool)

Exercise K3
Goal: Learn how to recognize pool corruption and check pool data
Patterns: Dynamic Memory Corruption (kernel pool); Execution Residue

Exercise K4
Goal: Learn how to check hooked or invalid code and kernel raw stack
Patterns: Null Pointer; Hooked Functions (kernel space); Execution Residue; Coincidental Symbolic Information

Exercise K5
Goal: Learn how to check I/O requests
Patterns: Blocking File

Pattern Links
Manual Dump; Invalid Pointer; Virtualized System; Stack Trace Collection; Insufficient Memory; Dynamic Memory Corruption; Execution Residue; Null Pointer; Hooked Functions; Coincidental Symbolic Information; Blocking File

Additional Pattern Links
ERESOURCE patterns and case studies

Complete Memory Dumps: Exercises C1-C2

Memory Spaces
Complete memory == physical memory
We always see the current process space
Context switch
WinDbg Commands: switching to a different process context: .process /r /p
Diagram: User Space, current process A (NotMyFault.exe) + Kernel Space, current process A (NotMyFault.exe); after the switch: User Space, current process B (svchost.exe) + Kernel Space, current process A (NotMyFault.exe).

Major Challenges
Multiple processes (user spaces) to examine
User space view needs to be correct when we examine another thread
WinDbg Commands: dump all stack traces: !process 0 3f

Common Commands
.logopen: opens a log file to save all subsequent output
View commands: dump everything or selected processes and threads (context changes automatically)
Switch commands: switch to a specific process or thread for a fine-grain analysis

View Commands
!process 0 3f: lists all processes (including times, environment, modules) and their thread stack traces
!process 0 1f: the same as the previous command but without PEB information (more secure)
!process <address> 3f or !process <address> 1f: the same as the previous commands but only for an individual process
!thread <address> 1f: shows thread information and stack trace
!thread <address> 16: the same as the previous command but shows the first 3 parameters for every function

Switch Commands
.process /r /p <address>: switches to a specified process. Its context becomes current. Reloads symbol files for user space. Now we can use commands like !cs.
  0: kd> .process /r /p fffffa80044d8b30
  Implicit process is now fffffa80`044d8b30
  Loading User Symbols
.thread <address>: switches to a specified thread. Assumes the current process context. Now we can use commands like k*.
.thread /r /p <address>: the same as the previous command but makes the thread's process context current and reloads symbol files for user space:
  0: kd> .thread /r /p fffffa80051b7060
  Implicit thread is now fffffa80`051b7060
  Implicit process is now fffffa80`044d8b30
  Loading User Symbols

Exercise C1
Goal: Learn how to get various information related to processes, threads and modules
Patterns: Stack Trace Collection

Example: Blocked Thread
THREAD fffffa800451db60  Cid 07f4.0b8c  Teb: 000007fffffd6000 Win32Thread: fffff900c27c0c30 WAIT: (WrUserRequest) UserMode Non-Alertable
    fffffa8004e501e0  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a001e84c00
Owning Process            fffffa8004514630       Image:         ApplicationA.exe
[...]
Stack Init fffff88005b7fdb0 Current fffff88005b7f870
Base fffff88005b80000 Limit fffff88005b77000 Call 0
Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`05b7f8b0 fffff800`01a93992 nt!KiSwapContext+0x7a
fffff880`05b7f9f0 fffff800`01a95cff nt!KiCommitThreadWait+0x1d2
fffff880`05b7fa80 fffff960`0011b557 nt!KeWaitForSingleObject+0x19f
fffff880`05b7fb20 fffff960`0011b5f1 win32k!xxxRealSleepThread+0x257
fffff880`05b7fbc0 fffff960`0012e22e win32k!xxxSleepThread+0x59
fffff880`05b7fbf0 fffff800`01a8b993 win32k!NtUserWaitMessage+0x46
fffff880`05b7fc20 00000000`775cbf5a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05b7fc20)
00000000`022ff7c8 00000000`775d7214 USER32!ZwUserWaitMessage+0xa
00000000`022ff7d0 00000000`775d74a5 USER32!DialogBox2+0x274
00000000`022ff860 00000000`776227f0 USER32!InternalDialogBox+0x135
00000000`022ff8c0 00000000`77621ae5 USER32!SoftModalMessageBox+0x9b4
00000000`022ff9f0 00000000`7762133b USER32!MessageBoxWorker+0x31d
00000000`022ffbb0 00000000`77621232 USER32!MessageBoxTimeoutW+0xb3
>>> 00000000`022ffc80 00000001`3f3c1089 USER32!MessageBoxW+0x4e
00000000`022ffcc0 00000001`3f3c11fb ApplicationA+0x1089
00000000`022ffcf0 00000001`3f3c12a5 ApplicationA+0x11fb
00000000`022ffd20 00000000`776cf56d ApplicationA+0x12a5
00000000`022ffd50 00000000`77803281 kernel32!BaseThreadInitThunk+0xd
00000000`022ffd80 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Example: Wait Chain
THREAD fffffa8004562b60  Cid 0b34.0858  Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
>>> fffffa8004b96ce0  Mutant - owning thread fffffa8004523b60
Not impersonating
DeviceMap                 fffff8a001e84c00
Owning Process            fffffa8005400b30       Image:         ApplicationC.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      36004          Ticks: 4286 (0:00:01:06.862)
Context Switch Count      2
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ApplicationC (0x000000013f7012a0)
Stack Init fffff88005b1ddb0 Current fffff88005b1d900
Base fffff88005b1e000 Limit fffff88005b18000 Call 0
Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`05b1d940 fffff800`01a93992 nt!KiSwapContext+0x7a
fffff880`05b1da80 fffff800`01a95cff nt!KiCommitThreadWait+0x1d2
fffff880`05b1db10 fffff800`01d871d2 nt!KeWaitForSingleObject+0x19f
fffff880`05b1dbb0 fffff800`01a8b993 nt!NtWaitForSingleObject+0xb2
fffff880`05b1dc20 00000000`7781fefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05b1dc20)
00000000`00e2f658 000007fe`fda910ac ntdll!NtWaitForSingleObject+0xa
00000000`00e2f660 00000001`3f70112e KERNELBASE!WaitForSingleObjectEx+0x79
00000000`00e2f700 00000001`3f70128b ApplicationC+0x112e
00000000`00e2f730 00000001`3f701335 ApplicationC+0x128b
00000000`00e2f760 00000000`776cf56d ApplicationC+0x1335
00000000`00e2f790 00000000`77803281 kernel32!BaseThreadInitThunk+0xd
00000000`00e2f7c0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Example: Handle Leak
1: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8003baa890
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00187000  ObjectTable: fffff8a000001a80  HandleCount: 558.
    Image: System

PROCESS fffffa8004277870
    SessionId: none  Cid: 011c    Peb: 7fffffdf000  ParentCid: 0004
    DirBase: 133579000  ObjectTable: fffff8a00000f3d0  HandleCount:  35.
    Image: smss.exe

PROCESS fffffa80048f3950
    SessionId: 0  Cid: 016c    Peb: 7fffffdf000  ParentCid: 0154
    DirBase: 128628000  ObjectTable: fffff8a001d62f90  HandleCount: 387.
    Image: csrss.exe

[...]

PROCESS fffffa800541a060
    SessionId: 1  Cid: 0b94    Peb: 7fffffde000  ParentCid: 06ac
>>> DirBase: a6ba9000  ObjectTable: fffff8a0098efaf0  HandleCount: 20013.
    Image: ApplicationE.exe

[...]

Example: Corruption
THREAD fffffa8004514060  Cid 0abc.087c  Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
    fffffa800518fb30  ProcessObject
[...]
Child-SP          RetAddr           Call Site
fffff880`05a6c940 fffff800`01a93992 nt!KiSwapContext+0x7a
fffff880`05a6ca80 fffff800`01a95cff nt!KiCommitThreadWait+0x1d2
fffff880`05a6cb10 fffff800`01d871d2 nt!KeWaitForSingleObject+0x19f
fffff880`05a6cbb0 fffff800`01a8b993 nt!NtWaitForSingleObject+0xb2
fffff880`05a6cc20 00000000`7781fefa nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05a6cc20)
00000000`00dde928 00000000`77895ce2 ntdll!NtWaitForSingleObject+0xa
00000000`00dde930 00000000`77895e85 ntdll!RtlReportExceptionEx+0x1d2
00000000`00ddea20 00000000`77895eea ntdll!RtlReportException+0xb5
00000000`00ddeaa0 00000000`77896d25 ntdll!RtlpTerminateFailureFilter+0x1a
00000000`00ddead0 00000000`777e5148 ntdll!RtlReportCriticalFailure+0x96
00000000`00ddeb00 00000000`7780554d ntdll!_C_specific_handler+0x8c
00000000`00ddeb70 00000000`777e5d1c ntdll!RtlpExecuteHandlerForException+0xd
00000000`00ddeba0 00000000`777e62ee ntdll!RtlDispatchException+0x3cb
00000000`00ddf280 00000000`77896cd2 ntdll!RtlRaiseException+0x221
00000000`00ddf8c0 00000000`77897396 ntdll!RtlReportCriticalFailure+0x62
00000000`00ddf990 00000000`778986c2 ntdll!RtlpReportHeapFailure+0x26
00000000`00ddf9c0 00000000`7789a0c4 ntdll!RtlpHeapHandleError+0x12
00000000`00ddf9f0 00000000`7783d1cd ntdll!RtlpLogHeapFailure+0xa4
00000000`00ddfa20 00000000`776d2c7a ntdll!::FNODOBFM::`string'+0x123b4
>>> 00000000`00ddfaa0 00000001`3fa71274 kernel32!HeapFree+0xa
00000000`00ddfad0 00000001`3fa710c3 ApplicationD+0x1274
00000000`00ddfb00 00000001`3fa71303 ApplicationD+0x10c3
00000000`00ddfb30 00000001`3fa713ad ApplicationD+0x1303
00000000`00ddfb60 00000000`776cf56d ApplicationD+0x13ad
00000000`00ddfb90 00000000`77803281 kernel32!BaseThreadInitThunk+0xd
00000000`00ddfbc0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Example: Special Process
1: kd> !vm
[...]
    0744 svchost.exe      19725 (   78900 Kb)
    06ac explorer.exe     11444 (   45776 Kb)
    0920 iexplore.exe      8828 (   35312 Kb)
    0354 svchost.exe       5589 (   22356 Kb)
    040c audiodg.exe       4003 (   16012 Kb)
    0334 svchost.exe       3852 (   15408 Kb)
    04e4 spoolsv.exe       3230 (   12920 Kb)
    012c svchost.exe       2802 (   11208 Kb)
    0168 iexplore.exe      2106 (    8424 Kb)
    0384 svchost.exe       2090 (    8360 Kb)
    042c svchost.exe       1938 (    7752 Kb)
    0218 lsass.exe         1314 (    5256 Kb)
    03d4 svchost.exe       1128 (    4512 Kb)
>>> 0a78 WerFault.exe      1107 (    4428 Kb)
    0210 services.exe      1106 (    4424 Kb)
    0288 svchost.exe        980 (    3920 Kb)
    02d8 svchost.exe        891 (    3564 Kb)
    0438 msdtc.exe          851 (    3404 Kb)
    071c mscorsvw.exe       821 (    3284 Kb)
    0378 taskhost.exe       795 (    3180 Kb)
    01a8 psxss.exe          685 (    2740 Kb)
    08a0 jusched.exe        667 (    2668 Kb)
    09e0 jucheck.exe        621 (    2484 Kb)
    0828 mscorsvw.exe       600 (    2400 Kb)
    0538 mdm.exe            595 (    2380 Kb)
    0220 lsm.exe            595 (    2380 Kb)
[...]

Exercise C2
Goal: Learn how to recognize various abnormal software behavior patterns
Patterns: Special Process; Handle Leak; Spiking Thread; Stack Trace Collection; Message Box; Wait Chain; Exception Thread

Wait Chain (diagram)
Process ApplicationC: Critical Section 00a9b7c0, Critical Section 00a9b7a8; Thread 886ee030 (owns), Thread 83336a00 (owns), Thread 886ee030 (waiting)
Process ApplicationB: Mutant 00a9b7c0; Thread 832be6d8 (owns), Thread 83336a00 (waiting), Thread 830f9990 (waiting)

Pattern Links
Special Process; Handle Leak; Spiking Thread; Stack Trace Collection; Message Box; Wait Chain (critical sections); Exception Stack Trace
Also other patterns are present in the C2 memory dump (not shown in the exercise transcript): Wait Chain (window messaging); Paged Out Data; Wait Chain (LPC/ALPC)

Common Mistakes
Not switching to the appropriate context
Not looking at full stack traces
Not looking at all stack traces
Not using checklists
Not looking past the first found evidence
Note: Listing both x86 and x64 stack traces: http://www.dumpanalysis.org/blog/index.php/2010/02/09/complete-stack-traces-from-x64-system/

Kernel Minidumps
Memory Dump Analysis Anthology, Volume 1, pp. 43-67

Pattern Classification
Space/Mode; Memory dump type; Hooksware; Wait Chain Patterns; DLL Link Patterns; Insufficient Memory Patterns; Contention Patterns; Stack Overflow Patterns; Stack Trace Patterns; Symbol Patterns; Exception Patterns; Meta-Memory Dump Patterns; Module Patterns; Optimization Patterns; Thread Patterns; Process Patterns; Dynamic Memory Corruption Patterns; Deadlock and Livelock Patterns; .NET/CLR/Managed Space Patterns; Executive Resource Patterns

Pattern Case Studies
70 multiple pattern case studies: http://www.dumpanalysis.org/blog/index.php/pattern-cooperation/
Pattern Interaction chapters in Memory Dump Analysis Anthology

Resources
WinDbg Help / WinDbg.org (quick links)
DumpAnalysis.org
Debugging.TV
Windows Internals, 6th ed.
Windows Debugging: Practical Foundations
x64 Windows Debugging: Practical Foundations
Advanced Windows Debugging
Windows Debugging Notebook: Essential User Space WinDbg Commands
Memory Dump Analysis Anthology

Q&A
Please send your feedback using the contact form on PatternDiagnostics.com

Thank you for attendance!
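The "Thread Stack Trace (no PDB)" slide shows why a stack of bare Module+offset frames is hard to read and how the Module.pdb address ranges turn each saved return address back into Module!Function+offset. The following Python script is an added example, not part of the training deck: it takes the k output exactly as the slide prints it, a constructed symbol table with the slide's four ranges, and resolves every frame; an offset that falls outside every known range (the top frame Module+0 here) is deliberately left unresolved so that a missing or wrong symbol file shows up instead of being papered over (the Incorrect Stack Trace pattern from Exercise 0). Offsets are treated as hexadecimal, as WinDbg prints them.

```python
"""Resolve module-relative return addresses (Module+offset) to Module!Function+offset
using a table of function address ranges, as a PDB would. Added example; the symbol
table and the k output below are constructed to match the slide, not taken from a real dump."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Symbol:
    name: str
    start: int  # module-relative start address, inclusive
    end: int    # module-relative end address, exclusive


# Constructed symbol table mirroring the slide's Module.pdb ranges (hex offsets).
MODULE_PDB = [
    Symbol("FunctionA", 0x22000, 0x23000),
    Symbol("FunctionB", 0x32000, 0x33000),
    Symbol("FunctionC", 0x43000, 0x44000),
    Symbol("FunctionD", 0x54000, 0x55000),
]

# Constructed 'k' output as the slide shows it when no symbols are loaded for Module.
K_OUTPUT_NO_PDB = """\
0:000> k
Module+0
Module+43130
Module+32220
Module+22110
"""

# One frame line: a module name, '+', and a hex offset. Prompt lines do not match.
FRAME_RE = re.compile(r"^(?P<module>[A-Za-z_][\w.]*)\+(?P<offset>[0-9a-fA-F]+)$")


def resolve(module: str, offset: int, symbols: list[Symbol]) -> str:
    """Return 'Module!Function+off' when offset lies inside a known function range.
    Otherwise return the raw 'Module+offset' so the unresolved frame stays visible."""
    for sym in symbols:
        if sym.start <= offset < sym.end:
            delta = offset - sym.start
            return f"{module}!{sym.name}" + (f"+{delta:x}" if delta else "")
    return f"{module}+{offset:x}"


def symbolicate(k_output: str, symbols: list[Symbol]) -> list[str]:
    """Parse k output and resolve each Module+offset frame, top of stack first."""
    frames: list[str] = []
    for line in k_output.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # skip the debugger prompt and anything that is not a frame
        frames.append(resolve(m["module"], int(m["offset"], 16), symbols))
    return frames


def unresolved(frames: list[str]) -> list[str]:
    """Frames that still carry a bare Module+offset after symbolication.
    Any entry here means the symbol file does not cover that address."""
    return [f for f in frames if "!" not in f]


if __name__ == "__main__":
    resolved = symbolicate(K_OUTPUT_NO_PDB, MODULE_PDB)
    for frame in resolved:
        print(frame)
    print("unresolved:", unresolved(resolved))
```

Each saved return address resolves to the call site of the function that called the frame above it (Module+43130 becomes Module!FunctionC+130, the instruction after FunctionC's call to FunctionD), which is exactly the mapping the two stack-trace slides draw with their "saves return address" arrows.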
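The Deadlock diagram of Exercise P9 and the Wait Chain diagram of Exercise C2 both reduce to the same structure: each blocked thread waits on a synchronization object (critical section or mutant) that another thread owns, and the "Mutant - owning thread" line in the Wait Chain example above is where that edge is read off a !thread listing. The Python below is an added example, not the course's own material, that builds that wait-for graph from constructed thread and object records and classifies what the analyst sees: a chain that ends at a thread not blocked on any tracked object is a Wait Chain whose last element is the root blocker to examine next; a chain that revisits a thread is a Deadlock. Thread and object identifiers are constructed placeholders, not addresses from the slides.

```python
"""Wait-for graph over threads and synchronization objects: distinguish a linear
Wait Chain (has a root blocker) from a Deadlock (cycle). Added example; all
thread/object identifiers below are constructed, not from a real memory dump."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SyncObject:
    address: str          # object address as WinDbg would print it
    kind: str             # "CriticalSection" or "Mutant"
    owner: str | None     # owning thread, None when unowned


@dataclass(frozen=True)
class Thread:
    address: str
    waits_on: str | None  # address of the object the thread is blocked on, if any


# Constructed scenario 1 (P9-style deadlock): two critical sections, each thread
# owns one and waits for the other.
# Constructed scenario 2 (C2-style wait chain): Thread#4 waits on a mutant owned
# by Thread#3, which is blocked on something not tracked here (e.g. a message box).
OBJECTS = [
    SyncObject("CS#1", "CriticalSection", owner="Thread#1"),
    SyncObject("CS#2", "CriticalSection", owner="Thread#2"),
    SyncObject("Mutant#1", "Mutant", owner="Thread#3"),
]
THREADS = [
    Thread("Thread#1", waits_on="CS#2"),
    Thread("Thread#2", waits_on="CS#1"),
    Thread("Thread#3", waits_on=None),
    Thread("Thread#4", waits_on="Mutant#1"),
]


def wait_for_graph(threads: list[Thread], objects: list[SyncObject]) -> dict[str, str | None]:
    """Map each thread to the thread it waits for: the owner of the object it is
    blocked on. None means not blocked on a tracked object (or the object is unowned)."""
    by_addr = {o.address: o for o in objects}
    graph: dict[str, str | None] = {}
    for t in threads:
        obj = by_addr.get(t.waits_on) if t.waits_on else None
        graph[t.address] = obj.owner if obj else None
    return graph


def follow_chain(graph: dict[str, str | None], start: str) -> tuple[list[str], bool]:
    """Walk wait-for edges from start. Returns (chain, is_cycle). A thread whose chain
    runs into any already-visited thread is deadlocked, even if the cycle does not
    pass through the starting thread itself."""
    chain, seen, cur = [start], {start}, start
    while True:
        nxt = graph.get(cur)
        if nxt is None:
            return chain, False
        chain.append(nxt)
        if nxt in seen:
            return chain, True
        seen.add(nxt)
        cur = nxt


def classify(threads: list[Thread], objects: list[SyncObject]) -> dict[str, dict]:
    """For every thread report the pattern name, the wait chain, and (for a linear
    chain) the root blocker whose own stack trace should be examined next."""
    graph = wait_for_graph(threads, objects)
    report: dict[str, dict] = {}
    for t in threads:
        chain, is_cycle = follow_chain(graph, t.address)
        if len(chain) == 1:
            pattern, root = "not blocked", None
        elif is_cycle:
            pattern, root = "Deadlock", None
        else:
            pattern, root = "Wait Chain", chain[-1]
        report[t.address] = {"pattern": pattern, "chain": chain, "root_blocker": root}
    return report


if __name__ == "__main__":
    for thread, info in classify(THREADS, OBJECTS).items():
        print(f"{thread}: {info['pattern']}  chain={' -> '.join(info['chain'])}"
              f"  root_blocker={info['root_blocker']}")
```

Reading the result the way the Common Mistakes slide asks: the Deadlock verdict only appears once both threads' wait targets have been gathered, and the Wait Chain verdict names Thread#3 as the place to switch context to next rather than stopping at the first blocked thread found.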
