Agile Software Diagnostics

We introduce this method based on iterative and incremental pattern-oriented diagnostics we founded and developed during the last few years. It is currently based on 5 principles:

  1. Patterns are the principal measure of quality
  2. Attention to detail through checklists
  3. Analysis is done by motivated expertise-driven trusted individuals
  4. Customer satisfaction by useful analysis delivered in the shortest possible time
  5. Analysis audit as a pair diagnostics

Book: Software Diagnostics

The following direct links can be used to order the book now:

Buy Hardcover from Amazon

Buy Hardcover from Barnes & Noble

Buy Hardcover from Book Depository

The book is available for Safari Books Online subscribers

Also available for sale in PDF format from Software Diagnostics Services.

This is a collection of Software Diagnostics Services webinar transcripts about pattern-oriented software diagnostics developed by Software Diagnostics Institute. Includes 9 seminars on pattern-driven software problem solving, software narratology, pattern-driven software diagnostics, systemic software diagnostics, pattern-based software diagnostics, philosophy of software diagnostics, victimware, malware narratives and pattern-oriented network trace analysis.

  • Title: Software Diagnostics: The Collected Seminars
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (September 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Hardback: 302 pages
  • ISBN-13: 978-1908043641

Book: Accelerated .NET Memory Dump Analysis, Second Edition

The following direct links can be used to order the book now:

Buy Paperback or Kindle from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

The first edition is also available for Safari Books Online subscribers

The second edition is available for SkillSoft Books24x7 subscribers

The second edition is also available in PDF format from Software Diagnostics Services.

The full transcript of Software Diagnostics Services training with 9 step-by-step exercises, notes, source code of specially created modeling applications and selected Q&A. Covers 20 .NET memory dump analysis patterns plus additional unmanaged patterns. Learn how to analyze .NET application and service crashes and freezes, navigate through memory dump space (managed and unmanaged code) and diagnose corruption, leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention, and much more. The training consists of practical step-by-step exercises using WinDbg to diagnose patterns in 32-bit and 64-bit process memory dumps. The training uses a unique and innovative pattern-driven analysis approach to speed up the learning curve. Prerequisites: Basic .NET programming and debugging. Audience: Software technical support and escalation engineers, system administrators, software developers and quality assurance engineers.

  • Title: Accelerated .NET Memory Dump Analysis: Training Course Transcript and WinDbg Practice Exercises, Second Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (August 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 268 pages
  • ISBN-13: 978-1908043597

Table of Contents

Debugging TV

Welcome to Debugging TV and Frames series where each episode features some facet of debugging, memory dump, and software trace analysis on Windows, Mac OS X, and Android platforms in 8 slides in 8 minutes including live WinDbg (Windows) or GDB demonstration (Mac OS X, Linux) plus extra 8 minutes for you to ask questions.

All episodes are available on YouTube with descriptions: http://www.youtube.com/DebuggingTV

Debugging TV Frame 0x01
Slides: DebuggingTV_Frame_0x01.pdf
WinDbg log: DebuggingTV_Frame_0x01.txt

Debugging TV Frame 0x02
Slides: DebuggingTV_Frame_0x02.pdf
From Q&A session: DIA SDK to access PDB symbol files

Debugging TV Frame 0x03
Slides: DebuggingTV_Frame_0x03.pdf
WinDbg log: DebuggingTV_Frame_0x03.txt

Debugging TV Frame 0x04
Slides: DebuggingTV_Frame_0x04.pdf
WinDbg log: DebuggingTV_Frame_0x04.txt
Note on Q&A: There was a question about the difference between .symopt-4 and .reload /f and indeed for the exercise purpose there was no difference. However I understood the question incorrectly and when I mentioned about forcing mismatched symbols load I meant .reload /f /i that we covered in the previous Frame Episode 0x02.

Debugging TV Frame 0x05
Slides: DebuggingTV_Frame_0x05.pdf
WinDbg log: DebuggingTV_Frame_0x05.txt

Debugging TV Frame 0x06
Slides: DebuggingTV_Frame_0x06.pdf
WinDbg log: DebuggingTV_Frame_0x06.txt

Debugging TV Frame 0x07
Slides: DebuggingTV_Frame_0x07.pdf
WinDbg log: DebuggingTV_Frame_0x07.txt

Debugging TV Frame 0x08
Slides: DebuggingTV_Frame_0x08.pdf
WinDbg log: DebuggingTV_Frame_0x08.txt
API description: contexts.h

Debugging TV Frame 0x09
Slides: DebuggingTV_Frame_0x09.pdf
WinDbg log 1: DebuggingTV_Frame_0x09-1.txt
WinDbg log 2: DebuggingTV_Frame_0x09-2.txt

Debugging TV Frame 0x0A (Mac OS X)
Slides: DebuggingTV_Frame_0x0A.pdf

Debugging TV Frame 0x0B (Mac OS X)
Slides: DebuggingTV_Frame_0x0B.pdf

Debugging TV Frame 0x0C (Mac OS X)
Crash report: MultipleThreads_2012-04-06-092234_DumpAnalysis-MacBook-Air.crash
Slides: DebuggingTV_Frame_0x0C.pdf

Debugging TV Frame 0x0D (Mac OS X)
Crash report: SpikingThread_2012-05-04-174941_DumpAnalysis-MacBook-Air.crash
Slides: DebuggingTV_Frame_0x0D.pdf

Debugging TV Frame 0x0E (Mac OS X)
Crash report: HeapCorruption2_2012-05-24-111258_DumpAnalysis-MacBook-Air.crash
Crash report: DoubleFree_2012-05-24-130929_DumpAnalysis-MacBook-Air.crash
Slides: DebuggingTV_Frame_0x0E.pdf

Debugging TV Frame 0x0F (Mac OS X)
Slides: DebuggingTV_Frame_0x0F.pdf

Debugging TV Frame 0x10 (General Software Diagnostics)
Slides: DebuggingTV_Frame_0x10.pdf

Debugging TV Frame 0x11 (Windows, Mac OS X)
Slides: DebuggingTV_Frame_0x11.pdf

Debugging TV Frame 0x12 (Mac OS X)
Slides: DebuggingTV_Frame_0x12.pdf

Debugging TV Frame 0x13 (Mac OS X)
Slides: DebuggingTV_Frame_0x13.pdf

Debugging TV Frame 0x14 (Windows)
Slides: DebuggingTV_Frame_0x14.pdf

Debugging TV Frame 0x15 (Windows)
Slides: DebuggingTV_Frame_0x15.pdf
MessageHistory x86 log: messages32.txt
MessageHistory x64 log: messages64.txt

Debugging TV Frame 0x16 (Windows)
Slides: DebuggingTV_Frame_0x16.pdf
WinDbg log (process dump): windbg-old-hangs-on-windows8-dump.txt
WinDbg log (complete dump): memory-windows8.txt

Debugging TV Frame 0x17 (Windows)
Slides: DebuggingTV_Frame_0x17.pdf

Debugging TV Frame 0x18 (Windows)
Slides: DebuggingTV_Frame_0x18.pdf
WinDbg log: logfile.txt
Source code: FrameNavigation.txt

Debugging TV Frame 0x19 (Windows)
Slides: DebuggingTV_Frame_0x19.pdf

Debugging TV Frame 0x1A (Software Diagnostics Architecture)
Slides: DebuggingTV_Frame_0x1A.pdf

Debugging TV Frame 0x1B (Windows)
Slides: DebuggingTV_Frame_0x1B.pdf
WinDbg log (iexplore memory dump analysis): iexplore-dump-analysis.txt
WinDbg log (iexplore live analysis): iexplore-live-analysis.txt

Debugging TV Frame 0x1C (Windows)
Slides: DebuggingTV_Frame_0x1C.pdf
WinDbg log: Episode-0x1C-1-no-lsass.txt
WinDbg log: Episode-0x1C-2-fibre-bundle-user-space.txt
WinDbg log: Episode-0x1C-3-fibre-bundle-kernel-space.txt
WinDbg log: Episode-0x1C-4-file-copy-spike-wrl-symbols.txt

Debugging TV Frame 0x20 (Windows)
Slides: DebuggingTV_Frame_0x20.pdf
WinDbg log: InjectionResidue.txt

Debugging TV Frame 0x21 (Windows)
Slides: DebuggingTV_Frame_0x21.pdf

Debugging TV Frame 0x22 (Windows)
Slides: DebuggingTV_Frame_0x22.pdf

Debugging TV Frame 0x23 (Windows)
Slides: DebuggingTV_Frame_0x23.pdf

Debugging TV Frame 0x24 (Windows)
Slides: DebuggingTV_Frame_0x24.pdf
Source code: PastStackTrace.txt
WinDbg log (x86): PastStackTrace32.txt
WinDbg log (x64): PastStackTrace64.txt

Debugging TV Frame 0x25 (Windows)
Slides: DebuggingTV_Frame_0x25.pdf
WinDbg log: Episode-0x25-windbg-log.txt

Debugging TV Frame 0x26 (Windows)
Slides: DebuggingTV_Frame_0x26.pdf
Source code: BufferUnderwrite.cpp
WinDbg log 1: NormalHeap.txt
WinDbg log 2: FullPageHeap.txt
WinDbg log 3: FullPageHeapBackwards.txt

Debugging TV Frame 0x27 (Windows)
Slides: DebuggingTV_Frame_0x27.pdf
WinDbg log: Episode-0x27-windbg-log.txt

Debugging TV Frame 0x28 (Windows)
Slides: DebuggingTV_Frame_0x28.pdf
WinDbg log: Episode-0x28-windbg-log.txt

Debugging TV Frame 0x29 (Windows)
Slides: DebuggingTV_Frame_0x29.pdf
WinDbg log: Episode-0x29-windbg-log.txt

Debugging TV Frame 0x30 (Windows)
Slides: DebuggingTV_Frame_0x30.pdf

Debugging TV Frame 0x31 (Windows)
Slides: DebuggingTV_Frame_0x31.pdf
WinDbg log: Episode-0x31-WinDbg-log.txt

Debugging TV Frame 0x32 (Android)
Slides: DebuggingTV_Frame_0x32.pdf
Java code: FullscreenActivityJava.txt
Android log (fragments): StackTraceCollectionLog.txt

Debugging TV Frame 0x33 (Android)
Slides: DebuggingTV_Frame_0x33.pdf
Java code for SpikingThread app: FullscreenActivitySpikingThreadJava.txt
Java code for Deadlock app: FullscreenActivityDeadlockJava.txt
Android log (fragments) for SpikingThread app: SpikingThreadLog.txt
Android log (fragments) for Deadlock app: DeadlockLog.txt
The output of top command (ADB): top.txt
The output of ps -t command (ADB): ps-t.txt

Debugging TV Frame 0x34 (Android)
Slides: DebuggingTV_Frame_0x34.pdf

More frames are coming and www.debugging.tv hosts TV programme and recordings of past episodes.

Introduction to Systemic Software Diagnostics

The following direct links can be used to order the book now:

Buy Kindle version

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

Available for SkillSoft Books24x7 subscribers

This is a transcript of Software Diagnostics Services seminar about how to apply systems theory and systems thinking for effective and efficient abnormal software behaviour diagnostics: the foundation of software troubleshooting and debugging.

  • Title: Systemic Software Diagnostics: An Introduction
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (July 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 32 pages
  • ISBN-13: 978-1908043399

Book: Accelerated Windows Debugging 3

The following direct links can be used to order the book now:

Buy Paperback or Kindle from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

Available for SkillSoft Books24x7 subscribers

Also available in PDF format from Software Diagnostics Services.

The full transcript of Software Diagnostics Services training. Learn live local and remote debugging techniques and tricks in kernel, user process and managed .NET spaces using WinDbg debugger. The unique and innovative course teaches unified debugging patterns applied to real problems from complex software environments. The training consists of more than 12 practical step-by-step hands-on exercises.

  • Title: Accelerated Windows Debugging 3: Training Course Transcript and WinDbg Practice Exercises
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (July 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 252 pages
  • ISBN-13: 978-1908043566

Table of Contents

The Structure of Software Problem Solving Organization

Based on the separation of problem solving powers we propose the following software problem solving triangle with a separate software diagnostics department:

In the forthcoming Webinar we outline the benefits of this approach.

Bridging The Great Divide

In Pattern-Based Software Diagnostics seminar we proposed to use pattern catalogues to bridge the separation of software construction and memory dump software diagnostics. With an introduction of Motifs to trace and log analysis pattern catalogue it is now possible (at least conceptually) to bridge construction and trace analysis too:

Elementary Software Diagnostics Patterns

These are patterns of abnormal software behaviour that affect software users and trigger the application of pattern-oriented software diagnostics and debugging if necessary. The initial list of relevant elementary patterns include:

  1. Functional

    • Use-case Deviation
  2. Non-functional
    • Crash
    • Hang (includes delays*)
    • Counter Value (includes resource leaks, CPU spikes)
    • Error Message
  3. * In choosing the pattern vocabulary we decided to use ordinary names, for example, Hang was chosen instead of Response Delay.

Windows Memory Analysis Checklist

General:

  • Symbol servers (.symfix)
  • Internal database(s) search
  • Google or Microsoft search for suspected components as this could be a known issue. Sometimes a simple search immediately points to the fix on a vendor’s site
  • The tool used to save a dump (to flag false positive, incomplete or inconsistent dumps)
  • OS/SP version (version)
  • Language
  • Debug time
  • System uptime
  • Computer name (dS srv!srvcomputername or !envvar COMPUTERNAME)
  • List of loaded and unloaded modules (lmv or !dlls)
  • Hardware configuration (!sysinfo)
  • .kframes 1000

Application or service:

  • Default analysis (!analyze -v or !analyze -v -hang for hangs)
  • Critical sections (!cs -s -l -o, !locks) for both crashes and hangs
  • Component timestamps, duplication and paths. DLL Hell? (lmv and !dlls)
  • Do any newer components exist?
  • Process threads (~*kv or !uniqstack) for multiple exceptions and blocking functions
  • Process uptime
  • Your components on the full raw stack of the problem thread
  • Your components on the full raw stack of the main application thread
  • Process size
  • Number of threads
  • Gflags value (!gflag)
  • Time consumed by threads (!runaway)
  • Environment (!peb)
  • Import table (!dh)
  • Hooked functions (!chkimg)
  • Exception handlers (!exchain)
  • Computer name (!envvar COMPUTERNAME)
  • Process heap stats and validation (!heap -s, !heap -s -v)
  • CLR threads? (mscorwks or clr modules on stack traces) Yes: use .NET checklist below
  • Hidden (unhandled and handled) exceptions on thread raw stacks

System hang:

  • Default analysis (!analyze -v -hang)
  • ERESOURCE contention (!locks)
  • Processes and virtual memory including session space (!vm 4)
  • Important services are present and not hanging
  • Pools (!poolused)
  • Waiting threads (!stacks)
  • Critical system queues (!exqueue f)
  • I/O (!irpfind)
  • The list of all thread stack traces (!process 0 3f)
  • LPC/ALPC chain for suspected threads (!lpc message or !alpc /m after search for "Waiting for reply to LPC" or "Waiting for reply to ALPC" in !process 0 3f output)
  • RPC threads (search for "RPCRT4!OSF" in !process 0 3f output)
  • Mutants (search for "Mutants - owning thread" in !process 0 3f output)
  • Critical sections for suspected processes (!cs -l -o -s)
  • Sessions, session processes (!session, !sprocess)
  • Processes (size, handle table size) (!process 0 0)
  • Running threads (!running)
  • Ready threads (!ready)
  • DPC queues (!dpcs)
  • The list of APCs (!apc)
  • Internal queued spinlocks (!qlocks)
  • Computer name (dS srv!srvcomputername)
  • File cache, VACB (!filecache)
  • File objects for blocked thread IRPs (!irp -> !fileobj)
  • Network (!ndiskd.miniports and !ndiskd.pktpools)
  • Disk (!scsikd.classext -> !scsikd.classext class_device 2)
  • Modules rdbss, mrxdav, mup, mrxsmb in stack traces
  • Functions Ntfs!Ntfs*, nt!Fs* and fltmgr!Flt* in stack traces

BSOD:

  • Default analysis (!analyze -v)
  • Pool address (!pool)
  • Component timestamps (lmv)
  • Processes and virtual memory (!vm 4)
  • Current threads on other processors
  • Raw stack
  • Bugcheck description (including ln exception address for corrupt or truncated dumps)
  • Bugcheck callback data (!bugdump for systems prior to Windows XP SP1)
  • Bugcheck secondary callback data (.enumtag)
  • Computer name (dS srv!srvcomputername)
  • Hardware configuration (!sysinfo)

.NET application or service:

  • CLR module and SOS extension versions (lmv and .chain)
  • Managed exceptions (~*e !pe)
  • Nested managed exceptions (!pe -nested)
  • Managed threads (!Threads -special)
  • Managed stack traces (~*e !CLRStack)
  • Managed execution residue (~*e !DumpStackObjects and !DumpRuntimeTypes)
  • Managed heap (!VerifyHeap, !DumpHeap -stat and !eeheap -gc)
  • GC handles (!GCHandles, !GCHandleLeaks)
  • Finalizer queue (!FinalizeQueue)
  • Sync blocks (!syncblk)

Introduction to Pattern-Driven Software Diagnostics

The following direct links can be used to order the book now:

Buy Kindle or Paperback from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

Available for SkillSoft Books24x7 subscribers

This is a transcript of Software Diagnostics Services seminar about different pattern categories for effective and efficient abnormal software behaviour diagnostics: the foundation of scalable and cost-effective pattern-driven software support.

  • Title: Pattern-Driven Software Diagnostics: An Introduction
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (April 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 32 pages
  • ISBN-13: 978-1908043382

Unified Computer Diagnostics: Incorporating Hardware Narratology

Interpreting hardware signals as messages and messages as signals allows us to apply Software Narratology and software trace analysis patterns to the domain of hardware diagnostics:

Generalized trace analysis patterns and narrative extends the view of hardware-software traces and logs as temporarily ordered event sequences. The time domain is generalized to any arbitrary set such as a list of indexes or pointers or even memory itself. This gives a unification of memory and log analysis and application of Computer Narratology (*) to memory dump analysis as well.

(*) We call the application of methods of literary narratology to computer trace and log analysis and computer-related stories in general as Hardware-Software Narratology or simply Computer Narratology as it was originally done in Memory Dump Analysis Anthology, Volume 3 when we first introduced Software Narratology.

Zero Fault Software Diagnostics

Software diagnostics is used whenever there is a fault that triggers some kind of an artefact such as a memory dump or a software trace. It is also used proactively in software and network monitoring. We combine all these uses with our pattern-oriented approach to anticipate faults before their occurrence:

Such preventive software diagnostics consists from 4 interrelated parts:

  • General software structure and behaviour pattern catalogues
  • Domain, vendor and product specific problem catalogues
  • Live monitoring
  • Pre-mortem analysis

Pre-mortem here means preventive memory dump analysis. It is similar to post-mortem analysis but artefacts are collected and analysed proactively before any actual problem. In some sense pre-mortem analysis is a part of live monitoring but we confine the latter to software trace and log analysis.

Book: Accelerated Windows Malware Analysis with Memory Dumps

The following direct links can be used to order the book now:

Buy Paperback or Kindle from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

Available for SkillSoft Books24x7 subscribers

Also available in PDF format from Software Diagnostics Services.

The full transcript of Software Diagnostics Services training. Learn how to navigate process, kernel, and physical spaces and diagnose various malware patterns in Windows memory dump files. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of practical step-by-step hands-on exercises using WinDbg, process, kernel and complete memory dumps. Covered more than 20 malware analysis patterns. The main audience is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to check for possible malware presence in cases of abnormal software behavior. The course will also be useful for software engineers, quality assurance and software maintenance engineers, security researchers, malware and memory forensics analysts who have never used WinDbg for analysis of computer memory.

  • Title: Accelerated Windows Malware Analysis with Memory Dumps: Training Course Transcript and WinDbg Practice Exercises
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (February 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 232 pages
  • ISBN-13: 978-1908043443

Table of Contents

Memory Dump Analysis Anthology, Volume 6

The following direct links can be used to order the book now:

Buy Kindle version

Buy Paperback or Hardcover from Amazon

Buy Paperback or Hardcover from Barnes & Noble

Buy Paperback or Hardcover from Book Depository

Available for Safari Books Online subscribers

Also available in PDF format from Software Diagnostics Services

Contains revised, edited, cross-referenced, and thematically organized selected DumpAnalysis.org blog posts about memory dump and software trace analysis, software troubleshooting and debugging written in November 2010 - October 2011 for software engineers developing and maintaining products on Windows platforms, quality assurance engineers testing software on Windows platforms, technical support and escalation engineers dealing with complex software issues, and security researchers, malware analysts and reverse engineers. The sixth volume features:

- 56 new crash dump analysis patterns including 14 new .NET memory dump analysis patterns
- 4 new pattern interaction case studies
- 11 new trace analysis patterns
- New Debugware pattern
- Introduction to UI problem analysis patterns
- Introduction to intelligence analysis patterns
- Introduction to unified debugging pattern language
- Introduction to generative debugging, metadefect template library and DNA of software behavior
- The new school of debugging
- .NET memory dump analysis checklist
- Software trace analysis checklist
- Introduction to close and deconstructive readings of a software trace
- Memory dump analysis compass
- Computical and Stack Trace Art
- The abductive reasoning of Philip Marlowe
- Orbifold memory space and cloud computing
- Memory worldview
- Interpretation of cyberspace
- Relationship of memory dumps to religion
- Fully cross-referenced with Volume 1, Volume 2, Volume 3, Volume 4, and Volume 5

Product information:

  • Title: Memory Dump Analysis Anthology, Volume 6
  • Author: Dmitry Vostokov
  • Language: English
  • Product Dimensions: 22.86 x 15.24
  • Paperback: 306 pages
  • Publisher: Opentask (January 2013)
  • ISBN-13: 978-1-908043-19-1
  • Hardcover: 306 pages
  • Publisher: Opentask (January 2013)
  • ISBN-13: 978-1-908043-20-7

Table of Contents
Errata

Back cover features 3d memory space visualization image created with ParaView.

Pattern-Oriented Software Diagnostics

consists of two main parts:

  • Pattern-Driven process of finding patterns from existing pattern catalogs
  • Pattern-Based evolution of pattern catalogs and pattern relationships

Book: Accelerated Windows Software Trace Analysis

The following direct links can be used to order the book now:

Buy Kindle version

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

Available for SkillSoft Books24x7 subscribers

Also available in PDF format + recording from Software Diagnostics Services.

The full transcript of Software Diagnostics Services training. Feel frustrated when opening a software trace with millions of messages from hundreds of software components, threads and processes? Go beyond simple CPU and disk hog monitoring or searching for errors in a text and learn how to efficiently and effectively analyze software traces and logs from complex software environments. Covered popular software logs and trace formats from Microsoft and Citrix products and tools including Event Tracing for Windows (ETW) and Citrix Common Diagnostics Format (CDF). This course teaches using pioneering and innovative pattern-driven and pattern-based analysis of abnormal software behavior incidents developed by Software Diagnostics Institute.

  • Title: Accelerated Windows Software Trace Analysis: Training Course Transcript
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (January 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 130 pages
  • ISBN-13: 978-1908043429

Table of Contents

Software Trace Analysis Problem Domain Pattern Hierarchy

Software log analysis patterns from Software Diagnostics Institute are independent from any OS, platform or product because they are based on viewing software logs as stories of computation and were discovered by application of narratological analysis (software narratology). In addition to these patterns there exist domain specific problem patterns such as wrong hotfix level or specific product error code during software installation or execution. Typical examples of support for such platform and product specific type of patterns include Microsoft Windows Problem Reporting and Citrix Auto Support.

Software Diagnostics Discipline

Let’s define software diagnostics as a discipline studying abnormal software structure and behavior in software execution artifacts (such as memory dumps, software and network traces and logs) using pattern-driven, systemic and pattern-based analysis methodologies.

Pattern-Based v. Pattern-Driven Software Diagnostics

Pattern-driven software post-construction problem solving involves using preexisting pattern languages and pattern catalogs for software diagnostics, troubleshooting and debugging. Pattern-based software post-construction problem solving addresses PLS (Pattern Life Cycle) - from the discovery of a new pattern through its integration into an existing catalog and language, testing, packaging and delivering to pattern consumers with subsequent usage, refactoring and writing case studies:

Software Diagnostics Certifications

The first software diagnostics certification in memory dump analysis starts this September and will be administered by Software Diagnostics Services:

http://www.patterndiagnostics.com/memory-dump-analysis-certification-out...

We also plan a beta software trace analysis certification.

For companies there is also available Software Diagnostics Maturity enterprise certification:

http://www.patterndiagnostics.com/software-diagnostics-maturity

CARE: Crash Analysis Report Environment

Welcome to the project CARE!

New! We now also accept GDB logs and crash reports from Mac OS X and iOS.

CARE means Crash Analysis Report Environment. It includes a pattern-driven debugger log analyzer and standards for structured audience-driven reports. The system architecture is described here.

Please help to populate the database of stack traces by submitting your WinDbg and GDB output logs including Mac OS X and iOS crash reports. For Windows you can use VBScript / WinDbg script to process all .DMP files on your hard drives: DebuggerLogs.zip. The archive contains VBScript file for x64 WinDbg (DebuggerLogs64.vbs) and for x86 WinDbg (DebuggerLogs.vbs) plus the very simple mode-independent WinDbg script (DebuggerLogs.wds). The WinDbg output is stored in dbgeng.log file.

Note: Please do not submit your crash or core dumps because the file size is limited to 2 MB and CARE system is currently being designed to analyze debugger logs and crash reports only. If your log is bigger you can submit a zip file. If you have any problems please contact the administrator. Please do not expect any crash analysis response for your logs or reports. The submittal is currently for internal CARE database population only and not for the pattern analysis of your computer memory.

Contact name:

E-mail address:



Rosetta Stone for Debuggers

Under inscription...

The name for this table was suggested by Joshua J. Drake and first propagated to me by @jcran

Action                      | GDB                 | WinDbg
----------------------------------------------------------------
Start the process           | run                 | g
Exit                        | (q)uit              | q
Disassemble (forward)       | (disas)semble       | uf, u
Disassemble N instructions  | x/<N>i              | -
Disassemble (backward)      | disas <a-o> <a>     | ub
Stack trace                 | backtrace (bt)      | k
Full stack trace            | bt full             | kv
Stack trace with parameters | bt full             | kP
Partial trace (innermost)   | bt <N>              | k <N>
Partial trace (outermost)   | bt -<N>             | -
Stack trace for all threads | thread apply all bt | ~*k
Breakpoint                  | break               | bp
Frame numbers               | any bt command      | kn
Select frame                | frame               | .frame
Display parameters          | info args           | dv /t /i /V
Display locals              | info locals         | dv /t /i /V
Dump byte char array        | x/<N>bc             | db
Switch to thread            | thread <N>          | ~<N>s
Sections/regions            | maint info sections | !address
Load symbol file            | add-symbol-file     | .reload
CPU registers               | i(nfo) r            | r

The current version is from April 30th, 2012:
http://www.dumpanalysis.org/blog/index.php/2012/04/30/gdb-for-windbg-users-part-8/

To Do:

- Split rows by categories
- Add links to command descriptions, examples, relevant patterns

Introduction to Software Narratology

The following direct links can be used to order the book now:

Buy Kindle or Paperback from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

Available for Safari Books Online subscribers

This is a transcript of Memory Dump Analysis Services seminar about Software Narratology: an exciting new discipline and a field of research founded by DumpAnalysis.org. When software executes it gives us its stories in the form of UI events, software traces and logs. Such stories can be analyzed for their structure and patterns for troubleshooting, debugging and problem resolution purposes. Topics also include software narremes and their types, anticipatory software construction and software diagnostics.

  • Title: Software Narratology: An Introduction to the Applied Science of Software Stories
  • Authors: Dmitry Vostokov, Memory Dump Analysis Services
  • Publisher: OpenTask (April 2012)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 26 pages
  • ISBN-13: 978-1908043078

Memoretics Helps Writing Fiction

One of sources of Memoretics is Narratology to which the former contributes back by providing structural and behavioral analysis patterns and frameworks.

For the full story please visit our blog: http://www.dumpanalysis.org/blog/index.php/2012/02/13/software-narratolo...

Software Problem Solving Tools as a Service

A software problem incident is described using software problem description language. Its program interpretation or compilation results in a published software problem solving tool. Tools can be reused, parameterized, aggregated and organized into hierarchical catalogs. Welcome to the TaaS of the future!

Analysis Productivity Now!

We have conducted research and our internal case studies show that pattern-driven approach to memory analysis significantly decreases learning time: up to 10 times faster than before if not more. Whereas in the past it could take several years to master crash and hang dump analysis - today it takes a few months.

Software Diagnostics Services provides the first accelerated pattern-driven analysis training to decrease learning time even more while simultaneously lowering the steep learning curve:

Accelerated Windows Memory Dump Analysis Training

Accelerated .NET Memory Dump Analysis Training


Also available:

Advanced Windows Memory Dump Analysis with Data Structures

Windows Debugging: Practical Foundations

The following direct links can be used to order the book now:

Buy Kindle version

Buy Paperback or Hardcover from Amazon

Buy Paperback or Hardcover from Barnes & Noble

Buy Paperback or Hardcover from Book Depository

Available for Safari Books Online subscribers

Written by the founder of DumpAnalysis.org this book is not about bugs or debugging techniques but about background knowledge everyone needs to start experimenting with WinDbg, learn from practical experience and read other advanced debugging books. Solid understanding of fundamentals like pointers is needed to analyze stack traces beyond !analyze -v and lmv WinDbg commands. This is the book to help technical support and escalation engineers and Windows software testers without the knowledge of assembly language to master necessary prerequisites to understand and start debugging and crash dump analysis on Windows platforms. It doesn't require any specific knowledge, fills the gap and lowers the learning curve. The book is also useful for software engineers coming from managed code or Java background, engineers coming from non-Wintel environments, Windows C/C++ software engineers without assembly language background, security researchers and beginners learning Windows software disassembling and reverse engineering techniques. This book can also be used as Intel assembly language and Windows debugging supplement for relevant undergraduate level courses.

Product details:

  • Title: Windows Debugging: Practical Foundations
  • Author: Dmitry Vostokov
  • Language: English
  • Product Dimensions: 22.86 x 15.24
  • Paperback: 200 pages
  • ISBN-13: 978-1-906717-10-0
  • Publisher: Opentask (01 February 2009)
  • Hardback: 200 pages
  • ISBN-13: 978-1-906717-67-4
  • Publisher: Opentask (23 March 2009)

Table of Contents
Errata

Praise for the book:

I am a C++/Windows developer and have been a Windows debugging enthusiast for quite a long time now. However, I have never been able to get a good and credible source of information with regards to the internals of debugging using WinDbg. Over the years, I have laid my hands on various sources that deal with Windows Debugging tools and debugging techniques. Every time I purchased a book or went through an online source, I was limited to confusing information that lead me to give up on this topic. Even reliable books that claimed to be the best in the market were nothing less than a colossal disappointment. However, recently when I came across "Windows Debugging: Practical Foundation" that was purchased by a friend of mine, I was sceptic but, nonetheless, decided to give it a chance. Trust me, although not perfect, the book has helped me a lot in learning more about windows internals and debugging techniques. I would like to extend my complements for writing a book that divulges details in a very concise yet clear manner.

Sriram Sarma

Book reviews:

Amazon reviews
Amazon UK reviews

Syndicate content