Software Diagnostics and Observability Institute

Our tools are only as good as our pattern language.

Analysis patterns for the quality of software diagnostics and observability in endpoint devices, enterprise, and cloud environments.

Diagnostics is the mother of problem solving.

All areas of human activity involve the use of diagnostics. Proper diagnostics identifies the right problems to solve. We are now a part of a non-profit organization dedicated to the developing and promoting the application of such diagnostics: systemic and pattern-oriented (pattern-driven and pattern-based).

Please join LinkedIn The Software Diagnostics and Anomaly Detection Group.

The following direct links can be used to order the book now:

Available in PDF format from Software Diagnostics Technology and Services.

The full Software Diagnostics Services training transcript with 15 step-by-step exercises, notes, and source code of specially created modeling applications. The course covers 22 .NET memory dump analysis patterns, plus the additional 21 unmanaged patterns. Learn how to analyze .NET 9 application and service crashes and freezes, navigate through memory dump space (managed and unmanaged code), and diagnose corruption, leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention, and more. The training consists of practical step-by-step exercises using WinDbg and LLDB debuggers to diagnose patterns in 64-bit process memory dumps from x64 Windows and x64 Linux environments. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The book is a completely revamped and extended the previous Accelerated .NET Core Memory Dump Analysis, Revised Edition. It is updated to the latest WinDbg. It also includes reviews of x64 and IL disassembly and memory space basics, Linux LLDB exercises, .NET memory dump collection on Windows and Linux, and the relationship of analysis patterns to defect patterns.

Prerequisites: Basic .NET programming and debugging.

Audience: Software technical support and escalation engineers, system administrators, DevOps, performance and reliability engineers, software developers, and quality assurance engineers. The book may also interest security researchers, reverse engineers, malware and memory forensics analysts.

• Title: Accelerated .NET Memory Dump Analysis: Training Course Transcript with WinDbg and LLDB Practice Exercises, Seventh Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
• Publisher: OpenTask (May 2025)
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 324 pages
• ISBN-13: 978-1912636877

Table of Contents and Sample Exercise
Slides from the training

Situational awareness is defined as "the understanding of an environment, its elements, and how it changes with respect to time or other factors. It is also defined as the perception of the elements in the environment considering time and space, the understanding of their meaning, and the prediction of their status in the near future."

How does it fit into software diagnostics, which is often incorrectly perceived as an analysis of the past (which is forensics)? To answer this question with examples from pattern-oriented software diagnostics (and forensics and prognostics), we should map the three levels of situational awareness (Endsley's model):

Perception – noticing key environmental forensic, diagnostic, and prognostic elements: symptoms, signs, syndromes, alerts, anomalies, and counters.

Comprehension – understanding the situation, what’s going wrong and what’s going on at the particular moment in time and place in memory space (and trace space), and what those key elements mean in current (and past) local immediate and wider big-picture context: software internals and analysis patterns (Fault Context, Message Context, Dump Context, Activity Context, Trace Context), whether they are related to a potential root cause or just surface phenomena (Effect Component). Here, attention to detail is very important.

Projection – anticipating the future: how the situation would have evolved if we had collected diagnostic artifacts later, for example, Near Exception, or the environment had changed (Changed Environment), and plenty of trace and log analysis patterns related to prognostics. It also includes avoiding unintended side effects when acting (providing recommendations), for example, the Instrumentation Side Effect.

In summary, situational awareness in software diagnostics, forensics, and prognostics involves maintaining an appropriate mental model of the system as seen from forensics and diagnostic artifacts (including live ones) and continuous perception, understanding, and anticipation of the system's state, anomalies, potential not-yet-discovered patterns, and future failures while performing a diagnostic (forensic, prognostic) analysis.

Metrics, logs, and traces are considered traditional pillars of observability. However, what is the base they stand upon? It is memory. In 2009, I defined software traces as fragments of memory since they are all assembled in memory first (Software Trace: A Mathematical Definition, Memory Dump Analysis Anthology, Volume 3). Also, every trace or log message had some corresponding memory state(s) at the time it was generated, the so-called Adjoint Space trace and log analysis pattern (Volume 8b), and memory state may have traces and logs erected on its pedestal if we talk about classic memory dump analysis, the so-called Memory Fibration analysis pattern (Volume 10). These two analysis patterns are a kind of duality between memory and traces, the so-called De Broglie Trace Duality (Volume 10). Also, what about trace and log’s own memory? Based on the growing block universe theory analogy, any chosen trace message may be considered trace's present, and everything before it as trace’s past. We can also consider trace and log as memory to predict future behavior, next trace and log messages, and metrics’ values (the so-called process time perspective).

A note about the chosen terminology: base slab or foundation is used in modern structural design. If some prefer classical architecture, we can use stylobate or podium terminology. For each pillar, we can have a corresponding memory plinth.

Software Diagnostics Services organizes this online training course.

June 16, 18, 19, 23, 25, 26, 30, July 2, 3, 7, 9, 10, 14, 16, 17 2025, 12:30 pm - 1:30 pm (GMT+1) Price 99 USD Registration

For the approximate content, please see the slides from the previous training:

Slides from sessions 1-3
Slides from sessions 4-7

This training includes over 40 step-by-step exercises and covers over 100 crash dump analysis patterns from x64 process, kernel, and complete (physical) memory dumps. Learn how to analyze application, service, and system crashes and freezes, navigate through memory dump space, and diagnose heap corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and more with the WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve, and it is based on the latest 6th edition of the bestselling Accelerated Windows Memory Dump Analysis book. This new training version also includes:

• Overview of relevant Windows internals
• Memory dump collection methods and patterns
• Defect mechanism patterns
• Additional memory analysis patterns
• Extended coverage of BSOD
• Extended coverage of system hangs
• New kernel exercises with source code

Before the training, you get:

• Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book (+300 pages)
• The current PDF book version (+700 pages)
• The previous training recording
• Access to Software Diagnostics Library with more than 440 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies

After the training, you also get:

• The new 7th PDF book edition (+800 pages)
• Personalized Certificate of Attendance with unique CID
• Optional Personalized Certificate of Completion with unique CID (after the tests)
• Answers to questions during training sessions
• New training sessions recording

Prerequisites: Basic Windows troubleshooting

Audience: Software technical support and escalation engineers, system administrators, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts, DevSecOps and SRE, software developers, and quality assurance engineers.

If you are mainly interested in .NET memory dump analysis, there is another training: Accelerated .NET Memory Dump Analysis

If you are interested in Linux memory dump analysis, there is another training: Accelerated Linux Core Dump Analysis

Available from Software Diagnostics Technology and Services.

Memory Thinking for Rust training reviews memory-related topics from the perspective of software structure and behavior analysis and teaches Rust language aspects in parallel while demonstrating relevant code internals using WinDbg and GDB on Windows (x64) and Linux (x64 and ARM64) platforms:

• Relevant language constructs
• Memory layout of structs and enums
• References, ownership, borrowing, and lifecycle
• Local, static, and dynamic memory
• Functions, closures
• Smart pointers
• Object-oriented and functional features
• Unsafe pointers
• Windows and Linux specifics
• … and much more

The new training version updates and extends the existing topics, adding some missing from the first edition. The updated PDF book also has a new format similar to the second edition of Memory Thinking books for C and C++.

The training includes the PDF book that contains slides, brief notes highlighting particular points, and related source code with execution output:

• Title: Memory Thinking for Rust: Slides with Descriptions and Source Code Illustrations, Second Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
• Publisher: OpenTask (April 2025)
• Language: English
• Product Dimensions: 25.4 x 20.3
• PDF: 272 pages
• ISBN-13: 978-1912636488

The following audiences may benefit from the training:

• Rust developers who want to deepen their knowledge
• Non-C and C++ developers (for example, Java, Scala, Python) who want to learn more about pointer and reference internals
• C and C++ developers who want to port their memory thinking to Rust quickly

For more detailed content, please see the first 15 slides (there are more than 240 slides for the training and 2,500 lines of Rust code) and Table of Contents from the reference book.

Software Diagnostics Services organizes this online training course.

TBD

Learn how to analyze .NET application and service crashes and freezes, navigate through memory dump space (managed and unmanaged code), and diagnose corruption, leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention on Windows and Linux platforms, and much more. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve, includes more than ten practical step-by-step exercises using the latest Microsoft WinDbg debugger to diagnose patterns in 64-bit process memory dumps, notes, source code of specially created modeling applications, and selected Q&A. It covers more than 20 .NET memory dump analysis patterns, plus an additional 15 unmanaged patterns. The new edition uses the latest WinDbg and .NET versions, new exercises related to microservices, additional LLDB exercises for x64 Linux platforms, and the necessary assembly language review.

Slides from the previous training version

The training consists of 5 one-hour sessions. Before the training, you get the following:

• The current .NET Core PDF book version and the previous recording of the training
• The previous legacy .NET Framework PDF book version
• Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
• Accelerated Windows API for Software Diagnostics PDF book
• Access to Software Diagnostics Library

When you finish the training, you additionally get:

• The new PDF book version
• Personalized Certificate of Attendance with unique CID
• Answers to questions during training sessions
• New recording

Prerequisites: Basic .NET programming and debugging.

Audience: Software technical support and escalation engineers, system administrators, cloud engineers, DevOps, performance and reliability engineers, software developers, and quality assurance engineers. The training may be beneficial if you are interested in .NET security and internals.

If you are mainly interested in unmanaged process user space memory dump analysis, there is another course available: Accelerated Windows Memory Dump Analysis, Sixth Edition, Part 1: Process User Space.

Available in PDF and paperback formats with recording from Software Diagnostics Technology and Services.

Also:

Leanpub (PDF)
Amazon (paperback)
Amazon (Kindle print replica)
Barnes&Noble (paperback)

The full transcript of Software Diagnostics Services training. Learn how to analyze Linux process and kernel crashes and hangs, navigate through core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. This training uses a unique and innovative pattern-oriented diagnostic analysis approach to speed up the learning curve. The training consists of more than 70 practical step-by-step exercises using GDB and WinDbg debuggers, highlighting more than 50 memory analysis patterns diagnosed in 64-bit core memory dumps from x64 and ARM64 platforms. The training also includes source code of modeling applications, a catalog of relevant patterns from the Software Diagnostics Institute, and an overview of relevant similarities and differences between Windows and Linux memory dump analysis useful for engineers with a Wintel background. In addition to various improvements, the fully revised and updated fourth edition adds entirely new material, such as defect mechanism patterns and WinDbg Linux kernel dump analysis exercises.

• Title: Accelerated Linux Core Dump Analysis: Training Course Transcript with GDB and WinDbg Practice Exercises, Fourth Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
• Publisher: OpenTask (January 2025)
• Language: English
• PDF/Paperback: 737 pages
• ISBN-13: 978-1912636495

Table of Contents and Sample Exercise
Slides from the training

Available in PDF format from Software Diagnostics Services.

The book contains the full Software Diagnostics Services training transcript with 10 hands-on exercises.

Knowledge of Windows API is necessary for:

• Development
• Malware analysis
• Vulnerability analysis and exploitation
• Reversing
• Diagnostics
• Debugging
• Memory forensics
• Crash and hang analysis
• Secure coding
• Static code analysis
• Trace and log analysis

The training uses a unique and innovative pattern-oriented analysis approach and provides:

• Overview
• Classification
• Patterns
• Internals
• Development examples
• Analysis examples

The second edition includes the relevant x64 disassembly overview and additional topics.

• Title: Accelerated Windows API for Software Diagnostics: With Category Theory in View, Second Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
• Publisher: OpenTask (December 2024)
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 329 pages
• ISBN-13: 978-1912636884

Table of Contents and sample exercise
Slides from the training

Available in PDF format from Software Diagnostics Services.

The book contains the full Software Diagnostics Services training transcript and 10 step-by-step exercises and covers dozens of crash dump analysis patterns from the x64 process and complete (physical) memory dumps. Learn how to analyze Rust application crashes and freezes, navigate through memory dump space, and diagnose heap corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more with the WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by the Software Diagnostics Institute to speed up the learning curve, and it is structurally based on the latest 6th revised edition of the bestselling Accelerated Windows Memory Dump Analysis book with the focus on safe and unsafe Rust code and its interfacing with the Windows OS. The training is useful whether you come to Rust from C and C++ or interpreted languages like Python and facilitates memory thinking when programming in Rust.

Prerequisites: Basic Windows troubleshooting and working knowledge of Rust.

Audience: Software technical support and escalation engineers, system administrators, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts, DevSecOps and SRE, software developers, system programmers, and quality assurance engineers.

• Title: Accelerated Rust Windows Memory Dump Analysis
• Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
• Publisher: OpenTask (December 2024)
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 233 pages
• ISBN-13: 978-1912636891

Table of Contents and sample exercise
Slides from the training

Available in PDF format from Software Diagnostics Services.

The book contains the full transcript of Software Diagnostics Services training with 25 hands-on exercises. This training course extends pattern-oriented analysis introduced in Accelerated Windows Memory Dump Analysis, Accelerated .NET Core Memory Dump Analysis, and Advanced Windows Memory Dump Analysis with Data Structures courses with:

• Surveying the current landscape of WinDbg extensions with analysis pattern mappings
• Writing WinDbg extensions in C, C++, and Rust (new)
• Connecting WinDbg to NoSQL databases
• Connecting WinDbg to streaming and log processing platforms
• Querying and visualizing WinDbg output data
• Using Data Science, Machine Learning, and Gen AI for diagnostics and postmortem debugging (new)

The new edition of the training updates existing exercises and includes new ones.

Prerequisites: Working knowledge of WinDbg. Working knowledge of C, C++, or Rust is optional (required only for some exercises). Other concepts are explained when necessary.

Audience: Software developers, software maintenance engineers, escalation engineers, quality assurance engineers, security and vulnerability researchers, malware and memory forensics analysts who want to build memory analysis pipelines.

• Title: Extended Windows Memory Dump Analysis: Using and Writing WinDbg Extensions, Database and Event Stream Processing, Data Science and Visualization, Machine Learning and AI, Second Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (November 2024)
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 362 pages
• ISBN-13: 978-1912636518

Table of Contents and sample exercise
Slides from the training

Available in PDF format from Software Diagnostics Services

Solid C and C++ knowledge is a must to fully understand Linux diagnostic artifacts such as core memory dumps and do diagnostic, forensic, and root cause analysis beyond listing backtraces. This full-color reference book is a part of the Accelerated C & C++ for Linux Diagnostics training course organized by Software Diagnostics Services. The text contains slides, brief notes highlighting particular points, and source code illustrations. In addition to new topics, the second edition adds 45 projects with more than 5,500 lines of code. The book's detailed Table of Contents makes the usual Index redundant. We hope this reference is helpful for the following audiences:

• C and C++ developers who want to deepen their knowledge
• Software engineers developing and maintaining products on Linux platforms
• Technical support, escalation, DevSecOps, cloud and site reliability engineers dealing with complex software issues
• Quality assurance engineers who test software on Linux platforms
• Security and vulnerability researchers, reverse engineers, malware and memory forensics analysts

• Title: Memory Thinking for C & C++ Linux Diagnostics: Slides with Descriptions and Source Code Illustrations, Second Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
• Language: English
• Product Dimensions: 25.4 x 20.3
• PDF: 292 pages
• Publisher: OpenTask (October 2024)
• ISBN-13: 978-1912636563

Table of Contents
The first 45 slides from the training (there are 297 slides in total)

Software Diagnostics Services organizes this online training course.

Registration: TBD

Why would you need to learn how to write bad code? Of course, not to write malicious code backdoors but to understand software internals and diagnostics better. Writing “good” bad code is not easy, especially if you put specific requirements to it and are not satisfied with the accidental effects of bad bad code.

Topics include:

• Modeling abnormal software behavior
• Modeling memory analysis patterns
• Modeling trace and log analysis patterns
• Modeling defect mechanism patterns
• Simulation of complex software problems
• Software problem design patterns
• Fault injection
• Excellent bad code
• Portable bad code
• User and kernel code
• Avoiding compiler undefined behavior
• Debugging bad code to make it work as intended

The training also includes numerous hands-on coding projects using Visual C & C++ and GNU C & C++ compilers, x64 Windows and x64 and ARM64 Linux platforms. Some parts will also use Python, C#, Rust, and Scala for modeling examples.

Before the training, you get:

• Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book (+300 pages)
• Encyclopedia of Crash Dump Analysis Patterns, Third Edition (1,300 pages)
• Trace, Log, Text, Narrative, Data: An Analysis Pattern Reference for Information Mining, Diagnostics, Anomaly Detection, Fifth Edition (400 pages)
• Access to Software Diagnostics Library with more than 440 cross-referenced patterns of memory dump analysis, their classification, more than 70 case studies, and more than 240 general trace and log analysis patterns

After the training, you also get:

• The PDF book version of the training
• Personalized Certificate of Attendance with unique CID
• Recording

Audience:

C and C++ developers, Windows and Linux system programmers, software technical support and escalation engineers, system administrators, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.

Available in PDF format from Software Diagnostics Services

Solid C and C++ knowledge is a must to fully understand Windows diagnostic artifacts, such as memory dumps, and perform diagnostic, forensic, and root cause analysis beyond listing stack traces, DLLs, and driver information. This full-color reference book is a part of the Accelerated C & C++ for Windows Diagnostics training course organized by Software Diagnostics Services. The text contains slides, brief notes highlighting particular points, and illustrative source code fragments. The second edition added 45 Visual Studio projects with more than 5,500 lines of code. The book's detailed Table of Contents makes the usual Index redundant. The book's detailed Table of Contents makes the usual Index redundant. We hope this reference is helpful for the following audiences:

• C and C++ developers who want to deepen their knowledge
• Software engineers developing and maintaining products on Windows platforms
• Technical support, escalation, DevSecOps, cloud and site reliability engineers dealing with complex software issues
• Quality assurance engineers who test software on Windows platforms
• Security and vulnerability researchers, reverse engineers, malware and memory forensics analysts

• Title: Memory Thinking for C & C++ Windows Diagnostics: Slides with Descriptions and Source Code Illustrations, Second Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
• Language: English
• Product Dimensions: 25.4 x 20.3
• PDF: 272 pages
• Publisher: OpenTask (July 2024)
• ISBN-13: 978-1912636617

Table of Contents
The first 56 slides from the training (there 289 slides in total)

Available from Software Diagnostics Technology and Services.

Table of Contents and Sample Exercise
Slides from the training

The full transcript of Software Diagnostics Services training with more than 20 step-by-step exercises using WSL and Hyper-V environments, notes, and source code of specially created modeling applications in C, C++, and Rust. Learn live local and remote debugging techniques in the kernel, user process, and managed spaces using WinDbg, GDB, LLDB, rr, and KDB, KGDB debuggers. The unique and innovative course teaches unified debugging patterns applied to real problems from complex software environments. A necessary x64 and ARM64 review is also included.

Prerequisites: Working knowledge of one of these languages: C, C++, Rust. Operating system internals and assembly language concepts are explained when necessary.

Audience: Software engineers, software maintenance engineers, escalation engineers, SRE, DevOps and DevSecOps, cloud engineers, security and vulnerability researchers, malware and memory forensics analysts who want to learn live memory inspection techniques.

• Title: Accelerated Linux Debugging⁴: Training Course Transcript with WinDbg, GDB, LLDB, rr, KDB, KGDB Practice Exercises
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (July 2024)
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 360 pages
• ISBN-13: 978-1912636716

In addition to physical and virtual memory layers, we add another abstraction, the memory layer associated with source code values. We call it declarative memory. This term is not to be confused with declarative (or explicit) memory in neuropsychology. Memory corresponding to values in source code may be linearly organized but translated to a different layout by a compiler, or different values can be translated to the same virtual memory location. For example, in Rust (which prompted us to introduce this new memory concept), the following tuple is mapped to a different memory layout:

let i: i32 = 1;
let tuple: (bool, i32, &i32) = (true, 0, &i);

0:000> dt tuples!tuple
Local var @ 0x5c3196f2f0 Type tuple$<bool,i32,ref$<i32> >
   +0x004 __0              : 1
   +0x000 __1              : 0n0
   +0x008 __2              : 0x0000005c`3196f2ec  -> 0n1

0:000> dq 0x5c3196f2f0 L2
0000005c`3196f2f0  00000001`00000000 0000005c`3196f2ec

0:000> dd 0x5c3196f2f0 L4
0000005c`3196f2f0  00000000 00000001 3196f2ec 0000005c

Another virtual memory cell reuse example is the Optimized Code (function parameter reuse) memory analysis pattern.

Whereas in trace and log analysis, where there is the Declarative Trace analysis pattern where a declarative trace statement in source code may correspond to many actual trace statements, a kind of 1 to 0..N correspondence, declarative memory is usually M to N, where M >= N.
Similar to virtual-to-physical mapping, where the amount of virtual memory is greater than the amount of physical memory, the amount of declarative memory can be greater than the amount of virtual memory.

Available in PDF format from Software Diagnostics Services

This reference volume consists of revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute (DumpAnalysis.org + TraceAnalysis.org) and Software Diagnostics Library (former Crash Dump Analysis blog, DumpAnalysis.org/blog) about software diagnostics, root cause analysis, debugging, crash and hang dump analysis, software trace and log analysis written from 15 April 2023 to 14 April 2024 for software engineers developing and maintaining products on Windows platforms, quality assurance engineers testing software, technical support, DevOps and DevSecOps, escalation and site reliability engineers dealing with complex software issues, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. This volume is fully cross-referenced with volumes 1 – 15 and features:

- 17 new crash dump analysis patterns
- 13 new software trace and log analysis patterns
- New defect mechanism pattern
- Introduction to Lov language
- Lists of recommended books

Product information:

• Title: Memory Dump Analysis Anthology, Volume 16
• Authors: Dmitry Vostokov, Software Diagnostics Institute
• Language: English
• Product Dimensions: 22.86 x 15.24
• Paperback: 170 pages
• Publisher: OpenTask (April 2024)
• ISBN-13: 978-1-912636-16-7

Table of Contents

These volumes are now also called Diagnomicon!

The new Volume 16 brings the total number of books to 18.

Now includes the new Revised Edition of Volume 1, Revised Edition of Volume 2, Revised Edition of Volume 3, Revised Edition of Volume 4, and Revised Edition of Volume 5.

Memory Dump Analysis Anthology contains revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) about software diagnostics, debugging, crash dump analysis, software trace and log analysis, malware analysis, and memory forensics. Its 16 volumes in 18 books have more than 5,400 pages and, among many topics, include more than 440 memory analysis patterns (mostly for WinDbg Windows debugger with selected macOS and Linux GDB variants), more than 70 WinDbg case studies, and more than 240 general trace and log analysis patterns. In addition, there are three supplemental volumes with articles reprinted in full color.

Tables of Contents and Indexes of WinDbg Commands from all volumes

Click on an individual volume to see its description and table of contents:

You can buy the 16-volume set from Software Diagnostics Services with a discount and also get free access to Software Diagnostics Library.

Praise for the series:

I have been working with reversing, dumps, IAT, unpacking, etc. and I am one of the few at my workplace that like analyzing hangs and crashes. I always knew that I had more to learn. So I continuously look for more info. Many links directed me to dumpanalysis.org. Frankly speaking, its spartan/simple design made me question its seriousness. But after reading some articles, I immediately decided to order "Memory Dump Analysis Anthology". I have only read 100 pages so far. But I am stunned. It is such an amazing book. How the author refines/reconstructs the call stack, and finds useful information in the stack is incredible. I am enormously thankful for the effort that the author has put into making these books. They are very didactic even though the topic is a bit hard. It is a real treasure.

Mattias Hogstrom

Available in PDF format from Software Diagnostics Technology and Services.

The full transcript of the Software Diagnostics Services training course with 16 step-by-step exercises, notes, and selected questions and answers. Learn how to navigate through memory dump space and Windows data structures to diagnose, troubleshoot, and debug complex software incidents. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. It consists of practical step-by-step exercises using WinDbg to diagnose structural and behavioral patterns in the 64-bit kernel and complete (physical) memory dumps. Additional topics include memory search, kernel linked list navigation, practical WinDbg scripting, registry, system variables and objects, device drivers, and I/O. Prerequisites are basic and intermediate level Windows memory dump analysis: the ability to list processors, processes, threads, modules, apply symbols, walk through stack traces and raw stack data, diagnose patterns such as heap corruption, CPU spike, memory leaks, access violation, wait chains and deadlocks. If you don't feel comfortable with prerequisites, then Accelerated Windows Memory Dump Analysis training book is recommended before purchasing and reading this book course. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers. The fifth edition uses the latest WinDbg, includes the relevant Unified Modeling Language tutorial, revised and extended existing exercises, and added the exercise that demonstrates the use of a Generative AI LLM assistant.

• Title: Advanced Windows Memory Dump Analysis with Data Structures: Training Course Transcript and WinDbg Practice Exercises with Notes, Fifth Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
• Publisher: OpenTask (March 2024)
• Language: English
• Product Dimensions: 28.0 x 21.6
• Paperback: 341 pages
• ISBN-13: 978-1912636952

Table of Contents and Sample Exercise

The following direct links can be used to order the fourth edition of the book:

Available in PDF format from Software Diagnostics Technology and Services

Contains reprinted articles in full color (including more than 230 figures) from 16 volumes of Memory Dump Analysis Anthology (Diagnomicon) related to pattern-oriented software diagnostics with additional comments showing the historical development of this autonomous and distinctive discipline over the last 18 years. In addition to 15 new articles, the fourth edition includes updated threads of thinking, a list of mathematical concepts, and notes’ references, and was completely remastered.

Product information:

• Title: Theoretical Software Diagnostics: Collected Articles, Fourth Edition
• Authors: Dmitry Vostokov, Software Diagnostics Institute
• Language: English
• Product Dimensions: 21.6 x 14.0
• PDF: 398 pages
• Publisher: OpenTask (February 2024)
• ISBN-13: 978-1912636914

Table of Contents
Bird's-eye View of Pages

Available in PDF format from Software Diagnostics Technology and Services.

The full transcript of Software Diagnostics Services training with 16 step-by-step exercises, notes, and source code of specially created modeling applications. Learn live local and remote debugging techniques in the kernel, user process, and managed .NET spaces using WinDbg debugger. The unique and innovative course teaches unified debugging patterns applied to real problems from complex software environments. The fourth edition was fully reworked and updated to use the latest WinDbg, added x64 disassembly review and Rust language to the existing and improved C/C++ and C# exercises.

Prerequisites: Working knowledge of one of these languages: C, C++, C#, Rust. Operating system internals and assembly language concepts are explained when necessary.

Audience: Software engineers, software maintenance engineers, escalation engineers, security and vulnerability researchers, malware and memory forensics analysts who want to learn live memory inspection techniques.

• Title: Accelerated Windows Debugging⁴: Training Course Transcript and WinDbg Practice Exercises, Fourth Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (February 2024)
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 372 pages
• ISBN-13: 978-1912636723

Table of Contents

In 2015, we introduced patterns-based root cause analysis methodology by adding software problem mechanisms to accompany software diagnostic problems and their analysis patterns. We also planned to start populating the new pattern catalog at that time, but due to other developments and ideas, we have postponed it until now. We also plan to include a new pattern catalog and case studies in our modeling software defects course.

Usually, an identified software diagnostic problem may have several different mechanisms, and a mechanism may contribute to several diagnostic signs and symptoms. Knowing such mechanisms helps greatly in modeling a problem, devising a debugging strategy, and proposing a code fix.

We start with the Spiking Thread memory analysis pattern, which has concrete analysis pattern variants for Windows, Linux, and macOS.

From its Stack Trace, we may identify the source code location. If the code uses some memory-intensive data structure, we may have an instance of Inefficient Container Implementation. Another mechanism to consider is Partial Breaking Functionality. The defect mechanism pattern names are provisional and may change as more patterns are added that require name revisions for generality, consistency, and perhaps just better names.

Inefficient Container Implementation is when a wrong container or flawed implementation is used for memory and CPU-bound code. For example, using a contiguous vector instead of a linked list may affect CPU resource consumption on insertions and deletions. Some containers, such as queues, may use underlying container implementations that can be replaced.

Partial Breaking Functionality is when we have a potentially infinite loop with checks for some conditions that prevent it from running forever. However, the list of such conditions is only partially implemented, leaving some conditions unchecked, which causes a real infinite loop with the detected CPU consumption.

Recently, we added a few “thermodynamic” analysis patterns to our trace and log analysis pattern catalog, such as Trace Volume, Trace Temperature, and, finally, derived from an ideal gas equation metaphor, Trace Pressure. These patterns allow us to employ a Carnot cycle metaphor for a typical analysis cycle:

Initially, we have a low temperature (low importance) for a low volume of traces.

1. During the incident, temperature (importance of traces) rises, triggering the rise in pressure.
2. The volume of collected traces increases during investigations, and the pressure may go up or down.
3. Once the problem is solved, the temperature comes down.
4. During this phase, we do a retrospective and gradually reduce the volume of traces necessary for continuous monitoring to its original volume.

The following direct links can be used to order the book:

Buy PDF from Leanpub

Buy Kindle edition

Also available in PDF format from Software Diagnostics Services

The full-color transcript of Software Diagnostics Services training sessions with 14 step-by-step exercises, notes, source code of specially created modeling applications, and 45 questions and answers. Covers more than 35 crash dump analysis patterns from x64 kernel and complete (physical) memory dumps. Learn how to analyze system crashes and freezes, navigate through the kernel and complete spaces, and diagnose patterns of abnormal software behavior with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve. Prerequisites: Basic Windows troubleshooting. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers and quality assurance engineers, and site reliability engineers. The 6th edition was fully reworked for the latest WinDbg version and includes additional relevant x64 assembly language review and BSOD analysis pattern strategy outline.

• Title: Accelerated Windows Memory Dump Analysis, Sixth Edition, Part 2, Kernel and Complete Spaces: Training Course Transcript and WinDbg Practice Exercises with Notes
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (August 2023)
• Language: English
• PDF: 388 pages
• ISBN-13: 978-1912636938

Table of Contents and Sample Exercise

The following direct links can be used to order the book now:

Buy PDF from Leanpub

Buy Kindle edition

Also available in PDF format from Software Diagnostics Services

The full-color transcript of Software Diagnostics Services training sessions with 22 step-by-step exercises, notes, source code of specially created modeling applications, and more than 70 questions and answers. Covers more than 50 crash dump analysis patterns from x86 and x64 process memory dumps. Learn how to analyze application and service crashes and freezes, navigate through process user space, and diagnose heap corruption, memory and handle leaks, CPU spikes, blocked threads, deadlocks, wait chains, and many more patterns of abnormal software behavior with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve. Prerequisites: Basic Windows troubleshooting. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers and quality assurance engineers, and site reliability engineers. The 6th edition was fully reworked for the latest WinDbg version and includes additional Windows 11 memory dumps, relevant x64 assembly language review, and a Rust memory dump analysis example.

• Title: Accelerated Windows Memory Dump Analysis, Sixth Edition, Part 1, Process User Space: Training Course Transcript and WinDbg Practice Exercises with Notes
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (August 2023)
• Language: English
• Paperback: 354 pages
• ISBN-13: 978-1912636921

Table of Contents and Sample Exercise

The following direct links can be used to order the book now:

Buy PDF from Leanpub

Buy Kindle edition

Available in PDF format from Software Diagnostics Services.

The original first edition is available for SkillSoft Books24x7 subscribers

The book contains the full transcript of Software Diagnostics Services training. Learn disassembly, execution history reconstruction, and binary reversing techniques for better software diagnostics, troubleshooting, debugging, memory forensics, vulnerability, and malware analysis on x64 Windows platforms. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using WinDbg and memory dumps. Covered more than 25 ADDR patterns, and many concepts are illustrated with Memory Cell Diagrams. The prerequisites for this training are a working knowledge of C and C++ programming languages. Operating system internals and assembly language concepts are explained when necessary. The primary audience for this training is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to go deeper in their analysis of abnormal software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse computer environments, security researchers, malware, and memory forensics analysts who have never used WinDbg for analysis of computer memory. The third edition includes the x64 disassembly review and internals of C++ virtual function calls.

• Title: Accelerated Disassembly, Reconstruction and Reversing: Training Course Transcript and WinDbg Practice Exercises with Memory Cell Diagrams, Third Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (September 2023)
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 269 pages
• ISBN-13: 978-1912636679

Table of Contents and sample exercise
Slides from the training