Structural and Behavioral Patterns for Diagnostics, Anomaly Detection, Forensics, Prognostics, Root Cause Analysis, Debugging

Our tools are only as good as our pattern language.

Analysis patterns for the quality of software diagnostics in endpoint devices, enterprise, and cloud environments.

Diagnostics Science

Diagnostics is the mother of problem solving.

All areas of human activity involve the use of diagnostics. Proper diagnostics identifies the right problems to solve. We are now a part of a non-profit organization dedicated to the developing and promoting the application of such diagnostics: systemic and pattern-oriented (pattern-driven and pattern-based).

Book: Accelerated Rust Windows Memory Dump Analysis

Available in PDF format from Software Diagnostics Services.

The book contains the full Software Diagnostics Services training transcript and 10 step-by-step exercises and covers dozens of crash dump analysis patterns from the x64 process and complete (physical) memory dumps. Learn how to analyze Rust application crashes and freezes, navigate through memory dump space, and diagnose heap corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more with the WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by the Software Diagnostics Institute to speed up the learning curve, and it is structurally based on the latest 6th revised edition of the bestselling Accelerated Windows Memory Dump Analysis book with the focus on safe and unsafe Rust code and its interfacing with the Windows OS. The training is useful whether you come to Rust from C and C++ or interpreted languages like Python and facilitates memory thinking when programming in Rust.

Prerequisites: Basic Windows troubleshooting and working knowledge of Rust.

Audience: Software technical support and escalation engineers, system administrators, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts, DevSecOps and SRE, software developers, system programmers, and quality assurance engineers.

  • Title: Accelerated Rust Windows Memory Dump Analysis
  • Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
  • Publisher: OpenTask (December 2024)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • PDF: 233 pages
  • ISBN-13: 978-1912636891

Table of Contents and sample exercise
Slides from the training

Book: Extended Windows Memory Dump Analysis, Second Edition

Available in PDF format from Software Diagnostics Services.

The book contains the full transcript of Software Diagnostics Services training with 25 hands-on exercises. This training course extends pattern-oriented analysis introduced in Accelerated Windows Memory Dump Analysis, Accelerated .NET Core Memory Dump Analysis, and Advanced Windows Memory Dump Analysis with Data Structures courses with:

  • Surveying the current landscape of WinDbg extensions with analysis pattern mappings
  • Writing WinDbg extensions in C, C++, and Rust (new)
  • Connecting WinDbg to NoSQL databases
  • Connecting WinDbg to streaming and log processing platforms
  • Querying and visualizing WinDbg output data
  • Using Data Science, Machine Learning, and Gen AI for diagnostics and postmortem debugging (new)

The new edition of the training updates existing and includes new exercises.

Prerequisites: Working knowledge of WinDbg. Working knowledge of C, C++, or Rust is optional (required only for some exercises). Other concepts are explained when necessary.

Audience: Software developers, software maintenance engineers, escalation engineers, quality assurance engineers, security and vulnerability researchers, malware and memory forensics analysts who want to build memory analysis pipelines.

  • Title: Extended Windows Memory Dump Analysis: Using and Writing WinDbg Extensions, Database and Event Stream Processing, Data Science and Visualization, Machine Learning and AI, Second Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (November 2024)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • PDF: 362 pages
  • ISBN-13: 978-1912636518

Table of Contents and sample exercise
Slides from the training

Memory Thinking for C & C++ Linux Diagnostics, Second Edition

Available in PDF format from Software Diagnostics Services

Solid C and C++ knowledge is a must to fully understand Linux diagnostic artifacts such as core memory dumps and do diagnostic, forensic, and root cause analysis beyond listing backtraces. This full-color reference book is a part of the Accelerated C & C++ for Linux Diagnostics training course organized by Software Diagnostics Services. The text contains slides, brief notes highlighting particular points, and source code illustrations. In addition to new topics, the second edition adds 45 projects with more than 5,500 lines of code. The book's detailed Table of Contents makes the usual Index redundant. We hope this reference is helpful for the following audiences:

  • C and C++ developers who want to deepen their knowledge
  • Software engineers developing and maintaining products on Linux platforms
  • Technical support, escalation, DevSecOps, cloud and site reliability engineers dealing with complex software issues
  • Quality assurance engineers who test software on Linux platforms
  • Security and vulnerability researchers, reverse engineers, malware and memory forensics analysts

  • Title: Memory Thinking for C & C++ Linux Diagnostics: Slides with Descriptions and Source Code Illustrations, Second Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
  • Language: English
  • Product Dimensions: 25.4 x 20.3
  • PDF: 292 pages
  • Publisher: OpenTask (October 2024)
  • ISBN-13: 978-1912636563

Table of Contents
The first 45 slides from the training (there are 297 slides in total)

Online Training: Accelerated Linux Core Dump Analysis

Software Diagnostics Services organizes this online training course.

November 5, 7, 12, 14, 19, 21, 26, December 3, 5, 10, 12, 17 2024, 12:30 pm - 1:30 pm (GMT) Price 99 USD Registration

Learn how to analyze Linux process and kernel crashes and hangs, navigate through core memory dump space, and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. This training uses a unique and innovative pattern-oriented diagnostic analysis approach to speed up the learning curve. The training consists of more than 40 practical step-by-step exercises using GDB and WinDbg debuggers, highlighting more than 50 memory analysis patterns diagnosed in 64-bit core memory dumps from x64 and ARM64 platforms. The training also includes source code of modeling applications (C, C++, Rust, Python), a catalog of relevant patterns from the Software Diagnostics Institute, and an overview of relevant similarities and differences between Windows and Linux memory dump analysis useful for engineers with a Wintel background. This fully revised and updated training is based on the 3rd edition of the bestselling Accelerated Linux Core Dump Analysis book and adds new material, such as defect mechanism patterns, expanded coverage of kernel postmortem analysis, and new exercises.

Prerequisites: Basic Linux user skills.

Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, cloud engineers, DevSecOps and SRE, and quality assurance engineers.

Slides from the previous training version

Before the training you get:

  • The current 3rd edition PDF book version of the training.
  • The previous version training recording.
  • Access to Software Diagnostics Library.

After the training, you also get:

  • The new 4th edition PDF book version of the training.
  • Personalized Certificate of Attendance with unique CID.
  • Optional Personalized Certificate of Completion with unique CID (after the tests).
  • Answers to questions during training sessions.
  • New recording

Online Training: Accelerated .NET Core Memory Dump Analysis

Software Diagnostics Services organizes this online training course.

Accelerated .NET Memory Dump Analysis Logo

February 11, 13, 18, 22, 25 2025, 12:30 pm - 1:30 pm (GMT) Price 99 USD Registration

Learn how to analyze .NET Core application and service crashes and freezes, navigate through memory dump space (managed and unmanaged code), and diagnose corruption, leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention on Windows and Linux platforms, and much more. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve, includes more than ten practical step-by-step exercises using the latest Microsoft WinDbg debugger to diagnose patterns in 64-bit process memory dumps, notes, source code of specially created modeling applications, and selected Q&A. It covers more than 20 .NET memory dump analysis patterns, plus an additional 15 unmanaged patterns. The new edition uses the latest WinDbg and .NET versions, new exercises related to microservices, additional LLDB exercises for x64 and A64 Linux platforms, and the necessary assembly language review.

Slides from the previous training version

The training consists of 5 one-hour sessions. Before the training, you get the following:

When you finish the training, you additionally get:

  • The new PDF book version
  • Personalized Certificate of Attendance with unique CID
  • Answers to questions during training sessions
  • New recording

Prerequisites: Basic .NET programming and debugging.

Audience: Software technical support and escalation engineers, system administrators, cloud engineers, DevOps, performance and reliability engineers, software developers, and quality assurance engineers. The training may be beneficial if you are interested in .NET security and internals.

If you are mainly interested in unmanaged process user space memory dump analysis, there is another course available: Accelerated Windows Memory Dump Analysis, Sixth Edition, Part 1: Process User Space.

Online Training: Accelerated Windows API for Software Diagnostics

Software Diagnostics Services organizes this online training course.

October 1, 8, 15, 22, 29 2024, 12:30 pm - 1:30 pm (GMT+1, October 29 GMT) Price 99 USD Registration

Slides from the previous training sessions

Knowledge of Windows API is necessary for:

  • Development
  • Malware analysis
  • Vulnerability analysis and exploitation
  • Reversing
  • Diagnostics
  • Debugging
  • Memory forensics
  • Crash and hang analysis
  • Secure coding
  • Static code analysis
  • Trace and log analysis

The training uses a unique and innovative pattern-oriented analysis approach and provides:

  • Overview
  • Classification
  • Patterns
  • Internals
  • Development examples
  • Analysis examples

Before the training, you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
  • The current PDF book version of the training
  • The previous recording
  • Access to Software Diagnostics Library

After the training, you also get:

  • The updated PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Recording

Online Training: Accelerated Rust Windows Memory Dump Analysis

Software Diagnostics Services organizes this online training course.

Accelerated Rust Windows Memory Dump Analysis Logo

This training includes step-by-step exercises and covers dozens of crash dump analysis patterns from the x64 process, kernel, and complete (physical) memory dumps. Learn how to analyze Rust applications, services, and system crashes and freezes, navigate through memory dump space, and diagnose heap corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by the Software Diagnostics Institute to speed up the learning curve, and it is structurally based on the latest 6th revised edition of the bestselling Accelerated Windows Memory Dump Analysis book with the focus on safe and unsafe Rust code and its interfacing with the Windows OS. The training is useful whether you come to Rust from C and C++ or interpreted languages like Python and facilitates memory thinking when programming in Rust.

Slides from the first two sessions

October 4, 26, November 2, 24, December 4 2024, 12:30 pm - 1:30 pm (GMT) Price 99 USD Registration

Before the training, you get:

  • Memory Thinking for Rust PDF book (+300 pages)
  • Access to Software Diagnostics Library with more than 370 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies

After the training, you also get:

  • The training PDF book edition
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Current training sessions recording

Prerequisites: Basic Windows troubleshooting.

Audience: Software technical support and escalation engineers, system administrators, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts, DevSecOps and SRE, software developers, system programmers, and quality assurance engineers.

Slides from the structurally similar C and C++ training version, Part 1
Slides from the structurally similar C and C++ training version, Part 2

If you are mainly interested in C and C++ Windows memory dump analysis, there is another training: Accelerated Windows Memory Dump Analysis

If you are mainly interested in .NET memory dump analysis, there is another training: Accelerated .NET Core Memory Dump Analysis

If you are interested in C and C++ Linux memory dump analysis, there is another training: Accelerated Linux Core Dump Analysis

Online Training: Accelerated C & C++ for Linux Diagnostics

Software Diagnostics Services organizes this online training course.

Accelerated C & C++ for Windows Diagnostics Logo

The second version adds 45 projects with more than 5,500 lines of code.

For approximate training content of the new, fully revamped version, please see the first 45 slides (there are 295 slides in total) and TOC from the corresponding Windows Memory Thinking book. The Linux book will be updated correspondingly.

September 3, 5, 10, 12, 17, 19, 24, 26, October 3, 10, 17, 24 2024, 12:30 pm - 1:30 pm (GMT+1) Price 99 USD Registration

Solid C and C++ knowledge is a must to fully understand Linux diagnostic artifacts such as core dumps and do diagnostic, forensic, and root cause analysis beyond listing backtraces. Accelerated C and C++ for Linux Software Diagnostics training reviews memory-related topics from the perspective of software structure and behavior analysis and teaches C and C++ languages in parallel while demonstrating relevant code internals using GDB:

  • a tour of relevant language(s) constructs - classic/legacy C++, C++11, and later standards including C++23
  • Linux specifics
  • pointers and references
  • memory layout of structures and objects
  • local, static, and dynamic memory
  • object lifecycle
  • templates and standard library
  • functions, function objects, and lambdas
  • compilation and linkage
  • multithreading and synchronization
  • bad and insecure code
  • … and much more

System programming on Linux using C and C++ is unthinkable without Linux API. To avoid repeating some topics and save time, the training includes the Accelerated Linux API for Software Diagnostics book as a follow-up or additional reference. A necessary x64 and ARM64 review for some topics is also included.

Before the training, you get the following:

After the training, you also get the following:

  • The new edition of the Memory Thinking PDF book with additional C and C++ examples
  • Personalized Certificate of Attendance with unique CID
  • The new recording

Online Training: Extended Windows Memory Dump Analysis

Extended Windows Memory Dump Analysis Logo

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course:

Extended Windows Memory Dump Analysis: Using and Writing WinDbg Extensions, Database and Event Stream Processing, Visualization training course extends pattern-oriented analysis introduced in Accelerated Windows Memory Dump Analysis, Accelerated .NET Core Memory Dump Analysis, Advanced Windows Memory Dump Analysis with Data Structures, and Accelerated Windows Malware Analysis with Memory Dumps courses with elements of programming, data engineering, data science, and machine learning engineering:

  • Surveying the current landscape of WinDbg extensions with analysis pattern mappings
  • Writing WinDbg extensions in C, C++, and Rust (new)
  • Connecting WinDbg to NoSQL databases
  • Connecting WinDbg to streaming and log processing platforms
  • Querying and visualizing WinDbg output data
  • Using Data Science, Machine Learning, and AI for diagnostics and postmortem debugging (new)

The new version of the training updates existing and includes new exercises.

Slides from the previous training

Before the training, you get:

  • The current PDF book version and recording of the training
  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
  • Access to Software Diagnostics Library

After the training, you also get:

  • The new edition of the PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Answers to questions during training sessions
  • New recording

Prerequisites: Working knowledge of WinDbg. Working knowledge of Python, C, C++, or Rust is optional (required only for some exercises). Other concepts are explained when necessary.

Audience: Software developers, software maintenance engineers, escalation engineers, quality assurance engineers, security and vulnerability researchers, malware and memory forensics analysts who want to build memory analysis pipelines.

Online Training: Writing Bad Code (Part 1)

Software Diagnostics Services organizes this online training course.

March 3, 10, 17, 24, 31 2025, 12:30 pm - 1:30 pm (GMT, March 31 GMT+1) Price 99 USD Registration

Why would you need to learn how to write bad code? Of course, not to write malicious code backdoors but to understand software internals and diagnostics better. Writing “good” bad code is not easy, especially if you put specific requirements to it and are not satisfied with the accidental effects of bad bad code.

Topics include:

  • Modeling abnormal software behavior
  • Modeling memory analysis patterns
  • Modeling trace and log analysis patterns
  • Modeling defect mechanism patterns
  • Simulation of complex software problems
  • Software problem design patterns
  • Fault injection
  • Excellent bad code
  • Portable bad code
  • User and kernel code
  • Avoiding compiler undefined behavior
  • Debugging bad code to make it work as intended

The training also includes numerous hands-on coding projects using Visual C & C++ and GNU C & C++ compilers, x64 Windows and x64 and ARM64 Linux platforms. Some parts will also use Python, C#, Rust, and Scala for modeling examples.

Before the training, you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book (+300 pages)
  • Encyclopedia of Crash Dump Analysis Patterns, Third Edition (1,300 pages)
  • Trace, Log, Text, Narrative, Data: An Analysis Pattern Reference for Information Mining, Diagnostics, Anomaly Detection, Fifth Edition (400 pages)
  • Access to Software Diagnostics Library with more than 440 cross-referenced patterns of memory dump analysis, their classification, more than 70 case studies, and more than 240 general trace and log analysis patterns

After the training, you also get:

  • The PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Recording

Audience:

C and C++ developers, Windows and Linux system programmers, software technical support and escalation engineers, system administrators, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.

Memory Thinking for C & C++ Windows Diagnostics, Second Edition

Available in PDF format from Software Diagnostics Services

Solid C and C++ knowledge is a must to fully understand Windows diagnostic artifacts such as memory dumps and do diagnostic, forensic, and root cause analysis beyond listing stack traces, DLL, and driver information. This full-color reference book is a part of the Accelerated C & C++ for Windows Diagnostics training course organized by Software Diagnostics Services. The text contains slides, brief notes highlighting particular points, and illustrative source code fragments. The second edition added 45 Visual Studio projects with more than 5,500 lines of code. The book's detailed Table of Contents makes the usual Index redundant. The book's detailed Table of Contents makes the usual Index redundant. We hope this reference is helpful for the following audiences:

  • C and C++ developers who want to deepen their knowledge
  • Software engineers developing and maintaining products on Windows platforms
  • Technical support, escalation, DevSecOps, cloud and site reliability engineers dealing with complex software issues
  • Quality assurance engineers who test software on Windows platforms
  • Security and vulnerability researchers, reverse engineers, malware and memory forensics analysts

  • Title: Memory Thinking for C & C++ Windows Diagnostics: Slides with Descriptions and Source Code Illustrations, Second Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
  • Language: English
  • Product Dimensions: 25.4 x 20.3
  • PDF: 271 pages
  • Publisher: OpenTask (July 2024)
  • ISBN-13: 978-1912636617

Table of Contents
The first 56 slides from the training (there 289 slides in total)

Book: Accelerated Linux Debugging 4D

Available from Software Diagnostics Technology and Services.

Table of Contents and Sample Exercise
Slides from the training

The full transcript of Software Diagnostics Services training with more than 20 step-by-step exercises using WSL and Hyper-V environments, notes, and source code of specially created modeling applications in C, C++, and Rust. Learn live local and remote debugging techniques in the kernel, user process, and managed spaces using WinDbg, GDB, LLDB, rr, and KDB, KGDB debuggers. The unique and innovative course teaches unified debugging patterns applied to real problems from complex software environments. A necessary x64 and ARM64 review is also included.

Prerequisites: Working knowledge of one of these languages: C, C++, Rust. Operating system internals and assembly language concepts are explained when necessary.

Audience: Software engineers, software maintenance engineers, escalation engineers, SRE, DevOps and DevSecOps, cloud engineers, security and vulnerability researchers, malware and memory forensics analysts who want to learn live memory inspection techniques.

  • Title: Accelerated Linux Debugging4: Training Course Transcript with WinDbg, GDB, LLDB, rr, KDB, KGDB Practice Exercises
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (July 2024)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • PDF: 360 pages
  • ISBN-13: 978-1912636716

Memory Thinking for Rust

Available from Software Diagnostics Technology and Services.

Memory Thinking for Rust

Memory Thinking for Rust training reviews memory-related topics from the perspective of software structure and behavior analysis and teaches Rust language aspects in parallel while demonstrating relevant code internals using WinDbg and GDB on Windows (x64) and Linux (x64 and ARM64) platforms:

  • Relevant language constructs
  • Memory layout of structures
  • References, ownership, borrowing, and lifecycle
  • Local, static, and dynamic memory
  • Functions, closures
  • Object-oriented and functional features
  • Unsafe pointers
  • Windows and Linux specifics
  • … and much more

The training includes the PDF book that contains slides, brief notes highlighting particular points, and related source code with execution output:

  • Title: Memory Thinking for Rust: Slides with Descriptions and Source Code Illustrations
  • Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
  • Publisher: OpenTask (June 2024)
  • Language: English
  • Product Dimensions: 21.6 x 14.0
  • PDF: 338 pages
  • ISBN-13: 978-1912636662

The following audiences may benefit from the training:

  • Rust developers who want to deepen their knowledge
  • Non-C and C++ developers (for example, Java, Scala, Python) who want to learn more about pointer and reference internals
  • C and C++ developers who want to port their memory thinking to Rust quickly

For more detailed content, please see the first 15 slides (there are more than 200 slides for the training and 2,000 lines of Rust code) and Table of Contents from the reference book.

Online Training: Accelerated Linux Debugging 4D

Software Diagnostics Services organizes this online training course.

Learn live local and remote debugging techniques and tricks in the kernel and user process spaces using GDB and LLDB debuggers for C, C++, and Rust code. The unique and innovative Debugging 4D course teaches unified debugging patterns applied to real problems from complex software environments. The training consists of practical, step-by-step, hands-on exercises.

Before the training, you get:

  • Access to Software Diagnostics Library

After the training, you also get:

  • The PDF book version of the training: Accelerated Linux Debugging 4D
  • Personalized Certificate of Attendance with unique CID
  • Answers to questions during training sessions
  • Recording

Prerequisites:

Working knowledge of one of these languages: C, C++, Rust. Operating system internals and assembly language concepts are explained when necessary.

Audience:

Software engineers, software maintenance engineers, escalation engineers, security and vulnerability researchers, malware and memory forensics analysts who want to learn live memory inspection techniques.

If you are interested in live Windows debugging, there is another training course available.

Online Training: Accelerated C & C++ for Windows Diagnostics

Software Diagnostics Services organizes this online training course.

Accelerated C & C++ for Windows Diagnostics Logo

For approximate training content, please see the first 56 slides (there are 289 slides in total) and TOC from the corresponding Memory Thinking book.

Solid C and C++ knowledge is a must to fully understand Windows diagnostic artifacts such as memory dumps and do diagnostic, forensic, and root cause analysis beyond listing stack traces, DLL, and driver information. C and C++ for Windows Software Diagnostics training reviews the following topics from the perspective of software structure and behavior analysis and teaches C and C++ languages in parallel while demonstrating relevant code internals using WinDbg:

  • a tour of relevant language(s) constructs - classic/legacy C++, C++11, and later standards
  • Windows specifics
  • pointers and references
  • memory layout of structures and objects
  • local, static, and dynamic memory
  • object lifecycle
  • standard library
  • compilation, static and dynamic linkage
  • multithreading and synchronization
  • bad and insecure code
  • … and more

System and desktop application programming on Windows using C and C++ is unthinkable without Windows API. To avoid repeating some topics and save time, the training includes the Accelerated Windows API for Software Diagnostics book as a follow-up or additional reference. There is also a necessary x64 review for some topics, but if you are never used to reading assembly language, Practical Foundations of Windows Debugging, Disassembling, Reversing book is also included.

Before the training, you get the following:

After the training, you also get the following:

  • The new edition of the Memory Thinking PDF book with additional C and C++ examples
  • Personalized Certificate of Attendance with unique CID
  • The new recording

Declarative Memory


In addition to physical and virtual memory layers, we add another abstraction, the memory layer associated with source code values. We call it declarative memory. This term is not to be confused with declarative (or explicit) memory in neuropsychology. Memory corresponding to values in source code may be linearly organized but translated to a different layout by a compiler, or different values can be translated to the same virtual memory location. For example, in Rust (which prompted us to introduce this new memory concept), the following tuple is mapped to a different memory layout:

let i: i32 = 1;
let tuple: (bool, i32, &i32) = (true, 0, &i);

0:000> dt tuples!tuple
Local var @ 0x5c3196f2f0 Type tuple$<bool,i32,ref$<i32> >
   +0x004 __0              : 1
   +0x000 __1              : 0n0
   +0x008 __2              : 0x0000005c`3196f2ec  -> 0n1

0:000> dq 0x5c3196f2f0 L2
0000005c`3196f2f0  00000001`00000000 0000005c`3196f2ec

0:000> dd 0x5c3196f2f0 L4
0000005c`3196f2f0  00000000 00000001 3196f2ec 0000005c

Another virtual memory cell reuse example is the Optimized Code (function parameter reuse) memory analysis pattern.

Whereas in trace and log analysis, where there is the Declarative Trace analysis pattern where a declarative trace statement in source code may correspond to many actual trace statements, a kind of 1 to 0..N correspondence, declarative memory is usually M to N, where M >= N.
Similar to virtual-to-physical mapping, where the amount of virtual memory is greater than the amount of physical memory, the amount of declarative memory can be greater than the amount of virtual memory.

Memory Dump Analysis Anthology, Volume 16

Available in PDF format from Software Diagnostics Services

This reference volume consists of revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute (DumpAnalysis.org + TraceAnalysis.org) and Software Diagnostics Library (former Crash Dump Analysis blog, DumpAnalysis.org/blog) about software diagnostics, root cause analysis, debugging, crash and hang dump analysis, software trace and log analysis written from 15 April 2023 to 14 April 2024 for software engineers developing and maintaining products on Windows platforms, quality assurance engineers testing software, technical support, DevOps and DevSecOps, escalation and site reliability engineers dealing with complex software issues, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. This volume is fully cross-referenced with volumes 1 – 15 and features:

- 19 new crash dump analysis patterns
- 13 new software trace and log analysis patterns
- New defect mechanism pattern
- Introduction to Lov language
- Lists of recommended books

Product information:

  • Title: Memory Dump Analysis Anthology, Volume 16
  • Authors: Dmitry Vostokov, Software Diagnostics Institute
  • Language: English
  • Product Dimensions: 22.86 x 15.24
  • Paperback: 170 pages
  • Publisher: OpenTask (April 2024)
  • ISBN-13: 978-1-912636-16-7

Table of Contents

Advanced Software Diagnostics and Debugging Reference

These volumes are now also called Diagnomicon!

The new Volume 16 brings the total number of books to 18.

Now includes the new Revised Edition of Volume 1, Revised Edition of Volume 2, Revised Edition of Volume 3, Revised Edition of Volume 4, and Revised Edition of Volume 5.

Memory Dump Analysis Anthology contains revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) about software diagnostics, debugging, crash dump analysis, software trace and log analysis, malware analysis, and memory forensics. Its 16 volumes in 18 books have more than 5,400 pages and, among many topics, include more than 440 memory analysis patterns (mostly for WinDbg Windows debugger with selected macOS and Linux GDB variants), more than 70 WinDbg case studies, and more than 240 general trace and log analysis patterns. In addition, there are three supplemental volumes with articles reprinted in full color.

Tables of Contents and Indexes of WinDbg Commands from all volumes

Click on an individual volume to see its description and table of contents:

You can buy the 16-volume set from Software Diagnostics Services with a discount and also get free access to Software Diagnostics Library.

Praise for the series:

I have been working with reversing, dumps, IAT, unpacking, etc. and I am one of the few at my workplace that like analyzing hangs and crashes. I always knew that I had more to learn. So I continuously look for more info. Many links directed me to dumpanalysis.org. Frankly speaking, its spartan/simple design made me question its seriousness. But after reading some articles, I immediately decided to order "Memory Dump Analysis Anthology". I have only read 100 pages so far. But I am stunned. It is such an amazing book. How the author refines/reconstructs the call stack, and finds useful information in the stack is incredible. I am enormously thankful for the effort that the author has put into making these books. They are very didactic even though the topic is a bit hard. It is a real treasure.

Mattias Hogstrom

Book: Advanced Windows Memory Dump Analysis with Data Structures, Fifth Edition

Available in PDF format from Software Diagnostics Technology and Services.

The full transcript of the Software Diagnostics Services training course with 16 step-by-step exercises, notes, and selected questions and answers. Learn how to navigate through memory dump space and Windows data structures to diagnose, troubleshoot, and debug complex software incidents. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. It consists of practical step-by-step exercises using WinDbg to diagnose structural and behavioral patterns in the 64-bit kernel and complete (physical) memory dumps. Additional topics include memory search, kernel linked list navigation, practical WinDbg scripting, registry, system variables and objects, device drivers, and I/O. Prerequisites are basic and intermediate level Windows memory dump analysis: the ability to list processors, processes, threads, modules, apply symbols, walk through stack traces and raw stack data, diagnose patterns such as heap corruption, CPU spike, memory leaks, access violation, wait chains and deadlocks. If you don't feel comfortable with prerequisites, then Accelerated Windows Memory Dump Analysis training book is recommended before purchasing and reading this book course. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers. The fifth edition uses the latest WinDbg, includes the relevant Unified Modeling Language tutorial, revised and extended existing exercises, and added the exercise that demonstrates the use of a Generative AI LLM assistant.

  • Title: Advanced Windows Memory Dump Analysis with Data Structures: Training Course Transcript and WinDbg Practice Exercises with Notes, Fifth Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services, Dublin School of Security
  • Publisher: OpenTask (March 2024)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 341 pages
  • ISBN-13: 978-1912636952

Table of Contents and Sample Exercise

Theoretical Software Diagnostics, Fourth Edition

The following direct links can be used to order the fourth edition of the book:

Available in PDF format from Software Diagnostics Technology and Services

Contains reprinted articles in full color (including more than 230 figures) from 16 volumes of Memory Dump Analysis Anthology (Diagnomicon) related to pattern-oriented software diagnostics with additional comments showing the historical development of this autonomous and distinctive discipline over the last 18 years. In addition to 15 new articles, the fourth edition includes updated threads of thinking, a list of mathematical concepts, and notes’ references, and was completely remastered.

Product information:

  • Title: Theoretical Software Diagnostics: Collected Articles, Fourth Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Institute
  • Language: English
  • Product Dimensions: 21.6 x 14.0
  • PDF: 398 pages
  • Publisher: OpenTask (February 2024)
  • ISBN-13: 978-1912636914

Table of Contents
Bird's-eye View of Pages

Online Training: Advanced Windows Memory Dump Analysis with Data Structures

Software Diagnostics Services organizes this online training course.

Advanced Windows Memory Dump Analysis Logo

TBD

Learn how to navigate through memory dump space and Windows data structures to diagnose, troubleshoot, and debug complex software incidents. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. It consists of 15 practical step-by-step exercises using WinDbg to diagnose structural and behavioral patterns in the 64-bit kernel and complete (physical) memory dumps. Additional topics include memory search, kernel linked list navigation, practical WinDbg scripting including built-in language and JavaScript, registry, system variables and objects, device drivers, I/O, file system filters, and security. The training is based on the 4th revised edition of the Advanced Windows Memory Dump Analysis with Data Structures book. It is also optionally containerized. The new version uses the latest WinDbg and includes additional scripting and memory topics.

Slides from the previous training sessions

Before the training, you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book (+300 pages)
  • The current PDF book version
  • The previous training recording
  • Access to Software Diagnostics Library with more than 380 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies

After the training, you also get:

  • The new PDF book edition
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Current training sessions recording

Prerequisites: Basic and intermediate level Windows memory dump analysis: the ability to list processors, processes, threads, modules, apply symbols, walk through stack traces and raw stack data, diagnose patterns such as heap corruption, CPU spike, memory leaks, access violation, wait chains and deadlocks. If you don't feel comfortable with prerequisites, then Accelerated Windows Memory Dump Analysis training or the corresponding book is recommended before attending this training.

Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.

Book: Accelerated Windows Debugging 4D, Fourth Edition

Available in PDF format from Software Diagnostics Technology and Services.

The full transcript of Software Diagnostics Services training with 16 step-by-step exercises, notes, and source code of specially created modeling applications. Learn live local and remote debugging techniques in the kernel, user process, and managed .NET spaces using WinDbg debugger. The unique and innovative course teaches unified debugging patterns applied to real problems from complex software environments. The fourth edition was fully reworked and updated to use the latest WinDbg, added x64 disassembly review and Rust language to the existing and improved C/C++ and C# exercises.

Prerequisites: Working knowledge of one of these languages: C, C++, C#, Rust. Operating system internals and assembly language concepts are explained when necessary.

Audience: Software engineers, software maintenance engineers, escalation engineers, security and vulnerability researchers, malware and memory forensics analysts who want to learn live memory inspection techniques.

  • Title: Accelerated Windows Debugging4: Training Course Transcript and WinDbg Practice Exercises, Fourth Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (February 2024)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • PDF: 372 pages
  • ISBN-13: 978-1912636723

Table of Contents

Defect Mechanism Patterns (DMP), Part 1

In 2015, we introduced patterns-based root cause analysis methodology by adding software problem mechanisms to accompany software diagnostic problems and their analysis patterns. We also planned to start populating the new pattern catalog at that time, but due to other developments and ideas, we have postponed it until now. We also plan to include a new pattern catalog and case studies in our modeling software defects course.

Usually, an identified software diagnostic problem may have several different mechanisms, and a mechanism may contribute to several diagnostic signs and symptoms. Knowing such mechanisms helps greatly in modeling a problem, devising a debugging strategy, and proposing a code fix.

We start with the Spiking Thread memory analysis pattern, which has concrete analysis pattern variants for Windows, Linux, and macOS.

From its Stack Trace, we may identify the source code location. If the code uses some memory-intensive data structure, we may have an instance of Inefficient Container Implementation. Another mechanism to consider is Partial Breaking Functionality. The defect mechanism pattern names are provisional and may change as more patterns are added that require name revisions for generality, consistency, and perhaps just better names.

Inefficient Container Implementation is when a wrong container or flawed implementation is used for memory and CPU-bound code. For example, using a contiguous vector instead of a linked list may affect CPU resource consumption on insertions and deletions. Some containers, such as queues, may use underlying container implementations that can be replaced.

Partial Breaking Functionality is when we have a potentially infinite loop with checks for some conditions that prevent it from running forever. However, the list of such conditions is only partially implemented, leaving some conditions unchecked, which causes a real infinite loop with the detected CPU consumption.

Carnot Cycle Metaphor for Trace and Log Analysis

Recently, we added a few “thermodynamic” analysis patterns to our trace and log analysis pattern catalog, such as Trace Volume, Trace Temperature, and, finally, derived from an ideal gas equation metaphor, Trace Pressure. These patterns allow us to employ a Carnot cycle metaphor for a typical analysis cycle:

Initially, we have a low temperature (low importance) for a low volume of traces.

  1. During the incident, temperature (importance of traces) rises, triggering the rise in pressure.
  2. The volume of collected traces increases during investigations, and the pressure may go up or down.
  3. Once the problem is solved, the temperature comes down.
  4. During this phase, we do a retrospective and gradually reduce the volume of traces necessary for continuous monitoring to its original volume.

Accelerated Windows Memory Dump Analysis, Sixth Edition, Part 2: Kernel and Complete Spaces

The following direct links can be used to order the book:

Buy PDF from Leanpub

Buy Kindle edition

Also available in PDF format from Software Diagnostics Services

The full-color transcript of Software Diagnostics Services training sessions with 14 step-by-step exercises, notes, source code of specially created modeling applications, and 45 questions and answers. Covers more than 35 crash dump analysis patterns from x64 kernel and complete (physical) memory dumps. Learn how to analyze system crashes and freezes, navigate through the kernel and complete spaces, and diagnose patterns of abnormal software behavior with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve. Prerequisites: Basic Windows troubleshooting. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers and quality assurance engineers, and site reliability engineers. The 6th edition was fully reworked for the latest WinDbg version and includes additional relevant x64 assembly language review and BSOD analysis pattern strategy outline.

  • Title: Accelerated Windows Memory Dump Analysis, Sixth Edition, Part 2, Kernel and Complete Spaces: Training Course Transcript and WinDbg Practice Exercises with Notes
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (August 2023)
  • Language: English
  • PDF: 388 pages
  • ISBN-13: 978-1912636938

Table of Contents and Sample Exercise

Syndicate content