Structural and Behavioral Patterns for Diagnostics, Anomaly Detection, Forensics, Prognostics, Root Cause Analysis, Debugging

Our tools are only as good as our pattern language.

Analysis patterns for the quality of software diagnostics in endpoint devices, enterprise, and cloud environments.

Diagnostics Science

Diagnostics is the mother of problem solving.

All areas of human activity involve the use of diagnostics. Proper diagnostics identifies the right problems to solve. We are now a part of a non-profit organization dedicated to the developing and promoting the application of such diagnostics: systemic and pattern-oriented (pattern-driven and pattern-based).

Online Training: Accelerated Windows Debugging 5D

Accelerated Windows Debugging 4D Logo

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course:

November 6 - 9 2023 6.30pm - 8.30pm (GMT) Price 99 USD Registration

Learn live local and remote debugging techniques and tricks in the kernel, user process, and managed .NET spaces using WinDbg and HyperDbg debuggers. The unique and innovative Debugging5 course teaches unified debugging patterns applied to real problems from complex software environments. The training consists of practical step-by-step, hands-on exercises. The new edition extends the previous 4D version with hypervisor-assisted debugging and adds Rust language to the existing C/C++ and C# exercises.

Slides from the previous Debugging4 training

Before the training, you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
  • Accelerated Windows Debugging4 PDF book
  • Access to Software Diagnostics Library

After the training, you also get the following:

  • The updated PDF book version of the training: Accelerated Windows Debugging5
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Prerequisites: Working knowledge of one of these languages: C, C++, C#, Rust. Operating system internals and assembly language concepts are explained when necessary.

Audience: software engineers, software maintenance engineers, escalation engineers, security and vulnerability researchers, malware and memory forensics analysts who want to learn live memory inspection techniques.

If you are interested in Windows postmortem software diagnostics using memory dump files, there are other courses available:

Accelerated Windows Memory Dump Analysis

Accelerated .NET Core Memory Dump Analysis

Advanced Windows Memory Dump Analysis with Data Structures

Accelerated Windows Malware Analysis with Memory Dumps

Online Training: Accelerated Windows Disassembly, Reconstruction and Reversing

Software Diagnostics Services organizes this online training course.

August 29 - 31, September 5 2023 6.30pm - 8.30pm (GMT+1) Price 99 USD Registration

Accelerated Windows Disassembly, Reconstruction, and Reversing Logo

Learn disassembly, execution history reconstruction, and binary reversing techniques for better software diagnostics, troubleshooting, and debugging on x64 Windows platforms. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using WinDbg and memory dumps. Covered more than 25 ADDR patterns, and many concepts are illustrated with Memory Cell Diagrams. The prerequisites for this training are working knowledge of C and C++ programming languages. Operating system internals and assembly language concepts are explained when necessary. The primary audience for this training is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to go deeper in their analysis of abnormal and malicious software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse cloud and endpoint computer environments, security and vulnerability researchers, and malware and memory forensics analysts who have never used WinDbg for analysis of computer memory. The course builds upon and extends the basic patterns introduced in the Practical Foundations of Windows Debugging, Disassembling, Reversing book. The new version includes an overview of the relevant x64 assembly language.

Slides from the previous training

Before the training, you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
  • The previous PDF book version of the training
  • Access to Software Diagnostics Library

After the training, you also get:

  • The new 2nd edition PDF book of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Online Training: Accelerated C & C++ for Windows Diagnostics

Software Diagnostics Services organizes this online training course.

Accelerated C & C++ for Windows Diagnostics Logo

July 10, 17, 24, 31, August 7, 16, 23, September 4, 11, 18, 25 2023 6.30pm - 7.30pm (GMT+1) Price 99 USD Registration

Solid C and C++ knowledge is a must to fully understand Windows diagnostic artifacts such as memory dumps and do diagnostic, forensic, and root cause analysis beyond listing stack traces, DLL, and driver information. C and C++ for Windows Software Diagnostics training reviews the following topics from the perspective of software structure and behavior analysis and teaches C and C++ languages in parallel:

  • a tour of relevant language(s) constructs - classic/legacy C++, C++11, and later standards
  • Windows specifics
  • pointers and references
  • memory layout of structures and objects
  • local, static, and dynamic memory
  • object lifecycle
  • standard library
  • compilation, static and dynamic linkage
  • multithreading and synchronization
  • bad and insecure code
  • … and more

System and desktop application programming on Windows using C and C++ is unthinkable without Windows API. To avoid repeating some topics and save time, the training includes the Accelerated Windows API for Software Diagnostics book as a follow-up or additional reference. There is also a necessary x64 review for some topics, but if you are never used to reading assembly language, Practical Foundations of Windows Debugging, Disassembling, Reversing book is also included.

Before the training, you get the following:

After the training, you also get the following:

  • The PDF book of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Online Training: Accelerated Windows Memory Dump Analysis

Software Diagnostics Services organizes this online training course.

Accelerated Windows Memory Dump Analysis Logo

Slides from the previous training version, days 1-3
Slides from the previous training version, days 4-6

New dates/times TBD

This training includes 32 step-by-step exercises and covers more than 65 crash dump analysis patterns from x86 and x64 process, kernel, and complete (physical) memory dumps. Learn how to analyze application, service and system crashes and freezes, navigate through memory dump space and diagnose heap corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve, and it is based on the latest 5th revised edition of the bestselling Accelerated Windows Memory Dump Analysis book. This new training version also includes:

  • x86 and x64 disassembly overviews
  • Additional memory analysis patterns
  • Memory dump analysis of Go and Rust processes
  • Additional coverage of BSOD
  • New kernel exercises with source code

Training outline:

  • Day 1 (2 hours): Overview. Process memory dump analysis.
  • Day 2 (2 hours): Process memory dump analysis.
  • Day 3 (2 hours): Process memory dump analysis.
  • Day 4 (2 hours): Kernel memory dump analysis.
  • Day 5 (2 hours): Complete (physical) memory dump analysis.
  • Day 6 (2 hours): Additional memory dump analysis topics.

Before the training, you get:

After the training, you also get:

  • The new 6th PDF book edition (+800 pages)
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Current training sessions recording

Prerequisites: Basic Windows troubleshooting

Audience: Software technical support and escalation engineers, system administrators, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts, DevSecOps and SRE, software developers, and quality assurance engineers.

If you are mainly interested in .NET memory dump analysis, there is another training: Accelerated .NET Core Memory Dump Analysis

If you are interested in Linux memory dump analysis, there is another training: Accelerated Linux Core Dump Analysis

Book: Accelerated Linux API for Software Diagnostics

Available in PDF format from Software Diagnostics Services.

The book contains the full transcript of Software Diagnostics Services training with 16 hands-on exercises.

Knowledge of Linux API is necessary for:

  • Development
  • Malware analysis
  • Vulnerability analysis and exploitation
  • Reversing
  • Diagnostics
  • Debugging
  • Memory forensics
  • Crash and hang analysis
  • Secure coding
  • Static code analysis
  • Trace and log analysis

The training uses a unique and innovative pattern-oriented analysis approach and provides:

  • Overview
  • Classification
  • Patterns
  • Internals
  • Development examples
  • Analysis examples
  • Comparison with Windows API

  • Title: Accelerated Linux API for Software Diagnostics: With Category Theory in View
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (June 2023)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • PDF: 232 pages
  • ISBN-13: 978-1912636624

Table of Contents and sample exercise
Slides from the training

Runtime Thread (Python, Linux)

We continue extending our memory analysis pattern language to Python execution environment after introducing Managed Stack Trace variant. Now we add Runtime Thread (former CLR Thread memory analysis pattern) variant. For Linux and GDB, in the case of Reduced Symbolic Information we get this stack trace:


(gdb) bt
#0 0x00007ffff7caeb97 in __GI___select (nfds=0, readfds=0x0, writefds=0x0, exceptfds=0x0, timeout=0x7fffffffd9f0)
at ../sysdeps/unix/sysv/linux/select.c:41
#1 0x00000000004e8965 in ?? ()
#2 0x00000000005d8711 in _PyMethodDef_RawFastCallKeywords ()
#3 0x000000000054b330 in ?? ()
#4 0x00000000005524cd in _PyEval_EvalFrameDefault ()
#5 0x00000000005d91fc in _PyFunction_FastCallKeywords ()
#6 0x000000000054e5ac in _PyEval_EvalFrameDefault ()
#7 0x00000000005d91fc in _PyFunction_FastCallKeywords ()
#8 0x000000000054e5ac in _PyEval_EvalFrameDefault ()
#9 0x00000000005d91fc in _PyFunction_FastCallKeywords ()
#10 0x000000000054e5ac in _PyEval_EvalFrameDefault ()
#11 0x000000000054bcc2 in _PyEval_EvalCodeWithName ()
#12 0x000000000054e0a3 in PyEval_EvalCode ()
#13 0x0000000000630ce2 in ?? ()
#14 0x0000000000630d97 in PyRun_FileExFlags ()
#15 0x00000000006319ff in PyRun_SimpleFileExFlags ()
#16 0x000000000065432e in ?? ()
#17 0x000000000065468e in _Py_UnixMain ()
#18 0x00007ffff7be209b in __libc_start_main (main=0x4bc560 <main>, argc=2, argv=0x7fffffffe4c8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe4b8) at ../csu/libc-start.c:308
#19 0x00000000005e0e8a in _start ()

If we install python debug package (for example, python3.7-dbg) we get full symbolic information:


(gdb) bt
#0 0x00007ffff7caeb97 in __GI___select (nfds=0, readfds=0x0, writefds=0x0, exceptfds=0x0, timeout=0x7fffffffd9f0)
at ../sysdeps/unix/sysv/linux/select.c:41
#1 0x00000000004e8965 in pysleep (secs=<optimized out>) at ../Modules/timemodule.c:1829
#2 time_sleep (self=<optimized out>, obj=<optimized out>, self=<optimized out>, obj=<optimized out>) at ../Modules/timemodule.c:371
#3 0x00000000005d8711 in _PyMethodDef_RawFastCallKeywords (method=0x82dbe0 <time_methods+288>, self=<module at remote 0x7ffff77d5c28>,
args=0x7ffff788c550, nargs=<optimized out>, kwnames=<optimized out>) at ../Objects/call.c:644
#4 0x000000000054b330 in _PyCFunction_FastCallKeywords (kwnames=<optimized out>, nargs=<optimized out>, args=0x7ffff788c550,
func=<built-in method sleep of module object at remote 0x7ffff77d5c28>) at ../Objects/call.c:730
#5 call_function (pp_stack=0x7fffffffdb60, oparg=<optimized out>, kwnames=<optimized out>) at ../Python/ceval.c:4568
#6 0x00000000005524cd in _PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at ../Python/ceval.c:3093
#7 0x00000000005d91fc in PyEval_EvalFrameEx (throwflag=0, f=Frame 0x7ffff788c3d8, for file sleepLoop.py, line 11, in bar ()) at ../Python/ceval.c:547
#8 function_code_fastcall (globals=<optimized out>, nargs=<optimized out>, args=<optimized out>, co=<optimized out>) at ../Objects/call.c:283
#9 _PyFunction_FastCallKeywords (func=<optimized out>, stack=<optimized out>, nargs=<optimized out>, kwnames=<optimized out>) at ../Objects/call.c:408
#10 0x000000000054e5ac in call_function (kwnames=0x0, oparg=<optimized out>, pp_stack=<synthetic pointer>) at ../Python/ceval.c:4616
#11 _PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at ../Python/ceval.c:3124
#12 0x00000000005d91fc in PyEval_EvalFrameEx (throwflag=0, f=Frame 0x7ffff77d85e8, for file sleepLoop.py, line 7, in foo ()) at ../Python/ceval.c:547
#13 function_code_fastcall (globals=<optimized out>, nargs=<optimized out>, args=<optimized out>, co=<optimized out>) at ../Objects/call.c:283
#14 _PyFunction_FastCallKeywords (func=<optimized out>, stack=<optimized out>, nargs=<optimized out>, kwnames=<optimized out>) at ../Objects/call.c:408
#15 0x000000000054e5ac in call_function (kwnames=0x0, oparg=<optimized out>, pp_stack=<synthetic pointer>) at ../Python/ceval.c:4616
#16 _PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at ../Python/ceval.c:3124
#17 0x00000000005d91fc in PyEval_EvalFrameEx (throwflag=0, f=Frame 0x926ee8, for file sleepLoop.py, line 4, in main ()) at ../Python/ceval.c:547
#18 function_code_fastcall (globals=<optimized out>, nargs=<optimized out>, args=<optimized out>, co=<optimized out>) at ../Objects/call.c:283
#19 _PyFunction_FastCallKeywords (func=<optimized out>, stack=<optimized out>, nargs=<optimized out>, kwnames=<optimized out>) at ../Objects/call.c:408
#20 0x000000000054e5ac in call_function (kwnames=0x0, oparg=<optimized out>, pp_stack=<synthetic pointer>) at ../Python/ceval.c:4616
#21 _PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at ../Python/ceval.c:3124
#22 0x000000000054bcc2 in PyEval_EvalFrameEx (throwflag=0, f=Frame 0x7ffff78739f8, for file sleepLoop.py, line 14, in <module> ())
at ../Python/ceval.c:547
#23 _PyEval_EvalCodeWithName (_co=<optimized out>, globals=<optimized out>, locals=<optimized out>, args=<optimized out>, argcount=<optimized out>,
kwnames=0x0, kwargs=0x0, kwcount=<optimized out>, kwstep=2, defs=0x0, defcount=0, kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0)
at ../Python/ceval.c:3930
#24 0x000000000054e0a3 in PyEval_EvalCodeEx (closure=0x0, kwdefs=0x0, defcount=0, defs=0x0, kwcount=0, kws=0x0, argcount=0, args=0x0,
locals=<optimized out>, globals=<optimized out>, _co=<optimized out>) at ../Python/ceval.c:3959
#25 PyEval_EvalCode (co=<optimized out>, globals=<optimized out>, locals=<optimized out>) at ../Python/ceval.c:524
#26 0x0000000000630ce2 in run_mod (mod=<optimized out>, filename=<optimized out>,
globals={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='sleepLoop.py') at remote 0x7ffff7805f60>, '__spec__': None, '__annotations__': {}, '__builtins__': <module at remote 0x7ffff78cac28>, '__file__': 'sleepLoop.py', '__cached__': None, 'time': <module at remote 0x7ffff77d5c28>, 'main': <function at remote 0x7ffff78411e0>, 'foo': <function at remote 0x7ffff7731c80>, 'bar': <function at remote 0x7ffff7731d08>},
locals={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='sleepLoop.py') at remote 0x7ffff7805f60>, '__spec__': None, '__annotations__': {}, '__builtins__': <module at remote 0x7ffff78cac28>, '__file__': 'sleepLoop.py', '__cached__': None, 'time': <module at remote 0x7ffff77d5c28>, 'main': <function at remote 0x7ffff78411e0>, 'foo': <function at remote 0x7ffff7731c80>, 'bar': <function at remote 0x7ffff7731d08>}, flags=<optimized out>, arena=<optimized out>) at ../Python/pythonrun.c:1035
#27 0x0000000000630d97 in PyRun_FileExFlags (fp=0x92e490, filename_str=<optimized out>, start=<optimized out>,
globals={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='sleepLoop.py') at remote 0x7ffff7805f60>, '__spec__': None, '__annotations__': {}, '__builtins__': <module at remote 0x7ffff78cac28>, '__file__': 'sleepLoop.py', '__cached__': No--Type <RET> for more, q to quit, c to continue without paging--
ne, 'time': <module at remote 0x7ffff77d5c28>, 'main': <function at remote 0x7ffff78411e0>, 'foo': <function at remote 0x7ffff7731c80>, 'bar': <function at remote 0x7ffff7731d08>},
locals={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='sleepLoop.py') at remote 0x7ffff7805f60>, '__spec__': None, '__annotations__': {}, '__builtins__': <module at remote 0x7ffff78cac28>, '__file__': 'sleepLoop.py', '__cached__': None, 'time': <module at remote 0x7ffff77d5c28>, 'main': <function at remote 0x7ffff78411e0>, 'foo': <function at remote 0x7ffff7731c80>, 'bar': <function at remote 0x7ffff7731d08>}, closeit=1, flags=0x7fffffffe2ac) at ../Python/pythonrun.c:988
#28 0x00000000006319ff in PyRun_SimpleFileExFlags (fp=0x92e490, filename=<optimized out>, closeit=1, flags=0x7fffffffe2ac) at ../Python/pythonrun.c:429
#29 0x000000000065432e in pymain_run_file (p_cf=0x7fffffffe2ac, filename=<optimized out>, fp=0x92e490) at ../Modules/main.c:427
#30 pymain_run_filename (cf=0x7fffffffe2ac, pymain=0x7fffffffe380) at ../Modules/main.c:1627
#31 pymain_run_python (pymain=0x7fffffffe380) at ../Modules/main.c:2877
#32 pymain_main (pymain=<optimized out>, pymain=<optimized out>) at ../Modules/main.c:3038
#33 0x000000000065468e in _Py_UnixMain (argc=<optimized out>, argv=<optimized out>) at ../Modules/main.c:3073
#34 0x00007ffff7be209b in __libc_start_main (main=0x4bc560 <main>, argc=2, argv=0x7fffffffe4c8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe4b8) at ../csu/libc-start.c:308
#35 0x00000000005e0e8a in _start () at ../Modules/main.c:797

Managed Code Exception (Scala) and Managed Stack Trace (Scala)

We extend our memory analysis patterns to managed platforms other than .NET. We chose Scala as our modeling language, we have experience with for the last 3 years. The first analysis patterns we choose to extend are Managed Code Exception and Managed Stack Trace which are exceptions and stack traces from some virtual machine execution, not native platform exceptions and stack traces. To model it we created the following application:

package org.dumpanalysis.patterns.memory

@main def helloCrash: Int =
  foo

def foo: Int =
  bar

def bar: Int =
  val ref: Option[Int] = None
  ref.get

When executing the resulting project we got this exception and its stack trace:

java.util.NoSuchElementException: None.get
        at scala.None$.get(Option.scala:627)
        at scala.None$.get(Option.scala:626)
        at org.dumpanalysis.patterns.memory.Main$package$.bar(Main.scala:11)
        at org.dumpanalysis.patterns.memory.Main$package$.foo(Main.scala:7)
        at org.dumpanalysis.patterns.memory.Main$package$.helloCrash(Main.scala:4)
        at org.dumpanalysis.patterns.memory.helloCrash.main(Main.scala:3)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at dotty.tools.runner.RichClassLoader$.run$extension$$anonfun$1(ScalaClassLoader.scala:36)
        at dotty.tools.runner.ScalaClassLoader$.asContext(ScalaClassLoader.scala:80)
        at dotty.tools.runner.RichClassLoader$.dotty$tools$runner$RichClassLoader$$$
asContext$extension(ScalaClassLoader.scala:18)
        at dotty.tools.runner.RichClassLoader$.run$extension(ScalaClassLoader.scala:36)
        at dotty.tools.runner.CommonRunner.run(ObjectRunner.scala:23)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at coursier.bootstrap.launcher.a.a(Unknown Source)
        at coursier.bootstrap.launcher.Launcher.main(Unknown Source)

Memory Dump Analysis Anthology, Volume 15

Available in PDF format from Software Diagnostics Services

This reference volume consists of revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute (DumpAnalysis.org + TraceAnalysis.org) and Software Diagnostics Library (former Crash Dump Analysis blog, DumpAnalysis.org/blog) about software diagnostics, root cause analysis, debugging, crash and hang dump analysis, software trace and log analysis written from 15 August 2021 to 14 April 2023 for software engineers developing and maintaining products on Windows platforms, quality assurance engineers testing software, technical support, DevOps and DevSecOps, escalation and site reliability engineers dealing with complex software issues, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. This volume is fully cross-referenced with volumes 1 – 14 and features:

- 11 new crash dump analysis patterns
- New crash dump analysis case study
- 21 new software trace and log analysis patterns
- New software diagnostics architecture pattern
- Introduction to systematic software diagnostics
- Introduction to using Dia|gram language in memory dump analysis
- Introduction to traces and logs as 2-categories
- Introduction to a broad program for diagnostics of artificial intelligence
- Lists of recommended books

Product information:

  • Title: Memory Dump Analysis Anthology, Volume 15
  • Authors: Dmitry Vostokov, Software Diagnostics Institute
  • Language: English
  • Product Dimensions: 22.86 x 15.24
  • Paperback: 291 pages
  • Publisher: OpenTask (April 2023)
  • ISBN-13: 978-1-912636-15-0

Table of Contents

Advanced Software Diagnostics and Debugging Reference

These volumes are now also called Diagnomicon!

The new Volume 15 brings the total number of books to 17.

Now includes the new Revised Edition of Volume 1, Revised Edition of Volume 2, Revised Edition of Volume 3, Revised Edition of Volume 4, and Revised Edition of Volume 5.

Memory Dump Analysis Anthology contains revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) about software diagnostics, debugging, crash dump analysis, software trace and log analysis, malware analysis, and memory forensics. Its 15 volumes in 17 books have more than 5,200 pages and, among many topics, include more than 380 memory analysis patterns (mostly for WinDbg Windows debugger with selected macOS and Linux GDB variants), more than 70 WinDbg case studies, and more than 230 general trace and log analysis patterns. In addition, there are three supplemental volumes with articles reprinted in full color.

Tables of Contents and Indexes of WinDbg Commands from all volumes

Click on an individual volume to see its description and table of contents:

You can buy the 15-volume set from Software Diagnostics Services with a discount and also get free access to Software Diagnostics Library.

Praise for the series:

I have been working with reversing, dumps, IAT, unpacking, etc. and I am one of the few at my workplace that like analyzing hangs and crashes. I always knew that I had more to learn. So I continuously look for more info. Many links directed me to dumpanalysis.org. Frankly speaking, its spartan/simple design made me question its seriousness. But after reading some articles, I immediately decided to order "Memory Dump Analysis Anthology". I have only read 100 pages so far. But I am stunned. It is such an amazing book. How the author refines/reconstructs the call stack, and finds useful information in the stack is incredible. I am enormously thankful for the effort that the author has put into making these books. They are very didactic even though the topic is a bit hard. It is a real treasure.

Mattias Hogstrom

Online Training: Extended Windows Memory Dump Analysis

Extended Windows Memory Dump Analysis Logo

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course:

New dates/times TBD

Extended Windows Memory Dump Analysis: Using and Writing WinDbg Extensions, Database and Event Stream Processing, Visualization training course extends pattern-oriented analysis introduced in Accelerated Windows Memory Dump Analysis, Accelerated .NET Core Memory Dump Analysis, Advanced Windows Memory Dump Analysis with Data Structures, and Accelerated Windows Malware Analysis with Memory Dumps courses with:

  • Surveying the current landscape of WinDbg extensions with analysis pattern mappings
  • Writing WinDbg extensions in C and C++
  • Connecting WinDbg to NoSQL databases
  • Connecting WinDbg to streaming and log processing platforms
  • Querying and visualizing WinDbg output data

The new version of the training updates existing and includes new exercises.

Slides from the previous training

Before the training, you get:

  • The current PDF book version and recording of the training
  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
  • Access to Software Diagnostics Library

After the training, you also get:

  • The new edition of the PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • New recording

Prerequisites: Working knowledge of WinDbg. Working knowledge of Python, C or C++ is optional (required only for some exercises). Other concepts are explained when necessary.

Audience: Software developers, software maintenance engineers, escalation engineers, quality assurance engineers, security and vulnerability researchers, malware and memory forensics analysts who want to build memory analysis pipelines.

Trace, Log, Text, Narrative, Data: An Analysis Pattern Reference for Information Mining, Diagnostics, Anomaly Detection

The Fifth Edition is available in PDF format from Software Diagnostics Services

Other Fifth Edition links:

Buy PDF from Leanpub

The first edition is also available for SkillSoft Books24x7 subscribers

General trace and log analysis patterns allow the application of uniform diagnostics and anomaly detection across diverse software environments. This pattern language covers any execution artifact from a small debugging trace to a distributed log with billions of messages from hundreds of computers, thousands of software components, threads, and processes. Pattern-oriented trace and log analysis is applicable to troubleshooting and debugging Windows, Mac OS X, Linux, FreeBSD, Android, iOS, z/OS, and any other possible computer platform, including networking and IoT. Its pattern catalog is a part of pattern-oriented software data analysis, diagnostics, anomaly detection, forensics, prognostics, root cause analysis, and debugging developed by Software Diagnostics Institute. Also, the scope of applicability of such analysis patterns is much wider than just software execution artifacts or temporal data and now includes general data, narratives, text, and image analysis (space-like narratology). This reference reprints with corrections almost 230 patterns originally published in Memory Dump Analysis Anthology volumes 3 - 14 and Software Diagnostics Library. It also includes additional 19 analysis patterns from the forthcoming volume 15 bringing the total analysis pattern count to 229. Full-color diagrams accompany almost all pattern descriptions. The fifth edition includes 28 more patterns, updated diagram pictures, classification, and the list of narratological and mathematical influences, and now includes the long-awaited introduction and two new appendixes.

Product information:

  • Title: Trace, Log, Text, Narrative, Data: An Analysis Pattern Reference for Information Mining, Diagnostics, Anomaly Detection, Fifth Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Institute
  • Language: English
  • Product Dimensions: 21.6 x 14.0
  • Paperback: 400 pages
  • Publisher: OpenTask (March 2023)
  • ISBN-13: 978-1912636587

Table of Contents
Bird's-eye View of Pages

Diagnostics of Artificial Intelligence

If wrong labels are ML bugs, then wrong answers are ML crashes.

We propose to define Diagnostics of AI as a combination of ideas and approaches from different disciplines such as software engineering, computer science, mathematics, physics, chemistry, biology, literary theory and criticism, narratology, semiotics, humanities, sociology, medicine, forensic science, psychology, psychiatry, and psychopathology with the following main directions of our research activities:

It is also important to differentiate diagnostics of artificial intelligence from diagnostics of artificial intelligence systems which is just software and hardware diagnostics, where diagnostics of AI may be just a part. Diagnostics of AI systems is metaphorically like medicine, whereas diagnostics of AI is like psychiatry and psychopathology.

We also organized a few groups for information sharing, such as relevant books and articles:

LinkedIn Diagnostics of Artificial Intelligence group
Facebook Diagnostics of Artificial Intelligence group

Traces and Logs as 2-categories

In the past, we looked at software traces and logs as semigroups or monoids as a single object category. In the latter case, the monoid object is a trace or log, and arrows (morphisms) are trace and log messages.

Online Training: Accelerated Linux API for Software Diagnostics

Software Diagnostics Services organizes this online training course.

New dates/times TBD

For the approximate agenda please check slides from the similar Windows training

Knowledge of Windows API is necessary for:

  • Development
  • Malware analysis
  • Vulnerability analysis and exploitation
  • Reversing
  • Diagnostics
  • Debugging
  • Memory forensics
  • Core dump analysis
  • Secure coding
  • Static code analysis
  • Trace and log analysis

The training uses a unique and innovative pattern-oriented analysis approach and provides:

  • Overview
  • Classification
  • Patterns
  • Internals
  • Development examples
  • Analysis examples
  • Comparison with Windows API

Before the training you get:

  • Access to Software Diagnostics Library

After the training, you also get:

  • The PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Book: Accelerated Linux Core Dump Analysis, Third Edition

Available in PDF format from Software Diagnostics Technology and Services.

The full transcript of Software Diagnostics Services training. Learn how to analyze Linux process and kernel crashes and hangs, navigate through core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. This training uses a unique and innovative pattern-oriented diagnostic analysis approach to speed up the learning curve. The training consists of 47 practical step-by-step exercises using GDB and WinDbg debuggers, highlighting almost 40 memory analysis patterns diagnosed in 64-bit core memory dumps from x64 and ARM64 platforms. The training also includes source code of modeling applications, a catalog of relevant patterns from the Software Diagnostics Institute, and an overview of relevant similarities and differences between Windows and Linux memory dump analysis useful for engineers with a Wintel background. In addition to various improvements, the third edition includes a review of relevant x64 and ARM64 disassembly and a new set of ARM64 GDB exercises.

  • Title: Accelerated Linux Core Dump Analysis: Training Course Transcript with GDB and WinDbg Practice Exercises, Third Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (January 2023)
  • Language: English
  • PDF: 637 pages
  • ISBN-13: 978-1912636594

Table of Contents and Sample Exercise

Online Training: Accelerated Linux Disassembly, Reconstruction, and Reversing

Accelerated Disassembly, Reconstruction and Reversing Logo

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course.

March 6 - 8, 13 - 15 2023 6.30pm - 8.30pm (GMT) Price 99 USD Registration

Learn disassembly, execution history reconstruction, and binary reversing techniques for better software diagnostics, troubleshooting, debugging, memory forensics, vulnerability and malware analysis on x64 and ARM64 Linux platforms. The course uses a unique and innovative pattern language approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using GDB and Linux core memory dumps. Covered more than 25 ADDR patterns originally introduced for the x64 Windows platform, and many concepts are illustrated with Memory Cell Diagrams. This new training version includes a review of necessary x64 and ARM64 assembly language fundamentals.

Slides from the previous training

Level: Intermediate/Advanced.

Prerequisites: Working knowledge of C and C++. Operating system internals and assembly language concepts are explained when necessary.

Audience: Software technical support and escalation engineers who analyze core dumps from complex software environments and need to go deeper in their analysis of abnormal and malicious software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse cloud and endpoint computer environments, SRE and DevSecOps, security and vulnerability researchers, malware and memory forensics analysts who have never used GDB for analysis of computer memory.

The training consists of 4 two-hour sessions.

Before the training, you get the following:

  • The current PDF book version
  • The previous training recording
  • Access to Software Diagnostics Library

After the training, you also get the following:

  • The updated PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • The new recording

Online Training: Accelerated Linux Core Dump Analysis

Software Diagnostics Services organizes this online training course.

January 17 - 20 2023 6.30pm - 8.30pm (GMT) Price 99 USD Registration

Learn how to analyze Linux process and kernel crashes and hangs, navigate through core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. This training uses a unique and innovative pattern-oriented diagnostic analysis approach to speed up the learning curve. The training consists of more than 20 practical step-by-step exercises using GDB and WinDbg debuggers highlighting more than 50 memory analysis patterns diagnosed in 64-bit core memory dumps from x64 and ARM64 platforms. The training also includes source code of modeling applications, a catalog of relevant patterns from Software Diagnostics Institute, and an overview of relevant similarities and differences between Windows and Linux memory dump analysis useful for engineers with Wintel background. The training is based on the 2nd revised and extended edition of the bestselling Accelerated Linux Core Dump Analysis book. There will be additional material added related to x64 and ARM64 disassembly.

Prerequisites: Basic Linux user skills.

Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, DevSecOps and SRE, and quality assurance engineers.

Slides from the training

Training outline:

  • Day 1: Overview. Process core dump analysis.
  • Day 2: Process core dump analysis.
  • Day 3: Kernel core dump analysis.
  • Before the training you get:

    • The current PDF book version of the training.
    • Access to Software Diagnostics Library.
    • Past recording.

    After the training, you also get:

    • The new 3rd edition PDF book version of the training.
    • Personalized Certificate of Attendance with unique CID.
    • Optional Personalized Certificate of Completion with unique CID (after the tests).
    • Answers to questions during training sessions.
    • New recording.

Dia|gram Language and Memory Dump Analysis Patterns

We illustrate trace and log analysis patterns using a graphical language named Dia|gram. When we analyze memory dumps, we get textual log output to which we can apply the same analysis patterns. Therefore, we can reuse the same Dia|gram language for memory dump analysis, for example, for analysis pattern illustrations. We start with the first memory dump analysis pattern, Multiple Exceptions. However, we now use some later analysis pattern names in the latter's description, for example, Stack Trace Collection from multiple threads, which consists of Stack Traces from individual threads.

Each individual thread stack trace can be illustrated using this trace diagram with an implicit time arrow but without time values:



If we knew individual stack trace frame timings, we could have assembled the normal trace diagram:

However, we can assemble the combined trace by gluing individual thread traces and sorting them by thread creation time (available in Windows memory dumps):

Additionally, we can impose sparse discrete time labels and structure via Trace Schema:

Having ATIDs, we can use the Adjoint Thread of Activity analysis pattern.

Since we know that top frames existed at the time of the memory snapshot, we can also group them at the end of the trace:

Exception indicators (like exception processing frames) can be highlighted as Error Message and Periodic Error. We can also use Exception Stack Trace:

We can also add other debugger log output to such diagrams for Intra-Correlation.

We now start using Dia|gram in our memory dump analysis training courses and reference materials.

Book: Accelerated macOS Core Dump Analysis, Third Edition

Available for sale in PDF format from Software Diagnostics Services.

The full transcript of Software Diagnostics Services training with 12 step-by-step exercises. Learn how to analyze app crashes and freezes, navigate through process core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. We use a unique and innovative pattern-driven analysis approach to speed up the learning curve. The training consists of practical step-by-step exercises using Xcode and LLDB environments, highlighting more than 30 analysis patterns from Software Diagnostics Institute diagnosed in ARM64 process core memory dumps. The training also includes an overview of relevant similarities and differences between Windows and macOS user space memory dump analysis useful for engineers with a Wintel background and the relevant ARM64 disassembly tutorial. The course is thoroughly updated for the latest macOS version and M2 platform. The primary audience for this training is software technical support and escalation engineers who analyze crash reports and memory dumps, quality assurance and software engineers who test and debug macOS software, security and vulnerability researchers, and malware and memory forensics analysts who have never used LLDB for the analysis of computer memory.

  • Title: Accelerated macOS Core Dump Analysis, Third Edition: Training Course Transcript with LLDB Practice Exercises
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (December 2022)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • PDF: 250 pages
  • ISBN-13: 978-1912636754

Table of Contents and Sample Exercise
Slides from the training

Book: Accelerated Windows API for Software Diagnostics

Available in PDF format from Software Diagnostics Services.

The book contains the full transcript of Software Diagnostics Services training with 10 hands-on exercises.

Knowledge of Windows API is necessary for:

  • Development
  • Malware analysis
  • Vulnerability analysis and exploitation
  • Reversing
  • Diagnostics
  • Debugging
  • Memory forensics
  • Crash and hang analysis
  • Secure coding
  • Static code analysis
  • Trace and log analysis

The training uses a unique and innovative pattern-oriented analysis approach and provides:

  • Overview
  • Classification
  • Patterns
  • Internals
  • Development examples
  • Analysis examples

  • Title: Accelerated Windows API for Software Diagnostics: With Category Theory in View
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (December 2022)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • PDF: 305 pages
  • ISBN-13: 978-1912636631

Table of Contents and sample exercise
Slides from the training

Online Training: Accelerated macOS (M2) Disassembly, Reconstruction, and Reversing

Accelerated macOS (M2) Disassembly, Reconstruction and Reversing Logo

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course.

New dates/times TBD

Learn disassembly, execution history reconstruction, and binary reversing techniques for better software diagnostics, troubleshooting, debugging, memory forensics, vulnerability and malware analysis on the ARM64 macOS platform. The course uses a unique and innovative pattern language approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using LLDB and macOS core memory dumps. Covered more than 25 ADDR patterns originally introduced for the x64 Windows platform and later expanded to x64 and ARM64 Linux, and many concepts are illustrated with Memory Cell Diagrams. The course builds upon and extends the basic patterns introduced in Practical Foundations of macOS Debugging, Disassembling, Reversing book.

Slides from the simialr Linux-based training

Level: Intermediate/Advanced.

Prerequisites: Working knowledge of C and C++. Operating system internals and assembly language concepts are explained when necessary.

Audience: Software technical support and escalation engineers who analyze core dumps from complex software environments and need to go deeper in their analysis of abnormal and malicious software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse endpoint computer environments, security and vulnerability researchers, malware and memory forensics analysts who have never used LLDB for analysis of computer memory.

The training consists of 3 two-hour sessions. Before the training, you get:

Before the training, you get:

  • Access to Software Diagnostics Library
  • Practical Foundations of macOS Debugging, Disassembling, Reversing PDF book (January 2023)

After the training, you also get:

  • The PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Training: Accelerated macOS Core Dump Analysis (M2 Version)

Accelerated Mac OS X Core Dump Analysis Logo

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course:

New dates/times TBD

Learn how to analyze app crashes and freezes, navigate through process core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. We use a unique and innovative pattern-driven analysis approach to speed up the learning curve. The training consists of practical step-by-step exercises using Xcode and LLDB environments, highlighting more than 30 patterns diagnosed in 64-bit process core memory dumps. The training also includes an overview of relevant similarities and differences between Windows and Mac OS X user space memory dump analysis useful for engineers with a Wintel background. The course is thoroughly updated for the latest macOS version and M2 platform.

Slides from the previous x64-based training

Level: Beginner/Intermediate.

Prerequisites: Prerequisites: Basic macOS troubleshooting and debugging.

Audience: Audience: Software technical support and escalation engineers, system administrators, software developers, security professionals, and quality assurance engineers.

The training consists of 2 two-hour sessions. Before the training, you get:

  • The previous PDF edition of this course (Intel x64 LLDB and GDB)
  • Access to Software Diagnostics Library

After the training, you also get:

  • The new PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording
  • Practical Foundations of macOS Debugging, Disassembling, Reversing PDF book (January 2023)

Online Training: Accelerated Windows Trace and Log Analysis

Software Diagnostics Services organizes this online training course.

February 20 - 23, 27 2023 6.30pm - 7.30pm (GMT) Price 99 USD Registration

Accelerated Software Trace Analysis Logo

Feel frustrated when opening a software trace with millions of messages from hundreds of software components, threads, and processes? Go beyond simple CPU and disk hog monitoring or searching for errors in a text and learn how to efficiently and effectively analyze software traces and logs from complex software environments. In addition to a theoretical part, practical illustrations, examples, and exercises include Microsoft Event Tracing for Windows (ETW), Procmon, Windows Performance Analyzer, and PerfView. This course teaches trace and log analysis using pioneering and innovative pattern-oriented analysis of abnormal software behavior incidents developed by Software Diagnostics Institute.

Sample slides from a theoretical part

The training consists of 5 one-hour sessions. Before the training, you get:

  1. Accelerated Software Trace Analysis, Revised Edition, Part 1: Fundamentals and Basic Patterns (PDF)
  2. The current version of Malware Narratives (PDF).
  3. Trace, Log, Text, Narrative: An Analysis Pattern Reference for Data Mining, Diagnostics, Anomaly Detection, Fourth Edition (PDF).
  4. Access to Software Diagnostics Library.

After the training, you also get:

  1. The new edition of Accelerated Windows Software Trace Analysis: Training Course Transcript (PDF).
  2. The revised edition of Malware Narratives (PDF).
  3. The new edition of Trace, Log, Text, Narrative (PDF).
  4. Personalized Certificate of Attendance with unique CID.
  5. Optional Personalized Certificate of Completion with unique CID (after the tests).
  6. Answers to questions during training sessions.
  7. Recording.

Prerequisites: Basic Windows troubleshooting.

Audience: Software technical support and escalation engineers, system administrators, security researchers, incident response professionals, software developers, platform engineers, DevSecOps and SRE, and quality assurance engineers.

Online Training: Accelerated Windows API for Software Diagnostics

Software Diagnostics Services organizes this online training course.

New dates/times TBD

Slides from the training sessions

Knowledge of Windows API is necessary for:

  • Development
  • Malware analysis
  • Vulnerability analysis and exploitation
  • Reversing
  • Diagnostics
  • Debugging
  • Memory forensics
  • Crash and hang analysis
  • Secure coding
  • Static code analysis
  • Trace and log analysis

The training uses a unique and innovative pattern-oriented analysis approach and provides:

  • Overview
  • Classification
  • Patterns
  • Internals
  • Development examples
  • Analysis examples

Before the training you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
  • Access to Software Diagnostics Library

After the training, you also get:

  • The PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Pattern-Oriented Memory Forensics

The following direct links can be used to order the book now:

Buy PDF from Leanpub

Also available in PDF format from Software Diagnostics Services as a part of Accelerated Windows Memory Forensics and Malware Analysis with Memory Dumps training course and Pattern-Oriented Windows Memory Forensics Training Pack

The original edition is available for SkillSoft Books24x7 subscribers

This short book is a fully revised transcript of a lecture introducing a pattern language for memory forensics - an investigation of past software behavior in memory snapshots. It provides a unified language for discussing and communicating detection and analysis results despite the proliferation of operating systems and tools, a base language for checklists, and aid in accelerated learning. The lecture has a short theoretical part and then illustrates various patterns seen in crash dumps by using WinDbg debugger from Microsoft Debugging Tools for Windows.

  • Title: Pattern-Oriented Memory Forensics: A Pattern Language Approach, Revised Edition
  • Author: Dmitry Vostokov, Software Diagnostics Institute, Software Diagnostics Services
  • Publisher: OpenTask (October 2022)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 97 pages
  • ISBN-13: 978-1912636761

Presentation Slides

Syndicate content