Multiple Exceptions (user mode) - Modeling Example
Multiple Exceptions (kernel mode)
Multiple Exceptions (managed space)- Multiple Exceptions (stowed)
Dynamic Memory Corruption (process heap)
Dynamic Memory Corruption (kernel pool)- Dynamic Memory Corruption (managed heap)
False Positive Dump
Lateral Damage (general)- Lateral Damage (CPU mode)
Optimized Code (function parameter reuse)
Invalid Pointer (general)- Invalid Pointer (objects)
NULL Pointer (code)
NULL Pointer (data)
Inconsistent Dump
Hidden Exception (user space)- Hidden Exception (kernel space)
- Hidden Exception (managed space)
Deadlock (critical sections)
Deadlock (executive resources)
Deadlock (mixed objects, user space)
Deadlock (LPC)
Deadlock (mixed objects, kernel space)
Deadlock (self)- Deadlock (managed space)
- Deadlock (.NET Finalizer)
Changed Environment
Incorrect Stack Trace
OMAP Code Optimization
No Component Symbols
Insufficient Memory (committed memory)
Insufficient Memory (handle leak)
Insufficient Memory (kernel pool)
Insufficient Memory (PTE)
Insufficient Memory (module fragmentation)
Insufficient Memory (physical memory)
Insufficient Memory (control blocks)- Insufficient Memory (reserved virtual memory)
- Insufficient Memory (session pool)
- Insufficient Memory (stack trace database)
- Insufficient Memory (region)
- Insufficient Memory (stack)
Spiking Thread
Module Variety
Stack Overflow (kernel mode)
Stack Overflow (user mode)
Stack Overflow (software implementation)- Stack Overflow (insufficient memory)
- Stack Overflow (managed space)
Managed Code Exception- Managed Code Exception (Scala)
- Managed Code Exception (Python)
Truncated Dump
Waiting Thread Time (kernel dumps)
Waiting Thread Time (user dumps)
Memory Leak (process heap) - Modeling Example
Memory Leak (.NET heap)- Memory Leak (page tables)
- Memory Leak (I/O completion packets)
- Memory Leak (regions)
Missing Thread
Unknown Component
Double Free (process heap)
Double Free (kernel pool)
Coincidental Symbolic Information
Stack Trace- Stack Trace (I/O request)
- Stack Trace (file system filters)
- Stack Trace (database)
- Stack Trace (I/O devices)
Virtualized Process (WOW64)
Stack Trace Collection (unmanaged space)- Stack Trace Collection (managed space)
- Stack Trace Collection (predicate)
- Stack Trace Collection (I/O requests)
- Stack Trace Collection (CPUs)
Coupled Processes (strong)
Coupled Processes (weak)
Coupled Processes (semantics)
High Contention (executive resources)
High Contention (critical sections)
High Contention (processors)- High Contention (.NET CLR monitors)
- High Contention (.NET heap)
- High Contention (sockets)
Accidental Lock
Passive Thread (user space)
Passive System Thread (kernel space)
Main Thread
Busy System
Historical Information
Object Distribution Anomaly (IRP)- Object Distribution Anomaly (.NET heap)
Local Buffer Overflow (user space)- Local Buffer Overflow (kernel space)
Early Crash Dump
Hooked Functions (user space)
Hooked Functions (kernel space)- Hooked Modules
Custom Exception Handler (user space)
Custom Exception Handler (kernel space)
Special Stack Trace
Manual Dump (kernel)
Manual Dump (process)
Wait Chain (general)
Wait Chain (critical sections)
Wait Chain (executive resources)
Wait Chain (thread objects)
Wait Chain (LPC/ALPC)
Wait Chain (process objects)
Wait Chain (RPC)
Wait Chain (window messaging)
Wait Chain (named pipes)- Wait Chain (mutex objects)
- Wait Chain (pushlocks)
- Wait Chain (CLR monitors)
- Wait Chain (RTL_RESOURCE)
- Wait Chain (modules)
- Wait Chain (nonstandard synchronization)
- Wait Chain (C++11, condition variable)
- Wait Chain (SRW lock)
Corrupt Dump
Dispatch Level Spin
No Process Dumps
No System Dumps
Suspended Thread
Special Process
Frame Pointer Omission
False Function Parameters
Message Box
Self-Dump
Blocked Thread (software)
Blocked Thread (hardware)- Blocked Thread (timeout)
Zombie Processes
Wild Pointer
Wild Code
Hardware Error
Handle Limit (GDI, kernel space)- Handle Limit (GDI, user space)
Missing Component (general)
Missing Component (static linking, user mode)
Execution Residue (unmanaged space, user)- Execution Residue (unmanaged space, kernel)
- Execution Residue (managed space)
Optimized VM Layout- Invalid Handle (general)
- Invalid Handle (managed space)
- Overaged System
- Thread Starvation (realtime priority)
- Thread Starvation (normal priority)
- Duplicated Module
- Not My Version (software)
- Not My Version (hardware)
- Data Contents Locality
- Nested Exceptions (unmanaged code)
- Nested Exceptions (managed code)
- Affine Thread
- Self-Diagnosis (user mode)
- Self-Diagnosis (kernel mode)
- Self-Diagnosis (registry)
- Inline Function Optimization (unmanaged code)
- Inline Function Optimization (managed code)
- Critical Section Corruption
- Lost Opportunity
- Young System
- Last Error Collection
- Hidden Module
- Data Alignment (page boundary)
- C++ Exception
- Divide by Zero (user mode)
- Divide by Zero (kernel mode)
- Swarm of Shared Locks
- Process Factory
- Paged Out Data
- Semantic Split
- Pass Through Function
- JIT Code (.NET)
- JIT Code (Java)
- Ubiquitous Component (user space)
- Ubiquitous Component (kernel space)
- Nested Offender
- Virtualized System
- Effect Component
- Well-Tested Function
- Mixed Exception
- Random Object
- Missing Process
- Platform-Specific Debugger
- Value Deviation (stack trace)
- Value Deviation (structure field)
- Runtime Thread (CLR)
- Runtime Thread (Python, Linux)
- Coincidental Frames
- Fault Context
- Hardware Activity
- Incorrect Symbolic Information
- Message Hooks - Modeling Example
- Coupled Machines
- Abridged Dump
- Exception Stack Trace
- Distributed Spike
- Instrumentation Information
- Template Module
- Invalid Exception Information
- Shared Buffer Overwrite
- Pervasive System
- Problem Exception Handler
- Same Vendor
- Crash Signature
- Blocked Queue (LPC/ALPC)
- Fat Process Dump
- Invalid Parameter (process heap)
- Invalid Parameter (runtime function)
- String Parameter
- Well-Tested Module
- Embedded Comment
- Hooking Level
- Blocking Module
- Dual Stack Trace
- Environment Hint
- Top Module
- Livelock
- Technology-Specific Subtrace (COM interface invocation)
- Technology-Specific Subtrace (dynamic memory)
- Technology-Specific Subtrace (JIT .NET code)
- Technology-Specific Subtrace (COM client call)
- Dialog Box
- Instrumentation Side Effect
- Semantic Structure (PID.TID)
- Directing Module
- Least Common Frame
- Truncated Stack Trace
- Data Correlation (function parameters)
- Data Correlation (CPU times)
- Module Hint
- Version-Specific Extension
- Cloud Environment
- No Data Types
- Managed Stack Trace
- Managed Stack Trace (Scala)
- Managed Stack Trace (Python)
- Coupled Modules
- Thread Age
- Unsynchronized Dumps
- Pleiades
- Quiet Dump
- Blocking File
- Problem Vocabulary
- Activation Context
- Stack Trace Set
- Double IRP Completion
- Caller-n-Callee
- Annotated Disassembly (JIT .NET code)
- Annotated Disassembly (unmanaged code)
- Handled Exception (user space)
- Handled Exception (.NET CLR)
- Handled Exception (kernel space)
- Duplicate Extension
- Special Thread (.NET CLR)
- Hidden Parameter
- FPU Exception
- Module Variable
- System Object
- Value References
- Debugger Bug
- Empty Stack Trace
- Problem Module
- Disconnected Network Adapter
- Network Packet Buildup
- Unrecognizable Symbolic Information
- Translated Exception
- Regular Data
- Late Crash Dump
- Blocked DPC
- Coincidental Error Code
- Punctuated Memory Leak
- No Current Thread
- Value Adding Process
- Activity Resonance
- Stored Exception
- Spike Interval
- Stack Trace Change
- Unloaded Module
- Deviant Module
- Paratext
- Incomplete Session
- Error Reporting Fault
- First Fault Stack Trace
- Frozen Process
- Disk Packet Buildup
- Hidden Process
- Active Thread (Mac OS X)
- Active Thread (Windows)
- Critical Stack Trace
- Handle Leak
- Module Collection
- Module Collection (predicate)
- Deviant Token
- Step Dumps
- Broken Link
- Debugger Omission
- Glued Stack Trace
- Reduced Symbolic Information
- Injected Symbols
- Distributed Wait Chain
- One-Thread Process
- Module Product Process
- Crash Signature Invariant
- Small Value
- Shared Structure
- Thread Cluster
- False Effective Address
- Screwbolt Wait Chain
- Design Value
- Hidden IRP
- Tampered Dump
- Memory Fluctuation (process heap)
- Last Object
- Rough Stack Trace (unmanaged space)
- Rough Stack Trace (managed space)
- Past Stack Trace
- Ghost Thread
- Dry Weight
- Exception Module
- Reference Leak
- Origin Module
- Hidden Call
- Corrupt Structure
- Software Exception
- Crashed Process
- Variable Subtrace
- User Space Evidence
- Internal Stack Trace
- Distributed Exception (managed code)
- Thread Poset
- Stack Trace Surface
- Hidden Stack Trace
- Evental Dumps
- Clone Dump
- Parameter Flow
- Critical Region
- Diachronic Module
- Constant Subtrace
- Not My Thread
- Window Hint
- Place Trace
- Stack Trace Signature
- Relative Memory Leak
- Quotient Stack Trace
- Module Stack Trace
- Foreign Module Frame
- Unified Stack Trace
- Mirror Dump Set
- Memory Fibration
- Aggregated Frames
- Frame Regularity
- Stack Trace Motif
- System Call
- Stack Trace Race
- Hyperdump
- Disassembly Ambiguity
- Exception Reporting Thread
- Active Space
- Subsystem Modules
- Region Profile
- Region Clusters
- Source Stack Trace
- Hidden Stack
- Interrupt Stack
- False Memory
- Frame Trace
- Pointer Cone
- Context Pointer
- Pointer Class
- False Frame
- Procedure Call Chain
- C++ Object
- COM Exception
- Structure Sheaf
- Saved Exception Context (.NET)
- Shared Thread
- Spiking Interrupts
- Structure Field Collection
- Black Box
- Rough Stack Trace Collection (unmanaged space)
- COM Object
- Shared Page
- Exception Collection
- Dereference Nearpoint
- Address Representations
- Near Exception
- Shadow Stack Trace
- Past Process
- Foreign Stack
- Annotated Stack Trace
- Disassembly Summary
- Region Summary
- Analysis Summary
- Region Spectrum
- Normalized Region
Online Training: Accelerated Windows Postmortem Diagnostics and Debugging
Software Diagnostics Services organizes this online training course.
This comprehensive training includes more than 40 step-by-step exercises and covers more than 85 crash dump analysis patterns from x86 and x64 process, kernel, and complete (physical) memory dumps. Learn how to analyze application (native and .NET Core), service, and system crashes and freezes, navigate through memory dump space (managed and unmanaged code) and diagnose corruption, memory and handle leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention, and much more with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute< to speed up the learning curve, and it is based on the latest edition of Accelerated Windows Memory Dump Analysis and Accelerated .NET Core Memory Dump Analysis books. It uses the latest WinDbg Preview and is optionally containerized.
Outline slides
Slides from Days 1-3
Slides from Days 4-6
Slides from Days 7-8
The difference between this training and the current book version:
- You can ask questions
- .NET Core exercises use the latest WinDbg Preview
- Certificates and tests
Training outline:
- Day 1 (2 hours): Overview. Native process memory dump analysis.
- Day 2 (2 hours): Native process memory dump analysis.
- Day 3 (2 hours): Native process memory dump analysis.
- Day 4 (2 hours): .NET Core process memory dump analysis.
- Day 5 (2 hours): .NET Core process memory dump analysis.
- Day 6 (2 hours). Kernel memory dump analysis.
- Day 7 (2 hours). Complete (physical) memory dump analysis.
- Day 8 (Optional 2 hours): Additional Q&A and memory dump analysis if necessary. Tests.
Before the training, you get:
- Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book (+300 pages)
- The current PDF books (+900 pages)
- The previous training recording
- Access to Software Diagnostics Library with more than 370 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies
After the training, you also get:
- The updated PDF books (including the new edition of .NET Core book)
- Personalized Certificate of Attendance with unique CID
- Optional Personalized Certificate of Completion with unique CID (after the tests)
- Answers to questions during training sessions
- Current training sessions recording
Prerequisites: Basic Windows troubleshooting
Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.
If you are interested in Linux memory dump analysis there is another forthcoming training: Accelerated Linux Core Dump Analysis