Software Diagnostics Institute

Software Diagnostics Services organizes this online training course.

Learn disassembly, execution history reconstruction, and binary reversing techniques for better software diagnostics, troubleshooting, and debugging on x64 Windows platforms. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using WinDbg and memory dumps. Covered more than 25 ADDR patterns, and many concepts are illustrated with Memory Cell Diagrams. The prerequisites for this training are working knowledge of C and C++ programming languages. Operating system internals and assembly language concepts are explained when necessary. The primary audience for this training is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to go deeper in their analysis of abnormal and malicious software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse cloud and endpoint computer environments, security and vulnerability researchers, and malware and memory forensics analysts who have never used WinDbg for analysis of computer memory. The course builds upon and extends the basic patterns introduced in the Practical Foundations of Windows Debugging, Disassembling, Reversing book. The new version includes an overview of the relevant x64 assembly language.

Slides from the previous training

Before the training, you get:

• Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
• The previous PDF book version of the training
• Access to Software Diagnostics Library

After the training, you also get:

• The new 2nd edition PDF book of the training
• Personalized Certificate of Attendance with unique CID
• Optional Personalized Certificate of Completion with unique CID (after the tests)
• Answers to questions during training sessions
• Recording

Available in PDF format from Software Diagnostics Services.

The book contains the full transcript of Software Diagnostics Services training with 16 hands-on exercises.

Knowledge of Linux API is necessary for:

• Development
• Malware analysis
• Vulnerability analysis and exploitation
• Reversing
• Diagnostics
• Debugging
• Memory forensics
• Crash and hang analysis
• Secure coding
• Static code analysis
• Trace and log analysis

The training uses a unique and innovative pattern-oriented analysis approach and provides:

• Overview
• Classification
• Patterns
• Internals
• Development examples
• Analysis examples
• Comparison with Windows API

• Title: Accelerated Linux API for Software Diagnostics: With Category Theory in View
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (June 2023)
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 232 pages
• ISBN-13: 978-1912636624

Table of Contents and sample exercise
Slides from the training

We continue extending our memory analysis pattern language to Python execution environment after introducing Managed Stack Trace variant. Now we add Runtime Thread (former CLR Thread memory analysis pattern) variant. For Linux and GDB, in the case of Reduced Symbolic Information we get this stack trace:


(gdb) bt
#0 0x00007ffff7caeb97 in __GI___select (nfds=0, readfds=0x0, writefds=0x0, exceptfds=0x0, timeout=0x7fffffffd9f0)
at ../sysdeps/unix/sysv/linux/select.c:41
#1 0x00000000004e8965 in ?? ()
#2 0x00000000005d8711 in _PyMethodDef_RawFastCallKeywords ()
#3 0x000000000054b330 in ?? ()
#4 0x00000000005524cd in _PyEval_EvalFrameDefault ()
#5 0x00000000005d91fc in _PyFunction_FastCallKeywords ()
#6 0x000000000054e5ac in _PyEval_EvalFrameDefault ()
#7 0x00000000005d91fc in _PyFunction_FastCallKeywords ()
#8 0x000000000054e5ac in _PyEval_EvalFrameDefault ()
#9 0x00000000005d91fc in _PyFunction_FastCallKeywords ()
#10 0x000000000054e5ac in _PyEval_EvalFrameDefault ()
#11 0x000000000054bcc2 in _PyEval_EvalCodeWithName ()
#12 0x000000000054e0a3 in PyEval_EvalCode ()
#13 0x0000000000630ce2 in ?? ()
#14 0x0000000000630d97 in PyRun_FileExFlags ()
#15 0x00000000006319ff in PyRun_SimpleFileExFlags ()
#16 0x000000000065432e in ?? ()
#17 0x000000000065468e in _Py_UnixMain ()
#18 0x00007ffff7be209b in __libc_start_main (main=0x4bc560 <main>, argc=2, argv=0x7fffffffe4c8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe4b8) at ../csu/libc-start.c:308
#19 0x00000000005e0e8a in _start ()


If we install python debug package (for example, python3.7-dbg) we get full symbolic information:


(gdb) bt
#0 0x00007ffff7caeb97 in __GI___select (nfds=0, readfds=0x0, writefds=0x0, exceptfds=0x0, timeout=0x7fffffffd9f0)
at ../sysdeps/unix/sysv/linux/select.c:41
#1 0x00000000004e8965 in pysleep (secs=<optimized out>) at ../Modules/timemodule.c:1829
#2 time_sleep (self=<optimized out>, obj=<optimized out>, self=<optimized out>, obj=<optimized out>) at ../Modules/timemodule.c:371
#3 0x00000000005d8711 in _PyMethodDef_RawFastCallKeywords (method=0x82dbe0 <time_methods+288>, self=<module at remote 0x7ffff77d5c28>,
args=0x7ffff788c550, nargs=<optimized out>, kwnames=<optimized out>) at ../Objects/call.c:644
#4 0x000000000054b330 in _PyCFunction_FastCallKeywords (kwnames=<optimized out>, nargs=<optimized out>, args=0x7ffff788c550,
func=<built-in method sleep of module object at remote 0x7ffff77d5c28>) at ../Objects/call.c:730
#5 call_function (pp_stack=0x7fffffffdb60, oparg=<optimized out>, kwnames=<optimized out>) at ../Python/ceval.c:4568
#6 0x00000000005524cd in _PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at ../Python/ceval.c:3093
#7 0x00000000005d91fc in PyEval_EvalFrameEx (throwflag=0, f=Frame 0x7ffff788c3d8, for file sleepLoop.py, line 11, in bar ()) at ../Python/ceval.c:547
#8 function_code_fastcall (globals=<optimized out>, nargs=<optimized out>, args=<optimized out>, co=<optimized out>) at ../Objects/call.c:283
#9 _PyFunction_FastCallKeywords (func=<optimized out>, stack=<optimized out>, nargs=<optimized out>, kwnames=<optimized out>) at ../Objects/call.c:408
#10 0x000000000054e5ac in call_function (kwnames=0x0, oparg=<optimized out>, pp_stack=<synthetic pointer>) at ../Python/ceval.c:4616
#11 _PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at ../Python/ceval.c:3124
#12 0x00000000005d91fc in PyEval_EvalFrameEx (throwflag=0, f=Frame 0x7ffff77d85e8, for file sleepLoop.py, line 7, in foo ()) at ../Python/ceval.c:547
#13 function_code_fastcall (globals=<optimized out>, nargs=<optimized out>, args=<optimized out>, co=<optimized out>) at ../Objects/call.c:283
#14 _PyFunction_FastCallKeywords (func=<optimized out>, stack=<optimized out>, nargs=<optimized out>, kwnames=<optimized out>) at ../Objects/call.c:408
#15 0x000000000054e5ac in call_function (kwnames=0x0, oparg=<optimized out>, pp_stack=<synthetic pointer>) at ../Python/ceval.c:4616
#16 _PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at ../Python/ceval.c:3124
#17 0x00000000005d91fc in PyEval_EvalFrameEx (throwflag=0, f=Frame 0x926ee8, for file sleepLoop.py, line 4, in main ()) at ../Python/ceval.c:547
#18 function_code_fastcall (globals=<optimized out>, nargs=<optimized out>, args=<optimized out>, co=<optimized out>) at ../Objects/call.c:283
#19 _PyFunction_FastCallKeywords (func=<optimized out>, stack=<optimized out>, nargs=<optimized out>, kwnames=<optimized out>) at ../Objects/call.c:408
#20 0x000000000054e5ac in call_function (kwnames=0x0, oparg=<optimized out>, pp_stack=<synthetic pointer>) at ../Python/ceval.c:4616
#21 _PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at ../Python/ceval.c:3124
#22 0x000000000054bcc2 in PyEval_EvalFrameEx (throwflag=0, f=Frame 0x7ffff78739f8, for file sleepLoop.py, line 14, in <module> ())
at ../Python/ceval.c:547
#23 _PyEval_EvalCodeWithName (_co=<optimized out>, globals=<optimized out>, locals=<optimized out>, args=<optimized out>, argcount=<optimized out>,
kwnames=0x0, kwargs=0x0, kwcount=<optimized out>, kwstep=2, defs=0x0, defcount=0, kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0)
at ../Python/ceval.c:3930
#24 0x000000000054e0a3 in PyEval_EvalCodeEx (closure=0x0, kwdefs=0x0, defcount=0, defs=0x0, kwcount=0, kws=0x0, argcount=0, args=0x0,
locals=<optimized out>, globals=<optimized out>, _co=<optimized out>) at ../Python/ceval.c:3959
#25 PyEval_EvalCode (co=<optimized out>, globals=<optimized out>, locals=<optimized out>) at ../Python/ceval.c:524
#26 0x0000000000630ce2 in run_mod (mod=<optimized out>, filename=<optimized out>,
globals={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='sleepLoop.py') at remote 0x7ffff7805f60>, '__spec__': None, '__annotations__': {}, '__builtins__': <module at remote 0x7ffff78cac28>, '__file__': 'sleepLoop.py', '__cached__': None, 'time': <module at remote 0x7ffff77d5c28>, 'main': <function at remote 0x7ffff78411e0>, 'foo': <function at remote 0x7ffff7731c80>, 'bar': <function at remote 0x7ffff7731d08>},
locals={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='sleepLoop.py') at remote 0x7ffff7805f60>, '__spec__': None, '__annotations__': {}, '__builtins__': <module at remote 0x7ffff78cac28>, '__file__': 'sleepLoop.py', '__cached__': None, 'time': <module at remote 0x7ffff77d5c28>, 'main': <function at remote 0x7ffff78411e0>, 'foo': <function at remote 0x7ffff7731c80>, 'bar': <function at remote 0x7ffff7731d08>}, flags=<optimized out>, arena=<optimized out>) at ../Python/pythonrun.c:1035
#27 0x0000000000630d97 in PyRun_FileExFlags (fp=0x92e490, filename_str=<optimized out>, start=<optimized out>,
globals={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='sleepLoop.py') at remote 0x7ffff7805f60>, '__spec__': None, '__annotations__': {}, '__builtins__': <module at remote 0x7ffff78cac28>, '__file__': 'sleepLoop.py', '__cached__': No--Type <RET> for more, q to quit, c to continue without paging--
ne, 'time': <module at remote 0x7ffff77d5c28>, 'main': <function at remote 0x7ffff78411e0>, 'foo': <function at remote 0x7ffff7731c80>, 'bar': <function at remote 0x7ffff7731d08>},
locals={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <SourceFileLoader(name='__main__', path='sleepLoop.py') at remote 0x7ffff7805f60>, '__spec__': None, '__annotations__': {}, '__builtins__': <module at remote 0x7ffff78cac28>, '__file__': 'sleepLoop.py', '__cached__': None, 'time': <module at remote 0x7ffff77d5c28>, 'main': <function at remote 0x7ffff78411e0>, 'foo': <function at remote 0x7ffff7731c80>, 'bar': <function at remote 0x7ffff7731d08>}, closeit=1, flags=0x7fffffffe2ac) at ../Python/pythonrun.c:988
#28 0x00000000006319ff in PyRun_SimpleFileExFlags (fp=0x92e490, filename=<optimized out>, closeit=1, flags=0x7fffffffe2ac) at ../Python/pythonrun.c:429
#29 0x000000000065432e in pymain_run_file (p_cf=0x7fffffffe2ac, filename=<optimized out>, fp=0x92e490) at ../Modules/main.c:427
#30 pymain_run_filename (cf=0x7fffffffe2ac, pymain=0x7fffffffe380) at ../Modules/main.c:1627
#31 pymain_run_python (pymain=0x7fffffffe380) at ../Modules/main.c:2877
#32 pymain_main (pymain=<optimized out>, pymain=<optimized out>) at ../Modules/main.c:3038
#33 0x000000000065468e in _Py_UnixMain (argc=<optimized out>, argv=<optimized out>) at ../Modules/main.c:3073
#34 0x00007ffff7be209b in __libc_start_main (main=0x4bc560 <main>, argc=2, argv=0x7fffffffe4c8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe4b8) at ../csu/libc-start.c:308
#35 0x00000000005e0e8a in _start () at ../Modules/main.c:797


We extend our memory analysis patterns to managed platforms other than .NET. We chose Scala as our modeling language, we have experience with for the last 3 years. The first analysis patterns we choose to extend are Managed Code Exception and Managed Stack Trace which are exceptions and stack traces from some virtual machine execution, not native platform exceptions and stack traces. To model it we created the following application:

package org.dumpanalysis.patterns.memory

@main def helloCrash: Int =
  foo

def foo: Int =
  bar

def bar: Int =
  val ref: Option[Int] = None
  ref.get

When executing the resulting project we got this exception and its stack trace:

java.util.NoSuchElementException: None.get
        at scala.None$.get(Option.scala:627)
        at scala.None$.get(Option.scala:626)
        at org.dumpanalysis.patterns.memory.Main$package$.bar(Main.scala:11)
        at org.dumpanalysis.patterns.memory.Main$package$.foo(Main.scala:7)
        at org.dumpanalysis.patterns.memory.Main$package$.helloCrash(Main.scala:4)
        at org.dumpanalysis.patterns.memory.helloCrash.main(Main.scala:3)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at dotty.tools.runner.RichClassLoader$.run$extension$$anonfun$1(ScalaClassLoader.scala:36)
        at dotty.tools.runner.ScalaClassLoader$.asContext(ScalaClassLoader.scala:80)
        at dotty.tools.runner.RichClassLoader$.dotty$tools$runner$RichClassLoader$$$
asContext$extension(ScalaClassLoader.scala:18)
        at dotty.tools.runner.RichClassLoader$.run$extension(ScalaClassLoader.scala:36)
        at dotty.tools.runner.CommonRunner.run(ObjectRunner.scala:23)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at coursier.bootstrap.launcher.a.a(Unknown Source)
        at coursier.bootstrap.launcher.Launcher.main(Unknown Source)

Available in PDF format from Software Diagnostics Services

This reference volume consists of revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute (DumpAnalysis.org + TraceAnalysis.org) and Software Diagnostics Library (former Crash Dump Analysis blog, DumpAnalysis.org/blog) about software diagnostics, root cause analysis, debugging, crash and hang dump analysis, software trace and log analysis written from 15 August 2021 to 14 April 2023 for software engineers developing and maintaining products on Windows platforms, quality assurance engineers testing software, technical support, DevOps and DevSecOps, escalation and site reliability engineers dealing with complex software issues, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. This volume is fully cross-referenced with volumes 1 – 14 and features:

- 11 new crash dump analysis patterns
- New crash dump analysis case study
- 21 new software trace and log analysis patterns
- New software diagnostics architecture pattern
- Introduction to systematic software diagnostics
- Introduction to using Dia|gram language in memory dump analysis
- Introduction to traces and logs as 2-categories
- Introduction to a broad program for diagnostics of artificial intelligence
- Lists of recommended books

Product information:

• Title: Memory Dump Analysis Anthology, Volume 15
• Authors: Dmitry Vostokov, Software Diagnostics Institute
• Language: English
• Product Dimensions: 22.86 x 15.24
• Paperback: 291 pages
• Publisher: OpenTask (April 2023)
• ISBN-13: 978-1-912636-15-0

Table of Contents

The Fifth Edition is available in PDF format from Software Diagnostics Services

Other Fifth Edition links:

Buy PDF from Leanpub

The first edition is also available for SkillSoft Books24x7 subscribers

General trace and log analysis patterns allow the application of uniform diagnostics and anomaly detection across diverse software environments. This pattern language covers any execution artifact from a small debugging trace to a distributed log with billions of messages from hundreds of computers, thousands of software components, threads, and processes. Pattern-oriented trace and log analysis is applicable to troubleshooting and debugging Windows, macOS, Linux, FreeBSD, Android, iOS, z/OS, and any other possible computer platform, including networking and IoT. Its pattern catalog is a part of pattern-oriented software data analysis, diagnostics, anomaly detection, forensics, prognostics, root cause analysis, and debugging developed by Software Diagnostics Institute. Also, the scope of applicability of such analysis patterns is much wider than just software execution artifacts or temporal data and now includes general data, narratives, text, and image analysis (space-like narratology). This reference reprints with corrections almost 230 patterns originally published in Memory Dump Analysis Anthology volumes 3 - 14 and Software Diagnostics Library. It also includes additional 19 analysis patterns from the forthcoming volume 15, bringing the total analysis pattern count to 229. Full-color diagrams accompany almost all pattern descriptions. The fifth edition includes 28 more patterns, updated diagram pictures, classification, and the list of narratological and mathematical influences, and now includes the long-awaited introduction and two new appendixes.

Product information:

• Title: Trace, Log, Text, Narrative, Data: An Analysis Pattern Reference for Information Mining, Diagnostics, Anomaly Detection, Fifth Edition
• Authors: Dmitry Vostokov, Software Diagnostics Institute
• Language: English
• Product Dimensions: 21.6 x 14.0
• Paperback: 400 pages
• Publisher: OpenTask (March 2023)
• ISBN-13: 978-1912636587

Table of Contents
Bird's-eye View of Pages

If wrong labels are ML bugs, then wrong answers are ML crashes.

We propose to define Diagnostics of AI as a combination of ideas and approaches from different disciplines such as software engineering, computer science, mathematics, physics, chemistry, biology, literary theory and criticism, narratology, semiotics, humanities, sociology, medicine, forensic science, psychology, psychiatry, and psychopathology with the following main directions of our research activities:

• Pattern-Oriented Software Diagnostics and Data Analysis
• Systemic Software Diagnostics
• Software Narratology
• Software Pathology

It is also important to differentiate diagnostics of artificial intelligence from diagnostics of artificial intelligence systems which is just software and hardware diagnostics, where diagnostics of AI may be just a part. Diagnostics of AI systems is metaphorically like medicine, whereas diagnostics of AI is like psychiatry and psychopathology.

We also organized a few groups for information sharing, such as relevant books and articles:

LinkedIn Diagnostics of Artificial Intelligence group
Facebook Diagnostics of Artificial Intelligence group

In the past, we looked at software traces and logs as semigroups or monoids as a single object category. In the latter case, the monoid object is a trace or log, and arrows (morphisms) are trace and log messages.

We illustrate trace and log analysis patterns using a graphical language named Dia|gram. When we analyze memory dumps, we get textual log output to which we can apply the same analysis patterns. Therefore, we can reuse the same Dia|gram language for memory dump analysis, for example, for analysis pattern illustrations. We start with the first memory dump analysis pattern, Multiple Exceptions. However, we now use some later analysis pattern names in the latter's description, for example, Stack Trace Collection from multiple threads, which consists of Stack Traces from individual threads.

Each individual thread stack trace can be illustrated using this trace diagram with an implicit time arrow but without time values:

 
If we knew individual stack trace frame timings, we could have assembled the normal trace diagram:

However, we can assemble the combined trace by gluing individual thread traces and sorting them by thread creation time (available in Windows memory dumps):

Additionally, we can impose sparse discrete time labels and structure via Trace Schema:

Having ATIDs, we can use the Adjoint Thread of Activity analysis pattern.

Since we know that top frames existed at the time of the memory snapshot, we can also group them at the end of the trace:

Exception indicators (like exception processing frames) can be highlighted as Error Message and Periodic Error. We can also use Exception Stack Trace:

We can also add other debugger log output to such diagrams for Intra-Correlation.

We now start using Dia|gram in our memory dump analysis training courses and reference materials.

Available for sale in PDF format from Software Diagnostics Services.

The full transcript of Software Diagnostics Services training with 12 step-by-step exercises. Learn how to analyze app crashes and freezes, navigate through process core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. We use a unique and innovative pattern-driven analysis approach to speed up the learning curve. The training consists of practical step-by-step exercises using Xcode and LLDB environments, highlighting more than 30 analysis patterns from Software Diagnostics Institute diagnosed in ARM64 process core memory dumps. The training also includes an overview of relevant similarities and differences between Windows and macOS user space memory dump analysis useful for engineers with a Wintel background and the relevant ARM64 disassembly tutorial. The course is thoroughly updated for the latest macOS version and M2 platform. The primary audience for this training is software technical support and escalation engineers who analyze crash reports and memory dumps, quality assurance and software engineers who test and debug macOS software, security and vulnerability researchers, and malware and memory forensics analysts who have never used LLDB for the analysis of computer memory.

• Title: Accelerated macOS Core Dump Analysis, Third Edition: Training Course Transcript with LLDB Practice Exercises
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (December 2022)
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 250 pages
• ISBN-13: 978-1912636754

Table of Contents and Sample Exercise
Slides from the training

The following direct links can be used to order the book now:

Buy PDF from Leanpub

Also available in PDF format from Software Diagnostics Services as a part of Accelerated Windows Memory Forensics and Malware Analysis with Memory Dumps training course and Pattern-Oriented Windows Memory Forensics Training Pack

The original edition is available for SkillSoft Books24x7 subscribers

This short book is a fully revised transcript of a lecture introducing a pattern language for memory forensics - an investigation of past software behavior in memory snapshots. It provides a unified language for discussing and communicating detection and analysis results despite the proliferation of operating systems and tools, a base language for checklists, and aid in accelerated learning. The lecture has a short theoretical part and then illustrates various patterns seen in crash dumps by using WinDbg debugger from Microsoft Debugging Tools for Windows.

• Title: Pattern-Oriented Memory Forensics: A Pattern Language Approach, Revised Edition
• Author: Dmitry Vostokov, Software Diagnostics Institute, Software Diagnostics Services
• Publisher: OpenTask (October 2022)
• Language: English
• Product Dimensions: 28.0 x 21.6
• Paperback: 97 pages
• ISBN-13: 978-1912636761

Presentation Slides

The following direct links can be used to order the book now:

Available in PDF format from Software Diagnostics Technology and Services.

The full transcript of Software Diagnostics Services training with 9 step-by-step exercises, notes, and source code of specially created modeling applications. The course covers 19 .NET memory dump analysis patterns plus additional 19 unmanaged patterns. Learn how to analyze .NET Core 5/6 application and service crashes and freezes, navigate through memory dump space (managed and unmanaged code) and diagnose corruption, leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention, and much more. The training consists of practical step-by-step exercises using Microsoft WinDbg debugger to diagnose patterns in 64-bit process memory dumps. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The book is based on the previous fourth edition of Accelerated .NET Memory Dump Analysis that covered .NET Core 5 and Windows 10. It is updated for the latest WinDbg from Windows 11 SDK and has a new .NET Core 6 exercise with a memory dump from Windows 11. This edition also includes a possibility to use a Docker WinDbg image with required symbol files instead of a local Debugging Tools for Windows installation. Prerequisites: Basic .NET programming and debugging. Audience: Software technical support and escalation engineers, system administrators, DevOps, performance and reliability engineers, software developers, and quality assurance engineers. The book may also interest security researchers, reverse engineers, malware and memory forensics analysts. The revised edition uses the latest WinDbg Preview for all exercise transcripts.

• Title: Accelerated .NET Core Memory Dump Analysis, Revised Edition: Training Course Transcript and WinDbg Practice Exercises
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (October 2022)
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 203 pages
• ISBN-13: 978-1912636648

Table of Contents and Sample Exercise

Available in PDF format from Software Diagnostics Technology and Services

The first edition is also available for SkillSoft Books24x7 subscribers

The Korean second edition is available from Acorn publisher.

The full transcript of Software Diagnostics Services training. Learn how to navigate process, kernel, and physical spaces and diagnose various malware patterns in Windows memory dump files. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of practical step-by-step hands-on exercises using WinDbg, process, kernel and complete memory dumps. Covered more than 20 malware analysis patterns. The main audience is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to check for possible malware presence in cases of abnormal software behavior. The course will also be useful for software engineers, quality assurance and software maintenance engineers, security researchers, malware and memory forensics analysts who have never used WinDbg for analysis of computer memory. The third edition uses the latest WinDbg Preview version with some exercises updated to Windows 11 and is optionally containerized.

• Title: Accelerated Windows Malware Analysis with Memory Dumps: Training Course Transcript and WinDbg Practice Exercises, Third Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (July 2022)
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 324 pages
• ISBN-13: 978-1912636969

Table of Contents

Available in PDF format from Software Diagnostics Services

This training course is a combined, reformatted, improved, and modernized version of the two previous books Windows Debugging: Practical Foundations and x64 Windows Debugging: Practical Foundations, that drew inspiration from the original lectures we developed almost 18 years ago to train support and escalation engineers in debugging and crash dump analysis of memory dumps from Windows applications, services, and systems. At that time, when thinking about what material to deliver, we realized that a solid understanding of fundamentals like pointers is needed to analyze stack traces beyond a few WinDbg commands. Therefore, this book is not about bugs or debugging techniques but about the background knowledge everyone needs to start experimenting with WinDbg and learn from practical experience and read other advanced debugging books. This body of knowledge is what the author of this book possessed before starting memory dump analysis using WinDbg 18 years ago, which resulted in the number one debugging bestseller: multi-volume Memory Dump Analysis Anthology. Now, in retrospection, we see these practical foundations as relevant and necessary to acquire for beginners as they were 18 years ago because operating systems internals, assembly language, and compiler architecture haven't changed much in those years.

The book contains two separate sets of chapters and corresponding illustrations. They are named Chapter x86.NN and Chapter x64.NN respectively. The new format makes switching between and comparing x86 and x64 versions easy. There is some repetition of content due to the shared nature of x64 and x86 platforms. Both sets of chapters can be read independently. We included x86 chapters because many 3rd-party Windows applications are still 32-bit and executed in 32-bit compatibility mode on x64 Windows systems. The course consistently uses WinDbg (X86) for 32-bit examples and WinDbg (X64) for 64-bit examples. The book also has a larger format similar to other training courses from Software Diagnostics Services.

Almost 5 years have passed since the first edition of the combined training course that used the earlier version of Windows 10. Since then, we have also published "Practical Foundations of Linux Debugging, Disassembling, Reversing" and "Practical Foundations of ARM64 Linux Debugging, Disassembling, Reversing" books. At that time, we thought about revising our Windows course. Since then, Windows 11 appeared, and we also added Docker support for most of our Windows memory dump analysis courses. While working on the "Accelerated Windows Debugging 4D "course, we decided to make the second edition of Practical Foundations of Windows Debugging based on WinDbg from Windows 11 SDK and Visual Studio 2022 build tools and an optional Docker support for the exercise environment. We also changed the ":=" operator to "<-" in our pseudo-code for Intel disassembly syntax flavor to align with our recent Linux Practical Foundations books, which use "->" in pseudo-code for x64 AT&T disassembly syntax flavor and "<-" in pseudo-code for ARM64 disassembly syntax. All sample projects were recompiled, and many diagrams were redone for the new edition to reflect changes in code generation. WinDbg syntax and code highlighting were also improved. There are also minor additions for C++11 and C++20.

The book is useful for:

• Software technical support and escalation engineers
• Software engineers coming from managed code or JVM background
• Software testers
• Engineers coming from non-Wintel environments
• Windows C/C++ software engineers without assembly language background
• Security researchers without x86/x64 assembly language background
• Beginners learning Windows software reverse engineering techniques

This introductory training course can complement the more advanced course Accelerated Disassembly, Reconstruction and Reversing, Revised Edition. It may also help with advanced exercises in Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 1, Revised, Process User Space and Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 2, Revised, Kernel and Complete Spaces. This book can also be used as an Intel assembly language and Windows debugging supplement for relevant undergraduate-level courses.

Product information:

• Title: Practical Foundations of Windows Debugging, Disassembling, Reversing: Training Course, Second Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Language: English
• Product Dimensions: 28.0 x 21.6
• Paperback: 338 pages
• Publisher: OpenTask (April 2022)
• ISBN-13: 978-1-912636-35-8

Table of Contents

When we interact with a debugger, we use the so-called REPL, Read-Execute-Print-Loop (where we replace Eval in traditional REPL). We type some command, it is executed by a debugger engine against a memory dump, the results are printed, and we repeat. However, the results can be streamed for further processing, for example, to automate certain analysis patterns, for example, Structure Sheaves (as distributed logs), Region Profiles, and Region Clusters (we list recently added analysis patterns). In the background, the stream processing results are provided back to the debugger Print phase (or in parallel as a further diagnostic aid).

In the case of software traces and logs, streaming is a natural part of processing. But CoTraces fit into REPLS (processed results can also form Message Annotations), and generally, Diags.

REPLS is an architectural pattern, and it is now added to our catalog of software diagnostics architecture patterns.

Systematic Software Diagnostics attempts to unify various disorganized and fragmentary individual software diagnostic approaches for software construction and post-construction phases.

Initially, when working on software diagnostics foundations, we recognized the need for systematicity by including some of our books and training courses in the Systematic Software Fault Analysis Series. Over the following years, our many practical books became supplemented by theory and a series of seminars.

Now, after more than 15 years, coherent and complete theoretical, practical, and factual knowledge is systematically unified and ordered into pattern catalogs according to first principles after being integrated across individual observations as fully as possible at this time of the discipline development. In addition to systematicity, software diagnostics is also highly interdisciplinary and systemic, crossing boundaries of other disciplines. Its fundamental methodology is a pattern-oriented analysis of artifacts. Every artifact is considered a trace, log, text, and narrative. Diagnostic analysis patterns, common recurrent analysis techniques and methods in specific contexts, organized into catalogs, are used to identify structural and behavioral patterns, common recurrent problems (sets of indicators, symptoms, signs) together with recommendations and possible solutions to apply in specific contexts.

Consider, for example, a typical diagnostic procedure called measurement. It is an analysis pattern itself applied to artifacts or used to generate other artifacts to which analysis patterns are applied. Systematic Software Diagnostics is equally applicable to software development processes where the same analysis patterns are applied to development artifacts, repositories, documentation, management operations, monitoring, team structure, and dynamics. Even a diagnostic analysis is considered an artifact to apply analysis patterns. Where Systematic Software Diagnostic overlaps with other development and engineering activities, it offers additional pattern languages for software data analysis, troubleshooting, debugging, root cause analysis, performance analysis, writing tools, software and memory forensics, memory dump analysis, network trace analysis, static and dynamic malware analysis, reversing, vulnerability analysis, software internals, and cloud computing.

This training course is a Linux ARM64 (A64) version of the previous Practical Foundations of Linux Debugging, Disassembly, Reversing book. It also complements Accelerated Linux Core Dump Analysis training course.

The book skeleton is the same as its x64 Linux predecessor, but the content was revised entirely because of a different Linux distribution and CPU architecture.

The course is useful for:

• Software support and escalation engineers, cloud security engineers, SRE, and DevSecOps
• Software engineers coming from JVM background
• Software testers
• Engineers coming from non-Linux environments, for example, Windows or Mac OS X
• Engineers coming from non-ARM environments, for example, x86/x64
• Linux C/C++ software engineers without assembly language background
• Security researchers without assembly language background
• Beginners learning Linux software reverse engineering techniques

This book can also be used as an ARM64 assembly language and Linux debugging supplement for relevant undergraduate-level courses.

Product information:

• Title: Practical Foundations of ARM64 Linux Debugging, Disassembling, Reversing: Training Course
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Language: English
• Product Dimensions: 28.0 x 21.6
• PDF: 176 pages
• Publisher: OpenTask (January 2022)
• ISBN-13: 978-1-912636-37-2

Table of Contents

The following direct links can be used to order the book:

Buy Kindle print replica from Amazon

Buy PDF from Leanpub

Also available in PDF format from Software Diagnostics Technology and Services

This book is a revised edition of the original Accelerated Windows Software Trace Analysis training course. General trace and log analysis pattern language covers any execution artifact from a small debugging trace to a distributed log with billions of messages from hundreds of computers, thousands of software components, threads, and processes. It also allows the application of uniform diagnostics and anomaly detection across diverse software environments, troubleshooting and debugging Windows, Mac OS X, Linux, Android, iOS, and any other possible computer platform including networking and IoT. Part 1 covers fundamentals and explains more than 60 basic trace and log analysis patterns, which are now cross-referenced in this improved and less Windows-centric edition. It can also serve as a reference.

• Title: Accelerated Software Trace Analysis, Revised Edition, Part 1: Fundamentals and Basic Patterns
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (December 2021)
• Language: English
• Product Dimensions: 28.0 x 21.6
• Paperback: 110 pages
• ISBN-13: 978-1912636310

Revised slides from the book

We are adding quantum computing to our research agenda now by coining "Quantum Software Diagnostics" as a way to analyze different parts of very large software execution artifacts simultaneously, make sense of entire software traces and logs, and predict software behavior (software prognostics). It contains two adjoint phrases centered around Software: left adjoint Quantum Software Diagnostics and right adjoint Quantum Software Diagnostics. The former is about diagnosing quantum software, and the latter is about applying quantum methods to problems of software diagnostics.

In June 2009, we wrote in Memory Dump Analysis Anthology, Volume 3:

"Quantum computation, quantum memory, and quantum information are hot topics today. Unfortunately, quantum mechanics forbids perfect (ideal) memory dumps due to the so-called no-cloning theorem. Still, it is possible to get inconsistent (imperfect) memory dumps, and perfect memory dumps can be made from quantum computer simulators. The analysis of quantum memory snapshots is the domain of Quantum Memoretics."

Since then, we have added traces and logs, text, narrative, data to our pattern-oriented analysis approach. Now we broaden the application of quantum ideas and algorithms and add quantum information processing to our decades' long interest in contemporary mathematics, quantum theory foundations and applications to various domains, logic, semiotics, categories, and recently, in ML/AI, unconventional computing, conceptual mathematics, topos theory, and functional programming.

The current full set in either PDF or paperback or both is available for purchase from Software Diagnostics Services

Download Sample Pages and Index

Concepts from category theory were used as metaphors for some trace and log analysis patterns (see Mathematical Concepts in Software Diagnostics and Software Data Analysis) and also as a foundation of software diagnostics (see Categorical Foundations of Software Diagnostics) as a part of Theoretical Software Diagnostics. However, category theory abstractions are very challenging to apprehend correctly, require a steep learning curve for non-mathematicians, and, for people with traditional naïve set theory education, a paradigm shift in thinking. The book utilizes a novel approach to teach category theory and abstract mathematics in general by using LEGO® bricks. This method was discovered when applying the same technique to teach machine learning, its data structures and algorithms, particularly directed graphs.

Part 0 (ISBN-13: 978-1912636396) covers universe and sets, set-builder notation, set membership, set inclusion, subsets as members, membership vs. subset, powerset, relations, functions, domain, codomain, range, injection, surjection, bijection, product, union, intersection, set difference, symmetric set difference, sets of functions, function composition, inverse functions.

Download Free Part 0

In order to facilitate earlier adoption and feedback, the book was split into small manageable parts. Part 1 (ISBN-13: 978-1912636402) is currently available on Leanpub and Amazon Kindle Store. It covers the definition of categories, arrows, the composition and associativity of arrows, retracts, equivalence, covariant and contravariant functors, natural transformations, and 2-categories.

Book Sample

CoPart 1 (ISBN-13: 978-1912636815) is a dual complement to Visual Category Theory Brick by Brick, Part 1. It is currently available on Leanpub and Amazon Kindle Store. The original series translated abstract categorical concepts into the language of LEGO® bricks, and the CoPart series implement the opposite way of translating brick constructions to the standard diagram language of category theory that should benefit comprehension of definitions. Since usual categorical diagrams are black and white and occupy less space on paper, CoParts include additional color-enhanced diagrams in the spirit of brick constructions when arrow source and target parts use different colors. These CoParts from CoSeries (named after opposite categories with reversed arrows) keep the same 1-to-1 page correspondence between Parts and CoParts. Page layout is also similar: location of explanatory notes (written using standard mathematical notation) is the same — only bricks are replaced by letters, dots, and arrows. Therefore, this CoSeries can be used independently from the original series or together.

Book Sample

Part 2 (ISBN-13: 978-1912636419) is currently available on Leanpub and Amazon Kindle Store. It covers duality, products, coproducts, biproducts, initial and terminal objects, pointed categories, matrix representation of morphisms, and monoids.

Book Sample

CoPart 2 (ISBN-13: 978-1912636822) is a dual complement to Visual Category Theory Brick by Brick, Part 2. It is currently available on Leanpub and Amazon Kindle Store.

Book Sample

Part 3 (ISBN-13: 978-1912636426) is currently available on Leanpub and Amazon Kindle Store. It covers adjoint functors, diagram shapes and categories, cones and cocones, limits and colimits, pullbacks and pushouts.

Book Sample

CoPart 3 (ISBN-13: 978-1912636839) is a dual complement to Visual Category Theory Brick by Brick, Part 3. It is currently available on Leanpub.

Book Sample

Part 4 (ISBN-13: 978-1912636433) is currently available on Leanpub and Amazon Kindle Store. It covers non-concrete categories, group objects, monoid, group, opposite, arrow, slice, and coslice categories, forgetful functors, monomorphisms, epimorphisms, and isomorphisms.

Book Sample

Part 5 (ISBN-13: 978-1912636440) is currently available on Leanpub and Amazon Kindle Store. It covers exponentials and evaluation in sets and categories, subobjects, equalizers, equivalence classes and quotients, coequalizers, congruence categories, morphism functors, and presheaves.

Book Sample

Part 6 (ISBN-13: 978-1912636457) is currently available on Leanpub and Amazon Kindle Store. It covers ideas that require a leap of abstraction: vertical and whisker compositions of natural transformations, identity and isomorphism of functors, equivalence, isomorphism, and adjoint equivalence of categories, functor and morphism categories, natural transformations as functors, representable functors, category of presheaves, Yoneda embedding and lemma. It also includes an index for parts 1 - 6.

Book Sample

Part 7 (ISBN-13: 978-1912636464) is currently available on Leanpub and Amazon Kindle Store. It covers ideas related to functional programming: exponentials, disjoint unions, endofunctors and natural transformations, partial and total functions, monads.

Book Sample

The first 5 parts are available as Visual Category Theory bundle on Leanpub.

Amazon 9-book Kindle bundle

All 8 parts together are now available in paperback format:

• Title: Visual Category Theory Brick by Brick: Diagrammatic LEGO® Reference
• Authors: Dmitry Vostokov
• Publisher: OpenTask (October 2021)
• Language: English
• Product Dimensions: 16.5 x 16.5 cm (6.5 x 6.5 in)
• Paperback: 172 pages
• ISBN-13: 978-1912636389

Also available on Amazon and Barnes&Noble.

Applications of category theory to software diagnostics also include Software Codiagnostics and Diagnostic Operads.

Reviews with author's comments

The following direct links can be used to order the book now:

Buy PDF from Leanpub

Buy Kindle print replica edition from Amazon

Also available in PDF format from Software Diagnostics Services

The first edition is available for SkillSoft Books24x7 subscribers

This reference reprints with corrections, additional comments, and classification more than 370 alphabetically arranged and cross-referenced memory analysis patterns originally published in Memory Dump Analysis Anthology volumes 1 – 13. This pattern catalog is a part of pattern-oriented software diagnostics, forensics, prognostics, root cause analysis, and debugging developed by Software Diagnostics Institute. Most of the analysis patterns are illustrated with examples for WinDbg from Debugging Tools for Windows with a few examples from Mac OS X and Linux for GDB. The third edition includes more than 40 new analysis patterns, more than 30 new examples and comments for analysis patterns published in the previous editions, updated bibliography and links, improved illustrations and debugger output snippets with extra visual highlighting.

Product information:

• Title: Encyclopedia of Crash Dump Analysis Patterns: Detecting Abnormal Software Structure and Behavior in Computer Memory, Third Edition
• Authors: Dmitry Vostokov, Software Diagnostics Institute
• Language: English
• Product Dimensions: 24.6 x 18.9
• PDF: 1,326 pages
• Publisher: OpenTask (September 2020)
• ISBN-13: 978-1-912636303

Table of Contents

Recently we noticed the increased usage of -nomicon Ancient Greek suffix that signifies books with some length, prominence within, and importance to some field of knowledge, or simply, "pertaining to rules," or "book of." It is a combination of nomos (νόμος, law), and icon (εἰκών eikon, image). At the same time, We've been using the Memory Dump Analysis Anthology phrase for more than 15 years and used to abbreviate it as MDAA. Over the years, this massive book sequence accumulated almost 5,000 pages and now includes writing on trace and log analysis and diagnostics in general. We found that the word Diagnomicon was never used before (perhaps we even coined it), and we took it as an extra MDAA book name. We also acquired the Diagnomicon.com domain that currently points to Software Diagnostics Institute, but we plan to make it a separate website soon dedicated to marketing the MDAA collection entirely.

The new Revised Edition is available!

Available in PDF format from Software Diagnostics Services

This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) written in February 2010 - October 2010. In addition to various corrections, this major revision updates relevant links and removes obsolete references. Some articles are preserved for historical reasons. Most of the content, especially memory analysis and trace and log analysis pattern languages, is still relevant today and for the foreseeable future. The output of WinDbg commands is also remastered to include color highlighting. Crash dump analysis pattern names are also corrected to reflect the continued expansion of the catalog. The fifth volume features:

- 25 new crash dump analysis patterns
- 11 new pattern interaction case studies (including software tracing)
- 16 new trace analysis patterns
- 7 structural memory patterns
- 4 modeling case studies for memory dump analysis patterns
- Discussion of 3 common analysis mistakes
- Malware analysis case study
- Computer independent architecture of crash analysis report service
- Expanded coverage of software narratology
- Metaphysical and theological implications of memory dump worldview
- More pictures of memory space and physicalist art
- Classification of memory visualization tools
- Memory visualization case studies
- Close reading of the stories of Sherlock Holmes: Dr. Watson’s observational patterns
- Fully cross-referenced with Volumes 1 - 4

The primary audience for Memory Dump Analysis Anthology reference volumes is: software engineers developing and maintaining products on Windows platforms, technical support, escalation, and site reliability engineers dealing with complex software issues, quality assurance engineers testing software on Windows platforms, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. Trace and log analysis articles may be of interest to users of other platforms.

Product information:

• Title: Memory Dump Analysis Anthology, Volume 5, Revised Edition
• Author: Dmitry Vostokov
• Language: English
• Product Dimensions: 22.86 x 15.24
• PDF: 431 pages
• Publisher: Opentask (September 2021)
• ISBN-13: 978-1912636259

Table of Contents

Back cover features memory space art image Hot Computation: Memory on Fire.

Available in PDF format from Software Diagnostics Services

This reference volume consists of revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute (DumpAnalysis.org + TraceAnalysis.org) and Software Diagnostics Library (former Crash Dump Analysis blog, DumpAnalysis.org/blog) about software diagnostics, root cause analysis, debugging, crash and hang dump analysis, software trace and log analysis written in August 2020 - 14 August 2021 for software engineers developing and maintaining products on Windows and Linux platforms, quality assurance engineers testing software, technical support, escalation and site reliability engineers dealing with complex software issues, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. This volume is fully cross-referenced with volumes 1 – 13 and features:

- 7 new crash dump analysis patterns with selected downloadable example memory dumps
- New crash dump analysis case study not previously published anywhere
- 14 new software trace and log analysis patterns
- Introduction to cloud analysis patterns
- Introduction to the fractal nature of software traces and logs
- Introduction to the general architecture of analysis pattern networks
- Lists of recommended books

Product information:

• Title: Memory Dump Analysis Anthology, Volume 14
• Authors: Dmitry Vostokov, Software Diagnostics Institute
• Language: English
• Product Dimensions: 22.86 x 15.24
• Paperback: 189 pages
• Publisher: OpenTask (August 2021)
• ISBN-13: 978-1-912636-14-3

Table of Contents

Years ago, I bought the book in Russia whose title is “Literature of Formal Constraints: Form and Games from Antiquity to Present Days” by Tatiana Bonch-Osmolovskaya if I translate it to English. Such literary techniques and patterns are also known under the term constrained writing. The reason why this book caught my attention in the bookshop is that at that time, I was developing software narratology as a foundation of trace and log analysis patterns. So, I planned to mine it for pattern writing. However, due to other pressures, I put it in a reading list until very recently, when reading a preface to Exercises in Programming Style, Second Edition, by Cristina Videira Lopes (ISBN-13: 978-0367350208), I learned about the Oulipo movement (writing under constraints). I immediately realized that software traces and logs are software narratives under constraints. I plan to explore such constraints by providing creative examples of trace and log statements and messages. As a metanarrative template, I chose a variation of narrative from Exercises in Style book by Raymond Queneau:

The software narrator “S” is a rule-based system tracing process, and it notices a long-running process that had loaded hat.dll and got into resource contention difficulties with another process. Two hours later, the software narrator notices the same process and a debugger process that gives some advice regarding the functionality of an extra GUI button.

Another variation I chose is the frequent message found in logs on the “access denied” theme. Such constraints may be personal and organizational preferences and styles, programming language, execution environment, and technology stack limitations, different coding phases (development, maintenance, early vs. mature code), external constraints such as source code scope, tracing and logging configuration and rules, timing, the need for a quick debugging fix, or understanding program state and behavior.

In writing these exercises in tracing style, I also plan to reference trace and log analysis patterns where appropriate.

I add links to variations as soon as they are published. I also consider them a part of the modeling activities I do while working on the Writing Bad Code book.

This month, www.DumpAnalysis.org turns 15 (F). Initially, in March 2006, it started as Crash Dump Analysis and Debugging Forum (now frozen at https://www.dumpanalysis.org/forum/ where old posts are available). In August 2006, it became Crash Dump Analysis Blog, later moved to https://www.dumpanalysis.org/blog/ and renamed to Software Diagnostics Library as only posts about analysis patterns became added to it. When the blog was moved, the root URL (https://dumpanalysis.org/) became Crash Dump Analysis Portal, later renamed to Software Diagnostics Institute in 2012.

The new Revised Edition is available!

Available in PDF format from Software Diagnostics Services

This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) written in July 2009 - January 2010. In addition to various corrections, this major revision updates relevant links and removes obsolete references. Some articles are preserved for historical reasons. Most of the content, especially memory analysis and trace and log analysis pattern languages, is still relevant today and for the foreseeable future. The output of WinDbg commands is also remastered to include color highlighting. Crash dump analysis pattern names are also corrected to reflect the continued expansion of the catalog. The fourth volume features:

- 15 new crash dump analysis patterns
- 13 new pattern interaction case studies
- 10 new trace analysis patterns
- 6 new Debugware patterns and case study
- Workaround patterns
- Updated checklist
- Fully cross-referenced with Volumes 1-3
- Memory visualization tutorials
- Memory space art

The primary audience for Memory Dump Analysis Anthology reference volumes is: software engineers developing and maintaining products on Windows platforms, technical support, escalation, and site reliability engineers dealing with complex software issues, quality assurance engineers testing software on Windows platforms, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. Trace and log analysis articles may be of interest to users of other platforms.

Product information:

• Title: Memory Dump Analysis Anthology, Volume 4, Revised Edition
• Authors: Dmitry Vostokov, Software Diagnostics Institute
• Publisher: OpenTask (March 2021)
• Language: English
• Product Dimensions: 22.86 x 15.24
• PDF: 423 pages
• ISBN-13: 978-1912636242

Table of Contents

Back cover features memory space art image: Internal Process Combustion.

We wrote a short post about added complexities of virtualization almost 15 years ago and then about orbifold memory space (named cloud memory space initially) 10 years ago, reflecting cloud internals as a multi-VM/bare metal or multi-process distributed system.

At that time, memory dump analysis patterns were added for several types of memory space, including fiber bundle and manifold memory spaces, and we also held a webinar on cloud memory dump analysis:

In addition to the process/kernel dichotomy, managed space abstracts runtime environments such as .NET CLR.
This picture of complete and cloud spaces is somewhat simplified as it does not reflect the complexities of hypervisor types and some nested spaces, as in Hyperdumps.

Also, at that time, trace and log analysis patterns were being extensively developed and later split into general and special analysis patterns, resulting in the current overall picture:

Memory dump types we can get from VM and traditional OS concepts such as threads and processes that span memory spaces are shown in this picture (spanning means that information about them can be found in all those memory dumps and associated spaces):

If we consider native cloud space as additional abstraction beyond the simple collection of memory spaces, we get the new native cloud memory space with corresponding cloud equivalents for traditional OS concepts:

The advent of container orchestration platforms such as Kubernetes provides a similar hierarchy of concepts with containers corresponding to threads as units of execution, pods to processes as resource containers, kernel to control plane and kubelets, and operators to device drivers:

From the traditional memory perspective, Kubernetes concepts cut across the same spaces since they are implemented as collections of processes:

Our next step here is to adapt memory analysis pattern language to native cloud diagnostics and cloud problem analysis and provide analysis pattern specializations. The other part of software diagnostics, trace analysis pattern language, naturally extends to native cloud analysis, but from container environments, we recently discerned a few new log analysis patterns we plan to publish soon.

For the orchestration abstraction, we may add cluster space for nodes and pods in place of complete space and replace orbifold memory space with the native cloud space:

In the diagram above, nodes, containers, and pods have a different conceptual meaning instead of memory. They are more like spaces of relations between various objects/structures than spaces of objects/structures like memory spaces.

Now, having all these new abstract spaces, the next step is to consider this diagram where we replaced memory analysis patterns altogether with cloud analysis patterns:

Memory analysis patterns are not gone but are at the lower level of abstraction, where individual spaces for cloud analysis patterns may require analysis of specific memory spaces if necessary. It is possible to represent both abstractions as Trace Quilt:

This description is preliminary and may have some modifications in the future. The corresponding analysis pattern language catalog is being developed now.

Click on an individual book to see its description and table of contents:

This 1,600-page dense reference set includes:

1. Encyclopedia of Crash Dump Analysis Patterns, Third Edition
2. Trace, Log, Text, Narrative: An Analysis Pattern Reference for Data Mining, Diagnostics, Anomaly Detection, Fourth Edition

You can buy this reference set from Software Diagnostics Services with a discount.

The following direct links can be used to order the book now:

Buy Hardcover from Amazon

Buy Hardcover from Barnes & Noble

Buy Hardcover from Book Depository

Also available in PDF format from Software Diagnostics Services.

This is a collection of Software Diagnostics Services webinar transcripts about memory dump analysis methodology developed by Software Diagnostics Institute. Includes 6 seminars on physical memory dump analysis, cloud memory dump analysis, patterns, tools, processes and best practices for software trace and memory dump analysis, pattern-oriented software forensics, a pattern language for memory forensics, and mobile software diagnostics.

Now includes Fundamentals of Physical Memory Analysis: Anniversary Edition.

• Title: Principles of Memory Dump Analysis: The Collected Seminars
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (September 2014)
• Language: English
• Product Dimensions: 28.0 x 21.6
• Hardback: 284 pages
• ISBN-13: 978-1906717667