Multiple Exceptions (user mode) - Modeling Example
Multiple Exceptions (kernel mode)
Multiple Exceptions (managed space)- Multiple Exceptions (stowed)
Dynamic Memory Corruption (process heap)
Dynamic Memory Corruption (kernel pool)- Dynamic Memory Corruption (managed heap)
False Positive Dump
Lateral Damage (general)- Lateral Damage (CPU mode)
Optimized Code (function parameter reuse)
Invalid Pointer (general)- Invalid Pointer (objects)
NULL Pointer (code)
NULL Pointer (data)
Inconsistent Dump
Hidden Exception (user space)- Hidden Exception (kernel space)
- Hidden Exception (managed space)
Deadlock (critical sections)
Deadlock (executive resources)
Deadlock (mixed objects, user space)
Deadlock (LPC)
Deadlock (mixed objects, kernel space)
Deadlock (self)- Deadlock (managed space)
- Deadlock (.NET Finalizer)
Changed Environment
Incorrect Stack Trace
OMAP Code Optimization
No Component Symbols
Insufficient Memory (committed memory)
Insufficient Memory (handle leak)
Insufficient Memory (kernel pool)
Insufficient Memory (PTE)
Insufficient Memory (module fragmentation)
Insufficient Memory (physical memory)
Insufficient Memory (control blocks)- Insufficient Memory (reserved virtual memory)
- Insufficient Memory (session pool)
- Insufficient Memory (stack trace database)
- Insufficient Memory (region)
- Insufficient Memory (stack)
Spiking Thread
Module Variety
Stack Overflow (kernel mode)
Stack Overflow (user mode)
Stack Overflow (software implementation)- Stack Overflow (insufficient memory)
- Stack Overflow (managed space)
Managed Code Exception- Managed Code Exception (Scala)
- Managed Code Exception (Python)
Truncated Dump
Waiting Thread Time (kernel dumps)
Waiting Thread Time (user dumps)
Memory Leak (process heap) - Modeling Example
Memory Leak (.NET heap)- Memory Leak (page tables)
- Memory Leak (I/O completion packets)
- Memory Leak (regions)
Missing Thread
Unknown Component
Double Free (process heap)
Double Free (kernel pool)
Coincidental Symbolic Information
Stack Trace- Stack Trace (I/O request)
- Stack Trace (file system filters)
- Stack Trace (database)
- Stack Trace (I/O devices)
Virtualized Process (WOW64)
Stack Trace Collection (unmanaged space)- Stack Trace Collection (managed space)
- Stack Trace Collection (predicate)
- Stack Trace Collection (I/O requests)
- Stack Trace Collection (CPUs)
Coupled Processes (strong)
Coupled Processes (weak)
Coupled Processes (semantics)
High Contention (executive resources)
High Contention (critical sections)
High Contention (processors)- High Contention (.NET CLR monitors)
- High Contention (.NET heap)
- High Contention (sockets)
Accidental Lock
Passive Thread (user space)
Passive System Thread (kernel space)
Main Thread
Busy System
Historical Information
Object Distribution Anomaly (IRP)- Object Distribution Anomaly (.NET heap)
Local Buffer Overflow (user space)- Local Buffer Overflow (kernel space)
Early Crash Dump
Hooked Functions (user space)
Hooked Functions (kernel space)- Hooked Modules
Custom Exception Handler (user space)
Custom Exception Handler (kernel space)
Special Stack Trace
Manual Dump (kernel)
Manual Dump (process)
Wait Chain (general)
Wait Chain (critical sections)
Wait Chain (executive resources)
Wait Chain (thread objects)
Wait Chain (LPC/ALPC)
Wait Chain (process objects)
Wait Chain (RPC)
Wait Chain (window messaging)
Wait Chain (named pipes)- Wait Chain (mutex objects)
- Wait Chain (pushlocks)
- Wait Chain (CLR monitors)
- Wait Chain (RTL_RESOURCE)
- Wait Chain (modules)
- Wait Chain (nonstandard synchronization)
- Wait Chain (C++11, condition variable)
- Wait Chain (SRW lock)
Corrupt Dump
Dispatch Level Spin
No Process Dumps
No System Dumps
Suspended Thread
Special Process
Frame Pointer Omission
False Function Parameters
Message Box
Self-Dump
Blocked Thread (software)
Blocked Thread (hardware)- Blocked Thread (timeout)
Zombie Processes
Wild Pointer
Wild Code
Hardware Error
Handle Limit (GDI, kernel space)- Handle Limit (GDI, user space)
Missing Component (general)
Missing Component (static linking, user mode)
Execution Residue (unmanaged space, user)- Execution Residue (unmanaged space, kernel)
- Execution Residue (managed space)
Optimized VM Layout- Invalid Handle (general)
- Invalid Handle (managed space)
- Overaged System
- Thread Starvation (realtime priority)
- Thread Starvation (normal priority)
- Duplicated Module
- Not My Version (software)
- Not My Version (hardware)
- Data Contents Locality
- Nested Exceptions (unmanaged code)
- Nested Exceptions (managed code)
- Affine Thread
- Self-Diagnosis (user mode)
- Self-Diagnosis (kernel mode)
- Self-Diagnosis (registry)
- Inline Function Optimization (unmanaged code)
- Inline Function Optimization (managed code)
- Critical Section Corruption
- Lost Opportunity
- Young System
- Last Error Collection
- Hidden Module
- Data Alignment (page boundary)
- C++ Exception
- Divide by Zero (user mode)
- Divide by Zero (kernel mode)
- Swarm of Shared Locks
- Process Factory
- Paged Out Data
- Semantic Split
- Pass Through Function
- JIT Code (.NET)
- JIT Code (Java)
- Ubiquitous Component (user space)
- Ubiquitous Component (kernel space)
- Nested Offender
- Virtualized System
- Effect Component
- Well-Tested Function
- Mixed Exception
- Random Object
- Missing Process
- Platform-Specific Debugger
- Value Deviation (stack trace)
- Value Deviation (structure field)
- Runtime Thread (CLR)
- Runtime Thread (Python, Linux)
- Coincidental Frames
- Fault Context
- Hardware Activity
- Incorrect Symbolic Information
- Message Hooks - Modeling Example
- Coupled Machines
- Abridged Dump
- Exception Stack Trace
- Distributed Spike
- Instrumentation Information
- Template Module
- Invalid Exception Information
- Shared Buffer Overwrite
- Pervasive System
- Problem Exception Handler
- Same Vendor
- Crash Signature
- Blocked Queue (LPC/ALPC)
- Fat Process Dump
- Invalid Parameter (process heap)
- Invalid Parameter (runtime function)
- String Parameter
- Well-Tested Module
- Embedded Comment
- Hooking Level
- Blocking Module
- Dual Stack Trace
- Environment Hint
- Top Module
- Livelock
- Technology-Specific Subtrace (COM interface invocation)
- Technology-Specific Subtrace (dynamic memory)
- Technology-Specific Subtrace (JIT .NET code)
- Technology-Specific Subtrace (COM client call)
- Dialog Box
- Instrumentation Side Effect
- Semantic Structure (PID.TID)
- Directing Module
- Least Common Frame
- Truncated Stack Trace
- Data Correlation (function parameters)
- Data Correlation (CPU times)
- Module Hint
- Version-Specific Extension
- Cloud Environment
- No Data Types
- Managed Stack Trace
- Managed Stack Trace (Scala)
- Managed Stack Trace (Python)
- Coupled Modules
- Thread Age
- Unsynchronized Dumps
- Pleiades
- Quiet Dump
- Blocking File
- Problem Vocabulary
- Activation Context
- Stack Trace Set
- Double IRP Completion
- Caller-n-Callee
- Annotated Disassembly (JIT .NET code)
- Handled Exception (user space)
- Handled Exception (.NET CLR)
- Handled Exception (kernel space)
- Duplicate Extension
- Special Thread (.NET CLR)
- Hidden Parameter
- FPU Exception
- Module Variable
- System Object
- Value References
- Debugger Bug
- Empty Stack Trace
- Problem Module
- Disconnected Network Adapter
- Network Packet Buildup
- Unrecognizable Symbolic Information
- Translated Exception
- Regular Data
- Late Crash Dump
- Blocked DPC
- Coincidental Error Code
- Punctuated Memory Leak
- No Current Thread
- Value Adding Process
- Activity Resonance
- Stored Exception
- Spike Interval
- Stack Trace Change
- Unloaded Module
- Deviant Module
- Paratext
- Incomplete Session
- Error Reporting Fault
- First Fault Stack Trace
- Frozen Process
- Disk Packet Buildup
- Hidden Process
- Active Thread (Mac OS X)
- Active Thread (Windows)
- Critical Stack Trace
- Handle Leak
- Module Collection
- Module Collection (predicate)
- Deviant Token
- Step Dumps
- Broken Link
- Debugger Omission
- Glued Stack Trace
- Reduced Symbolic Information
- Injected Symbols
- Distributed Wait Chain
- One-Thread Process
- Module Product Process
- Crash Signature Invariant
- Small Value
- Shared Structure
- Thread Cluster
- False Effective Address
- Screwbolt Wait Chain
- Design Value
- Hidden IRP
- Tampered Dump
- Memory Fluctuation (process heap)
- Last Object
- Rough Stack Trace (unmanaged space)
- Rough Stack Trace (managed space)
- Past Stack Trace
- Ghost Thread
- Dry Weight
- Exception Module
- Reference Leak
- Origin Module
- Hidden Call
- Corrupt Structure
- Software Exception
- Crashed Process
- Variable Subtrace
- User Space Evidence
- Internal Stack Trace
- Distributed Exception (managed code)
- Thread Poset
- Stack Trace Surface
- Hidden Stack Trace
- Evental Dumps
- Clone Dump
- Parameter Flow
- Critical Region
- Diachronic Module
- Constant Subtrace
- Not My Thread
- Window Hint
- Place Trace
- Stack Trace Signature
- Relative Memory Leak
- Quotient Stack Trace
- Module Stack Trace
- Foreign Module Frame
- Unified Stack Trace
- Mirror Dump Set
- Memory Fibration
- Aggregated Frames
- Frame Regularity
- Stack Trace Motif
- System Call
- Stack Trace Race
- Hyperdump
- Disassembly Ambiguity
- Exception Reporting Thread
- Active Space
- Subsystem Modules
- Region Profile
- Region Clusters
- Source Stack Trace
- Hidden Stack
- Interrupt Stack
- False Memory
- Frame Trace
- Pointer Cone
- Context Pointer
- Pointer Class
- False Frame
- Procedure Call Chain
- C++ Object
- COM Exception
- Structure Sheaf
- Saved Exception Context (.NET)
- Shared Thread
- Spiking Interrupts
- Structure Field Collection
- Black Box
- Rough Stack Trace Collection (unmanaged space)
- COM Object
- Shared Page
- Exception Collection
Book: Advanced Windows Memory Dump Analysis with Data Structures, Fourth Edition, Revised
Available in PDF and paperback format from Software Diagnostics Technology and Services.
The full transcript of Software Diagnostics Services training course with 15 step-by-step exercises, notes, and selected questions and answers. Learn how to navigate through memory dump space and Windows data structures to diagnose, troubleshoot and debug complex software incidents. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. It consists of practical step-by-step exercises using WinDbg to diagnose structural and behavioral patterns in the 64-bit kernel and complete (physical) memory dumps. Additional topics include memory search, kernel linked list navigation, practical WinDbg scripting, registry, system variables and objects, device drivers, and I/O. Prerequisites are basic and intermediate level Windows memory dump analysis: the ability to list processors, processes, threads, modules, apply symbols, walk through stack traces and raw stack data, diagnose patterns such as heap corruption, CPU spike, memory leaks, access violation, wait chains and deadlocks. If you don't feel comfortable with prerequisites then Accelerated Windows Memory Dump Analysis training book is recommended before purchasing and reading this book course. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers. The 4th edition was fully reworked to use the latest WinDbg and now covers memory dumps from Windows 11. Three new exercises were added and the previous ones now have improved command syntax and color highlighting. This edition also includes a possibility to use a Docker WinDbg image with required symbol files instead of a local Debugging Tools for Windows installation. The current revision 4.1 uses WinDbg Preview for all exercise transcripts.
- Title: Advanced Windows Memory Dump Analysis with Data Structures: Training Course Transcript and WinDbg Practice Exercises with Notes, Fourth Edition, Revised
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (October 2022)
- Language: English
- Product Dimensions: 28.0 x 21.6
- Paperback: 293 pages
- ISBN-13: 978-1912636778
Book: Accelerated .NET Core Memory Dump Analysis, Revised Edition
The following direct links can be used to order the book now:
Available in PDF format from Software Diagnostics Technology and Services.
The full transcript of Software Diagnostics Services training with 9 step-by-step exercises, notes, and source code of specially created modeling applications. The course covers 19 .NET memory dump analysis patterns plus additional 19 unmanaged patterns. Learn how to analyze .NET Core 5/6 application and service crashes and freezes, navigate through memory dump space (managed and unmanaged code) and diagnose corruption, leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention, and much more. The training consists of practical step-by-step exercises using Microsoft WinDbg debugger to diagnose patterns in 64-bit process memory dumps. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The book is based on the previous fourth edition of Accelerated .NET Memory Dump Analysis that covered .NET Core 5 and Windows 10. It is updated for the latest WinDbg from Windows 11 SDK and has a new .NET Core 6 exercise with a memory dump from Windows 11. This edition also includes a possibility to use a Docker WinDbg image with required symbol files instead of a local Debugging Tools for Windows installation. Prerequisites: Basic .NET programming and debugging. Audience: Software technical support and escalation engineers, system administrators, DevOps, performance and reliability engineers, software developers, and quality assurance engineers. The book may also interest security researchers, reverse engineers, malware and memory forensics analysts. The revised edition uses the latest WinDbg Preview for all exercise transcripts.
- Title: Accelerated .NET Core Memory Dump Analysis, Revised Edition: Training Course Transcript and WinDbg Practice Exercises
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (October 2022)
- Language: English
- Product Dimensions: 28.0 x 21.6
- PDF: 203 pages
- ISBN-13: 978-1912636648
Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 2, Revision 3: Kernel and Complete Spaces
The following direct links can be used to order the book:
Buy PDF from Leanpub
Also available in PDF format from Software Diagnostics Services
The full-color transcript of Software Diagnostics Services training sessions with 14 step-by-step exercises, notes, source code of specially created modeling applications, and 45 questions and answers. Covers more than 35 crash dump analysis patterns from x64 kernel and complete (physical) memory dumps. Learn how to analyze system crashes and freezes, navigate through kernel and complete spaces, and diagnose patterns of abnormal software behavior with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve. Prerequisites: Basic Windows troubleshooting. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers and quality assurance engineers, site reliability engineers. The 5th edition was fully reworked with new memory dumps, additional slides, exercises, and analysis patterns. It was further revised with some exercises updated to Windows 11, expanded Q&A, and optional Docker image. The current revision 5.7 uses WinDbg Preview for all exercise transcripts.
- Title: Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 2, Revision 3, Kernel and Complete Spaces: Training Course Transcript and WinDbg Practice Exercises with Notes
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (October 2022)
- Language: English
- PDF: 372 pages
- ISBN-13: 978-1912636983
Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 1, Revision 3: Process User Space
The following direct links can be used to order the book:
Buy PDF from Leanpub
Also available in PDF format from Software Diagnostics Services
The full-color transcript of Software Diagnostics Services training sessions with 20 step-by-step exercises, notes, source code of specially created modeling applications, and more than 70 questions and answers. Covers more than 50 crash dump analysis patterns from x86 and x64 process memory dumps. Learn how to analyze application and service crashes and freezes, navigate through process user space and diagnose heap corruption, memory and handle leaks, CPU spikes, blocked threads, deadlocks, wait chains, and many more patterns of abnormal software behavior with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve. Prerequisites: Basic Windows troubleshooting. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers and quality assurance engineers, site reliability engineers. The 5th edition was fully reworked with new memory dumps, additional slides, exercises, and analysis patterns. It was further revised with some exercises updated to Windows 11, expanded Q&A, and an optional Docker image. The current revision 5.7 uses WinDbg Preview for all exercise transcripts.
- Title: Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 1, Revision 3, Process User Space: Training Course Transcript and WinDbg Practice Exercises with Notes
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (October 2022)
- Language: English
- Paperback: 350 pages
- ISBN-13: 978-1912636976
Accelerated Linux Disassembly, Reconstruction and Reversing
The following direct links can be used to order the book now:
Buy PDF from Leanpub
Available in PDF and recording formats from Software Diagnostics Services.
The book contains the full transcript of Software Diagnostics Services training. Learn disassembly, execution history reconstruction, and binary reversing techniques for better software diagnostics, troubleshooting, debugging, memory forensics, vulnerability and malware analysis on x64 and ARM64 Linux platforms. The course uses a unique and innovative pattern language approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using GDB and Linux core memory dumps. Covered more than 25 ADDR patterns originally introduced for the x64 Windows platform, and many concepts are illustrated with Memory Cell Diagrams. The prerequisites for this training are working knowledge of C and C++ programming languages. Operating system internals and assembly language concepts are explained when necessary. The primary audience for this training is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to go deeper in their analysis of abnormal software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse cloud and endpoint computer environments, SRE and DevSecOps, security and vulnerability researchers, malware and memory forensics analysts who have never used GDB for analysis of computer memory. The book also features ADDR pattern descriptions summarized after each exercise.
- Title: Accelerated Linux Disassembly, Reconstruction and Reversing: Training Course Transcript and GDB Practice Exercises with Memory Cell Diagrams
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (October 2022)
- Language: English
- Product Dimensions: 28.0 x 21.6
- PDF: 248 pages
- ISBN-13: 978-1912636785
Table of Contents and sample exercise
Slides from the training
Online Training: Accelerated Linux Disassembly, Reconstruction, and Reversing (WinDbg Version)
Software Diagnostics Services (PatternDiagnostics.com) organizes a training course.
New dates/times TBD
Learn disassembly, execution history reconstruction, and binary reversing techniques for better software diagnostics, troubleshooting, debugging, memory forensics, vulnerability and malware analysis on x64 and ARM64 Linux platforms. The course uses a unique and innovative pattern language approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using WinDbg and Linux core memory dumps. Covered more than 25 ADDR patterns originally introduced for the x64 Windows platform, and many concepts are illustrated with Memory Cell Diagrams. The training also features additional diagrams adapted from Linux Practical Foundations books to WinDbg context.
Selected slides of the previous Windows-based training
Level: Intermediate/Advanced.
Prerequisites: Working knowledge of C and C++. Operating system internals and assembly language concepts are explained when necessary.
Audience: Software technical support and escalation engineers who analyze core dumps from complex software environments and need to go deeper in their analysis of abnormal and malicious software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse cloud and endpoint computer environments, SRE and DevSecOps, security and vulnerability researchers, malware and memory forensics analysts who have never used WinDbg for analysis of computer memory.
The training consists of 3 two-hour sessions.
Before the training, you get:
- Access to Software Diagnostics Library
After the training, you also get:
- The PDF book version of the training
- Personalized Certificate of Attendance with unique CID
- Optional Personalized Certificate of Completion with unique CID (after the tests)
- Answers to questions during training sessions
- Recording
Book: Extended Windows Memory Dump Analysis
Available in PDF format from Software Diagnostics Services.
The book contains the full transcript of Software Diagnostics Services training with 16 hands-on exercises. This training course extends pattern-oriented analysis introduced in Accelerated Windows Memory Dump Analysis, Accelerated .NET Core Memory Dump Analysis, and Advanced Windows Memory Dump Analysis with Data Structures courses with:
- Surveying the current landscape of WinDbg extensions with analysis pattern mappings
- Writing WinDbg extensions in C and C++
- Connecting WinDbg to NoSQL databases
- Connecting WinDbg to streaming and log processing platforms
- Querying and visualizing WinDbg output data
Prerequisites: Working knowledge of WinDbg. Working knowledge of C or C++ is optional (required only for some exercises). Other concepts are explained when necessary.
Audience: Software developers, software maintenance engineers, escalation engineers, quality assurance engineers, security and vulnerability researchers, malware and memory forensics analysts who want to build memory analysis pipelines.
- Title: Extended Windows Memory Dump Analysis: Using and Writing WinDbg Extensions, Database and Event Stream Processing, Visualization
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (September 2022)
- Language: English
- Product Dimensions: 28.0 x 21.6
- PDF: 274 pages
- ISBN-13: 978-1912636686
Table of Contents and sample exercise
Slides from the training
Book: Accelerated Disassembly, Reconstruction and Reversing, Second Revised Edition
Available in PDF format from Software Diagnostics Services.
The original first edition is available for SkillSoft Books24x7 subscribers
The book contains the full transcript of Software Diagnostics Services training. Learn disassembly, execution history reconstruction, and binary reversing techniques for better software diagnostics, troubleshooting, debugging, memory forensics, vulnerability and malware analysis on x64 Windows platforms. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of practical step-by-step hands-on exercises using WinDbg and memory dumps. Covered more than 25 ADDR patterns, and many concepts are illustrated with Memory Cell Diagrams. The prerequisites for this training are working knowledge of C and C++ programming languages. Operating system internals and assembly language concepts are explained when necessary. The primary audience for this training is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to go deeper in their analysis of abnormal software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse computer environments, security researchers, malware and memory forensics analysts who have never used WinDbg for analysis of computer memory. The second revised edition uses the latest WinDbg Preview version, is optionally containerized, has three exercises completely redone with Windows 10 memory dumps, includes full source code projects ported to Visual Studio 2022 with corresponding additional Windows 11 process dumps, and also includes reprinted memory and trace analysis patterns and techniques from Memory Dump Analysis Anthology referenced in the book. This new edition also features ADDR pattern descriptions summarized after each exercise.
- Title: Accelerated Disassembly, Reconstruction and Reversing: Training Course Transcript and WinDbg Practice Exercises with Memory Cell Diagrams, Second Revised Edition
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (September 2022)
- Language: English
- Product Dimensions: 28.0 x 21.6
- PDF: 253 pages
- ISBN-13: 978-1912636693
Table of Contents and sample exercise
Slides from the training
Online Training: Accelerated Linux Debugging 4D
Software Diagnostics Services organizes this online training course.
October 24 - 25 2023 6.30pm - 8.30pm (GMT+1) Price 99 USD Registration
Learn live local and remote debugging techniques and tricks in the kernel and user process spaces using the GDB debugger. The unique and innovative Debugging 4D course teaches unified debugging patterns applied to real problems from complex software environments. The training consists of practical step-by-step hands-on exercises.
Before the training, you get:
- Access to Software Diagnostics Library
After the training, you also get:
- The PDF book version of the training: Accelerated Linux Debugging 4D
- Personalized Certificate of Attendance with unique CID
- Optional Personalized Certificate of Completion with unique CID (after the tests)
- Answers to questions during training sessions
- Recording
Prerequisites:
Working knowledge of one of these languages: C, C++. Operating system internals and assembly language concepts are explained when necessary.
Audience:
Software engineers, software maintenance engineers, escalation engineers, security and vulnerability researchers, malware and memory forensics analysts who want to learn live memory inspection techniques.
If you are interested in live Windows debugging there is another training course available.
Online Training: Accelerated Windows Memory Forensics and Malware Analysis with Memory Dumps
Software Diagnostics Services organizes this online training course.
New dates/times TBD
Learn how to navigate the process, kernel, physical memory spaces, and corresponding Windows data structures, discover forensic artifacts and diagnose structural and behavioral patterns in Windows memory dump files. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of more than 20 practical step-by-step, hands-on exercises using WinDbg, process, kernel, and complete memory dumps. In addition to malware patterns, topics include process and thread navigation, past execution, memory search, kernel linked list navigation, practical WinDbg scripting including built-in language and JavaScript, registry, system variables and objects, device drivers, I/O, file system filters, and security. The training is based on the Pattern-Oriented Memory Forensics: A Pattern Language Approach, the 3rd edition of Accelerated Windows Malware Analysis with Memory Dumps, and the 4th edition of Advanced Windows Memory Dump Analysis with Data Structures books. This course also covers patterns of memory acquisition. It uses the latest WinDbg Preview and is optionally containerized.
Example slides for days 1-3
Example slides for days 4-5
Before the training, you get:
- Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
- Pattern-Oriented Memory Forensics: A Pattern Language Approach PDF book
- Advanced Windows Memory Dump Analysis with Data Structures, Fourth Edition PDF book
- Accelerated Windows Malware Analysis with Memory Dumps, Third Edition PDF book
- The previous training recording
- Access to Software Diagnostics Library with more than 370 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies
After the training, you also get:
- The updated PDF books
- Personalized Certificate of Attendance with unique CID
- Optional Personalized Certificate of Completion with unique CID (after the tests)
- Answers to questions during training sessions
- Current training sessions recording
Prerequisites: Working knowledge of Windows troubleshooting. Operating system internals concepts are explained when necessary.
Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.
Book: Accelerated Windows Malware Analysis with Memory Dumps, Third Edition
Available in PDF format from Software Diagnostics Technology and Services
The first edition is also available for SkillSoft Books24x7 subscribers
The Korean second edition is available from Acorn publisher.
The full transcript of Software Diagnostics Services training. Learn how to navigate process, kernel, and physical spaces and diagnose various malware patterns in Windows memory dump files. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of practical step-by-step hands-on exercises using WinDbg, process, kernel and complete memory dumps. Covered more than 20 malware analysis patterns. The main audience is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to check for possible malware presence in cases of abnormal software behavior. The course will also be useful for software engineers, quality assurance and software maintenance engineers, security researchers, malware and memory forensics analysts who have never used WinDbg for analysis of computer memory. The third edition uses the latest WinDbg Preview version with some exercises updated to Windows 11 and is optionally containerized.
- Title: Accelerated Windows Malware Analysis with Memory Dumps: Training Course Transcript and WinDbg Practice Exercises, Third Edition
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (July 2022)
- Language: English
- Product Dimensions: 28.0 x 21.6
- PDF: 324 pages
- ISBN-13: 978-1912636969
Online Training: Accelerated Windows Postmortem Diagnostics and Debugging
Software Diagnostics Services organizes this online training course.
This comprehensive training includes more than 40 step-by-step exercises and covers more than 85 crash dump analysis patterns from x86 and x64 process, kernel, and complete (physical) memory dumps. Learn how to analyze application (native and .NET Core), service, and system crashes and freezes, navigate through memory dump space (managed and unmanaged code) and diagnose corruption, memory and handle leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention, and much more with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute< to speed up the learning curve, and it is based on the latest edition of Accelerated Windows Memory Dump Analysis and Accelerated .NET Core Memory Dump Analysis books. It uses the latest WinDbg Preview and is optionally containerized.
Outline slides
Slides from Days 1-3
Slides from Days 4-6
Slides from Days 7-8
The difference between this training and the current book version:
- You can ask questions
- .NET Core exercises use the latest WinDbg Preview
- Certificates and tests
Training outline:
- Day 1 (2 hours): Overview. Native process memory dump analysis.
- Day 2 (2 hours): Native process memory dump analysis.
- Day 3 (2 hours): Native process memory dump analysis.
- Day 4 (2 hours): .NET Core process memory dump analysis.
- Day 5 (2 hours): .NET Core process memory dump analysis.
- Day 6 (2 hours). Kernel memory dump analysis.
- Day 7 (2 hours). Complete (physical) memory dump analysis.
- Day 8 (Optional 2 hours): Additional Q&A and memory dump analysis if necessary. Tests.
Before the training, you get:
- Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book (+300 pages)
- The current PDF books (+900 pages)
- The previous training recording
- Access to Software Diagnostics Library with more than 370 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies
After the training, you also get:
- The updated PDF books (including the new edition of .NET Core book)
- Personalized Certificate of Attendance with unique CID
- Optional Personalized Certificate of Completion with unique CID (after the tests)
- Answers to questions during training sessions
- Current training sessions recording
Prerequisites: Basic Windows troubleshooting
Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.
If you are interested in Linux memory dump analysis there is another forthcoming training: Accelerated Linux Core Dump Analysis
Training: Accelerated Windows Malware Analysis with Memory Dumps
Software Diagnostics Services organizes this online training course.
New dates/times TBD
Learn how to navigate process, kernel, and physical spaces and diagnose various malware patterns in Windows memory dump files. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using WinDbg, process, kernel, and complete memory dumps. The training covers more than 20 malware analysis patterns. The main audience is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to check for possible malware presence in cases of abnormal software behavior. The course will also be useful for software engineers, quality assurance and software maintenance engineers, security researchers, malware and memory forensics analysts who have never used WinDbg for analysis of computer memory. The new version uses the latest WinDbg Preview and is optionally containerized.
Slides from the previous training
Before the training, you get:
- Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
- The previous PDF book version of the training
- Access to Software Diagnostics Library
After the training, you also get:
- The new 3rd edition PDF book of the training
- Personalized Certificate of Attendance with unique CID
- Optional Personalized Certificate of Completion with unique CID (after the tests)
- Answers to questions during training sessions
- Recording
Book: Accelerated Windows Debugging 4D, Third Edition
The following direct links can be used to order the third edition:
Buy PDF from Leanpub
Also is available in PDF format from Software Diagnostics Technology and Services.
The first edition is also available for SkillSoft Books24x7 subscribers
The full transcript of Software Diagnostics Services training with 15 step-by-step exercises, notes, and source code of specially created modeling applications. Learn live local and remote debugging techniques in kernel, user process, and managed .NET spaces using WinDbg debugger. The unique and innovative course teaches unified debugging patterns applied to real problems from complex software environments. The third edition was fully reworked and updated to use Windows 11, Hyper-V, WinDbg Preview, and includes exercises for .NET Core and Time Travel Debugging.
Prerequisites: Working knowledge of one of these languages: C, C++, C#. Operating system internals and assembly language concepts are explained when necessary.
Audience: Software engineers, software maintenance engineers, escalation engineers, security and vulnerability researchers, malware and memory forensics analysts who want to learn live memory inspection techniques.
- Title: Accelerated Windows Debugging4: Training Course Transcript and WinDbg Practice Exercises, Third Edition
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (May 2022)
- Language: English
- Product Dimensions: 28.0 x 21.6
- PDF: 332 pages
- ISBN-13: 978-1912636532
Online Training: Advanced Windows Memory Dump Analysis with Data Structures
Software Diagnostics Services organizes this online training course.
New dates/times TBD
Learn how to navigate through memory dump space and Windows data structures to diagnose, troubleshoot and debug complex software incidents. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. It consists of more than 15 practical step-by-step exercises using WinDbg to diagnose structural and behavioral patterns in the 64-bit kernel and complete (physical) memory dumps. Additional topics include memory search, kernel linked list navigation, practical WinDbg scripting including built-in language and JavaScript, registry, system variables and objects, device drivers, I/O, file system filters, and security. The training is based on the 4th edition of the Advanced Windows Memory Dump Analysis with Data Structures book. It is also optionally containerized.
The difference between this training and the current book version:
- Uses WinDbg Preview instead of WinDbg from SDK
- You can ask questions
- New additional exercises are based on Windows 11
- Certificates and tests
Before the training, you get:
- Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book (+300 pages)
- The current PDF book version
- The previous training recording
- Access to Software Diagnostics Library with more than 370 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies
- On some days before training sessions, you also get new exercise materials not included in the current book version
After the training, you also get:
- The updated PDF book version
- Additional slides and updated exercise transcripts not included in the book
- Personalized Certificate of Attendance with unique CID
- Optional Personalized Certificate of Completion with unique CID (after the tests)
- Answers to questions during training sessions
- Current training sessions recording
Prerequisites: Basic and intermediate level Windows memory dump analysis: the ability to list processors, processes, threads, modules, apply symbols, walk through stack traces and raw stack data, diagnose patterns such as heap corruption, CPU spike, memory leaks, access violation, wait chains and deadlocks. If you don't feel comfortable with prerequisites then Accelerated Windows Memory Dump Analysis training or the corresponding book is recommended before attending this training.
Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.
Book: Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition
Available in PDF format from Software Diagnostics Services
This training course is a combined, reformatted, improved, and modernized version of the two previous books Windows Debugging: Practical Foundations and x64 Windows Debugging: Practical Foundations, that drew inspiration from the original lectures we developed almost 18 years ago to train support and escalation engineers in debugging and crash dump analysis of memory dumps from Windows applications, services, and systems. At that time, when thinking about what material to deliver, we realized that a solid understanding of fundamentals like pointers is needed to analyze stack traces beyond a few WinDbg commands. Therefore, this book is not about bugs or debugging techniques but about the background knowledge everyone needs to start experimenting with WinDbg and learn from practical experience and read other advanced debugging books. This body of knowledge is what the author of this book possessed before starting memory dump analysis using WinDbg 18 years ago, which resulted in the number one debugging bestseller: multi-volume Memory Dump Analysis Anthology. Now, in retrospection, we see these practical foundations as relevant and necessary to acquire for beginners as they were 18 years ago because operating systems internals, assembly language, and compiler architecture haven't changed much in those years.
The book contains two separate sets of chapters and corresponding illustrations. They are named Chapter x86.NN and Chapter x64.NN respectively. The new format makes switching between and comparing x86 and x64 versions easy. There is some repetition of content due to the shared nature of x64 and x86 platforms. Both sets of chapters can be read independently. We included x86 chapters because many 3rd-party Windows applications are still 32-bit and executed in 32-bit compatibility mode on x64 Windows systems. The course consistently uses WinDbg (X86) for 32-bit examples and WinDbg (X64) for 64-bit examples. The book also has a larger format similar to other training courses from Software Diagnostics Services.
Almost 5 years have passed since the first edition of the combined training course that used the earlier version of Windows 10. Since then, we have also published "Practical Foundations of Linux Debugging, Disassembling, Reversing" and "Practical Foundations of ARM64 Linux Debugging, Disassembling, Reversing" books. At that time, we thought about revising our Windows course. Since then, Windows 11 appeared, and we also added Docker support for most of our Windows memory dump analysis courses. While working on the "Accelerated Windows Debugging 4D "course, we decided to make the second edition of Practical Foundations of Windows Debugging based on WinDbg from Windows 11 SDK and Visual Studio 2022 build tools and an optional Docker support for the exercise environment. We also changed the ":=" operator to "<-" in our pseudo-code for Intel disassembly syntax flavor to align with our recent Linux Practical Foundations books, which use "->" in pseudo-code for x64 AT&T disassembly syntax flavor and "<-" in pseudo-code for ARM64 disassembly syntax. All sample projects were recompiled, and many diagrams were redone for the new edition to reflect changes in code generation. WinDbg syntax and code highlighting were also improved. There are also minor additions for C++11 and C++20.
The book is useful for:
- Software technical support and escalation engineers
- Software engineers coming from managed code or JVM background
- Software testers
- Engineers coming from non-Wintel environments
- Windows C/C++ software engineers without assembly language background
- Security researchers without x86/x64 assembly language background
- Beginners learning Windows software reverse engineering techniques
This introductory training course can complement the more advanced course Accelerated Disassembly, Reconstruction and Reversing, Revised Edition. It may also help with advanced exercises in Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 1, Revised, Process User Space and Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 2, Revised, Kernel and Complete Spaces. This book can also be used as an Intel assembly language and Windows debugging supplement for relevant undergraduate-level courses.
Product information:
- Title: Practical Foundations of Windows Debugging, Disassembling, Reversing: Training Course, Second Edition
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Language: English
- Product Dimensions: 28.0 x 21.6
- Paperback: 338 pages
- Publisher: OpenTask (April 2022)
- ISBN-13: 978-1-912636-35-8
REPL Streaming (REPLS)
When we interact with a debugger, we use the so-called REPL, Read-Execute-Print-Loop (where we replace Eval in traditional REPL). We type some command, it is executed by a debugger engine against a memory dump, the results are printed, and we repeat. However, the results can be streamed for further processing, for example, to automate certain analysis patterns, for example, Structure Sheaves (as distributed logs), Region Profiles, and Region Clusters (we list recently added analysis patterns). In the background, the stream processing results are provided back to the debugger Print phase (or in parallel as a further diagnostic aid).
In the case of software traces and logs, streaming is a natural part of processing. But CoTraces fit into REPLS (processed results can also form Message Annotations), and generally, Diags.
REPLS is an architectural pattern, and it is now added to our catalog of software diagnostics architecture patterns.
Systematic Software Diagnostics
Systematic Software Diagnostics attempts to unify various disorganized and fragmentary individual software diagnostic approaches for software construction and post-construction phases.
Initially, when working on software diagnostics foundations, we recognized the need for systematicity by including some of our books and training courses in the Systematic Software Fault Analysis Series. Over the following years, our many practical books became supplemented by theory and a series of seminars.
Now, after more than 15 years, coherent and complete theoretical, practical, and factual knowledge is systematically unified and ordered into pattern catalogs according to first principles after being integrated across individual observations as fully as possible at this time of the discipline development. In addition to systematicity, software diagnostics is also highly interdisciplinary and systemic, crossing boundaries of other disciplines. Its fundamental methodology is a pattern-oriented analysis of artifacts. Every artifact is considered a trace, log, text, and narrative. Diagnostic analysis patterns, common recurrent analysis techniques and methods in specific contexts, organized into catalogs, are used to identify structural and behavioral patterns, common recurrent problems (sets of indicators, symptoms, signs) together with recommendations and possible solutions to apply in specific contexts.
Consider, for example, a typical diagnostic procedure called measurement. It is an analysis pattern itself applied to artifacts or used to generate other artifacts to which analysis patterns are applied. Systematic Software Diagnostics is equally applicable to software development processes where the same analysis patterns are applied to development artifacts, repositories, documentation, management operations, monitoring, team structure, and dynamics. Even a diagnostic analysis is considered an artifact to apply analysis patterns. Where Systematic Software Diagnostic overlaps with other development and engineering activities, it offers additional pattern languages for software data analysis, troubleshooting, debugging, root cause analysis, performance analysis, writing tools, software and memory forensics, memory dump analysis, network trace analysis, static and dynamic malware analysis, reversing, vulnerability analysis, software internals, and cloud computing.
Book: Practical Foundations of ARM64 Linux Debugging, Disassembling, Reversing
This training course is a Linux ARM64 (A64) version of the previous Practical Foundations of Linux Debugging, Disassembly, Reversing book. It also complements Accelerated Linux Core Dump Analysis training course.
The book skeleton is the same as its x64 Linux predecessor, but the content was revised entirely because of a different Linux distribution and CPU architecture.
The course is useful for:
- Software support and escalation engineers, cloud security engineers, SRE, and DevSecOps
- Software engineers coming from JVM background
- Software testers
- Engineers coming from non-Linux environments, for example, Windows or Mac OS X
- Engineers coming from non-ARM environments, for example, x86/x64
- Linux C/C++ software engineers without assembly language background
- Security researchers without assembly language background
- Beginners learning Linux software reverse engineering techniques
This book can also be used as an ARM64 assembly language and Linux debugging supplement for relevant undergraduate-level courses.
Product information:
- Title: Practical Foundations of ARM64 Linux Debugging, Disassembling, Reversing: Training Course
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Language: English
- Product Dimensions: 28.0 x 21.6
- PDF: 176 pages
- Publisher: OpenTask (January 2022)
- ISBN-13: 978-1-912636-37-2
Book: Accelerated Windows Memory Dump Analysis, Fifth Edition, Revised
The following direct links can be used to order the book now:
Buy PDF from Leanpub
Also available for sale in PDF format from Software Diagnostics Services.
The second edition is available for SkillSoft Books24x7 subscribers
The full-color transcript of Software Diagnostics Services training sessions with 32 step-by-step exercises, notes, source code of specially created modeling applications, and more than 120 questions and answers. Covers more than 65 crash dump analysis patterns from x86 and x64 process, kernel, and complete (physical) memory dumps. Learn how to analyze application, service and system crashes and freezes, navigate through memory dump space and diagnose heap corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve. Prerequisites: Basic Windows troubleshooting. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers. The 5th edition was fully reworked with new memory dumps, additional slides, exercises, and analysis patterns. It was further revised with some exercises updated to Windows 11, expanded Q&A, and optional Docker image.
The course consists of two parts:
- Title: Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 1, Revised, Process User Space: Training Course Transcript and WinDbg Practice Exercises with Notes
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (December 2021)
- Language: English
- PDF: 410 pages
- ISBN-13: 978-1912636051
- Table of Contents
- Title: Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 2, Revised, Kernel and Complete Spaces: Training Course Transcript and WinDbg Practice Exercises with Notes
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (December 2021)
- Language: English
- PDF: 370 pages
- ISBN-13: 978-1912636082
- Table of Contents
Accelerated Software Trace Analysis, Revised Edition, Part 1: Fundamentals and Basic Patterns
The following direct links can be used to order the book:
Buy Kindle print replica from Amazon
Buy PDF from Leanpub
Also available in PDF format from Software Diagnostics Technology and Services
This book is a revised edition of the original Accelerated Windows Software Trace Analysis training course. General trace and log analysis pattern language covers any execution artifact from a small debugging trace to a distributed log with billions of messages from hundreds of computers, thousands of software components, threads, and processes. It also allows the application of uniform diagnostics and anomaly detection across diverse software environments, troubleshooting and debugging Windows, Mac OS X, Linux, Android, iOS, and any other possible computer platform including networking and IoT. Part 1 covers fundamentals and explains more than 60 basic trace and log analysis patterns, which are now cross-referenced in this improved and less Windows-centric edition. It can also serve as a reference.
- Title: Accelerated Software Trace Analysis, Revised Edition, Part 1: Fundamentals and Basic Patterns
- Authors: Dmitry Vostokov, Software Diagnostics Services
- Publisher: OpenTask (December 2021)
- Language: English
- Product Dimensions: 28.0 x 21.6
- Paperback: 110 pages
- ISBN-13: 978-1912636310
The Dream of Quantum Software Diagnostics
We are adding quantum computing to our research agenda now by coining "Quantum Software Diagnostics" as a way to analyze different parts of very large software execution artifacts simultaneously, make sense of entire software traces and logs, and predict software behavior (software prognostics). It contains two adjoint phrases centered around Software: left adjoint Quantum Software Diagnostics and right adjoint Quantum Software Diagnostics. The former is about diagnosing quantum software, and the latter is about applying quantum methods to problems of software diagnostics.
In June 2009, we wrote in Memory Dump Analysis Anthology, Volume 3:
"Quantum computation, quantum memory, and quantum information are hot topics today. Unfortunately, quantum mechanics forbids perfect (ideal) memory dumps due to the so-called no-cloning theorem. Still, it is possible to get inconsistent (imperfect) memory dumps, and perfect memory dumps can be made from quantum computer simulators. The analysis of quantum memory snapshots is the domain of Quantum Memoretics."
Since then, we have added traces and logs, text, narrative, data to our pattern-oriented analysis approach. Now we broaden the application of quantum ideas and algorithms and add quantum information processing to our decades' long interest in contemporary mathematics, quantum theory foundations and applications to various domains, logic, semiotics, categories, and recently, in ML/AI, unconventional computing, conceptual mathematics, topos theory, and functional programming.
Online Training: Accelerated .NET Core Memory Dump Analysis
Software Diagnostics Services organizes this online training course.
New dates/times TBD
Learn how to analyze .NET Core application and service crashes and freezes, navigate through memory dump space (managed and unmanaged code) and diagnose corruption, leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention, and much more. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve, includes 10 practical step-by-step exercises using the latest Microsoft WinDbg debugger to diagnose patterns in 64-bit process memory dumps, notes, source code of specially created modeling applications, and selected Q&A. It covers more than 20 .NET memory dump analysis patterns plus additional 15 unmanaged patterns and is based on the fourth edition of the Accelerated .NET Memory Dump Analysis book with additional and revised exercises updated for Windows 11.
Slides from the previous training version
The training consists of 2 two-hour sessions. When you finish the training you additionally get:
- The updated PDF book version
- Practical Foundations of Windows Debugging, Disassembling, Reversing PDF book
- Access to Software Diagnostics Library with more than 370 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies
- Personalized Certificate of Attendance with unique CID
- Optional Personalized Certificate of Completion with unique CID (after the tests)
- Answers to questions during training sessions
- Recording
Prerequisites: Basic .NET programming and debugging.
Audience: Software technical support and escalation engineers, system administrators, DevOps, performance and reliability engineers, software developers, and quality assurance engineers.
If you are mainly interested in unmanaged Windows desktop and server memory dump analysis there is another course available: Accelerated Windows Memory Dump Analysis training or the corresponding book.
Visual Category Theory
The current full set in either PDF or paperback or both is available for purchase from Software Diagnostics Services
Download Sample Pages and Index
Concepts from category theory were used as metaphors for some trace and log analysis patterns (see Mathematical Concepts in Software Diagnostics and Software Data Analysis) and also as a foundation of software diagnostics (see Categorical Foundations of Software Diagnostics) as a part of Theoretical Software Diagnostics. However, category theory abstractions are very challenging to apprehend correctly, require a steep learning curve for non-mathematicians, and, for people with traditional naïve set theory education, a paradigm shift in thinking. The book utilizes a novel approach to teach category theory and abstract mathematics in general by using LEGO® bricks. This method was discovered when applying the same technique to teach machine learning, its data structures and algorithms, particularly directed graphs.
Part 0 (ISBN-13: 978-1912636396) covers universe and sets, set-builder notation, set membership, set inclusion, subsets as members, membership vs. subset, powerset, relations, functions, domain, codomain, range, injection, surjection, bijection, product, union, intersection, set difference, symmetric set difference, sets of functions, function composition, inverse functions.
In order to facilitate earlier adoption and feedback, the book was split into small manageable parts. Part 1 (ISBN-13: 978-1912636402) is currently available on Leanpub and Amazon Kindle Store. It covers the definition of categories, arrows, the composition and associativity of arrows, retracts, equivalence, covariant and contravariant functors, natural transformations, and 2-categories.
CoPart 1 (ISBN-13: 978-1912636815) is a dual complement to Visual Category Theory Brick by Brick, Part 1. It is currently available on Leanpub and Amazon Kindle Store. The original series translated abstract categorical concepts into the language of LEGO® bricks, and the CoPart series implement the opposite way of translating brick constructions to the standard diagram language of category theory that should benefit comprehension of definitions. Since usual categorical diagrams are black and white and occupy less space on paper, CoParts include additional color-enhanced diagrams in the spirit of brick constructions when arrow source and target parts use different colors. These CoParts from CoSeries (named after opposite categories with reversed arrows) keep the same 1-to-1 page correspondence between Parts and CoParts. Page layout is also similar: location of explanatory notes (written using standard mathematical notation) is the same — only bricks are replaced by letters, dots, and arrows. Therefore, this CoSeries can be used independently from the original series or together.
Part 2 (ISBN-13: 978-1912636419) is currently available on Leanpub and Amazon Kindle Store. It covers duality, products, coproducts, biproducts, initial and terminal objects, pointed categories, matrix representation of morphisms, and monoids.
CoPart 2 (ISBN-13: 978-1912636822) is a dual complement to Visual Category Theory Brick by Brick, Part 2. It is currently available on Leanpub and Amazon Kindle Store.
Part 3 (ISBN-13: 978-1912636426) is currently available on Leanpub and Amazon Kindle Store. It covers adjoint functors, diagram shapes and categories, cones and cocones, limits and colimits, pullbacks and pushouts.
CoPart 3 (ISBN-13: 978-1912636839) is a dual complement to Visual Category Theory Brick by Brick, Part 3. It is currently available on Leanpub.
Part 4 (ISBN-13: 978-1912636433) is currently available on Leanpub and Amazon Kindle Store. It covers non-concrete categories, group objects, monoid, group, opposite, arrow, slice, and coslice categories, forgetful functors, monomorphisms, epimorphisms, and isomorphisms.
Part 5 (ISBN-13: 978-1912636440) is currently available on Leanpub and Amazon Kindle Store. It covers exponentials and evaluation in sets and categories, subobjects, equalizers, equivalence classes and quotients, coequalizers, congruence categories, morphism functors, and presheaves.
Part 6 (ISBN-13: 978-1912636457) is currently available on Leanpub and Amazon Kindle Store. It covers ideas that require a leap of abstraction: vertical and whisker compositions of natural transformations, identity and isomorphism of functors, equivalence, isomorphism, and adjoint equivalence of categories, functor and morphism categories, natural transformations as functors, representable functors, category of presheaves, Yoneda embedding and lemma. It also includes an index for parts 1 - 6.
Part 7 (ISBN-13: 978-1912636464) is currently available on Leanpub and Amazon Kindle Store. It covers ideas related to functional programming: exponentials, disjoint unions, endofunctors and natural transformations, partial and total functions, monads.
The first 5 parts are available as Visual Category Theory bundle on Leanpub.
All 8 parts together are now available in paperback format:
- Title: Visual Category Theory Brick by Brick: Diagrammatic LEGO® Reference
- Authors: Dmitry Vostokov
- Publisher: OpenTask (October 2021)
- Language: English
- Product Dimensions: 16.5 x 16.5 cm (6.5 x 6.5 in)
- Paperback: 172 pages
- ISBN-13: 978-1912636389
Also available on Amazon and Barnes&Noble.
Applications of category theory to software diagnostics also include Software Codiagnostics and Diagnostic Operads.
Encyclopedia of Crash Dump Analysis Patterns, Third Edition
The following direct links can be used to order the book now:
Buy PDF from Leanpub
Buy Kindle print replica edition from Amazon
Also available in PDF format from Software Diagnostics Services
The first edition is available for SkillSoft Books24x7 subscribers
This reference reprints with corrections, additional comments, and classification more than 370 alphabetically arranged and cross-referenced memory analysis patterns originally published in Memory Dump Analysis Anthology volumes 1 – 13. This pattern catalog is a part of pattern-oriented software diagnostics, forensics, prognostics, root cause analysis, and debugging developed by Software Diagnostics Institute. Most of the analysis patterns are illustrated with examples for WinDbg from Debugging Tools for Windows with a few examples from Mac OS X and Linux for GDB. The third edition includes more than 40 new analysis patterns, more than 30 new examples and comments for analysis patterns published in the previous editions, updated bibliography and links, improved illustrations and debugger output snippets with extra visual highlighting.
Product information:
- Title: Encyclopedia of Crash Dump Analysis Patterns: Detecting Abnormal Software Structure and Behavior in Computer Memory, Third Edition
- Authors: Dmitry Vostokov, Software Diagnostics Institute
- Language: English
- Product Dimensions: 24.6 x 18.9
- PDF: 1,326 pages
- Publisher: OpenTask (September 2020)
- ISBN-13: 978-1-912636303
Introducing Diagnomicon
Recently we noticed the increased usage of -nomicon Ancient Greek suffix that signifies books with some length, prominence within, and importance to some field of knowledge, or simply, "pertaining to rules," or "book of." It is a combination of nomos (νόμος, law), and icon (εἰκών eikon, image). At the same time, We've been using the Memory Dump Analysis Anthology phrase for more than 15 years and used to abbreviate it as MDAA. Over the years, this massive book sequence accumulated almost 5,000 pages and now includes writing on trace and log analysis and diagnostics in general. We found that the word Diagnomicon was never used before (perhaps we even coined it), and we took it as an extra MDAA book name. We also acquired the Diagnomicon.com domain that currently points to Software Diagnostics Institute, but we plan to make it a separate website soon dedicated to marketing the MDAA collection entirely.
Memory Dump Analysis Anthology, Volume 5, Revised Edition
The new Revised Edition is available!
Available in PDF format from Software Diagnostics Services
This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) written in February 2010 - October 2010. In addition to various corrections, this major revision updates relevant links and removes obsolete references. Some articles are preserved for historical reasons. Most of the content, especially memory analysis and trace and log analysis pattern languages, is still relevant today and for the foreseeable future. The output of WinDbg commands is also remastered to include color highlighting. Crash dump analysis pattern names are also corrected to reflect the continued expansion of the catalog. The fifth volume features:
- 25 new crash dump analysis patterns
- 11 new pattern interaction case studies (including software tracing)
- 16 new trace analysis patterns
- 7 structural memory patterns
- 4 modeling case studies for memory dump analysis patterns
- Discussion of 3 common analysis mistakes
- Malware analysis case study
- Computer independent architecture of crash analysis report service
- Expanded coverage of software narratology
- Metaphysical and theological implications of memory dump worldview
- More pictures of memory space and physicalist art
- Classification of memory visualization tools
- Memory visualization case studies
- Close reading of the stories of Sherlock Holmes: Dr. Watson’s observational patterns
- Fully cross-referenced with Volumes 1 - 4
The primary audience for Memory Dump Analysis Anthology reference volumes is: software engineers developing and maintaining products on Windows platforms, technical support, escalation, and site reliability engineers dealing with complex software issues, quality assurance engineers testing software on Windows platforms, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. Trace and log analysis articles may be of interest to users of other platforms.
Product information:
- Title: Memory Dump Analysis Anthology, Volume 5, Revised Edition
- Author: Dmitry Vostokov
- Language: English
- Product Dimensions: 22.86 x 15.24
- PDF: 431 pages
- Publisher: Opentask (September 2021)
- ISBN-13: 978-1912636259
Back cover features memory space art image Hot Computation: Memory on Fire.
Memory Dump Analysis Anthology, Volume 14
Available in PDF format from Software Diagnostics Services
This reference volume consists of revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute (DumpAnalysis.org + TraceAnalysis.org) and Software Diagnostics Library (former Crash Dump Analysis blog, DumpAnalysis.org/blog) about software diagnostics, root cause analysis, debugging, crash and hang dump analysis, software trace and log analysis written in August 2020 - 14 August 2021 for software engineers developing and maintaining products on Windows and Linux platforms, quality assurance engineers testing software, technical support, escalation and site reliability engineers dealing with complex software issues, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. This volume is fully cross-referenced with volumes 1 – 13 and features:
- 7 new crash dump analysis patterns with selected downloadable example memory dumps
- New crash dump analysis case study not previously published anywhere
- 14 new software trace and log analysis patterns
- Introduction to cloud analysis patterns
- Introduction to the fractal nature of software traces and logs
- Introduction to the general architecture of analysis pattern networks
- Lists of recommended books
Product information:
- Title: Memory Dump Analysis Anthology, Volume 14
- Authors: Dmitry Vostokov, Software Diagnostics Institute
- Language: English
- Product Dimensions: 22.86 x 15.24
- Paperback: 189 pages
- Publisher: OpenTask (August 2021)
- ISBN-13: 978-1-912636-14-3
Exercises in Logging Style
Years ago, I bought the book in Russia whose title is “Literature of Formal Constraints: Form and Games from Antiquity to Present Days” by Tatiana Bonch-Osmolovskaya if I translate it to English. Such literary techniques and patterns are also known under the term constrained writing. The reason why this book caught my attention in the bookshop is that at that time, I was developing software narratology as a foundation of trace and log analysis patterns. So, I planned to mine it for pattern writing. However, due to other pressures, I put it in a reading list until very recently, when reading a preface to Exercises in Programming Style, Second Edition, by Cristina Videira Lopes (ISBN-13: 978-0367350208), I learned about the Oulipo movement (writing under constraints). I immediately realized that software traces and logs are software narratives under constraints. I plan to explore such constraints by providing creative examples of trace and log statements and messages. As a metanarrative template, I chose a variation of narrative from Exercises in Style book by Raymond Queneau:
The software narrator “S” is a rule-based system tracing process, and it notices a long-running process that had loaded hat.dll and got into resource contention difficulties with another process. Two hours later, the software narrator notices the same process and a debugger process that gives some advice regarding the functionality of an extra GUI button.
Another variation I chose is the frequent message found in logs on the “access denied” theme. Such constraints may be personal and organizational preferences and styles, programming language, execution environment, and technology stack limitations, different coding phases (development, maintenance, early vs. mature code), external constraints such as source code scope, tracing and logging configuration and rules, timing, the need for a quick debugging fix, or understanding program state and behavior.
In writing these exercises in tracing style, I also plan to reference trace and log analysis patterns where appropriate.
I add links to variations as soon as they are published. I also consider them a part of the modeling activities I do while working on the Writing Bad Code book.
We are 15
This month, www.DumpAnalysis.org turns 15 (F). Initially, in March 2006, it started as Crash Dump Analysis and Debugging Forum (now frozen at https://www.dumpanalysis.org/forum/ where old posts are available). In August 2006, it became Crash Dump Analysis Blog, later moved to https://www.dumpanalysis.org/blog/ and renamed to Software Diagnostics Library as only posts about analysis patterns became added to it. When the blog was moved, the root URL (https://dumpanalysis.org/) became Crash Dump Analysis Portal, later renamed to Software Diagnostics Institute in 2012.
