Debugged! MZ/PE: MagaZine for/from Practicing Engineers

As one of the new initiatives for the Year of Debugging (2009, 0x7D9), OpenTask starts publishing a full-color, variable-page-count periodical called:

Debugged! MZ/PE: MagaZine for/from Practicing Engineers

The only serial publication dedicated entirely to Windows® debugging

The following direct links can be used to order issues now:

Order March, 2009 issue from Amazon or Barnes & Noble

New! Now available for Kindle

Order June, 2009 issue from Amazon or Barnes & Noble

Order September, 2009 issue from Amazon or Barnes & Noble

Order March, 2010 issue from Amazon or Barnes & Noble


Free version: Debugging Expert(s) Magazine Online

Sample magazine back covers featuring debugging, crash dump and software trace analysis tips:

RADII Software Support Tools Development Process

Requirements, Architecture, Design, Implementation and Improvement

Featured in the forthcoming book: DebugWare: The Art and Craft of Writing Troubleshooting and Debugging Tools

DLL List Landscape: The Art from Computer Memory Space

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

DLL is also a recursive acronym for DLL List Landscape. This full-color book features magnificent images of process user space generated by Dump2Picture:

  • Title: DLL List Landscape: The Art from Computer Memory Space
  • Author: Dmitry Vostokov
  • Publisher: Opentask (15 December 2008)
  • Language: English
  • Product Dimensions: 21.6 x 21.6 cm
  • ISBN-13: 978-1-906717-36-0
  • Paperback: 16 pages

Dumps, Bugs and Debugging Forensics

Finally, Dr. Debugalov's adventures are in print, with bugs inside. The full-color book also features never-before-published cartoons and a few surprises. It sets a new standard for entertainment in software engineering.

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

  • Title: Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov
  • Author: Narasimha Vedala
  • Editor: Dmitry Vostokov
  • Publisher: Opentask (1 December 2008)
  • Language: English
  • Product Dimensions: 21.6 x 14.0 cm
  • ISBN-13: 978-1-906717-25-4
  • Paperback: 64 pages

Table of Contents

WinDbg: A Reference Poster and Learning Cards

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

WinDbg is a powerful debugger from Microsoft Debugging Tools for Windows. It has more than 350 commands that can be used in different debugging scenarios. The cover of this book is a poster featuring a crash dump analysis checklist and common patterns seen in memory dumps and live debugging sessions. Inside the book you can find ready-to-cut learning cards with commands and their descriptions, coloured according to their use for crash dump or live debugging sessions and for user, kernel, or complete memory dumps. Shuffling the cards can create unexpected connections between commands and help you learn them more quickly. Uncut pages can also serve as a bird's-eye view of WinDbg debugging capabilities. More than 350 WinDbg commands, including meta-commands and extensions, are included.

  • Title: WinDbg: A Reference Poster and Learning Cards
  • Author: Dmitry Vostokov
  • Publisher: Opentask (20 November 2008)
  • Language: English
  • Product Dimensions: 28.0 x 21.6 cm
  • ISBN-13: 978-1-906717-29-2
  • Paperback: 20 pages

Book Excerpt

Online Training: Memory Thinking for Rust

Software Diagnostics Services organizes this online training course.

Memory Thinking for Rust

Memory Thinking for Rust training reviews memory-related topics from the perspective of software structure and behavior analysis and teaches Rust language aspects in parallel while demonstrating relevant code internals using WinDbg and GDB on Windows (x64) and Linux (x64 and ARM64) platforms:

  • Relevant language constructs
  • Memory layout of structures
  • References, ownership, borrowing, and lifecycle
  • Unsafe pointers
  • Local, static, and dynamic memory
  • Functions, closures
  • Object-oriented and functional features
  • Windows and Linux specifics
  • … and much more

The following audiences may benefit from the training:

  • Rust developers who want to deepen their knowledge
  • Non-C and C++ developers (for example, Java, Scala, Python) who want to learn more about pointer and reference internals
  • C and C++ developers who want to port their memory thinking to Rust quickly

The new training version updates and extends the existing topics, adding some that were missing from the first edition. The updated PDF book will also have a new format similar to our second edition of the Memory Thinking books for C and C++.

For more detailed content, please see the first 15 slides from the previous training (there are more than 200 slides for the previous training and 2,000 lines of Rust code) and Table of Contents from the previous reference book.

System programming on Windows and Linux using Rust is unthinkable without the OS API. To avoid repeating some topics and save time, the training includes the Accelerated Windows and Linux API for Software Diagnostics books as a follow-up or additional reference. A necessary x64 and ARM64 review for some topics is also included.

Before the training, you also get:

After the training, you also get:

  • The second edition of Memory Thinking for Rust PDF book
  • Personalized Certificate of Attendance with unique CID
  • Answers to questions during training sessions
  • The new recording

Online Training: Accelerated Linux Core Dump Analysis

Software Diagnostics Services organizes this online training course.

TBD

Learn how to analyze Linux process and kernel crashes and hangs, navigate through core memory dump space, and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. This training uses a unique and innovative pattern-oriented diagnostic analysis approach to speed up the learning curve. The training consists of more than 70 practical step-by-step exercises using GDB and WinDbg debuggers, highlighting more than 50 memory analysis patterns diagnosed in 64-bit core memory dumps from x64 and ARM64 platforms. The training also includes source code of modeling applications (C, C++), a catalog of relevant patterns from the Software Diagnostics Institute, and an overview of relevant similarities and differences between Windows and Linux memory dump analysis useful for engineers with a Wintel background. This fully revised and updated training is based on the 3rd edition of the bestselling Accelerated Linux Core Dump Analysis book and adds new material, such as defect mechanism patterns and WinDbg Linux kernel dump analysis exercises.

Prerequisites: Basic Linux user skills.

Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, cloud engineers, DevSecOps and SRE, and quality assurance engineers.

Slides from the previous training version

Before the training you get:

  • The current 3rd edition PDF book version of the training.
  • The previous version training recording.
  • Access to Software Diagnostics Library.

After the training, you also get:

  • The new 4th edition PDF book version of the training.
  • Personalized Certificate of Attendance with unique CID.
  • Answers to questions during training sessions.
  • New recording

Online Training: Accelerated Windows API for Software Diagnostics

Software Diagnostics Services organizes this online training course.

Registration: TBD

Slides from the previous training sessions

Knowledge of Windows API is necessary for:

  • Development
  • Malware analysis
  • Vulnerability analysis and exploitation
  • Reversing
  • Diagnostics
  • Debugging
  • Memory forensics
  • Crash and hang analysis
  • Secure coding
  • Static code analysis
  • Trace and log analysis

The training uses a unique and innovative pattern-oriented analysis approach and provides:

  • Overview
  • Classification
  • Patterns
  • Internals
  • Development examples
  • Analysis examples

Before the training, you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
  • The current PDF book version of the training
  • The previous recording
  • Access to Software Diagnostics Library

After the training, you also get:

  • The updated PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Recording

Online Training: Accelerated Rust Windows Memory Dump Analysis

Software Diagnostics Services organizes this online training course.

This training includes step-by-step exercises and covers dozens of crash dump analysis patterns from the x64 process, kernel, and complete (physical) memory dumps. Learn how to analyze Rust applications, services, and system crashes and freezes, navigate through memory dump space, and diagnose heap corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by the Software Diagnostics Institute to speed up the learning curve, and it is structurally based on the latest 6th revised edition of the bestselling Accelerated Windows Memory Dump Analysis book with the focus on safe and unsafe Rust code and its interfacing with the Windows OS. The training is useful whether you come to Rust from C and C++ or interpreted languages like Python and facilitates memory thinking when programming in Rust.

Slides from the first two sessions

Registration: TBD

Before the training, you get:

  • Memory Thinking for Rust PDF book (300+ pages)
  • Access to Software Diagnostics Library with more than 370 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies

After the training, you also get:

  • The training PDF book edition
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Current training sessions recording

Prerequisites: Basic Windows troubleshooting.

Audience: Software technical support and escalation engineers, system administrators, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts, DevSecOps and SRE, software developers, system programmers, and quality assurance engineers.

Slides from the structurally similar C and C++ training version, Part 1
Slides from the structurally similar C and C++ training version, Part 2

If you are mainly interested in C and C++ Windows memory dump analysis, there is another training: Accelerated Windows Memory Dump Analysis

If you are mainly interested in .NET memory dump analysis, there is another training: Accelerated .NET Core Memory Dump Analysis

If you are interested in C and C++ Linux memory dump analysis, there is another training: Accelerated Linux Core Dump Analysis

Online Training: Accelerated C & C++ for Linux Diagnostics

Software Diagnostics Services organizes this online training course.

The second version adds 45 projects with more than 5,500 lines of code.

For approximate training content of the new, fully revamped version, please see the first 45 slides (there are 295 slides in total) and TOC from the corresponding Windows Memory Thinking book. The Linux book will be updated correspondingly.

Solid C and C++ knowledge is a must to fully understand Linux diagnostic artifacts such as core dumps and do diagnostic, forensic, and root cause analysis beyond listing backtraces. Accelerated C and C++ for Linux Software Diagnostics training reviews memory-related topics from the perspective of software structure and behavior analysis and teaches C and C++ languages in parallel while demonstrating relevant code internals using GDB:

  • a tour of relevant language(s) constructs - classic/legacy C++, C++11, and later standards including C++23
  • Linux specifics
  • pointers and references
  • memory layout of structures and objects
  • local, static, and dynamic memory
  • object lifecycle
  • templates and standard library
  • functions, function objects, and lambdas
  • compilation and linkage
  • multithreading and synchronization
  • bad and insecure code
  • … and much more

System programming on Linux using C and C++ is unthinkable without the Linux API. To avoid repeating some topics and save time, the training includes the Accelerated Linux API for Software Diagnostics book as a follow-up or additional reference. A necessary x64 and ARM64 review for some topics is also included.

Before the training, you get the following:

After the training, you also get the following:

  • The new edition of the Memory Thinking PDF book with additional C and C++ examples
  • Personalized Certificate of Attendance with unique CID
  • The new recording

Online Training: Extended Windows Memory Dump Analysis

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course:

Registration: TBD

Extended Windows Memory Dump Analysis: Using and Writing WinDbg Extensions, Database and Event Stream Processing, Visualization training course extends pattern-oriented analysis introduced in Accelerated Windows Memory Dump Analysis, Accelerated .NET Core Memory Dump Analysis, Advanced Windows Memory Dump Analysis with Data Structures, and Accelerated Windows Malware Analysis with Memory Dumps courses with elements of programming, data engineering, data science, and machine learning engineering:

  • Surveying the current landscape of WinDbg extensions with analysis pattern mappings
  • Writing WinDbg extensions in C, C++, and Rust (new)
  • Connecting WinDbg to NoSQL databases
  • Connecting WinDbg to streaming and log processing platforms
  • Querying and visualizing WinDbg output data
  • Using Data Science, Machine Learning, and AI for diagnostics and postmortem debugging (new)

The new version of the training updates existing and includes new exercises.

Slides from the previous training

Before the training, you get:

  • The current PDF book version and recording of the training
  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
  • Access to Software Diagnostics Library

After the training, you also get:

  • The new edition of the PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Answers to questions during training sessions
  • New recording

Prerequisites: Working knowledge of WinDbg. Working knowledge of Python, C, C++, or Rust is optional (required only for some exercises). Other concepts are explained when necessary.

Audience: Software developers, software maintenance engineers, escalation engineers, quality assurance engineers, security and vulnerability researchers, malware and memory forensics analysts who want to build memory analysis pipelines.

Online Training: Accelerated Linux Debugging 4D

Software Diagnostics Services organizes this online training course.

Learn live local and remote debugging techniques and tricks in the kernel and user process spaces using GDB and LLDB debuggers for C, C++, and Rust code. The unique and innovative Debugging 4D course teaches unified debugging patterns applied to real problems from complex software environments. The training consists of practical, step-by-step, hands-on exercises.

Before the training, you get:

  • Access to Software Diagnostics Library

After the training, you also get:

  • The PDF book version of the training: Accelerated Linux Debugging 4D
  • Personalized Certificate of Attendance with unique CID
  • Answers to questions during training sessions
  • Recording

Prerequisites:

Working knowledge of one of these languages: C, C++, Rust. Operating system internals and assembly language concepts are explained when necessary.

Audience:

Software engineers, software maintenance engineers, escalation engineers, security and vulnerability researchers, malware and memory forensics analysts who want to learn live memory inspection techniques.

If you are interested in live Windows debugging, there is another training course available.

Online Training: Accelerated C & C++ for Windows Diagnostics

Software Diagnostics Services organizes this online training course.

For approximate training content, please see the first 56 slides (there are 289 slides in total) and TOC from the corresponding Memory Thinking book.

Solid C and C++ knowledge is a must to fully understand Windows diagnostic artifacts such as memory dumps and do diagnostic, forensic, and root cause analysis beyond listing stack traces, DLL, and driver information. C and C++ for Windows Software Diagnostics training reviews the following topics from the perspective of software structure and behavior analysis and teaches C and C++ languages in parallel while demonstrating relevant code internals using WinDbg:

  • a tour of relevant language(s) constructs - classic/legacy C++, C++11, and later standards
  • Windows specifics
  • pointers and references
  • memory layout of structures and objects
  • local, static, and dynamic memory
  • object lifecycle
  • standard library
  • compilation, static and dynamic linkage
  • multithreading and synchronization
  • bad and insecure code
  • … and more

System and desktop application programming on Windows using C and C++ is unthinkable without the Windows API. To avoid repeating some topics and save time, the training includes the Accelerated Windows API for Software Diagnostics book as a follow-up or additional reference. There is also a necessary x64 review for some topics, but if you have never read assembly language before, the Practical Foundations of Windows Debugging, Disassembling, Reversing book is also included.

Before the training, you get the following:

After the training, you also get the following:

  • The new edition of the Memory Thinking PDF book with additional C and C++ examples
  • Personalized Certificate of Attendance with unique CID
  • The new recording

Online Training: Advanced Windows Memory Dump Analysis with Data Structures

Software Diagnostics Services organizes this online training course.

TBD

Learn how to navigate through memory dump space and Windows data structures to diagnose, troubleshoot, and debug complex software incidents. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. It consists of 15 practical step-by-step exercises using WinDbg to diagnose structural and behavioral patterns in the 64-bit kernel and complete (physical) memory dumps. Additional topics include memory search, kernel linked list navigation, practical WinDbg scripting including built-in language and JavaScript, registry, system variables and objects, device drivers, I/O, file system filters, and security. The training is based on the 4th revised edition of the Advanced Windows Memory Dump Analysis with Data Structures book. It is also optionally containerized. The new version uses the latest WinDbg and includes additional scripting and memory topics.

Slides from the previous training sessions

Before the training, you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book (300+ pages)
  • The current PDF book version
  • The previous training recording
  • Access to Software Diagnostics Library with more than 380 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies

After the training, you also get:

  • The new PDF book edition
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Current training sessions recording

Prerequisites: Basic and intermediate level Windows memory dump analysis: the ability to list processors, processes, threads, modules, apply symbols, walk through stack traces and raw stack data, diagnose patterns such as heap corruption, CPU spike, memory leaks, access violation, wait chains and deadlocks. If you don't feel comfortable with prerequisites, then Accelerated Windows Memory Dump Analysis training or the corresponding book is recommended before attending this training.

Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.

Online Training: Accelerated Windows Debugging 5D

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course:

Learn live local and remote debugging techniques and tricks in the kernel, user process, and managed .NET spaces using the WinDbg debugger. The unique and innovative Debugging 5D course teaches unified debugging patterns applied to real problems from complex software environments. The training consists of practical, step-by-step, hands-on exercises. The new edition extends the previous version with an additional discussion of the pattern-oriented debugging process and the unified debugging patterns, uses the latest WinDbg, and adds the Rust language to the existing C/C++ and C# exercises.

Slides from the previous Debugging4 training

Before the training, you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
  • Accelerated Windows Debugging4 PDF book
  • Access to Software Diagnostics Library

After the training, you also get the following:

  • The new edition of the PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Answers to questions during training sessions
  • Recording

Prerequisites: Working knowledge of one of these languages: C, C++, C#, Rust. Operating system internals and assembly language concepts are explained when necessary.

Audience: software engineers, software maintenance engineers, escalation engineers, security and vulnerability researchers, malware and memory forensics analysts who want to learn live memory inspection techniques.

If you are interested in Windows postmortem software diagnostics using memory dump files, there are other courses available:

Accelerated Windows Memory Dump Analysis

Accelerated .NET Core Memory Dump Analysis

Advanced Windows Memory Dump Analysis with Data Structures

Accelerated Windows Malware Analysis with Memory Dumps

Managed Code Exception (Python) and Managed Stack Trace (Python)

We also extend our memory analysis pattern language to managed (interpreted) and native Python platforms, in addition to the Scala managed platform. The first analysis patterns we chose to extend are Managed Code Exception and Managed Stack Trace, which are exceptions and stack traces from some virtual machine execution rather than native platform exceptions and stack traces. To model them we created the following Python code:

def main():
    foo()

def foo():
    bar()

def bar():
    ref = []
    ref[0]

if __name__ == "__main__":
    main()

Its execution produces an exception and its stack trace (traceback):

Traceback (most recent call last):
  File ".\helloCrash.py", line 12, in <module>
    main()
  File ".\helloCrash.py", line 2, in main
    foo()
  File ".\helloCrash.py", line 5, in foo
    bar()
  File ".\helloCrash.py", line 9, in bar
    ref[0]
IndexError: list index out of range
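As an added example (not code from the original post), the following script treats the traceback printed above as an analysis artifact: it parses the managed stack trace text into structured frames, extracts the Managed Code Exception type and message, and cross-checks the parser against a traceback captured live from the same helloCrash.py modeling functions. The sample traceback string is constructed from the output shown above; the frame/exception regular expressions and the Frame record are this example's own assumptions about CPython's traceback format (frames are printed outermost first, "most recent call last", so the last frame is the raise site).

```python
"""Parse CPython traceback text into Managed Stack Trace frames and the
Managed Code Exception (type, message). Added example, not the post's code."""
import re
import traceback
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the traceback printed by helloCrash.py in the post.
SAMPLE_TRACEBACK = r"""Traceback (most recent call last):
  File ".\helloCrash.py", line 12, in <module>
    main()
  File ".\helloCrash.py", line 2, in main
    foo()
  File ".\helloCrash.py", line 5, in foo
    bar()
  File ".\helloCrash.py", line 9, in bar
    ref[0]
IndexError: list index out of range
"""


@dataclass
class Frame:
    """One managed frame: where the interpreter was when the call was made."""
    filename: str
    lineno: int
    function: str
    source: Optional[str]  # the source line CPython echoes under the frame


# Assumed CPython frame header layout: '  File "<path>", line <n>, in <func>'
_FRAME_RE = re.compile(r'^\s+File "(?P<file>[^"]+)", line (?P<line>\d+), in (?P<func>.+)$')
# Assumed final exception line layout: '<Type>' or '<Type>: <message>'
_EXC_RE = re.compile(r'^(?P<type>[A-Za-z_][\w.]*)(?:: (?P<msg>.*))?$')


def parse_traceback(text: str) -> Tuple[List[Frame], str, str]:
    """Return (frames outermost-first, exception type, exception message).

    Indented lines after a frame header are the echoed source line; on Python
    3.11+ a second indented line of '~' and '^' markers may follow and is
    ignored. The first non-indented line after the frames is the exception."""
    frames: List[Frame] = []
    exc_type, exc_msg = "", ""
    for line in text.splitlines():
        m = _FRAME_RE.match(line)
        if m:
            frames.append(Frame(m["file"], int(m["line"]), m["func"], None))
        elif line.startswith("    ") and frames:
            if frames[-1].source is None:
                frames[-1].source = line.strip()
        elif frames and line.strip():
            em = _EXC_RE.match(line.strip())
            if em:
                exc_type = em["type"]
                exc_msg = em["msg"] or ""
            break
    return frames, exc_type, exc_msg


def raise_site(frames: List[Frame]) -> Optional[Frame]:
    """The innermost frame, i.e. where the managed exception was raised."""
    return frames[-1] if frames else None


# The post's modeling code, reproduced so a live traceback can be captured.
def main():
    foo()


def foo():
    bar()


def bar():
    ref = []
    ref[0]


def live_traceback_text() -> str:
    """Run the model and return the traceback text CPython would print."""
    try:
        main()
    except IndexError:
        return traceback.format_exc()
    return ""


if __name__ == "__main__":
    frames, etype, emsg = parse_traceback(SAMPLE_TRACEBACK)
    print("managed stack trace (outermost first):")
    for f in frames:
        print(f"  {f.function:<10} {f.filename}:{f.lineno}  {f.source}")
    site = raise_site(frames)
    print(f"managed code exception: {etype}: {emsg} at {site.function}:{site.lineno}")
```

Running the script prints the four frames of the sample trace and reports the exception as raised in bar at line 9; parsing live_traceback_text() yields the same IndexError with the extra outer frame of the capturing function, which is the structure a Managed Stack Trace pattern expects regardless of whether the text came from a log, a core dump, or a live process.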

Online Training: Accelerated Linux API for Software Diagnostics

Software Diagnostics Services organizes this online training course.

New dates/times TBD

For the approximate agenda please check slides from the similar Windows training

Knowledge of Linux API is necessary for:

  • Development
  • Malware analysis
  • Vulnerability analysis and exploitation
  • Reversing
  • Diagnostics
  • Debugging
  • Memory forensics
  • Core dump analysis
  • Secure coding
  • Static code analysis
  • Trace and log analysis

The training uses a unique and innovative pattern-oriented analysis approach and provides:

  • Overview
  • Classification
  • Patterns
  • Internals
  • Development examples
  • Analysis examples
  • Comparison with Windows API

Before the training you get:

  • Access to Software Diagnostics Library

After the training, you also get:

  • The PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Online Training: Accelerated Linux Disassembly, Reconstruction, and Reversing

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course.

Learn disassembly, execution history reconstruction, and binary reversing techniques for better software diagnostics, troubleshooting, debugging, memory forensics, vulnerability and malware analysis on x64 and ARM64 Linux platforms. The course uses a unique and innovative pattern language approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using GDB and Linux core memory dumps. It covers more than 25 ADDR patterns originally introduced for the x64 Windows platform, and many concepts are illustrated with Memory Cell Diagrams. This new training version includes a review of necessary x64 and ARM64 assembly language fundamentals.

Slides from the previous training

Level: Intermediate/Advanced.

Prerequisites: Working knowledge of C and C++. Operating system internals and assembly language concepts are explained when necessary.

Audience: Software technical support and escalation engineers who analyze core dumps from complex software environments and need to go deeper in their analysis of abnormal and malicious software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse cloud and endpoint computer environments, SRE and DevSecOps, security and vulnerability researchers, malware and memory forensics analysts who have never used GDB for analysis of computer memory.

The training consists of 4 two-hour sessions.

Before the training, you get the following:

  • The current PDF book version
  • The previous training recording
  • Access to Software Diagnostics Library

After the training, you also get the following:

  • The updated PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • The new recording

Online Training: Accelerated macOS (M2) Disassembly, Reconstruction, and Reversing

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course.

New dates/times TBD

Learn disassembly, execution history reconstruction, and binary reversing techniques for better software diagnostics, troubleshooting, debugging, memory forensics, vulnerability and malware analysis on the ARM64 macOS platform. The course uses a unique and innovative pattern language approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using LLDB and macOS core memory dumps. It covers more than 25 ADDR patterns originally introduced for the x64 Windows platform and later expanded to x64 and ARM64 Linux, and many concepts are illustrated with Memory Cell Diagrams. The course builds upon and extends the basic patterns introduced in the Practical Foundations of macOS Debugging, Disassembling, Reversing book.

Slides from the similar Linux-based training

Level: Intermediate/Advanced.

Prerequisites: Working knowledge of C and C++. Operating system internals and assembly language concepts are explained when necessary.

Audience: Software technical support and escalation engineers who analyze core dumps from complex software environments and need to go deeper in their analysis of abnormal and malicious software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse endpoint computer environments, security and vulnerability researchers, malware and memory forensics analysts who have never used LLDB for analysis of computer memory.

The training consists of 3 two-hour sessions.

Before the training, you get:

  • Access to Software Diagnostics Library
  • Practical Foundations of macOS Debugging, Disassembling, Reversing PDF book (January 2023)

After the training, you also get:

  • The PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Training: Accelerated macOS Core Dump Analysis (M2 Version)

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course:

New dates/times TBD

Learn how to analyze app crashes and freezes, navigate through process core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. We use a unique and innovative pattern-driven analysis approach to speed up the learning curve. The training consists of practical step-by-step exercises using Xcode and LLDB environments, highlighting more than 30 patterns diagnosed in 64-bit process core memory dumps. The training also includes an overview of relevant similarities and differences between Windows and Mac OS X user space memory dump analysis useful for engineers with a Wintel background. The course is thoroughly updated for the latest macOS version and M2 platform.

Slides from the previous x64-based training

Level: Beginner/Intermediate.

Prerequisites: Basic macOS troubleshooting and debugging.

Audience: Software technical support and escalation engineers, system administrators, software developers, security professionals, and quality assurance engineers.

The training consists of 2 two-hour sessions. Before the training, you get:

  • The previous PDF edition of this course (Intel x64 LLDB and GDB)
  • Access to Software Diagnostics Library

After the training, you also get:

  • The new PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording
  • Practical Foundations of macOS Debugging, Disassembling, Reversing PDF book (January 2023)

Online Training: Accelerated Windows Trace and Log Analysis

Software Diagnostics Services organizes this online training course.

TBD

Feel frustrated when opening a software trace with millions of messages from hundreds of software components, threads, and processes? Go beyond simple CPU and disk hog monitoring or searching for errors in text, and learn how to efficiently and effectively analyze software traces and logs from complex software environments. In addition to a theoretical part, practical illustrations, examples, and exercises include Microsoft Event Tracing for Windows (ETW), Procmon, Windows Performance Analyzer, and PerfView. This course teaches trace and log analysis using the pioneering and innovative pattern-oriented analysis of abnormal software behavior incidents developed by the Software Diagnostics Institute.

Sample slides from a theoretical part

The training consists of 5 one-hour sessions. Before the training, you get:

  1. The current version of Malware Narratives (PDF).
  2. Trace, Log, Text, Narrative: An Analysis Pattern Reference for Data Mining, Diagnostics, Anomaly Detection, Fourth Edition (PDF).
  3. Access to Software Diagnostics Library.

After the training, you also get:

  1. The revised edition of Malware Narratives (PDF).
  2. The new edition of Trace, Log, Text, Narrative (PDF).
  3. Personalized Certificate of Attendance with unique CID.
  4. Answers to questions during training sessions.
  5. Recording.

Prerequisites: Basic Windows troubleshooting.

Audience: Software technical support and escalation engineers, system administrators, security researchers, incident response professionals, software developers, platform engineers, DevSecOps and SRE, and quality assurance engineers.

Online Training: Accelerated Linux Disassembly, Reconstruction, and Reversing (WinDbg Version)

Accelerated Disassembly, Reconstruction and Reversing Logo

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course.

New dates/times TBD

Learn disassembly, execution history reconstruction, and binary reversing techniques for better software diagnostics, troubleshooting, debugging, memory forensics, vulnerability and malware analysis on x64 and ARM64 Linux platforms. The course uses a unique and innovative pattern language approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using WinDbg and Linux core memory dumps. It covers more than 25 ADDR patterns originally introduced for the x64 Windows platform, and many concepts are illustrated with Memory Cell Diagrams. The training also features additional diagrams adapted from the Linux Practical Foundations books to the WinDbg context.

Selected slides of the previous Windows-based training

Level: Intermediate/Advanced.

Prerequisites: Working knowledge of C and C++. Operating system internals and assembly language concepts are explained when necessary.

Audience: Software technical support and escalation engineers who analyze core dumps from complex software environments and need to go deeper in their analysis of abnormal and malicious software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse cloud and endpoint computer environments, SRE and DevSecOps, security and vulnerability researchers, malware and memory forensics analysts who have never used WinDbg for analysis of computer memory.

The training consists of 3 two-hour sessions.

Before the training, you get:

  • Access to Software Diagnostics Library

After the training, you also get:

  • The PDF book version of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Online Training: Accelerated Windows Memory Forensics and Malware Analysis with Memory Dumps

Software Diagnostics Services organizes this online training course.

New dates/times TBD

Accelerated Windows Memory Forensics Logo

Learn how to navigate the process, kernel, physical memory spaces, and corresponding Windows data structures, discover forensic artifacts and diagnose structural and behavioral patterns in Windows memory dump files. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of more than 20 practical step-by-step, hands-on exercises using WinDbg, process, kernel, and complete memory dumps. In addition to malware patterns, topics include process and thread navigation, past execution, memory search, kernel linked list navigation, practical WinDbg scripting including built-in language and JavaScript, registry, system variables and objects, device drivers, I/O, file system filters, and security. The training is based on the Pattern-Oriented Memory Forensics: A Pattern Language Approach, the 3rd edition of Accelerated Windows Malware Analysis with Memory Dumps, and the 4th edition of Advanced Windows Memory Dump Analysis with Data Structures books. This course also covers patterns of memory acquisition. It uses the latest WinDbg Preview and is optionally containerized.

Example slides for days 1-3
Example slides for days 4-5

Before the training, you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
  • Pattern-Oriented Memory Forensics: A Pattern Language Approach PDF book
  • Advanced Windows Memory Dump Analysis with Data Structures, Fourth Edition PDF book
  • Accelerated Windows Malware Analysis with Memory Dumps, Third Edition PDF book
  • The previous training recording
  • Access to Software Diagnostics Library with more than 370 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies

After the training, you also get:

  • The updated PDF books
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Current training sessions recording

Prerequisites: Working knowledge of Windows troubleshooting. Operating system internals concepts are explained when necessary.

Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.

Online Training: Accelerated Windows Postmortem Diagnostics and Debugging

Software Diagnostics Services organizes this online training course.

Accelerated Windows Postmortem Diagnostics and Debugging Logo

This comprehensive training includes more than 40 step-by-step exercises and covers more than 85 crash dump analysis patterns from x86 and x64 process, kernel, and complete (physical) memory dumps. Learn how to analyze application (native and .NET Core), service, and system crashes and freezes, navigate through memory dump space (managed and unmanaged code) and diagnose corruption, memory and handle leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention, and much more with the WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve, and it is based on the latest editions of the Accelerated Windows Memory Dump Analysis and Accelerated .NET Core Memory Dump Analysis books. It uses the latest WinDbg Preview and is optionally containerized.

Outline slides
Slides from Days 1-3
Slides from Days 4-6
Slides from Days 7-8

The differences between this training and the current book version:

  • You can ask questions
  • .NET Core exercises use the latest WinDbg Preview
  • Certificates and tests

Training outline:

  • Day 1 (2 hours): Overview. Native process memory dump analysis.
  • Day 2 (2 hours): Native process memory dump analysis.
  • Day 3 (2 hours): Native process memory dump analysis.
  • Day 4 (2 hours): .NET Core process memory dump analysis.
  • Day 5 (2 hours): .NET Core process memory dump analysis.
  • Day 6 (2 hours): Kernel memory dump analysis.
  • Day 7 (2 hours): Complete (physical) memory dump analysis.
  • Day 8 (Optional 2 hours): Additional Q&A and memory dump analysis if necessary. Tests.

Before the training, you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book (+300 pages)
  • The current PDF books (+900 pages)
  • The previous training recording
  • Access to Software Diagnostics Library with more than 370 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies

After the training, you also get:

  • The updated PDF books (including the new edition of .NET Core book)
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Current training sessions recording

Prerequisites: Basic Windows troubleshooting

Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.

If you are interested in Linux memory dump analysis there is another forthcoming training: Accelerated Linux Core Dump Analysis

Training: Accelerated Windows Malware Analysis with Memory Dumps

Software Diagnostics Services organizes this online training course.

Accelerated Windows Malware Analysis Logo

New dates/times TBD

Learn how to navigate process, kernel, and physical spaces and diagnose various malware patterns in Windows memory dump files. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of practical step-by-step, hands-on exercises using WinDbg, process, kernel, and complete memory dumps. The training covers more than 20 malware analysis patterns. The main audience is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to check for possible malware presence in cases of abnormal software behavior. The course will also be useful for software engineers, quality assurance and software maintenance engineers, security researchers, malware and memory forensics analysts who have never used WinDbg for analysis of computer memory. The new version uses the latest WinDbg Preview and is optionally containerized.

Slides from the previous training

Before the training, you get:

  • Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
  • The previous PDF book version of the training
  • Access to Software Diagnostics Library

After the training, you also get:

  • The new 3rd edition PDF book of the training
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Happy New Year 2021!

From Meta Trace, Message Invariant, and Counter Value trace and log analysis patterns:

Happy New Year 2020!

We resume our seasonal greetings in a memory dump analysis style. The new year number resembles the Regular Data analysis pattern seen in corrupt structures, heap, and pool entries. In our greeting case, this means that 2020 is everywhere. To model this anomalous condition, we created a simple C++ program that overwrites a structure containing a function pointer with the new year value written as a hexadecimal number (0x2020):

#include <vector>
#include <string>

using Execute = int (*)();

int ExecutePlans()
{
	return 0;
}

// The target structure: a std::vector header (24 bytes here, as the dx output
// below confirms), then the function pointer at +0x18, then the notes at +0x20.
struct Plans 
{
	std::vector<std::wstring> readingList;
	Execute func{ ExecutePlans };
	wchar_t notes[256];
} newYearPlans{};

// wmain is the MSVC wide-character entry point; the program is built for Windows.
int wmain()
{
	short y2020{ 0x2020 };

	// Deliberately overwrite the whole structure, 16 bits at a time, with 0x2020:
	// the vector header, the function pointer and the notes all become Regular Data.
	for (int i{ 0 }; i < sizeof(newYearPlans) / sizeof(y2020);
	   ++i)
	{
		*(reinterpret_cast<decltype(&y2020)>
		    (&newYearPlans) + i) = y2020;
	}

	// Indirect call through the corrupt pointer: control transfers to
	// 0x2020202020202020, which is not mapped, and the process faults.
	return newYearPlans.func();
}

When we launch the application, it crashes:

Because LocalDumps was enabled (the Windows Error Reporting registry key HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps, which saves a dump of any crashing process), we got a crash dump, which we open in WinDbg:

Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\MemoryDumps\2020.exe.9512.dmp]
User Mini Dump File with Full Memory: 
Only application data is available

Symbol search path is: srv*
Executable search path is: 
Windows 10 Version 18362 MP (8 procs) Free x64
Product: WinNt, suite: SingleUserTS
18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Debug session time: Sun Dec 29 22:54:00.000 2019 (UTC + 4:00)
System Uptime: 0 days 22:33:17.949
Process Uptime: 0 days 0:00:05.000
....
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(2528.2024): Access violation - code c0000005 
(first/second chance not available)
For analysis of this file, run !analyze -v
ntdll!NtWaitForMultipleObjects+0x14:
00007fff`be27cc14 c3              ret

Looking at the Stored Exception context (.ecxr), we see the Invalid Pointer pattern: the func code pointer holds Regular Data values, the 16-bit new year value repeated across all 8 bytes:

0:000> dx newYearPlans
newYearPlans                 [Type: Plans]
    [+0x000] readingList      : { size=0 } 
        [Type: std::vector...]
    [+0x018] func             : 0x2020202020202020 
        [Type: int (__cdecl*)()]
    [+0x020] notes            :
"†††††††††††††††††††††††††††††††††††††††††
†††††††††††††††††††††††††††††††††††††††††††
†††††††††††††††††††††††††††††††††††††††††††
†††††††††††††††††††††††††††††††††††††††††††
†††††††††††††††††††††††††††††††††††††††††††
†††††††††††††††††††††††††††††††††††††††††††???" [Type: wchar_t [256]]

0:000> du newYearPlans
00007ff7`88355a10  "††††††††††††††††††††††††††††††††"
00007ff7`88355a50  "††††††††††††††††††††††††††††††††"
00007ff7`88355a90  "††††††††††††††††††††††††††††††††"
00007ff7`88355ad0  "††††††††††††††††††††††††††††††††"
00007ff7`88355b10  "††††††††††††††††††††††††††††††††"
00007ff7`88355b50  "††††††††††††††††††††††††††††††††"
00007ff7`88355b90  "††††††††††††††††††††††††††††††††"
00007ff7`88355bd0  "††††††††††††††††††††††††††††††††"
00007ff7`88355c10  "††††††††††††††††."

0:000> da newYearPlans
00007ff7`88355a10  "                                "
00007ff7`88355a30  "                                "
00007ff7`88355a50  "                                "
00007ff7`88355a70  "                                "
00007ff7`88355a90  "                                "
00007ff7`88355ab0  "                                "
00007ff7`88355ad0  "                                "
00007ff7`88355af0  "                                "
00007ff7`88355b10  "                                "
00007ff7`88355b30  "                                "
00007ff7`88355b50  "                                "
00007ff7`88355b70  "                                "

0:000> dw newYearPlans
00007ff7`88355a10  2020 2020 2020 2020 2020 2020 2020 2020
00007ff7`88355a20  2020 2020 2020 2020 2020 2020 2020 2020
00007ff7`88355a30  2020 2020 2020 2020 2020 2020 2020 2020
00007ff7`88355a40  2020 2020 2020 2020 2020 2020 2020 2020
00007ff7`88355a50  2020 2020 2020 2020 2020 2020 2020 2020
00007ff7`88355a60  2020 2020 2020 2020 2020 2020 2020 2020
00007ff7`88355a70  2020 2020 2020 2020 2020 2020 2020 2020
00007ff7`88355a80  2020 2020 2020 2020 2020 2020 2020 2020

What caught our attention during exploratory dump analysis (EDA) is the UNICODE interpretation of the new year value in hexadecimal: read as UTF-16, 0x2020 is U+2020 DAGGER (†), which is why du and dx show rows of daggers, while da shows the same bytes as 0x20 spaces. This doesn't look good for software behavior. We hope this just means RIP 2019. As a New Year gift, we include a collection of memory analysis patterns from the Encyclopedia of Crash Dump Analysis Patterns that mention Regular Data.
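The questions an analyst asks when a listing looks like the one above (is the faulting pointer a repeated fill unit, what does it spell as 8-bit and as UTF-16 text, and how far did the overwrite extend through the structure) can be answered mechanically. The following helpers are an added example, not code from the original greeting or from the Software Diagnostics Library: the Plans field offsets (+0x18 for func, +0x20 for notes) are taken from the dx output above, the partially overwritten sample buffer is constructed here, and the function names (regularUnitSize, triagePointer, findRegularRuns16) are ours. Unlike the program above, it never calls through the corrupt pointer, so it runs safely anywhere.

```cpp
// Triage helpers for the Regular Data / Invalid Pointer patterns (added example).
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Smallest unit (1, 2 or 4 bytes) whose repetition reproduces all 8 bytes of
// `value`; 0 when the value is not regular. A zero value is reported as not
// regular because a NULL pointer is a different (and more benign) pattern.
size_t regularUnitSize(uint64_t value)
{
    if (value == 0) return 0;
    for (size_t unit = 1; unit <= 4; unit *= 2) {
        uint64_t mask = (1ull << (unit * 8)) - 1;
        uint64_t rebuilt = 0;
        for (size_t off = 0; off < 8; off += unit)
            rebuilt |= (value & mask) << (off * 8);
        if (rebuilt == value) return unit;
    }
    return 0;
}

struct PointerTriage {
    size_t unit;            // repeating unit size, 0 if the value is not regular
    bool asciiPrintable;    // every byte is printable ASCII: text, not code, landed here
    std::string ascii;      // 8-bit view of the bytes, what `da` showed (0x20 = space)
    std::u16string utf16;   // UTF-16LE view, what `du`/dx showed (0x2020 = U+2020 DAGGER)
};

PointerTriage triagePointer(uint64_t value)
{
    PointerTriage t{regularUnitSize(value), true, {}, {}};
    for (size_t i = 0; i < 8; ++i) {
        uint8_t b = static_cast<uint8_t>(value >> (i * 8));   // little-endian byte order
        t.asciiPrintable = t.asciiPrintable && b >= 0x20 && b < 0x7F;
        t.ascii.push_back(static_cast<char>(b));
    }
    for (size_t i = 0; i < 4; ++i)
        t.utf16.push_back(static_cast<char16_t>(value >> (i * 16)));
    return t;
}

struct RegularRun {
    size_t offset;   // byte offset of the first repeated unit
    size_t length;   // bytes covered by the run
    uint16_t unit;   // the repeated 16-bit value
};

// Find runs of one repeated 16-bit unit (2-byte aligned, like `dw`) that are at
// least minUnits long. The runs bound the overwritten extent inside a structure.
std::vector<RegularRun> findRegularRuns16(const std::vector<uint8_t>& mem, size_t minUnits)
{
    std::vector<RegularRun> runs;
    size_t i = 0;
    while (i + 2 <= mem.size()) {
        uint16_t unit;
        std::memcpy(&unit, &mem[i], 2);
        size_t j = i + 2;
        while (j + 2 <= mem.size()) {
            uint16_t next;
            std::memcpy(&next, &mem[j], 2);
            if (next != unit) break;
            j += 2;
        }
        size_t count = (j - i) / 2;
        // Zero fill is normal for zero-initialized memory; only non-zero fill is reported.
        if (unit != 0 && count >= minUnits)
            runs.push_back({i, count * 2, unit});
        i = j;
    }
    return runs;
}

// Constructed sample (assumed layout from the dx output): 0x18 bytes of vector
// header, the 8-byte func pointer at +0x18, 256 wchar_t of notes at +0x20. Here
// an overwrite started at func and ran 16 wchar_t into notes, a partial
// corruption that is harder to spot than the all-0x2020 case in the post.
const size_t kFuncOffset = 0x18;
const size_t kNotesOffset = 0x20;

std::vector<uint8_t> partiallyOverwrittenPlans()
{
    std::vector<uint8_t> mem(kNotesOffset + 256 * sizeof(char16_t), 0);
    size_t end = kNotesOffset + 16 * sizeof(char16_t);
    for (size_t off = kFuncOffset; off < end; off += 2) {
        uint16_t y2020 = 0x2020;
        std::memcpy(&mem[off], &y2020, 2);
    }
    return mem;
}

// The func slot as the CPU would load it (little-endian 64-bit value).
uint64_t funcPointerOf(const std::vector<uint8_t>& mem)
{
    uint64_t v;
    std::memcpy(&v, &mem[kFuncOffset], 8);
    return v;
}

int main()
{
    std::vector<uint8_t> mem = partiallyOverwrittenPlans();
    PointerTriage t = triagePointer(funcPointerOf(mem));
    std::printf("func = 0x%016llx unit=%zu printable=%d ascii=\"%s\"\n",
                (unsigned long long)funcPointerOf(mem), t.unit, (int)t.asciiPrintable,
                t.ascii.c_str());
    for (const RegularRun& r : findRegularRuns16(mem, 4))
        std::printf("regular run at +0x%zx: %zu bytes of 0x%04x\n", r.offset, r.length, r.unit);
    return 0;
}
```

For the greeting's pointer 0x2020202020202020 the triage reports a 1-byte unit, a printable 8-bit view of eight spaces and a UTF-16 view of four daggers, which is exactly what da, du and dx displayed; the constructed sample yields a single run of 0x2020 starting at +0x18 and covering 40 bytes, locating the overwrite at the function pointer and the first 16 characters of notes. A printable, regular pointer value is a strong hint that text or fill data, not a code address, reached the slot, which is why it is worth checking before following the stack. On a process built with Control Flow Guard the indirect call would be stopped by the guard check rather than reaching the access violation shown above, so the dump would look different even though the corruption is the same.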

2018 – The Year of Software Diagnostics Engineering

2017 was again a pivotal year for pattern-oriented software diagnostics with its software development turn, the birth of Software Diagnostics Engineering discipline and Diagnostics-Driven Development methodology. We look ahead to 2018 with more software engineering articles, descriptions of new DebugWare and DiagWare patterns, new projects, tools, training and reference books. The decade of 2010 – 2020 is the most prolific in software variety* during the short course of software evolution, an analog of the Cambrian explosion with emerging new forms of AI machines capable of learning. These are the most exciting times for software diagnostics.

Happy New Year!
Software Diagnostics Institute

* The Variety of Software: The Richness of Computation (ISBN: 978-1906717544, not yet published)

2017 – The Year of Theoretical Software Diagnostics

2016 was a pivotal year for pattern-oriented software diagnostics with its mathematical turn and the birth of theoretical software diagnostics discipline. We look ahead to 2017 with more theoretical articles, descriptions of diagnostic analysis patterns, and books already in the pipeline.

Happy New Year!
Software Diagnostics Institute

10 years!

On the 26th of March 2006, 10 years ago, dumpanalysis.org was registered! It was still a long way towards pattern-oriented software diagnostics. The main product of our activity, Memory Dump Analysis Anthology, is now in 10 books.
