Windows Crash Dump Analysis

More info on http://www.techdays.be.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,492
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
60
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Windows Crash Dump Analysis

  1.
     • Understanding Windows Crashes
     • Analyzing Windows Crashes
     • Introducing Driver Verifier
     • Performing Manual Analysis
     • Advanced Debugging Techniques
  2.
     • 7 years working at Microsoft
     • 3 years at Digital Equipment Corporation
     • Instructor with David Solomon
  3.
     • Why analyze a Windows crash?
  4.
     • The result of an unhandled exception
     • A device driver detects an unrecoverable condition
     • The result of a hardware failure
  5.
     • KeBugCheckEx, the Windows kernel API, is called
  6.
     • Disables all interrupts
     • Freezes all CPUs and notifies any registered drivers
     • Writes a crash dump to disk and restarts
  7.
     • Documented in the Windows Driver Kit
     • Reference included with the Debugging Tools
     • Viewable using the kernel debugger
  8.
     • Small memory dump
     • Kernel memory dump
     • Complete memory dump
  9.
     • Use any one of the Microsoft kernel debuggers
     • Configure the debugger to point to symbols
     • Troubleshoot symbol loading errors with !sym noisy
  10.
     • The debugger performs basic crash analysis
     • The result of executing the !analyze command
     • Can be disabled if desired
  11. Demo
  12.
     • Registers, small areas of extremely fast storage
     • Usually measured by the number of bits they hold
     • x86 architecture provides 16 basic program registers
     • x64 adds an additional 8 general-purpose registers
  14. Demo
  15.
     • Useful for identifying code defects in drivers
     • Included as part of the operating system
     • Required for Windows logo certification
  16.
     • Configurable using the Driver Verifier tool
     • Contains standard settings for common defects
     • Support for using a command line interface
  17. Demo
  18.
     • !analyze doesn't always offer results
     • Several useful commands and techniques
     • Additional manual analysis techniques
  19. Demo
  20.
     • Support for attaching a kernel debugger
     • The system must be started in debugging mode
     • Required for debugging initialization failures
  21.
     • Possible for systems to become unresponsive
     • Instant system lockup
     • Slow grinding to a halt
  22.
     • Using a PS/2 keyboard
     • Using a built-in NMI button
     • Using the kernel debugger
  23. Demo
  24.
     • Windows Internals, 5th Edition
     • Memory Dump, Software Trace, Debugging, Malware and Intelligence Analysis Portal
     • Advanced Windows Debugging and Troubleshooting
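The deck names the three dump types (slide 8), the Driver Verifier command line (slide 16) and the PS/2-keyboard method of forcing a crash on a hung system (slide 22) but does not show how a machine is prepared for them. The script below is an added example written for this page, not material from the talk; it reads and sets the documented CrashControl and i8042prt registry values that control those behaviours and assumes it is run from an elevated Windows PowerShell session.

```powershell
# Added example (not from the talk): inspect and configure the crash-dump
# settings behind slides 8, 16 and 22. Run elevated; changes apply after a reboot.
$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$i8042        = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'

# Documented CrashDumpEnabled values for the CrashControl key
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
                3 = 'Small memory dump (64 KB)'; 7 = 'Automatic memory dump' }

function Get-CrashDumpConfig {
    $cc = Get-ItemProperty -Path $crashControl
    $kbd = Get-ItemProperty -Path $i8042 -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DumpType      = $dumpTypes[[int]$cc.CrashDumpEnabled]
        DumpFile      = $cc.DumpFile          # default %SystemRoot%\MEMORY.DMP
        MinidumpDir   = $cc.MinidumpDir       # where small dumps are written
        AutoReboot    = [bool]$cc.AutoReboot
        # CrashOnCtrlScroll = 1 lets Right Ctrl + Scroll Lock (twice) on a PS/2
        # keyboard bug check a hung box with 0xE2 MANUALLY_INITIATED_CRASH (slide 22)
        KeyboardCrash = [bool]$kbd.CrashOnCtrlScroll
    }
}

function Set-CrashDumpConfig {
    param(
        [ValidateSet('Small', 'Kernel', 'Complete')][string]$DumpType = 'Kernel',
        [switch]$EnableKeyboardCrash
    )
    $code = @{ Small = 3; Kernel = 2; Complete = 1 }[$DumpType]
    Set-ItemProperty -Path $crashControl -Name CrashDumpEnabled -Value $code -Type DWord
    # Leave the stop screen up instead of rebooting straight away
    Set-ItemProperty -Path $crashControl -Name AutoReboot -Value 0 -Type DWord
    if ($EnableKeyboardCrash) {
        New-Item -Path $i8042 -Force | Out-Null
        Set-ItemProperty -Path $i8042 -Name CrashOnCtrlScroll -Value 1 -Type DWord
    }
}

# Driver Verifier from the command line (slide 16): standard checks on one driver.
# Use `verifier.exe /reset` after the repro to remove them again.
function Enable-StandardVerifier([string]$DriverFile) {
    verifier.exe /standard /driver $DriverFile
}

Get-CrashDumpConfig | Format-List
```

A kernel memory dump is the usual trade-off for driver analysis: it carries the kernel-mode pages that `!analyze` and manual stack walks need without the full size of a complete dump.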
