SlideShare a Scribd company logo

Debugging TV Frame 0x09

Dmitry Vostokov
Dmitry Vostokov

This episode teaches how to catch data corruption using the combination of software and hardware breakpoints.

Software
1 of 8
Download to read offline
Frame 0x09 Presenter: Dmitry Vostokov Sponsors Debugging.TV
• Catching data corruption • Software and hardware breakpoints • Breakpoint strategy • Disabling and enabling breakpoints Topics © 2012 DumpAnalysis.org + TraceAnalysis.org
// Worker thread periodically writes a command to a controller // The controller is implemented as an address in memory // Corruption of controller memory value is modelled as an exception DWORD WINAPI WorkItemNormal(LPVOID lpParameter) { Controller = COMMAND; while(1) { Sleep(WAIT); if (Controller != COMMAND) { RaiseException(0xBADC, 0, 1, (const ULONG_PTR *)&Controller); } Controller = COMMAND; // we remember the address of this instruction } } Data Corruption © 2012 DumpAnalysis.org + TraceAnalysis.org
// Enable hardware write access breakpoint DWORD WINAPI WorkItemNormal(LPVOID lpParameter) { Controller = COMMAND; // expect a breakpoint hit here, ignore while(1) { Sleep(WAIT); if (Controller != COMMAND) { RaiseException(0xBADC, 0, 1, (const ULONG_PTR *)&Controller); } // Disable hardware write access breakpoint, ignore Controller = COMMAND; // Enable hardware write access breakpoint, resume } } Breakpoint Strategy © 2012 DumpAnalysis.org + TraceAnalysis.org
0:001> ba w4 Controller 0:001> bp MixedBreakpoints!WorkItemNormal+0x4a “bd 0; t“ * disable, skip 0:001> u MixedBreakpoints!WorkItemNormal+0x4a MixedBreakpoints!WorkItemNormal+0x4a: 00000001`3fe414ea c705ecaa000010000000 mov dword ptr [MixedBreakpoints!Controller (00000001`3fe4bfe0)],10h 00000001`3fe414f4 ebbd [...] 0:001> bp 00000001`3fe414f4 “be 0; g“ * enable, resume 0:001> bl 0 e 00000001`3f03bfe0 w 4 0001 (0001) 0:**** MixedBreakpoints!Controller 1 e 00000001`3f0314ea 0001 (0001) 0:**** MixedBreakpoints!WorkItemNormal+0x4a "bd 0; t" 2 e 00000001`3f0314f4 0001 (0001) 0:**** MixedBreakpoints!WorkItemNormal+0x54 "be 0; g" 0:001> g; g * we skip the first write Breakpoint 0 hit Breakpoint 0 hit MixedBreakpoints!WorkItemDefect+0x12: 00000001`3fdc1512 33c0 xor eax,eax 0:002> k Child-SP RetAddr Call Site 00000000`02f8fda8 00000000`02f8fdb0 00000000`76d5c521 kernel32!BaseThreadInitThunk+0xd 00000000`02f8fde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d Debugger Output © 2012 DumpAnalysis.org + TraceAnalysis.org
Commands © 2012 DumpAnalysis.org + TraceAnalysis.org ba – set hardware access breakpoint bp – set software code breakpoint bl – list breakpoints bd – disable breakpoint be – enable breakpoint t - trace one instruction
!Ad Hardcore Technical Support Training © 2012 DumpAnalysis.org + TraceAnalysis.org Advanced Windows Memory Dump Analysis Accelerated Windows Memory Dump AnalysisApril 11-16, 2012: April 20-23, 2012: Training Schedule Accelerated Software Trace AnalysisApril 27-30, 2012: Accelerated Mac OS X Core Dump Analysis Forthcoming: Linux Core Dump Analysis Introduction to Software Narratology (free)April 2, 2012:
Debugging.TV

Recommended

Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 
Ethereum virtual machine for Developers Part 1
Ethereum virtual machine for Developers Part 1Ethereum virtual machine for Developers Part 1
Ethereum virtual machine for Developers Part 1ArcBlock
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
 
主機自保指南
主機自保指南主機自保指南
主機自保指南維泰 蔡
 

Recommended

Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 
Ethereum virtual machine for Developers Part 1
Ethereum virtual machine for Developers Part 1Ethereum virtual machine for Developers Part 1
Ethereum virtual machine for Developers Part 1ArcBlock
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
 
主機自保指南
主機自保指南主機自保指南
主機自保指南維泰 蔡
 
Osol Pgsql
Osol PgsqlOsol Pgsql
Osol PgsqlEmanuel Calvo
 
Elixir @ Paris.rb
Elixir @ Paris.rbElixir @ Paris.rb
Elixir @ Paris.rbGregoire Lejeune
 
Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment isc2-hellenic
 
E nodeb useful commands for rf engineer
E nodeb useful commands for rf engineerE nodeb useful commands for rf engineer
E nodeb useful commands for rf engineerVishal Padhya
 
370410176 moshell-commands
370410176 moshell-commands370410176 moshell-commands
370410176 moshell-commandsnanker phelge
 
Rop and it's friends
Rop and it's friendsRop and it's friends
Rop and it's friendsnuc13us
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debuggingJungMinSEO5
 
One definition rule - что это такое, и как с этим жить
One definition rule - что это такое, и как с этим житьOne definition rule - что это такое, и как с этим жить
One definition rule - что это такое, и как с этим житьPlatonov Sergey
 
Bytes in the Machine: Inside the CPython interpreter
Bytes in the Machine: Inside the CPython interpreterBytes in the Machine: Inside the CPython interpreter
Bytes in the Machine: Inside the CPython interpreterakaptur
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Tzung-Bi Shih
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSDGiovanni Bechis
 
Rich and Snappy Apps (No Scaling Required)
Rich and Snappy Apps (No Scaling Required)Rich and Snappy Apps (No Scaling Required)
Rich and Snappy Apps (No Scaling Required)Thomas Fuchs
 
Ceph OSD Op trace
Ceph OSD Op traceCeph OSD Op trace
Ceph OSD Op trace畅 刘
 
Inspector - Node.js : Notes
Inspector - Node.js : NotesInspector - Node.js : Notes
Inspector - Node.js : NotesSubhajit Sahu
 
System Calls
System CallsSystem Calls
System CallsDavid Evans
 
Zone IDA Proc
Zone IDA ProcZone IDA Proc
Zone IDA ProcTzung-Bi Shih
 
Os Practical Assignment 1
Os Practical Assignment 1Os Practical Assignment 1
Os Practical Assignment 1Emmanuel Garcia
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練Sheng-Hao Ma
 
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...Migrating KSM page causes the VM lock up as the KSM page merging list is too ...
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...Gavin Guo
 
Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기Ji Hun Kim
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpyjduart
 

More Related Content

What's hot

Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment isc2-hellenic
 
E nodeb useful commands for rf engineer
E nodeb useful commands for rf engineerE nodeb useful commands for rf engineer
E nodeb useful commands for rf engineerVishal Padhya
 
370410176 moshell-commands
370410176 moshell-commands370410176 moshell-commands
370410176 moshell-commandsnanker phelge
 
Rop and it's friends
Rop and it's friendsRop and it's friends
Rop and it's friendsnuc13us
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debuggingJungMinSEO5
 
One definition rule - что это такое, и как с этим жить
One definition rule - что это такое, и как с этим житьOne definition rule - что это такое, и как с этим жить
One definition rule - что это такое, и как с этим житьPlatonov Sergey
 
Bytes in the Machine: Inside the CPython interpreter
Bytes in the Machine: Inside the CPython interpreterBytes in the Machine: Inside the CPython interpreter
Bytes in the Machine: Inside the CPython interpreterakaptur
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Tzung-Bi Shih
 
Rich and Snappy Apps (No Scaling Required)
Rich and Snappy Apps (No Scaling Required)Rich and Snappy Apps (No Scaling Required)
Rich and Snappy Apps (No Scaling Required)Thomas Fuchs
 
Ceph OSD Op trace
Ceph OSD Op traceCeph OSD Op trace
Ceph OSD Op trace畅 刘
 
Inspector - Node.js : Notes
Inspector - Node.js : NotesInspector - Node.js : Notes
Inspector - Node.js : NotesSubhajit Sahu
 
Os Practical Assignment 1
Os Practical Assignment 1Os Practical Assignment 1
Os Practical Assignment 1Emmanuel Garcia
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練Sheng-Hao Ma
 
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...Migrating KSM page causes the VM lock up as the KSM page merging list is too ...
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...Gavin Guo
 

What's hot (20)

Osol Pgsql
Osol PgsqlOsol Pgsql
Osol Pgsql
 
Elixir @ Paris.rb
Elixir @ Paris.rbElixir @ Paris.rb
Elixir @ Paris.rb
 
Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment
 
E nodeb useful commands for rf engineer
E nodeb useful commands for rf engineerE nodeb useful commands for rf engineer
E nodeb useful commands for rf engineer
 
370410176 moshell-commands
370410176 moshell-commands370410176 moshell-commands
370410176 moshell-commands
 
Rop and it's friends
Rop and it's friendsRop and it's friends
Rop and it's friends
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
One definition rule - что это такое, и как с этим жить
One definition rule - что это такое, и как с этим житьOne definition rule - что это такое, и как с этим жить
One definition rule - что это такое, и как с этим жить
 
Bytes in the Machine: Inside the CPython interpreter
Bytes in the Machine: Inside the CPython interpreterBytes in the Machine: Inside the CPython interpreter
Bytes in the Machine: Inside the CPython interpreter
 
A little systemtap
A little systemtapA little systemtap
A little systemtap
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSD
 
Rich and Snappy Apps (No Scaling Required)
Rich and Snappy Apps (No Scaling Required)Rich and Snappy Apps (No Scaling Required)
Rich and Snappy Apps (No Scaling Required)
 
Ceph OSD Op trace
Ceph OSD Op traceCeph OSD Op trace
Ceph OSD Op trace
 
Inspector - Node.js : Notes
Inspector - Node.js : NotesInspector - Node.js : Notes
Inspector - Node.js : Notes
 
System Calls
System CallsSystem Calls
System Calls
 
Zone IDA Proc
Zone IDA ProcZone IDA Proc
Zone IDA Proc
 
Os Practical Assignment 1
Os Practical Assignment 1Os Practical Assignment 1
Os Practical Assignment 1
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
 
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...Migrating KSM page causes the VM lock up as the KSM page merging list is too ...
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...
 

Similar to Debugging TV Frame 0x09

Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기Ji Hun Kim
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpyjduart
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5PRADEEP
 
Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6fisher.w.y
 
Hacklu11 Writeup
Hacklu11 WriteupHacklu11 Writeup
Hacklu11 Writeupnkslides
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Hot Code is Faster Code - Addressing JVM Warm-up
Hot Code is Faster Code - Addressing JVM Warm-upHot Code is Faster Code - Addressing JVM Warm-up
Hot Code is Faster Code - Addressing JVM Warm-upMark Price
 
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...Andrey Karpov
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsAsuka Nakajima
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationKernel TLV
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
 
Realization of an 8 bit pipelined microprocessor in verilog hdl
Realization of an 8 bit pipelined microprocessor in verilog hdlRealization of an 8 bit pipelined microprocessor in verilog hdl
Realization of an 8 bit pipelined microprocessor in verilog hdlAlexander Decker
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_royRoy
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 

Similar to Debugging TV Frame 0x09 (20)

Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpy
 
Marat-Slides
Marat-SlidesMarat-Slides
Marat-Slides
 
3
33
3
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
 
EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5
 
Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6Rootkit on Linux X86 v2.6
Rootkit on Linux X86 v2.6
 
8051 MC.pptx
8051 MC.pptx8051 MC.pptx
8051 MC.pptx
 
Hacklu11 Writeup
Hacklu11 WriteupHacklu11 Writeup
Hacklu11 Writeup
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Lampiran 1.programdocx
Lampiran 1.programdocxLampiran 1.programdocx
Lampiran 1.programdocx
 
Hot Code is Faster Code - Addressing JVM Warm-up
Hot Code is Faster Code - Addressing JVM Warm-upHot Code is Faster Code - Addressing JVM Warm-up
Hot Code is Faster Code - Addressing JVM Warm-up
 
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
 
Realization of an 8 bit pipelined microprocessor in verilog hdl
Realization of an 8 bit pipelined microprocessor in verilog hdlRealization of an 8 bit pipelined microprocessor in verilog hdl
Realization of an 8 bit pipelined microprocessor in verilog hdl
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_roy
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 

More from Dmitry Vostokov

Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesDmitry Vostokov
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesDmitry Vostokov
 

More from Dmitry Vostokov (20)

Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slides
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slides
 
Debugging TV Frame 0x1C
Debugging TV Frame 0x1CDebugging TV Frame 0x1C
Debugging TV Frame 0x1C
 
Debugging TV Frame 0x1A
Debugging TV Frame 0x1ADebugging TV Frame 0x1A
Debugging TV Frame 0x1A
 
Debugging TV Frame 0x34
Debugging TV Frame 0x34Debugging TV Frame 0x34
Debugging TV Frame 0x34
 
Debugging TV Frame 0x33
Debugging TV Frame 0x33Debugging TV Frame 0x33
Debugging TV Frame 0x33
 
Debugging TV Frame 0x31
Debugging TV Frame 0x31Debugging TV Frame 0x31
Debugging TV Frame 0x31
 
Debugging TV Frame 0x25
Debugging TV Frame 0x25Debugging TV Frame 0x25
Debugging TV Frame 0x25
 
Debugging TV Frame 0x24
Debugging TV Frame 0x24Debugging TV Frame 0x24
Debugging TV Frame 0x24
 
Debugging TV Frame 0x21
Debugging TV Frame 0x21Debugging TV Frame 0x21
Debugging TV Frame 0x21
 
Debugging TV Frame 0x20
Debugging TV Frame 0x20Debugging TV Frame 0x20
Debugging TV Frame 0x20
 
Debugging TV Frame 0x19
Debugging TV Frame 0x19Debugging TV Frame 0x19
Debugging TV Frame 0x19
 
Debugging TV Frame 0x18
Debugging TV Frame 0x18Debugging TV Frame 0x18
Debugging TV Frame 0x18
 
Debugging TV Frame 0x17
Debugging TV Frame 0x17Debugging TV Frame 0x17
Debugging TV Frame 0x17
 
Debugging TV Frame 0x16
Debugging TV Frame 0x16Debugging TV Frame 0x16
Debugging TV Frame 0x16
 
Debugging TV Frame 0x15
Debugging TV Frame 0x15Debugging TV Frame 0x15
Debugging TV Frame 0x15
 
Debugging TV Frame 0x14
Debugging TV Frame 0x14Debugging TV Frame 0x14
Debugging TV Frame 0x14
 
Debugging TV Frame 0x13
Debugging TV Frame 0x13Debugging TV Frame 0x13
Debugging TV Frame 0x13
 
Debugging TV Frame 0x12
Debugging TV Frame 0x12Debugging TV Frame 0x12
Debugging TV Frame 0x12
 
Debugging TV Frame 0x11
Debugging TV Frame 0x11Debugging TV Frame 0x11
Debugging TV Frame 0x11
 

Recently uploaded

Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 

Recently uploaded (20)

Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 

Debugging TV Frame 0x09

  • 1. Frame 0x09 Presenter: Dmitry Vostokov Sponsors Debugging.TV
  • 2. • Catching data corruption • Software and hardware breakpoints • Breakpoint strategy • Disabling and enabling breakpoints Topics © 2012 DumpAnalysis.org + TraceAnalysis.org
  • 3. // Worker thread periodically writes a command to a controller // The controller is implemented as an address in memory // Corruption of controller memory value is modelled as an exception DWORD WINAPI WorkItemNormal(LPVOID lpParameter) { Controller = COMMAND; while(1) { Sleep(WAIT); if (Controller != COMMAND) { RaiseException(0xBADC, 0, 1, (const ULONG_PTR *)&Controller); } Controller = COMMAND; // we remember the address of this instruction } } Data Corruption © 2012 DumpAnalysis.org + TraceAnalysis.org
  • 4. // Enable hardware write access breakpoint DWORD WINAPI WorkItemNormal(LPVOID lpParameter) { Controller = COMMAND; // expect a breakpoint hit here, ignore while(1) { Sleep(WAIT); if (Controller != COMMAND) { RaiseException(0xBADC, 0, 1, (const ULONG_PTR *)&Controller); } // Disable hardware write access breakpoint, ignore Controller = COMMAND; // Enable hardware write access breakpoint, resume } } Breakpoint Strategy © 2012 DumpAnalysis.org + TraceAnalysis.org
  • 5. 0:001> ba w4 Controller 0:001> bp MixedBreakpoints!WorkItemNormal+0x4a “bd 0; t“ * disable, skip 0:001> u MixedBreakpoints!WorkItemNormal+0x4a MixedBreakpoints!WorkItemNormal+0x4a: 00000001`3fe414ea c705ecaa000010000000 mov dword ptr [MixedBreakpoints!Controller (00000001`3fe4bfe0)],10h 00000001`3fe414f4 ebbd [...] 0:001> bp 00000001`3fe414f4 “be 0; g“ * enable, resume 0:001> bl 0 e 00000001`3f03bfe0 w 4 0001 (0001) 0:**** MixedBreakpoints!Controller 1 e 00000001`3f0314ea 0001 (0001) 0:**** MixedBreakpoints!WorkItemNormal+0x4a "bd 0; t" 2 e 00000001`3f0314f4 0001 (0001) 0:**** MixedBreakpoints!WorkItemNormal+0x54 "be 0; g" 0:001> g; g * we skip the first write Breakpoint 0 hit Breakpoint 0 hit MixedBreakpoints!WorkItemDefect+0x12: 00000001`3fdc1512 33c0 xor eax,eax 0:002> k Child-SP RetAddr Call Site 00000000`02f8fda8 00000000`02f8fdb0 00000000`76d5c521 kernel32!BaseThreadInitThunk+0xd 00000000`02f8fde0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d Debugger Output © 2012 DumpAnalysis.org + TraceAnalysis.org
  • 6. Commands © 2012 DumpAnalysis.org + TraceAnalysis.org ba – set hardware access breakpoint bp – set software code breakpoint bl – list breakpoints bd – disable breakpoint be – enable breakpoint t - trace one instruction
  • 7. !Ad Hardcore Technical Support Training © 2012 DumpAnalysis.org + TraceAnalysis.org Advanced Windows Memory Dump Analysis Accelerated Windows Memory Dump AnalysisApril 11-16, 2012: April 20-23, 2012: Training Schedule Accelerated Software Trace AnalysisApril 27-30, 2012: Accelerated Mac OS X Core Dump Analysis Forthcoming: Linux Core Dump Analysis Introduction to Software Narratology (free)April 2, 2012: