SlideShare a Scribd company logo

Debugging TV Frame 0x1C

Dmitry Vostokov
Dmitry Vostokov

This episode shows process, kernel, complete and fibre bundle memory dump analysis using WinDbg and examples from Windows 8.1. Shows new changes in Explorer process. Covers Zombie Process, Spiking Thread, and Coincidental Symbolic Information memory analysis patterns.

Software
1 of 8
Download to read offline
Frame 0x1C Presenter: Dmitry Vostokov Sponsors Debugging.TV
• The life without LSASS • Fibre bundle memory dumps • Zero threads on Windows 8.1 • Windows 8.1 File Explorer threads Topics © 2013 Software Diagnostics Institute
Fibre Bundle © 2013 Software Diagnostics Institute KernelVirtualSpace Process Virtual User Space Process Virtual User Space Process Virtual User Space Process Virtual User Space
THREAD ffffe000006f4880 Cid 0214.063c Teb: 00007ff70c1a4000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable SuspendCount 1 ffffe000006f4b60 NotificationEvent Not impersonating DeviceMap ffffc00001c145c0 Owning Process ffffe000021fd900 Image: explorer.exe Attached Process N/A Image: N/A Wait Start TickCount 255497 Ticks: 32955 (0:00:08:34.921) Context Switch Count 2 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x00007ffe14aed6bc Stack Init ffffd00022119dd0 Current ffffd00022119500 Base ffffd0002211a000 Limit ffffd00022114000 Call 0 Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site ffffd000`22119540 fffff802`c572c90e nt!KiSwapContext+0x76 ffffd000`22119680 fffff802`c572c3a7 nt!KiSwapThread+0x14e ffffd000`22119720 fffff802`c56c39a8 nt!KiCommitThreadWait+0x127 ffffd000`22119780 fffff802`c577ce64 nt!KeWaitForSingleObject+0x248 ffffd000`22119820 fffff802`c572e289 nt!KiSchedulerApc+0x94 ffffd000`22119880 fffff802`c57daa23 nt!KiDeliverApc+0x209 ffffd000`22119900 fffff802`c5ac325c nt!KiApcInterrupt+0xc3 (TrapFrame @ ffffd000`22119900) ffffd000`22119a90 fffff802`c57dc3f5 nt!PspUserThreadStartup+0x18 ffffd000`22119b00 fffff802`c57dc377 nt!KiStartUserThread+0x16 ffffd000`22119c40 00007ffe`1e2a43b4 nt!KiStartUserThreadReturn (TrapFrame @ ffffd000`22119c40) 00000000`0d49fcb8 00000000`00000000 0x00007ffe`1e2a43b4 74 Id: 214.63c Suspend: 1 Teb: 00007ff7`0c1a4000 Unfrozen Child-SP RetAddr Call Site 00000000`0d49fcb8 00000000`00000000 ntdll!RtlUserThreadStart Zero Threads © 2013 Software Diagnostics Institute
T0:000> !runaway User Mode Time Thread Time 44:1ec 0 days 0:00:20.312 32:790 0 days 0:00:02.640 […] 0:000> ~44kc Call Site gdi32!NtGdiStretchBlt gdi32!StretchBlt GdiPlus!EpScanGdiDci::ProcessBatch_Gdi_Batch GdiPlus!EpScanGdiDci::EmptyBatch GdiPlus!EpScanBufferNative<unsigned long>::~EpScanBufferNative<unsigned long> GdiPlus!DpDriver::FillPath GdiPlus!DriverGdi::FillPath GdiPlus!GpGraphics::DrvFillPath GdiPlus!GpGraphics::RenderFillPath GdiPlus!GpGraphics::FillPolygon GdiPlus!GdipFillPolygon GdiPlus!GdipFillPolygonI chartv!CvPaintSurface::Polyline chartv!CvLine::Render chartv!CvLineChart::Render chartv!CvWindow::WindowMessages user32!UserCallWinProcCheckWow user32!CallWindowProcW duser!WndBridge::RawWndProc user32!UserCallWinProcCheckWow user32!SendMessageWorker user32!SendMessageW shell32!COperationStatusTileRateChart::_DrawChart shell32!COperationStatusTileRateChart::_PaintOverlay shell32!COperationStatusTileRateChart::_OverlayBufferedPaint shell32!COperationStatusTileRateChart::_OverlayWindowProcedure shell32!COperationStatusTileRateChart::s_OverlayWindowProcedure […] When CPU Spike is Normal © 2013 Software Diagnostics Institute
0:000> ~1kc ; Windows 8.0 Call Site user32!NtUserWaitAvailableMessageEx explorer!CTray::_MessageLoop explorer!CTray::MainThreadProc SHCore!COplockFileHandle::v_GetHandlerCLSID kernel32!BaseThreadInitThunk ntdll!RtlUserThreadStart 0:000> ~2kc ; Windows 8.1 – coincidental symbolic information Call Site user32!NtUserWaitAvailableMessageEx explorer!CTray::_MessageLoop explorer!CTray::MainThreadProc SHCore!Microsoft::WRL::Details::ImplementsHelper<Microsoft::WRL::RuntimeClassFlags <3>,Microsoft::WRL::Details::InterfaceList<Microsoft::WRL::CloakedIid<IInputStream Priv>,Microsoft::WRL::Details::InterfaceList<Microsoft::WRL::CloakedIid<CFTMCrossP rocServer>,Microsoft::WRL::Details::Nil> >,1,0>::CanCastTo kernel32!BaseThreadInitThunk ntdll!RtlUserThreadStart WRL © 2013 Software Diagnostics Institute
!Ad Hardcore Software Diagnostics Training 2014 Psychology of Software Diagnostics (FREE) Semiotics of Debugging (FREE) Generative Software Narratology (FREE) Software Diagnostics: Requirements, Architecture, Design, Implementation and Improvement (FREE) December 6-9, 2013 Advanced Windows Memory Dump Analysis with Data Structures December 13-16, 2013 Deep Down C++ January 6, 2014 Pattern-Oriented Software Forensics © 2013 Software Diagnostics Institute
Debugging.TV Now on YouTube! http://www.youtube.com/DebuggingTV

Recommended

Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
DefconRussia
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
Mattia Salvi
 
Windows Kernel Debugging
Windows Kernel DebuggingWindows Kernel Debugging
Windows Kernel Debugging
Thomas Roccia
 
Reverse eningeering
Reverse eningeeringReverse eningeering
Reverse eningeering
Kent Huang
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON
 
Debugging TV Frame 0x16
Debugging TV Frame 0x16Debugging TV Frame 0x16
Debugging TV Frame 0x16
Dmitry Vostokov
 
SANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry AnalysisSANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry Analysis
mooyix
 
Ghosterr
GhosterrGhosterr
Ghosterr
abelino22
 

Recommended

Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
DefconRussia
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
Mattia Salvi
 
Windows Kernel Debugging
Windows Kernel DebuggingWindows Kernel Debugging
Windows Kernel Debugging
Thomas Roccia
 
Reverse eningeering
Reverse eningeeringReverse eningeering
Reverse eningeering
Kent Huang
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON
 
Debugging TV Frame 0x16
Debugging TV Frame 0x16Debugging TV Frame 0x16
Debugging TV Frame 0x16
Dmitry Vostokov
 
SANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry AnalysisSANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry Analysis
mooyix
 
Ghosterr
GhosterrGhosterr
Ghosterr
abelino22
 
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Dmitry Vostokov
 
Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisFundamentals of Physical Memory Analysis
Fundamentals of Physical Memory Analysis
Dmitry Vostokov
 
Debugging TV Frame 0x34
Debugging TV Frame 0x34Debugging TV Frame 0x34
Debugging TV Frame 0x34
Dmitry Vostokov
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
SdE2 - Pilot Tock
SdE2 - Pilot TockSdE2 - Pilot Tock
SdE2 - Pilot Tock
Alexandru Radovici
 
Sourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team LabsSourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team Labs
losalamos
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Dmitry Vostokov
 
Positive Hack Days. Oleksyuk. Automatic Search for Vulnerabilities in Program...
Positive Hack Days. Oleksyuk. Automatic Search for Vulnerabilities in Program...Positive Hack Days. Oleksyuk. Automatic Search for Vulnerabilities in Program...
Positive Hack Days. Oleksyuk. Automatic Search for Vulnerabilities in Program...
Positive Hack Days
 
A New Framework for Detection
A New Framework for DetectionA New Framework for Detection
A New Framework for Detection
Sourcefire VRT
 
Windows 10 IoT Core
Windows 10 IoT CoreWindows 10 IoT Core
Windows 10 IoT Core
Canada's Technology Triangle .NET User Group
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
Arno Huetter
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Yulia Tsisyk
 
LinuxAlt 2013: Writing a driver for unknown USB device
LinuxAlt 2013: Writing a driver for unknown USB deviceLinuxAlt 2013: Writing a driver for unknown USB device
LinuxAlt 2013: Writing a driver for unknown USB device
Lubomir Rintel
 
Debugging TV Frame 0x15
Debugging TV Frame 0x15Debugging TV Frame 0x15
Debugging TV Frame 0x15
Dmitry Vostokov
 
Dx diag 21102014
Dx diag 21102014Dx diag 21102014
Dx diag 21102014
Febryan Arif Pratama
 
Network operating systems
Network operating systemsNetwork operating systems
Network operating systems
Ankit Kumar
 
Network operating systems
Network operating systemsNetwork operating systems
Network operating systems
SMK Informatika Wonosobo
 
Final
FinalFinal
Final
siddhu1992
 
Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slides
Dmitry Vostokov
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slides
Dmitry Vostokov
 

More Related Content

Similar to Debugging TV Frame 0x1C

Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Yulia Tsisyk
 
Network operating systems
Network operating systemsNetwork operating systems
Network operating systems
Ankit Kumar
 

Similar to Debugging TV Frame 0x1C (20)

Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
 
Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisFundamentals of Physical Memory Analysis
Fundamentals of Physical Memory Analysis
 
Debugging TV Frame 0x34
Debugging TV Frame 0x34Debugging TV Frame 0x34
Debugging TV Frame 0x34
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
SdE2 - Pilot Tock
SdE2 - Pilot TockSdE2 - Pilot Tock
SdE2 - Pilot Tock
 
Sourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team LabsSourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team Labs
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump Analysis
 
Positive Hack Days. Oleksyuk. Automatic Search for Vulnerabilities in Program...
Positive Hack Days. Oleksyuk. Automatic Search for Vulnerabilities in Program...Positive Hack Days. Oleksyuk. Automatic Search for Vulnerabilities in Program...
Positive Hack Days. Oleksyuk. Automatic Search for Vulnerabilities in Program...
 
A New Framework for Detection
A New Framework for DetectionA New Framework for Detection
A New Framework for Detection
 
Windows 10 IoT Core
Windows 10 IoT CoreWindows 10 IoT Core
Windows 10 IoT Core
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
 
LinuxAlt 2013: Writing a driver for unknown USB device
LinuxAlt 2013: Writing a driver for unknown USB deviceLinuxAlt 2013: Writing a driver for unknown USB device
LinuxAlt 2013: Writing a driver for unknown USB device
 
Debugging TV Frame 0x15
Debugging TV Frame 0x15Debugging TV Frame 0x15
Debugging TV Frame 0x15
 
Dx diag 21102014
Dx diag 21102014Dx diag 21102014
Dx diag 21102014
 
Network operating systems
Network operating systemsNetwork operating systems
Network operating systems
 
Network operating systems
Network operating systemsNetwork operating systems
Network operating systems
 
Final
FinalFinal
Final
 

More from Dmitry Vostokov

Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slides
Dmitry Vostokov
 

More from Dmitry Vostokov (20)

Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slides
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slides
 
Debugging TV Frame 0x1A
Debugging TV Frame 0x1ADebugging TV Frame 0x1A
Debugging TV Frame 0x1A
 
Debugging TV Frame 0x33
Debugging TV Frame 0x33Debugging TV Frame 0x33
Debugging TV Frame 0x33
 
Debugging TV Frame 0x31
Debugging TV Frame 0x31Debugging TV Frame 0x31
Debugging TV Frame 0x31
 
Debugging TV Frame 0x25
Debugging TV Frame 0x25Debugging TV Frame 0x25
Debugging TV Frame 0x25
 
Debugging TV Frame 0x24
Debugging TV Frame 0x24Debugging TV Frame 0x24
Debugging TV Frame 0x24
 
Debugging TV Frame 0x21
Debugging TV Frame 0x21Debugging TV Frame 0x21
Debugging TV Frame 0x21
 
Debugging TV Frame 0x20
Debugging TV Frame 0x20Debugging TV Frame 0x20
Debugging TV Frame 0x20
 
Debugging TV Frame 0x19
Debugging TV Frame 0x19Debugging TV Frame 0x19
Debugging TV Frame 0x19
 
Debugging TV Frame 0x18
Debugging TV Frame 0x18Debugging TV Frame 0x18
Debugging TV Frame 0x18
 
Debugging TV Frame 0x17
Debugging TV Frame 0x17Debugging TV Frame 0x17
Debugging TV Frame 0x17
 
Debugging TV Frame 0x14
Debugging TV Frame 0x14Debugging TV Frame 0x14
Debugging TV Frame 0x14
 
Debugging TV Frame 0x13
Debugging TV Frame 0x13Debugging TV Frame 0x13
Debugging TV Frame 0x13
 
Debugging TV Frame 0x12
Debugging TV Frame 0x12Debugging TV Frame 0x12
Debugging TV Frame 0x12
 
Debugging TV Frame 0x11
Debugging TV Frame 0x11Debugging TV Frame 0x11
Debugging TV Frame 0x11
 
Debugging TV Frame 0x10
Debugging TV Frame 0x10Debugging TV Frame 0x10
Debugging TV Frame 0x10
 
Debugging TV Frame 0x0F
Debugging TV Frame 0x0FDebugging TV Frame 0x0F
Debugging TV Frame 0x0F
 
Debugging TV Frame 0x0D
Debugging TV Frame 0x0DDebugging TV Frame 0x0D
Debugging TV Frame 0x0D
 
Debugging TV Frame 0x0C
Debugging TV Frame 0x0CDebugging TV Frame 0x0C
Debugging TV Frame 0x0C
 

Recently uploaded

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 

Recently uploaded (20)

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 

Debugging TV Frame 0x1C

  • 1. Frame 0x1C Presenter: Dmitry Vostokov Sponsors Debugging.TV
  • 2. • The life without LSASS • Fibre bundle memory dumps • Zero threads on Windows 8.1 • Windows 8.1 File Explorer threads Topics © 2013 Software Diagnostics Institute
  • 3. Fibre Bundle © 2013 Software Diagnostics Institute KernelVirtualSpace Process Virtual User Space Process Virtual User Space Process Virtual User Space Process Virtual User Space
  • 4. THREAD ffffe000006f4880 Cid 0214.063c Teb: 00007ff70c1a4000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable SuspendCount 1 ffffe000006f4b60 NotificationEvent Not impersonating DeviceMap ffffc00001c145c0 Owning Process ffffe000021fd900 Image: explorer.exe Attached Process N/A Image: N/A Wait Start TickCount 255497 Ticks: 32955 (0:00:08:34.921) Context Switch Count 2 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x00007ffe14aed6bc Stack Init ffffd00022119dd0 Current ffffd00022119500 Base ffffd0002211a000 Limit ffffd00022114000 Call 0 Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site ffffd000`22119540 fffff802`c572c90e nt!KiSwapContext+0x76 ffffd000`22119680 fffff802`c572c3a7 nt!KiSwapThread+0x14e ffffd000`22119720 fffff802`c56c39a8 nt!KiCommitThreadWait+0x127 ffffd000`22119780 fffff802`c577ce64 nt!KeWaitForSingleObject+0x248 ffffd000`22119820 fffff802`c572e289 nt!KiSchedulerApc+0x94 ffffd000`22119880 fffff802`c57daa23 nt!KiDeliverApc+0x209 ffffd000`22119900 fffff802`c5ac325c nt!KiApcInterrupt+0xc3 (TrapFrame @ ffffd000`22119900) ffffd000`22119a90 fffff802`c57dc3f5 nt!PspUserThreadStartup+0x18 ffffd000`22119b00 fffff802`c57dc377 nt!KiStartUserThread+0x16 ffffd000`22119c40 00007ffe`1e2a43b4 nt!KiStartUserThreadReturn (TrapFrame @ ffffd000`22119c40) 00000000`0d49fcb8 00000000`00000000 0x00007ffe`1e2a43b4 74 Id: 214.63c Suspend: 1 Teb: 00007ff7`0c1a4000 Unfrozen Child-SP RetAddr Call Site 00000000`0d49fcb8 00000000`00000000 ntdll!RtlUserThreadStart Zero Threads © 2013 Software Diagnostics Institute
  • 5. T0:000> !runaway User Mode Time Thread Time 44:1ec 0 days 0:00:20.312 32:790 0 days 0:00:02.640 […] 0:000> ~44kc Call Site gdi32!NtGdiStretchBlt gdi32!StretchBlt GdiPlus!EpScanGdiDci::ProcessBatch_Gdi_Batch GdiPlus!EpScanGdiDci::EmptyBatch GdiPlus!EpScanBufferNative<unsigned long>::~EpScanBufferNative<unsigned long> GdiPlus!DpDriver::FillPath GdiPlus!DriverGdi::FillPath GdiPlus!GpGraphics::DrvFillPath GdiPlus!GpGraphics::RenderFillPath GdiPlus!GpGraphics::FillPolygon GdiPlus!GdipFillPolygon GdiPlus!GdipFillPolygonI chartv!CvPaintSurface::Polyline chartv!CvLine::Render chartv!CvLineChart::Render chartv!CvWindow::WindowMessages user32!UserCallWinProcCheckWow user32!CallWindowProcW duser!WndBridge::RawWndProc user32!UserCallWinProcCheckWow user32!SendMessageWorker user32!SendMessageW shell32!COperationStatusTileRateChart::_DrawChart shell32!COperationStatusTileRateChart::_PaintOverlay shell32!COperationStatusTileRateChart::_OverlayBufferedPaint shell32!COperationStatusTileRateChart::_OverlayWindowProcedure shell32!COperationStatusTileRateChart::s_OverlayWindowProcedure […] When CPU Spike is Normal © 2013 Software Diagnostics Institute
  • 6. 0:000> ~1kc ; Windows 8.0 Call Site user32!NtUserWaitAvailableMessageEx explorer!CTray::_MessageLoop explorer!CTray::MainThreadProc SHCore!COplockFileHandle::v_GetHandlerCLSID kernel32!BaseThreadInitThunk ntdll!RtlUserThreadStart 0:000> ~2kc ; Windows 8.1 – coincidental symbolic information Call Site user32!NtUserWaitAvailableMessageEx explorer!CTray::_MessageLoop explorer!CTray::MainThreadProc SHCore!Microsoft::WRL::Details::ImplementsHelper<Microsoft::WRL::RuntimeClassFlags <3>,Microsoft::WRL::Details::InterfaceList<Microsoft::WRL::CloakedIid<IInputStream Priv>,Microsoft::WRL::Details::InterfaceList<Microsoft::WRL::CloakedIid<CFTMCrossP rocServer>,Microsoft::WRL::Details::Nil> >,1,0>::CanCastTo kernel32!BaseThreadInitThunk ntdll!RtlUserThreadStart WRL © 2013 Software Diagnostics Institute
  • 7. !Ad Hardcore Software Diagnostics Training 2014 Psychology of Software Diagnostics (FREE) Semiotics of Debugging (FREE) Generative Software Narratology (FREE) Software Diagnostics: Requirements, Architecture, Design, Implementation and Improvement (FREE) December 6-9, 2013 Advanced Windows Memory Dump Analysis with Data Structures December 13-16, 2013 Deep Down C++ January 6, 2014 Pattern-Oriented Software Forensics © 2013 Software Diagnostics Institute