The slides from Software Diagnostics Services Accelerated Disassembly, Reconstruction and Reversing training. The training description: "Learn disassembly, execution history reconstruction and binary reversing techniques for better software diagnostics. troubleshooting and debugging on x64 Windows platforms. We use a unique and innovative pattern-driven analysis approach to speed up the learning curve. The training consists of practical step-by-step hands-on exercises using WinDbg and memory dumps. Covered more than 25 ADDR patterns and many concepts are illustrated with Memory Cell Diagrams. The prerequisites for this training are working knowledge of C and C++ programming languages. Operating system internals and assembly language concepts are explained when necessary. The main audience for this training are software technical support and escalation engineers who analyze memory dumps from complex software environments and need to go deeper in their analysis of abnormal software structure and behavior. The course will also be useful for software engineers, quality assurance and software maintenance engineers who debug their software running on diverse computer environments, security researchers and malware analysts who have never used WinDbg for analysis of computer memory."

1. Dmitry Vostokov
Software Diagnostics ServicesFacebook LinkedIn Twitter

2. Prerequisites
 Working C or C++ knowledge
 Basic assembly language knowledge
© 2013 Software Diagnostics Services

3. Audience
 Novices
Learn x64 assembly language
 Experts
Learn the new pattern approach
© 2013 Software Diagnostics Services

4. Pattern-Oriented RDR
 Complex crashes and hangs (victimware
analysis)
 Malware analysis
 Studying new products
© 2013 Software Diagnostics Services

5. Training Goals
 Review fundamentals
 Learn patterns and techniques
© 2013 Software Diagnostics Services

6. Training Principles
 Talk only about what I can show
 Lots of pictures
 Lots of examples
 Original content and examples
© 2013 Software Diagnostics Services

7. Course Idea
 Implicit memory leak resulted from wrong
API call parameter
 www.Debugging.tv episode 0x31
© 2013 Software Diagnostics Services

8. Schedule Summary
Day 1
 Theory
 Exercise R1
Day 2
 Exercises R2 – R4
Day 3
 Exercises R5 – R6
 Q&A
© 2013 Software Diagnostics Services

9. Part 1: Theory
© 2013 Software Diagnostics Services

10. Computation
© 2013 Software Diagnostics Services
CPU
Data Code
Memory Changes

11. Disassembly
© 2013 Software Diagnostics Services
Data/Code numbers
Data/Code symbolic
488d0d2cce0000 lea rcx,[CPUx64+0xe2f8 (00000001`3f85e2f8)] ; "Hello World!"
Annotated Disassembly memory analysis pattern

12. The Problem of Reversing
 Compilation to Machine LanguageM
Language1 LanguageM Language2
 Decompilation
LanguageM ?
© 2013 Software Diagnostics Services

13. The Solution to Reversing
 Memory LanguageM Semantics
Language1 LanguageM Language2
 Decompilation
Understanding of LanguageM
© 2013 Software Diagnostics Services

14. The Reversing Tool
© 2013 Software Diagnostics Services
RSP
8
10
18
20
28
30
38
40
48
50
RAX
Memory Cell Diagrams

15. Re(De)construction
 Time dimension: sequence diagrams
 Space dimension: component diagrams
How does it work temporally and
structurally?
© 2013 Software Diagnostics Services

16. ADDR Patterns
 Accelerated
 Disassembly patterns
 De(Re)construction patterns
 Reversing patterns
© 2013 Software Diagnostics Services

17. ADDR Patterns (II)
 Accelerated
 Disassembly patterns
 Decompilation patterns
 Reconstruction patterns
© 2013 Software Diagnostics Services

18. ADDR Schemas
 Function Prologue -> Function Epilogue
 Call Prologue -> Function Call -> Call Epilogue
 Potential Functionality -> Call Skeleton -> Call
Path
 Call Parameter -> Function Parameter -> Local
Variable
© 2013 Software Diagnostics Services

19. ADDR Implementations
© 2013 Software Diagnostics Services
ADDR Pattern Catalogue
Windows Mac OS X Linux

20. Pattern Catalogues
 Elementary Software Diagnostics Patterns
 Memory Analysis Patterns
 Trace and Log Analysis Patterns
 Unified Debugging Patterns
 ADDR Patterns
© 2013 Software Diagnostics Services

21. Pattern Orientation
 Pattern-Driven ADDR
 Pattern-Based ADDR
© 2013 Software Diagnostics Services

22. Part 2: Practice Exercises
© 2013 Software Diagnostics Services

23. Links
 Memory dumps:
Not available in preview version
 Exercise Transcripts:
Not available in preview version
© 2013 Software Diagnostics Services

24. Exercise 0
 Goal: Install Debugging Tools for Windows and learn how to
set up symbols correctly
© 2013 Software Diagnostics Services

25. Main CPU Registers
© 2013 Software Diagnostics Services
Illustrated on memory cell diagrams in ADDRMCD-R1.xlsx
 RAX ⊃ EAX ⊃ AX ⊇ {AH, AL}
 ALU: RAX, RDX
 Counter: RCX
 Memory copy: RSI (src), RDI (dst)
 Stack: RSP
 Next instruction: RIP
 New: R8 – R15, Rx(D|W|B)

26. Exercise R1
 Goal: Review x64 assembly fundamentals; learn how to
reconstruct stack trace manually
 ADDR Patterns: Universal Pointer, Symbolic Pointer S2,
Interpreted Pointer S3, Context Pyramid
 Memory Cell Diagrams: Register, Pointer, Stack Frame
© 2013 Software Diagnostics Services

27. Stack Reconstruction
© 2013 Software Diagnostics Services
1. Top frame from the current RIP1, RSP1 (r)
2. Disassemble around the current RIPn (u[f] RIPn)
3. Find out the beginning of the function prologue
4. Check RSPn usage (sub, push) and count offsets
5. Get RIPn+1 for the next frame (dps @rspn + offset
6. Get RSPn+1 for the next frame (RSPn+8)
7. ++n
8. goto #2

28. Exercise R2
 Goal: Learn how to map source code to disassembly
 ADDR Patterns: Potential Functionality, Function Skeleton,
Function Call, Call Path, Local Variable, Static Variable,
Pointer Dereference
 Memory Cell Diagrams: Pointer Dereference
© 2013 Software Diagnostics Services

29. Exercise R3
 Goal: Learn a function structure and associated memory
operations
 ADDR Patterns: Function Prologue, Function Epilogue,
Variable Initialization, Memory Copy
 Memory Cell Diagrams: Function Prologue, Function
Epilogue
© 2013 Software Diagnostics Services

30. Exercise R4
 Goal: Learn how to recognize call and function parameters
and track their data flow
 ADDR Patterns: Call Prologue, Call Parameter, Call
Epilogue, Call Result, Control Path, Function Parameter,
Structure Field
© 2013 Software Diagnostics Services

31. Exercise R5
 Goal: Master memory cell diagrams as an aid to
understanding complex disassembly logic
 ADDR Patterns: Last Call, Loop, Memory Copy
 Memory Cell Diagrams: Memory Copy
© 2013 Software Diagnostics Services

32. Exercise R6
 Goal: Learn how to to map code to execution residue and
reconstruct past behaviour; recognise previously introduced
ADDR patterns in the context of compiled C++ code
 ADDR Patterns: Separator Frames, Virtual Call
 Memory Cell Diagrams: Virtual Call
© 2013 Software Diagnostics Services

33. Live Debugging Techniques
 ADDR Patterns: Component Dependencies, API Trace,
Fibre Bundle (trace analysis pattern)
 Some dependencies can be learnt from crash dump stack
traces (example)
 Debugging.TV / YouTube
 Live debugging training: Accelerated Windows Debugging3
© 2013 Software Diagnostics Services

34. Custom Tracing
 WinDbg logging extension
 www.Debugging.tv episode 0x8 YouTube
© 2013 Software Diagnostics Services

35. Resources
 WinDbg Help / WinDbg.org (quick links)
 DumpAnalysis.org
 Debugging.TV / DebuggingTV YouTube Channel
 Windows Debugging: Practical Foundations
 x64 Windows Debugging: Practical Foundations
 Software Diagnostics Library
 Memory Dump Analysis Anthology
© 2013 Software Diagnostics Services
x86 disassembly/reversing:
Hackers Disassembly Uncovered by Kris Kaspersky

36. Q&A
Please send your feedback using the contact
form on PatternDiagnostics.com
© 2013 Software Diagnostics Services

37. Thank you for attendance!
© 2013 Software Diagnostics Services