SlideShare a Scribd company logo

Complete Crash and Hang Memory Dump Analysis Guide

Dmitry Vostokov
Dmitry Vostokov

This document provides an overview and agenda for a training on complete crash and hang memory dump analysis. The training will cover basics of dump generation and memory spaces, common analysis challenges, and commands. It will then discuss pattern-driven analysis, providing examples of common patterns like blocked threads, wait chains, resource consumption, corruption signs, and special processes. The agenda indicates there will be an exercise and discussions of additional techniques and tools.

Software
1 of 32
Download to read offline
Complete Crash and Hang Memory Dump Analysis Presenter: Dmitry Vostokov Memory Dump Analysis Services Revision 2
Prerequisites Working knowledge of:  WinDbg (installation, symbols)  Basic user process dump analysis  Basic kernel memory dump analysis To Be Discussed Later We use these boxes to introduce useful vocabulary to be discussed in later slides © 2011 Memory Dump Analysis Services
Agenda (Summary)  Basics  Patterns  Exercise  Guide © 2011 Memory Dump Analysis Services
Agenda (Basics)  Dump generation  Memory spaces  Major challenges  Common commands © 2011 Memory Dump Analysis Services
Dump Generation  Control Panel System Advanced system settings Startup and Recovery  Page file size should be greater than the amount of physical memory by a few MB  For small system partitions or virtual disk systems: DedicatedDumpFile (KB969028) To Be Discussed Later Truncated Dump pattern Manual Dump pattern © 2011 Memory Dump Analysis Services Troubleshooting note: HKLM SYSTEM CurrentControlSet Control CrashControl CrashDumpEnabled = 1 (DWORD)
Memory Spaces  Complete memory == Physical memory  We always see the current process space Context switch To Be Discussed Later WinDbg command to switch to a different process context: .process © 2011 Memory Dump Analysis Services
Major Challenges  Vast memory space to search  Multiple processes (user spaces) to examine  User space view needs to be correct when we examine another thread  Huge file size (x64) © 2011 Memory Dump Analysis Services User Space To Be Discussed Later WinDbg extension command to dump all stack traces: !process 0 ff
The name borrowed from mathematics (topology) Problem: mild freeze of a 64GB memory system Solution: dump domain specific processes and generate a kernel memory dump Fiber Bundles © 2011 Memory Dump Analysis Services User Space User Space User Space User Space User Space Kernel Space To Be Discussed Later Wait Chain patterns
Common Commands  .logopen <file> Opens a log file to save all subsequent output  View commands Dump everything or selected processes and threads (context changes automatically)  Switch commands Switch to a specific process or thread for a fine-grain analysis © 2011 Memory Dump Analysis Services
View Commands  !process 0 3f Lists all processes (including times, environment, modules) and their thread stack traces  !process 0 1f The same as the previous command but without PEB information (more secure)  !process <address> 3f or !process <address> 1f The same as the previous commands but only for an individual process  !thread <address> 1f Shows thread information and stack trace  !thread <address> 16 The same as the previous command but shows the first 3 parameters for every function © 2011 Memory Dump Analysis Services
Switch Commands  .process /r /p <address> Switches to a specified process. Its context becomes current. Reloads symbol files for user space. Now we can use commands like !cs 0: kd> .process /r /p fffffa80044d8b30 Implicit process is now fffffa80`044d8b30 Loading User Symbols .................................  .thread <address> Switches to a specified thread. Assumes the current process context Now we can use commands like k*  .thread /r /p <address> The same as the previous command but makes the thread process context current and reloads symbol files for user space: 0: kd> .thread /r /p fffffa80051b7060 Implicit thread is now fffffa80`051b7060 Implicit process is now fffffa80`044d8b30 Loading User Symbols ................................. © 2011 Memory Dump Analysis Services To Be Discussed Later x86 stack trace from WOW64 process: .thread /w
Agenda (Patterns)  Pattern-driven analysis  Pattern classification  Pattern examples  Common mistakes © 2011 Memory Dump Analysis Services
Pattern-driven Analysis © 2011 Memory Dump Analysis Services Information Collection (Scripts) Information Extraction (Checklists) Problem Identification (Patterns) Problem Resolution Troubleshooting Suggestions Debugging Strategy To Be Discussed Later CARE Crash Analysis Report Environment Note: we do not discuss BSOD crashes here as most of the time kernel memory dumps are sufficient for analysis Pattern: a common recurrent identifiable problem together with a set of recommendations and possible solutions to apply in a specific context
Pattern Classification  Blocked threads  Wait chains  Resource consumption  Corruption signs  Special processes © 2011 Memory Dump Analysis Services
Example: Blocked Thread THREAD fffffa80097f1660 Cid 154c.1570 Teb: 000007fffffd4000 Win32Thread: fffff900c06a83f0 WAIT: (WrUserRequest) UserMode Non-Alertable fffffa800447e8f0 SynchronizationEvent Not impersonating DeviceMap fffff8a001ce6b90 Owning Process fffffa8004451060 Image: ApplicationA.exe Attached Process N/A Image: N/A Wait Start TickCount 22248 Ticks: 47 (0:00:00:00.733) Context Switch Count 340 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.000 Win32 Start Address ApplicationA (0x000000013f2c1210) Stack Init fffff8800ec25c70 Current fffff8800ec25730 Base fffff8800ec26000 Limit fffff8800ec1d000 Call 0 Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0ec25770 fffff800`02ee6f32 nt!KiSwapContext+0x7a fffff880`0ec258b0 fffff800`02ee974f nt!KiCommitThreadWait+0x1d2 fffff880`0ec25940 fffff960`0013bc97 nt!KeWaitForSingleObject+0x19f fffff880`0ec259e0 fffff960`0013bd39 win32k!xxxRealSleepThread+0x257 fffff880`0ec25a80 fffff960`0014e7a6 win32k!xxxSleepThread+0x59 fffff880`0ec25ab0 fffff800`02ee0ed3 win32k!NtUserWaitMessage+0x46 fffff880`0ec25ae0 00000000`7709933a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0ec25ae0) 00000000`0275f308 00000000`770a4bc4 USER32!ZwUserWaitMessage+0xa 00000000`0275f310 00000000`770a4edd USER32!DialogBox2+0x274 00000000`0275f3a0 00000000`770f2920 USER32!InternalDialogBox+0x135 00000000`0275f400 00000000`770f1c15 USER32!SoftModalMessageBox+0x9b4 00000000`0275f530 00000000`770f146b USER32!MessageBoxWorker+0x31d 00000000`0275f6f0 00000000`770f1362 USER32!MessageBoxTimeoutW+0xb3 >>> 00000000`0275f7c0 00000001`3f2c1089 USER32!MessageBoxW+0x4e 00000000`0275f800 00000000`02135fd0 ApplicationA+0x1089 00000000`0275f808 00000000`00000000 0x2135fd0 © 2011 Memory Dump Analysis Services To Be Discussed Later Complete Dump Analysis Exercise
Example: Wait Chain THREAD fffffa8004514060 Cid 07f4.1470 Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable >>> fffffa80044c53c0 Mutant - owning thread fffffa8004569750 Not impersonating DeviceMap fffff8a001ce6b90 Owning Process fffffa8004546060 Image: ApplicationC.exe Attached Process N/A Image: N/A Wait Start TickCount 14474 Ticks: 7821 (0:00:02:02.008) Context Switch Count 2 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ApplicationC (0x000000013f6c12a0) Stack Init fffff8800d196c70 Current fffff8800d1967c0 Base fffff8800d197000 Limit fffff8800d191000 Call 0 Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0d196800 fffff800`02ee6f32 nt!KiSwapContext+0x7a fffff880`0d196940 fffff800`02ee974f nt!KiCommitThreadWait+0x1d2 fffff880`0d1969d0 fffff800`031d844e nt!KeWaitForSingleObject+0x19f fffff880`0d196a70 fffff800`02ee0ed3 nt!NtWaitForSingleObject+0xde fffff880`0d196ae0 00000000`772f135a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0d196ae0) 00000000`0107f708 000007fe`fd9e10dc ntdll!NtWaitForSingleObject+0xa 00000000`0107f710 00000001`3f6c112e KERNELBASE!WaitForSingleObjectEx+0x79 00000000`0107f7b0 00000000`00586570 ApplicationC+0x112e 00000000`0107f7b8 00000000`00000000 0x586570 © 2011 Memory Dump Analysis Services To Be Discussed Later Complete Dump Analysis Exercise
Example: Consumption © 2011 Memory Dump Analysis Services To Be Discussed Later Complete Dump Analysis Exercise 1: kd> !process 0 0 **** NT ACTIVE PROCESS DUMP **** PROCESS fffffa80042d5400 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00187000 ObjectTable: fffff8a0000017e0 HandleCount: 785. Image: System PROCESS fffffa8006fa8750 SessionId: none Cid: 0144 Peb: 7fffffda000 ParentCid: 0004 DirBase: 107226000 ObjectTable: fffff8a0002dcf90 HandleCount: 32. Image: smss.exe PROCESS fffffa80083cdb30 SessionId: 0 Cid: 01ec Peb: 7fffffdc000 ParentCid: 01a8 DirBase: 918c1000 ObjectTable: fffff8a0013b98a0 HandleCount: 679. Image: csrss.exe [...] PROCESS fffffa800442ab30 SessionId: 1 Cid: 1418 Peb: 7fffffde000 ParentCid: 0840 >>> DirBase: 11e2c5000 ObjectTable: fffff8a004cc3b50 HandleCount: 20014. Image: ApplicationE.exe [...]
Example: Corruption THREAD fffffa80044e2720 Cid 06fc.15c0 Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa8009a5bb30 ProcessObject Not impersonating DeviceMap fffff8a001ce6b90 Owning Process fffffa8004364060 Image: ApplicationD.exe [...] Win32 Start Address ApplicationD (0x000000013f061318) Stack Init fffff8800ec10c70 Current fffff8800ec107c0 Base fffff8800ec11000 Limit fffff8800ec0b000 Call 0 Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0ec10800 fffff800`02ee6f32 nt!KiSwapContext+0x7a fffff880`0ec10940 fffff800`02ee974f nt!KiCommitThreadWait+0x1d2 fffff880`0ec109d0 fffff800`031d844e nt!KeWaitForSingleObject+0x19f fffff880`0ec10a70 fffff800`02ee0ed3 nt!NtWaitForSingleObject+0xde fffff880`0ec10ae0 00000000`772f135a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0ec10ae0) 00000000`0071e7f8 00000000`77363062 ntdll!NtWaitForSingleObject+0xa 00000000`0071e800 00000000`773632a5 ntdll!RtlReportExceptionEx+0x1d2 00000000`0071e8f0 00000000`7736330a ntdll!RtlReportException+0xb5 00000000`0071e970 00000000`77364145 ntdll!RtlpTerminateFailureFilter+0x1a 00000000`0071e9a0 00000000`772b85a8 ntdll!RtlReportCriticalFailure+0x96 [...] 00000000`0071ea70 00000000`772b97a8 ntdll!RtlDispatchException+0x45a 00000000`0071f150 00000000`773640f2 ntdll!RtlRaiseException+0x22f 00000000`0071fb00 00000000`77364736 ntdll!RtlReportCriticalFailure+0x62 00000000`0071fbd0 00000000`77365942 ntdll!RtlpReportHeapFailure+0x26 00000000`0071fc00 00000000`773675f4 ntdll!RtlpHeapHandleError+0x12 00000000`0071fc30 00000000`7730dc8f ntdll!RtlpLogHeapFailure+0xa4 00000000`0071fc60 00000000`771a301a ntdll! ?? ::FNODOBFM::`string'+0x10c54 >>> 00000000`0071fce0 00000001`3f061274 kernel32!HeapFree+0xa 00000000`0071fd10 00000001`3f0610c3 ApplicationD+0x1274 [...] To Be Discussed Later Complete Dump Analysis Exercise © 2011 Memory Dump Analysis Services
Example: Special Process 1: kd> !vm [...] 0458 svchost.exe 1922 ( 7688 Kb) 0bfc iexplore.exe 1891 ( 7564 Kb) 0bf4 msseces.exe 1863 ( 7452 Kb) 0fc8 NisSrv.exe 1845 ( 7380 Kb) 0584 StageRemoteSer 1776 ( 7104 Kb) 05dc spoolsv.exe 1729 ( 6916 Kb) 11e8 mscorsvw.exe 1620 ( 6480 Kb) 0c6c vmware-authd.e 1593 ( 6372 Kb) 02d8 services.exe 1560 ( 6240 Kb) >>> 1134 WerFault.exe 1558 ( 6232 Kb) 0c1c StageRemote.ex 1518 ( 6072 Kb) 135c taskmgr.exe 1513 ( 6052 Kb) 0ea4 WmiPrvSE.exe 1411 ( 5644 Kb) 0350 svchost.exe 1283 ( 5132 Kb) 02e0 lsass.exe 1218 ( 4872 Kb) 03b8 svchost.exe 1214 ( 4856 Kb) 09b0 SftService.exe 1171 ( 4684 Kb) 13fc daemonu.exe 1117 ( 4468 Kb) 0b5c igfxpers.exe 1080 ( 4320 Kb) 080c DTLite.exe 1051 ( 4204 Kb) 1194 DTShellHlp.exe 1008 ( 4032 Kb) 04c8 taskhost.exe 975 ( 3900 Kb) 0b34 STService.exe 933 ( 3732 Kb) 0270 csrss.exe 855 ( 3420 Kb) 029c winlogon.exe 845 ( 3380 Kb) [...] To Be Discussed Later Complete Dump Analysis Exercise © 2011 Memory Dump Analysis Services
Common Mistakes  Not switching to the appropriate context  Not looking at full stack traces  Not looking at all stack traces  Not using checklists  Not looking past the first found evidence  Not comparing to the reference debugger output Note: Listing both x86 and x64 stack traces http://www.dumpanalysis.org/blog/index.php/2010/02/09/complete-stack-traces-from-x64-system/ © 2011 Memory Dump Analysis Services
Agenda (Exercise)  Run processes that model abnormal behavior  Generate a complete memory dump  Analyze the memory dump Note: Due to security concerns I’m not making a complete memory dump downloadable. You can generate your own complete memory dump after downloading and running model applications © 2011 Memory Dump Analysis Services
Exercise: Run Processes These processes model specific patterns: ApplicationA , ApplicationB, ApplicationC, ApplicationD, ApplicationE For demonstration I run x64 versions plus x86 version of ApplicationA Note: Run applications in alphabetical order Can be downloaded from this location: www.DumpAnalysis.com/Training/FreeWebinars/CMDA-Examples.zip There are x86 and x64 versions © 2011 Memory Dump Analysis Services
Exercise: Force A Dump The system is x64 Windows 7 Note: Wait at least 10 seconds after running model applications to have them properly initialize their dependencies © 2011 Memory Dump Analysis Services
Exercise: Dump Analysis Now I switch to a WinDbg session... © 2011 Memory Dump Analysis Services
Agenda (Guide)  Patterns related to complete memory dumps  Pattern cooperation case studies from complete memory dumps  Pattern Map © 2011 Memory Dump Analysis Services
Pattern Examples Some patterns that are relevant to complete memory dumps: Incorrect Symbolic Information No System Dumps Semantic Split Message Box Paged Out Data Inconsistent Dump Wait Chain (thread objects) Wait Chain (critical sections) Wait Chain (LPC/ALPC) Wait Chain (process objects) Last Error Collection Special Process Suspended Thread Historical Information Coupled Processes (strong) Stack Trace Collection Truncated Dump Insufficient Memory (handle leak) Spiking Thread Main Thread Deadlock (critical sections) Suspended Thread Problem Vocabulary Pleiades Semantic Structures Dual Stack Trace Virtualized System © 2011 Memory Dump Analysis Services
Case Studies 17 pattern interaction case studies using complete memory dumps: http://www.dumpanalysis.org/blog/index.php/category/complete-memory-dump-analysis/ © 2011 Memory Dump Analysis Services
WinDbg Command Map Pattern <-> WinDbg command © 2011 Memory Dump Analysis Services
Resources  WinDbg.org  DumpAnalysis.org  Memory Dump Analysis Anthology  Accelerated Windows Memory Dump Analysis Forthcoming, end of 2011 © 2011 Memory Dump Analysis Services
Training  Accelerated Windows Memory Dump Analysis  Advanced Windows Memory Dump Analysis with Data Structures © 2011 Memory Dump Analysis Services 20% discount if taking both or buying both course books
Q&A Please send your feedback using the contact form on DumpAnalysis.com © 2011 Memory Dump Analysis Services
Thank you for attendance! © 2011 Memory Dump Analysis Services

Recommended

Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisFundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisDmitry Vostokov
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisDmitry Vostokov
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBrendan Gregg
 
Debugging linux
Debugging linuxDebugging linux
Debugging linuxAndrea Righi
 
Interview questions
Interview questionsInterview questions
Interview questionsxavier john
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFOSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFBrendan Gregg
 
Analyzing OS X Systems Performance with the USE Method
Analyzing OS X Systems Performance with the USE MethodAnalyzing OS X Systems Performance with the USE Method
Analyzing OS X Systems Performance with the USE MethodBrendan Gregg
 

Recommended

Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisFundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisDmitry Vostokov
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisDmitry Vostokov
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBrendan Gregg
 
Debugging linux
Debugging linuxDebugging linux
Debugging linuxAndrea Righi
 
Interview questions
Interview questionsInterview questions
Interview questionsxavier john
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFOSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFBrendan Gregg
 
Analyzing OS X Systems Performance with the USE Method
Analyzing OS X Systems Performance with the USE MethodAnalyzing OS X Systems Performance with the USE Method
Analyzing OS X Systems Performance with the USE MethodBrendan Gregg
 
Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introductionsatyajit_t
 
(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and Tricks(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and TricksDavid Horvath
 
FreeBSD 2014 Flame Graphs
FreeBSD 2014 Flame GraphsFreeBSD 2014 Flame Graphs
FreeBSD 2014 Flame GraphsBrendan Gregg
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box AttackPrathan Phongthiproek
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
Unix system calls
Unix system callsUnix system calls
Unix system callsstellajoseph
 
Internal representation of files ppt
Internal representation of files pptInternal representation of files ppt
Internal representation of files pptAbhaysinh Surve
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
Linux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovLinux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovPivorak MeetUp
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesIO Visor Project
 
Open Source Systems Performance
Open Source Systems PerformanceOpen Source Systems Performance
Open Source Systems PerformanceBrendan Gregg
 
QCon 2015 Broken Performance Tools
QCon 2015 Broken Performance ToolsQCon 2015 Broken Performance Tools
QCon 2015 Broken Performance ToolsBrendan Gregg
 
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsProfiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsemBO_Conference
 
Systemcall1
Systemcall1Systemcall1
Systemcall1pavimalpani
 
Linux monitoring and Troubleshooting for DBA's
Linux monitoring and Troubleshooting for DBA'sLinux monitoring and Troubleshooting for DBA's
Linux monitoring and Troubleshooting for DBA'sMydbops
 
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeDEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeFelipe Prado
 
Data race
Data raceData race
Data raceJames Wong
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Jagadisha Maiya
 
Accelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump AnalysisAccelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump AnalysisDmitry Vostokov
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathDennis Chung
 

More Related Content

What's hot

Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introductionsatyajit_t
 
(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and Tricks(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and TricksDavid Horvath
 
FreeBSD 2014 Flame Graphs
FreeBSD 2014 Flame GraphsFreeBSD 2014 Flame Graphs
FreeBSD 2014 Flame GraphsBrendan Gregg
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
Internal representation of files ppt
Internal representation of files pptInternal representation of files ppt
Internal representation of files pptAbhaysinh Surve
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
Linux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovLinux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovPivorak MeetUp
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesIO Visor Project
 
Open Source Systems Performance
Open Source Systems PerformanceOpen Source Systems Performance
Open Source Systems PerformanceBrendan Gregg
 
QCon 2015 Broken Performance Tools
QCon 2015 Broken Performance ToolsQCon 2015 Broken Performance Tools
QCon 2015 Broken Performance ToolsBrendan Gregg
 
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsProfiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsemBO_Conference
 
Linux monitoring and Troubleshooting for DBA's
Linux monitoring and Troubleshooting for DBA'sLinux monitoring and Troubleshooting for DBA's
Linux monitoring and Troubleshooting for DBA'sMydbops
 

What's hot (16)

Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introduction
 
(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and Tricks(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and Tricks
 
FreeBSD 2014 Flame Graphs
FreeBSD 2014 Flame GraphsFreeBSD 2014 Flame Graphs
FreeBSD 2014 Flame Graphs
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
 
Unix system calls
Unix system callsUnix system calls
Unix system calls
 
Internal representation of files ppt
Internal representation of files pptInternal representation of files ppt
Internal representation of files ppt
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Linux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovLinux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene Pirogov
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challenges
 
Open Source Systems Performance
Open Source Systems PerformanceOpen Source Systems Performance
Open Source Systems Performance
 
QCon 2015 Broken Performance Tools
QCon 2015 Broken Performance ToolsQCon 2015 Broken Performance Tools
QCon 2015 Broken Performance Tools
 
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsProfiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf Tools
 
Systemcall1
Systemcall1Systemcall1
Systemcall1
 
Linux monitoring and Troubleshooting for DBA's
Linux monitoring and Troubleshooting for DBA'sLinux monitoring and Troubleshooting for DBA's
Linux monitoring and Troubleshooting for DBA's
 

Similar to Complete Crash and Hang Memory Dump Analysis Guide

DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeDEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeFelipe Prado
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Jagadisha Maiya
 
Accelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump AnalysisAccelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump AnalysisDmitry Vostokov
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathDennis Chung
 
Advanced Apache Cassandra Operations with JMX
Advanced Apache Cassandra Operations with JMXAdvanced Apache Cassandra Operations with JMX
Advanced Apache Cassandra Operations with JMXzznate
 
Advanced Cassandra Operations via JMX (Nate McCall, The Last Pickle) | C* Sum...
Advanced Cassandra Operations via JMX (Nate McCall, The Last Pickle) | C* Sum...Advanced Cassandra Operations via JMX (Nate McCall, The Last Pickle) | C* Sum...
Advanced Cassandra Operations via JMX (Nate McCall, The Last Pickle) | C* Sum...DataStax
 
Introductiontoasp netwindbgdebugging-100506045407-phpapp01
Introductiontoasp netwindbgdebugging-100506045407-phpapp01Introductiontoasp netwindbgdebugging-100506045407-phpapp01
Introductiontoasp netwindbgdebugging-100506045407-phpapp01Camilo Alvarez Rivera
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightLinaro
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesDmitry Vostokov
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
2007 Tidc India Profiling
2007 Tidc India Profiling2007 Tidc India Profiling
2007 Tidc India Profilingdanrinkes
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
FBTFTP: an opensource framework to build dynamic tftp servers
FBTFTP: an opensource framework to build dynamic tftp serversFBTFTP: an opensource framework to build dynamic tftp servers
FBTFTP: an opensource framework to build dynamic tftp serversAngelo Failla
 
Memory profiler and garbage collector in C#
Memory profiler and garbage collector in C#Memory profiler and garbage collector in C#
Memory profiler and garbage collector in C#Wipro
 
Accelerated Windows Malware Analysis with Memory Dumps
Accelerated Windows Malware Analysis with Memory DumpsAccelerated Windows Malware Analysis with Memory Dumps
Accelerated Windows Malware Analysis with Memory DumpsDmitry Vostokov
 
Sql server engine cpu cache as the new ram
Sql server engine cpu cache as the new ramSql server engine cpu cache as the new ram
Sql server engine cpu cache as the new ramChris Adkin
 

Similar to Complete Crash and Hang Memory Dump Analysis Guide (20)

DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeDEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
 
Data race
Data raceData race
Data race
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
 
Accelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump AnalysisAccelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump Analysis
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainath
 
Advanced Apache Cassandra Operations with JMX
Advanced Apache Cassandra Operations with JMXAdvanced Apache Cassandra Operations with JMX
Advanced Apache Cassandra Operations with JMX
 
Advanced Cassandra Operations via JMX (Nate McCall, The Last Pickle) | C* Sum...
Advanced Cassandra Operations via JMX (Nate McCall, The Last Pickle) | C* Sum...Advanced Cassandra Operations via JMX (Nate McCall, The Last Pickle) | C* Sum...
Advanced Cassandra Operations via JMX (Nate McCall, The Last Pickle) | C* Sum...
 
Introductiontoasp netwindbgdebugging-100506045407-phpapp01
Introductiontoasp netwindbgdebugging-100506045407-phpapp01Introductiontoasp netwindbgdebugging-100506045407-phpapp01
Introductiontoasp netwindbgdebugging-100506045407-phpapp01
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with Coresight
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slides
 
Techno-Fest-15nov16
Techno-Fest-15nov16Techno-Fest-15nov16
Techno-Fest-15nov16
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
2007 Tidc India Profiling
2007 Tidc India Profiling2007 Tidc India Profiling
2007 Tidc India Profiling
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
 
FBTFTP: an opensource framework to build dynamic tftp servers
FBTFTP: an opensource framework to build dynamic tftp serversFBTFTP: an opensource framework to build dynamic tftp servers
FBTFTP: an opensource framework to build dynamic tftp servers
 
Memory profiler and garbage collector in C#
Memory profiler and garbage collector in C#Memory profiler and garbage collector in C#
Memory profiler and garbage collector in C#
 
Accelerated Windows Malware Analysis with Memory Dumps
Accelerated Windows Malware Analysis with Memory DumpsAccelerated Windows Malware Analysis with Memory Dumps
Accelerated Windows Malware Analysis with Memory Dumps
 
Sql server engine cpu cache as the new ram
Sql server engine cpu cache as the new ramSql server engine cpu cache as the new ram
Sql server engine cpu cache as the new ram
 

More from Dmitry Vostokov

Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesDmitry Vostokov
 

More from Dmitry Vostokov (20)

Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slides
 
Debugging TV Frame 0x1C
Debugging TV Frame 0x1CDebugging TV Frame 0x1C
Debugging TV Frame 0x1C
 
Debugging TV Frame 0x1A
Debugging TV Frame 0x1ADebugging TV Frame 0x1A
Debugging TV Frame 0x1A
 
Debugging TV Frame 0x34
Debugging TV Frame 0x34Debugging TV Frame 0x34
Debugging TV Frame 0x34
 
Debugging TV Frame 0x33
Debugging TV Frame 0x33Debugging TV Frame 0x33
Debugging TV Frame 0x33
 
Debugging TV Frame 0x31
Debugging TV Frame 0x31Debugging TV Frame 0x31
Debugging TV Frame 0x31
 
Debugging TV Frame 0x25
Debugging TV Frame 0x25Debugging TV Frame 0x25
Debugging TV Frame 0x25
 
Debugging TV Frame 0x24
Debugging TV Frame 0x24Debugging TV Frame 0x24
Debugging TV Frame 0x24
 
Debugging TV Frame 0x21
Debugging TV Frame 0x21Debugging TV Frame 0x21
Debugging TV Frame 0x21
 
Debugging TV Frame 0x20
Debugging TV Frame 0x20Debugging TV Frame 0x20
Debugging TV Frame 0x20
 
Debugging TV Frame 0x19
Debugging TV Frame 0x19Debugging TV Frame 0x19
Debugging TV Frame 0x19
 
Debugging TV Frame 0x18
Debugging TV Frame 0x18Debugging TV Frame 0x18
Debugging TV Frame 0x18
 
Debugging TV Frame 0x17
Debugging TV Frame 0x17Debugging TV Frame 0x17
Debugging TV Frame 0x17
 
Debugging TV Frame 0x16
Debugging TV Frame 0x16Debugging TV Frame 0x16
Debugging TV Frame 0x16
 
Debugging TV Frame 0x15
Debugging TV Frame 0x15Debugging TV Frame 0x15
Debugging TV Frame 0x15
 
Debugging TV Frame 0x14
Debugging TV Frame 0x14Debugging TV Frame 0x14
Debugging TV Frame 0x14
 
Debugging TV Frame 0x13
Debugging TV Frame 0x13Debugging TV Frame 0x13
Debugging TV Frame 0x13
 
Debugging TV Frame 0x12
Debugging TV Frame 0x12Debugging TV Frame 0x12
Debugging TV Frame 0x12
 
Debugging TV Frame 0x11
Debugging TV Frame 0x11Debugging TV Frame 0x11
Debugging TV Frame 0x11
 
Debugging TV Frame 0x10
Debugging TV Frame 0x10Debugging TV Frame 0x10
Debugging TV Frame 0x10
 

Recently uploaded

办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 

Recently uploaded (20)

办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 

Complete Crash and Hang Memory Dump Analysis Guide

  • 1. Complete Crash and Hang Memory Dump Analysis Presenter: Dmitry Vostokov Memory Dump Analysis Services Revision 2
  • 2. Prerequisites Working knowledge of:  WinDbg (installation, symbols)  Basic user process dump analysis  Basic kernel memory dump analysis To Be Discussed Later We use these boxes to introduce useful vocabulary to be discussed in later slides © 2011 Memory Dump Analysis Services
  • 3. Agenda (Summary)  Basics  Patterns  Exercise  Guide © 2011 Memory Dump Analysis Services
  • 4. Agenda (Basics)  Dump generation  Memory spaces  Major challenges  Common commands © 2011 Memory Dump Analysis Services
  • 5. Dump Generation  Control Panel System Advanced system settings Startup and Recovery  Page file size should be greater than the amount of physical memory by a few MB  For small system partitions or virtual disk systems: DedicatedDumpFile (KB969028) To Be Discussed Later Truncated Dump pattern Manual Dump pattern © 2011 Memory Dump Analysis Services Troubleshooting note: HKLM SYSTEM CurrentControlSet Control CrashControl CrashDumpEnabled = 1 (DWORD)
  • 6. Memory Spaces  Complete memory == Physical memory  We always see the current process space Context switch To Be Discussed Later WinDbg command to switch to a different process context: .process © 2011 Memory Dump Analysis Services
  • 7. Major Challenges  Vast memory space to search  Multiple processes (user spaces) to examine  User space view needs to be correct when we examine another thread  Huge file size (x64) © 2011 Memory Dump Analysis Services User Space To Be Discussed Later WinDbg extension command to dump all stack traces: !process 0 ff
  • 8. The name borrowed from mathematics (topology) Problem: mild freeze of a 64GB memory system Solution: dump domain specific processes and generate a kernel memory dump Fiber Bundles © 2011 Memory Dump Analysis Services User Space User Space User Space User Space User Space Kernel Space To Be Discussed Later Wait Chain patterns
  • 9. Common Commands  .logopen <file> Opens a log file to save all subsequent output  View commands Dump everything or selected processes and threads (context changes automatically)  Switch commands Switch to a specific process or thread for a fine-grain analysis © 2011 Memory Dump Analysis Services
  • 10. View Commands  !process 0 3f Lists all processes (including times, environment, modules) and their thread stack traces  !process 0 1f The same as the previous command but without PEB information (more secure)  !process <address> 3f or !process <address> 1f The same as the previous commands but only for an individual process  !thread <address> 1f Shows thread information and stack trace  !thread <address> 16 The same as the previous command but shows the first 3 parameters for every function © 2011 Memory Dump Analysis Services
  • 11. Switch Commands  .process /r /p <address> Switches to a specified process. Its context becomes current. Reloads symbol files for user space. Now we can use commands like !cs 0: kd> .process /r /p fffffa80044d8b30 Implicit process is now fffffa80`044d8b30 Loading User Symbols .................................  .thread <address> Switches to a specified thread. Assumes the current process context Now we can use commands like k*  .thread /r /p <address> The same as the previous command but makes the thread process context current and reloads symbol files for user space: 0: kd> .thread /r /p fffffa80051b7060 Implicit thread is now fffffa80`051b7060 Implicit process is now fffffa80`044d8b30 Loading User Symbols ................................. © 2011 Memory Dump Analysis Services To Be Discussed Later x86 stack trace from WOW64 process: .thread /w
  • 12. Agenda (Patterns)  Pattern-driven analysis  Pattern classification  Pattern examples  Common mistakes © 2011 Memory Dump Analysis Services
  • 13. Pattern-driven Analysis © 2011 Memory Dump Analysis Services Information Collection (Scripts) Information Extraction (Checklists) Problem Identification (Patterns) Problem Resolution Troubleshooting Suggestions Debugging Strategy To Be Discussed Later CARE Crash Analysis Report Environment Note: we do not discuss BSOD crashes here as most of the time kernel memory dumps are sufficient for analysis Pattern: a common recurrent identifiable problem together with a set of recommendations and possible solutions to apply in a specific context
  • 14. Pattern Classification  Blocked threads  Wait chains  Resource consumption  Corruption signs  Special processes © 2011 Memory Dump Analysis Services
  • 15. Example: Blocked Thread THREAD fffffa80097f1660 Cid 154c.1570 Teb: 000007fffffd4000 Win32Thread: fffff900c06a83f0 WAIT: (WrUserRequest) UserMode Non-Alertable fffffa800447e8f0 SynchronizationEvent Not impersonating DeviceMap fffff8a001ce6b90 Owning Process fffffa8004451060 Image: ApplicationA.exe Attached Process N/A Image: N/A Wait Start TickCount 22248 Ticks: 47 (0:00:00:00.733) Context Switch Count 340 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.000 Win32 Start Address ApplicationA (0x000000013f2c1210) Stack Init fffff8800ec25c70 Current fffff8800ec25730 Base fffff8800ec26000 Limit fffff8800ec1d000 Call 0 Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0ec25770 fffff800`02ee6f32 nt!KiSwapContext+0x7a fffff880`0ec258b0 fffff800`02ee974f nt!KiCommitThreadWait+0x1d2 fffff880`0ec25940 fffff960`0013bc97 nt!KeWaitForSingleObject+0x19f fffff880`0ec259e0 fffff960`0013bd39 win32k!xxxRealSleepThread+0x257 fffff880`0ec25a80 fffff960`0014e7a6 win32k!xxxSleepThread+0x59 fffff880`0ec25ab0 fffff800`02ee0ed3 win32k!NtUserWaitMessage+0x46 fffff880`0ec25ae0 00000000`7709933a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0ec25ae0) 00000000`0275f308 00000000`770a4bc4 USER32!ZwUserWaitMessage+0xa 00000000`0275f310 00000000`770a4edd USER32!DialogBox2+0x274 00000000`0275f3a0 00000000`770f2920 USER32!InternalDialogBox+0x135 00000000`0275f400 00000000`770f1c15 USER32!SoftModalMessageBox+0x9b4 00000000`0275f530 00000000`770f146b USER32!MessageBoxWorker+0x31d 00000000`0275f6f0 00000000`770f1362 USER32!MessageBoxTimeoutW+0xb3 >>> 00000000`0275f7c0 00000001`3f2c1089 USER32!MessageBoxW+0x4e 00000000`0275f800 00000000`02135fd0 ApplicationA+0x1089 00000000`0275f808 00000000`00000000 0x2135fd0 © 2011 Memory Dump Analysis Services To Be Discussed Later Complete Dump Analysis Exercise
  • 16. Example: Wait Chain THREAD fffffa8004514060 Cid 07f4.1470 Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable >>> fffffa80044c53c0 Mutant - owning thread fffffa8004569750 Not impersonating DeviceMap fffff8a001ce6b90 Owning Process fffffa8004546060 Image: ApplicationC.exe Attached Process N/A Image: N/A Wait Start TickCount 14474 Ticks: 7821 (0:00:02:02.008) Context Switch Count 2 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ApplicationC (0x000000013f6c12a0) Stack Init fffff8800d196c70 Current fffff8800d1967c0 Base fffff8800d197000 Limit fffff8800d191000 Call 0 Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0d196800 fffff800`02ee6f32 nt!KiSwapContext+0x7a fffff880`0d196940 fffff800`02ee974f nt!KiCommitThreadWait+0x1d2 fffff880`0d1969d0 fffff800`031d844e nt!KeWaitForSingleObject+0x19f fffff880`0d196a70 fffff800`02ee0ed3 nt!NtWaitForSingleObject+0xde fffff880`0d196ae0 00000000`772f135a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0d196ae0) 00000000`0107f708 000007fe`fd9e10dc ntdll!NtWaitForSingleObject+0xa 00000000`0107f710 00000001`3f6c112e KERNELBASE!WaitForSingleObjectEx+0x79 00000000`0107f7b0 00000000`00586570 ApplicationC+0x112e 00000000`0107f7b8 00000000`00000000 0x586570 © 2011 Memory Dump Analysis Services To Be Discussed Later Complete Dump Analysis Exercise
  • 17. Example: Consumption © 2011 Memory Dump Analysis Services To Be Discussed Later Complete Dump Analysis Exercise 1: kd> !process 0 0 **** NT ACTIVE PROCESS DUMP **** PROCESS fffffa80042d5400 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00187000 ObjectTable: fffff8a0000017e0 HandleCount: 785. Image: System PROCESS fffffa8006fa8750 SessionId: none Cid: 0144 Peb: 7fffffda000 ParentCid: 0004 DirBase: 107226000 ObjectTable: fffff8a0002dcf90 HandleCount: 32. Image: smss.exe PROCESS fffffa80083cdb30 SessionId: 0 Cid: 01ec Peb: 7fffffdc000 ParentCid: 01a8 DirBase: 918c1000 ObjectTable: fffff8a0013b98a0 HandleCount: 679. Image: csrss.exe [...] PROCESS fffffa800442ab30 SessionId: 1 Cid: 1418 Peb: 7fffffde000 ParentCid: 0840 >>> DirBase: 11e2c5000 ObjectTable: fffff8a004cc3b50 HandleCount: 20014. Image: ApplicationE.exe [...]
  • 18. Example: Corruption THREAD fffffa80044e2720 Cid 06fc.15c0 Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa8009a5bb30 ProcessObject Not impersonating DeviceMap fffff8a001ce6b90 Owning Process fffffa8004364060 Image: ApplicationD.exe [...] Win32 Start Address ApplicationD (0x000000013f061318) Stack Init fffff8800ec10c70 Current fffff8800ec107c0 Base fffff8800ec11000 Limit fffff8800ec0b000 Call 0 Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`0ec10800 fffff800`02ee6f32 nt!KiSwapContext+0x7a fffff880`0ec10940 fffff800`02ee974f nt!KiCommitThreadWait+0x1d2 fffff880`0ec109d0 fffff800`031d844e nt!KeWaitForSingleObject+0x19f fffff880`0ec10a70 fffff800`02ee0ed3 nt!NtWaitForSingleObject+0xde fffff880`0ec10ae0 00000000`772f135a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0ec10ae0) 00000000`0071e7f8 00000000`77363062 ntdll!NtWaitForSingleObject+0xa 00000000`0071e800 00000000`773632a5 ntdll!RtlReportExceptionEx+0x1d2 00000000`0071e8f0 00000000`7736330a ntdll!RtlReportException+0xb5 00000000`0071e970 00000000`77364145 ntdll!RtlpTerminateFailureFilter+0x1a 00000000`0071e9a0 00000000`772b85a8 ntdll!RtlReportCriticalFailure+0x96 [...] 00000000`0071ea70 00000000`772b97a8 ntdll!RtlDispatchException+0x45a 00000000`0071f150 00000000`773640f2 ntdll!RtlRaiseException+0x22f 00000000`0071fb00 00000000`77364736 ntdll!RtlReportCriticalFailure+0x62 00000000`0071fbd0 00000000`77365942 ntdll!RtlpReportHeapFailure+0x26 00000000`0071fc00 00000000`773675f4 ntdll!RtlpHeapHandleError+0x12 00000000`0071fc30 00000000`7730dc8f ntdll!RtlpLogHeapFailure+0xa4 00000000`0071fc60 00000000`771a301a ntdll! ?? ::FNODOBFM::`string'+0x10c54 >>> 00000000`0071fce0 00000001`3f061274 kernel32!HeapFree+0xa 00000000`0071fd10 00000001`3f0610c3 ApplicationD+0x1274 [...] To Be Discussed Later Complete Dump Analysis Exercise © 2011 Memory Dump Analysis Services
  • 19. Example: Special Process 1: kd> !vm [...] 0458 svchost.exe 1922 ( 7688 Kb) 0bfc iexplore.exe 1891 ( 7564 Kb) 0bf4 msseces.exe 1863 ( 7452 Kb) 0fc8 NisSrv.exe 1845 ( 7380 Kb) 0584 StageRemoteSer 1776 ( 7104 Kb) 05dc spoolsv.exe 1729 ( 6916 Kb) 11e8 mscorsvw.exe 1620 ( 6480 Kb) 0c6c vmware-authd.e 1593 ( 6372 Kb) 02d8 services.exe 1560 ( 6240 Kb) >>> 1134 WerFault.exe 1558 ( 6232 Kb) 0c1c StageRemote.ex 1518 ( 6072 Kb) 135c taskmgr.exe 1513 ( 6052 Kb) 0ea4 WmiPrvSE.exe 1411 ( 5644 Kb) 0350 svchost.exe 1283 ( 5132 Kb) 02e0 lsass.exe 1218 ( 4872 Kb) 03b8 svchost.exe 1214 ( 4856 Kb) 09b0 SftService.exe 1171 ( 4684 Kb) 13fc daemonu.exe 1117 ( 4468 Kb) 0b5c igfxpers.exe 1080 ( 4320 Kb) 080c DTLite.exe 1051 ( 4204 Kb) 1194 DTShellHlp.exe 1008 ( 4032 Kb) 04c8 taskhost.exe 975 ( 3900 Kb) 0b34 STService.exe 933 ( 3732 Kb) 0270 csrss.exe 855 ( 3420 Kb) 029c winlogon.exe 845 ( 3380 Kb) [...] To Be Discussed Later Complete Dump Analysis Exercise © 2011 Memory Dump Analysis Services
  • 20. Common Mistakes  Not switching to the appropriate context  Not looking at full stack traces  Not looking at all stack traces  Not using checklists  Not looking past the first found evidence  Not comparing to the reference debugger output Note: Listing both x86 and x64 stack traces http://www.dumpanalysis.org/blog/index.php/2010/02/09/complete-stack-traces-from-x64-system/ © 2011 Memory Dump Analysis Services
  • 21. Agenda (Exercise)  Run processes that model abnormal behavior  Generate a complete memory dump  Analyze the memory dump Note: Due to security concerns I’m not making a complete memory dump downloadable. You can generate your own complete memory dump after downloading and running model applications © 2011 Memory Dump Analysis Services
  • 22. Exercise: Run Processes These processes model specific patterns: ApplicationA , ApplicationB, ApplicationC, ApplicationD, ApplicationE For demonstration I run x64 versions plus x86 version of ApplicationA Note: Run applications in alphabetical order Can be downloaded from this location: www.DumpAnalysis.com/Training/FreeWebinars/CMDA-Examples.zip There are x86 and x64 versions © 2011 Memory Dump Analysis Services
  • 23. Exercise: Force A Dump The system is x64 Windows 7 Note: Wait at least 10 seconds after running model applications to have them properly initialize their dependencies © 2011 Memory Dump Analysis Services
  • 24. Exercise: Dump Analysis Now I switch to a WinDbg session... © 2011 Memory Dump Analysis Services
  • 25. Agenda (Guide)  Patterns related to complete memory dumps  Pattern cooperation case studies from complete memory dumps  Pattern Map © 2011 Memory Dump Analysis Services
  • 26. Pattern Examples Some patterns that are relevant to complete memory dumps: Incorrect Symbolic Information No System Dumps Semantic Split Message Box Paged Out Data Inconsistent Dump Wait Chain (thread objects) Wait Chain (critical sections) Wait Chain (LPC/ALPC) Wait Chain (process objects) Last Error Collection Special Process Suspended Thread Historical Information Coupled Processes (strong) Stack Trace Collection Truncated Dump Insufficient Memory (handle leak) Spiking Thread Main Thread Deadlock (critical sections) Suspended Thread Problem Vocabulary Pleiades Semantic Structures Dual Stack Trace Virtualized System © 2011 Memory Dump Analysis Services
  • 27. Case Studies 17 pattern interaction case studies using complete memory dumps: http://www.dumpanalysis.org/blog/index.php/category/complete-memory-dump-analysis/ © 2011 Memory Dump Analysis Services
  • 28. WinDbg Command Map Pattern <-> WinDbg command © 2011 Memory Dump Analysis Services
  • 29. Resources  WinDbg.org  DumpAnalysis.org  Memory Dump Analysis Anthology  Accelerated Windows Memory Dump Analysis Forthcoming, end of 2011 © 2011 Memory Dump Analysis Services
  • 30. Training  Accelerated Windows Memory Dump Analysis  Advanced Windows Memory Dump Analysis with Data Structures © 2011 Memory Dump Analysis Services 20% discount if taking both or buying both course books
  • 31. Q&A Please send your feedback using the contact form on DumpAnalysis.com © 2011 Memory Dump Analysis Services
  • 32. Thank you for attendance! © 2011 Memory Dump Analysis Services