Data Recovery with Memory Dump Analysis


Debugging Experts Magazine Online

My friend was typing a long message in IE to one of his old schoolmates whom he had just found on the Internet. He spent about an hour writing and rewriting, and when he finally hit the Send button he got a page saying that the connection was probably lost. Going back in the URL history brought up an empty edit box, and all the data was lost. Or was it? He called me and I immediately advised him to save a crash dump of iexplore.exe using Task Manager (Vista). I also asked him for the word he used to start his message. It was “Hello” in Russian. I got his dump file and opened it in WinDbg. Because the language of his message was Russian, I assumed that it was still there in local buffers or heap entries in UNICODE format, so I typed “ello” (the Russian equivalent) in Notepad and saved it as a Unicode text file. Loading it in a binary editor (I used Visual C++) showed the following sequence of bytes (UTF-16LE, two bytes per character):

40 04 38 04 32 04 35 04 42 04

Then I did a search in WinDbg for this sequence from the first loaded module address till the end of user space:

0:000> lm
start    end        module name
003c0000 0045b000   iexplore
[...]

0:000> s 003c0000 L?7FFFFFFF 40 04 38 04 32 04 35 04 42 04
[...]
048971e4 40 04 38 04 32 04 35 04-42 04 2c 00 20 00 1c 04  @.8.2.5.B.,. ...
[...]
08530fe4 40 04 38 04 32 04 35 04-42 04 2c 00 20 00 1c 04 @.8.2.5.B.,. ...
[...]
201ea65c 40 04 38 04 32 04 35 04-42 04 2c 00 20 00 1c 04 @.8.2.5.B.,. ...
[...]

The number of hits was large, so I decided to write the memory around every hit into its own file using the following script (the range -10 to +1000 bytes around each hit gives the 4112-byte files seen below):

.foreach ( address { s-[1]b 003c0000 L?7FFFFFFF 40 04 38 04 32 04 35 04 42 04 }) {.writemem c:\dmitry\ieout${address}.txt ${address}-10 ${address}+1000}

I got numerous files:

C:\dmitry>dir ieout*.txt
[...]
09/06/2008  08:53               4112 ieout0x048971e4.txt
09/06/2008  08:53               4112 ieout0x0489784c.txt
09/06/2008  08:53               4112 ieout0x0489b854.txt
09/06/2008  08:53               4112 ieout0x0489bc5c.txt
[...]

I combined all of them into one big file and sent it to my friend:

C:\dmitry>type ieout0x*.txt >ieoutall.txt

The file contained not only the final message but also all the intermediate typing history. He was very happy.
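The same search, reproduced as an added example in Python (not Dmitry's code): it derives the UTF-16LE byte pattern that WinDbg's s command needs from the Russian word, then scans a constructed stand-in dump for every hit and decodes the -0x10/+0x1000 window around each one, which is the step strings.exe got wrong on non-Latin text. The dump bytes, function names and the explicit -b flag are assumptions for illustration.

```python
import re

def utf16le_pattern(text):
    """Encode TEXT as little-endian UTF-16 (the in-memory layout of Windows
    wide strings) and return (raw_bytes, hex_for_windbg)."""
    raw = text.encode("utf-16-le")
    return raw, " ".join(f"{b:02x}" for b in raw)

def windbg_search_command(text, start="003c0000", length="L?7FFFFFFF"):
    """Build the byte-pattern search line; -b is WinDbg's default mode, spelled out here."""
    return f"s -b {start} {length} {utf16le_pattern(text)[1]}"

def message_around(text, needle):
    """Return the run of printable characters in TEXT containing NEEDLE, i.e.
    the recovered string fragment, cut at NULs and undecodable bytes."""
    i = text.find(needle)
    if i < 0:
        return ""
    lo, hi = i, i + len(needle)
    while lo > 0 and text[lo - 1].isprintable():
        lo -= 1
    while hi < len(text) and text[hi].isprintable():
        hi += 1
    return text[lo:hi]

def carve_hits(dump, needle, before=0x10, after=0x1000):
    """Find every UTF-16LE occurrence of NEEDLE (str) in DUMP (bytes) and return
    (offset, recovered_text) pairs. The window is the same -0x10/+0x1000 range as
    the .writemem loop, but decoded so the Cyrillic text is readable."""
    raw = needle.encode("utf-16-le")
    hits = []
    for m in re.finditer(re.escape(raw), dump):
        start = max(0, m.start() - before)
        start += (m.start() - start) % 2      # keep 2-byte alignment with the hit
        window = dump[start:m.start() + after]
        text = window.decode("utf-16-le", errors="replace")
        hits.append((m.start(), message_around(text, needle)))
    return hits

# Constructed stand-in for a process dump: an abandoned draft, an ASCII decoy that
# an -a (ASCII) search would match but the UTF-16 pattern ignores, binary noise,
# then the final message. Not real iexplore.exe memory.
SAMPLE_DUMP = (
    b"\x00" * 32
    + "Привет, Иван".encode("utf-16-le") + b"\x00\x00"
    + b"Hello, world"
    + b"\x7f\x00\x01\x00" * 32
    + "Привет, Иван! Как дела?".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 64
)

if __name__ == "__main__":
    print(windbg_search_command("ривет"))
    for offset, text in carve_hits(SAMPLE_DUMP, "ривет"):
        print(f"{offset:08x}: {text}")
```

Pointing carve_hits at a real dump read with open(path, "rb").read() lists every draft of the message in one pass instead of one file per hit.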

- Dmitry Vostokov @ DumpAnalysis.org -

4 Responses to “Data Recovery with Memory Dump Analysis”

  1. Soren Dreijer Says:

    Great read. This is an innovative and unique way to put the debugger to good use.

  2. Dmitry Vostokov Says:

    Thanks! This was indeed my first use of WinDbg in data recovery. I tried strings.exe from sysinternals on a dump file but it didn’t pull out correct Unicode data. Perhaps that tool works well only with English Unicode.

  3. ABeginner Says:

    Why did you not use
    {s -u 003c0000 L?7FFFFFFF "ello" }
    ?

  4. Dmitry Vostokov Says:

    Because it was not “ello” but its Russian equivalent. It uses a different charset. For example, du on addresses containing Russian Unicode strings doesn’t show Russian characters in the command output window.
