Archive for August 26th, 2007

Book: Windows® Crash Dump Analysis

Sunday, August 26th, 2007

After blogging for more than a year, accumulating an initial amount of material and being persuaded by my colleagues at Citrix, I finally decided to embrace a new challenge and write a book with a simple working title: Windows® Crash Dump Analysis.

The reader will master crash and hang memory dump analysis for process, kernel and complete memory dumps. The book will provide answers to many questions including those in the following list:

Memory Dump Analysis Interview Questions

and will also include guidelines for implementing the SMART (Smart Memory Analysis in Real Time) process in a technical support or software maintenance environment.

As this is my first book I’m going to write the draft version online. More details and the link to Table of Contents will be announced in September/October.

I’ll continue blogging about crash dump analysis at the same time.

- Dmitry Vostokov @ DumpAnalysis.org -

Moving to kernel space (updated references)

Sunday, August 26th, 2007

If you are developing and debugging user space applications (and/or doing crash dump analysis in user space) and you want to understand Windows kernel dumps and device drivers better (and probably start writing your own kernel tools), here is the reading list I have found the most effective over the last 4 years:

0. Read and re-read the Windows Internals book in parallel while reading all the other books. I read all editions by the way. It will show you the big picture and some useful WinDbg commands and techniques, but you need to read the device driver books to fill the gaps and be confident in kernel space.

1. Start with “The Windows 2000 Device Driver Book: A Guide for Programmers (2nd Edition)”. This short book will show you the basics, and you can start writing your drivers and kernel tools immediately.

2. Next read the “Windows NT Device Driver Development” book to consolidate your knowledge. This book has been reprinted by OSR.

3. Don’t stop here. Read “Developing Windows NT Device Drivers: A Programmer’s Handbook”. This is a very good book explaining everything in great detail with good pictures. You will finally understand the various buffering methods.

4. Continue with WDM drivers and a more modern presentation: “Programming the Microsoft Windows Driver Model, Second Edition”. A must read even if your drivers are not WDM.

5. Finally read the “Developing Drivers with the Windows Driver Foundation” book, as this is the future, and it also covers ETW (Event Tracing for Windows), WinDbg extensions, PREfast and Static Driver Verifier.

Additional reading (not including the DDK Help, which you will use anyway) can be done in parallel after finishing the “Windows NT Device Driver Development” book:

1. OSR NT Insider articles. I have their full printed collection, 1996-2006:

http://www.osronline.com/

2. “Windows NT File System Internals”, reprinted by OSR.

3. The “Rootkits: Subverting the Windows Kernel” book will show you the Windows kernel from a hacker’s perspective. In addition you will find an overview of kernel areas not covered in other books.

Of course, you must know the C language and its idioms really well. Really know it down to the assembly language level! I’ll publish another reading list soon. Stay tuned.

- Dmitry Vostokov @ DumpAnalysis.org -

Memory Dump Analysis Interview Questions

Sunday, August 26th, 2007

The following interview questions might be useful to assess the skill level in crash dump analysis on Windows platforms. These could be useful for debugging interviews as well.

  1. What is FPO?

  2. How many exceptions can be found in a crash dump?

  3. You see the message from WinDbg:
    WARNING: Stack unwind information not available. Following frames may be wrong.
    What would you do?

  4. How would you find spinlock implementation if you have a kernel dump?

  5. What is OMAP?

  6. What is full page heap?

  7. Company name is missing from module information. How would you try to find it?

  8. What is IDT?

  9. How does a postmortem debugger work?

  10. You’ve got a mini dump of your application. How would you disassemble the code?

  11. Memory consumption is growing for an application. How would you discover the leaking component?

  12. What is IRQL?

  13. When do you use TEB?

  14. You’ve got 200 process dumps from a server. You need to find a deadlock. How would you do it?

  15. You’ve got a complete memory dump from a server. You need to find a deadlock. How would you do it?

  16. What is GC heap?

  17. Your customer is reluctant to send a dump due to security policies. What is your next step?

  18. What is a first chance exception?
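
One practical way to start on question 14 (and, through the symbol path, on the warning in question 3). This is an added example and not code from the original post: a PowerShell script that drives cdb.exe over a directory of process dumps and flags the dumps worth opening by hand. The dump directory, debugger location and symbol cache paths are assumptions; the cdb switches used (-z, -y, -c, -logo) and the !locks and ~*kv commands are the standard ones. The deadlock test is a heuristic, not a proof: a thread that owns a locked critical section and is itself blocked in the critical-section wait path is a candidate, and still has to be confirmed in WinDbg with !cs or by reading the stacks.

```powershell
# Added example (not from the original post): batch-triage a directory of
# user-mode process dumps for critical-section deadlock candidates with cdb.exe.
# Assumptions (hypothetical paths): dumps are in $DumpDir, cdb.exe is at $Cdb,
# and symbols are cached in $SymCache from the public Microsoft symbol server.
param(
    [string]$DumpDir  = 'C:\dumps',
    [string]$Cdb      = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe',
    [string]$SymCache = 'C:\symbols'
)

# A correct symbol path is what makes the stacks trustworthy; without it you get
# "WARNING: Stack unwind information not available. Following frames may be wrong."
$symPath = "srv*$SymCache*https://msdl.microsoft.com/download/symbols"

# Commands executed non-interactively in every dump:
#   !locks  - locked critical sections; each block ends with "*** Locked" and names OwningThread
#   ~*kv    - stacks (with args) of all threads, so waiters can be matched to owners
#   q       - quit so the batch moves on to the next dump
$commands = '!locks; ~*kv; q'

$findings = foreach ($dump in Get-ChildItem -Path $DumpDir -Filter '*.dmp' -File) {
    $log = Join-Path $DumpDir ($dump.BaseName + '.log')
    & $Cdb -z $dump.FullName -y $symPath -logo $log -c $commands | Out-Null
    if (-not (Test-Path $log)) { continue }   # cdb failed to load the dump; skip it

    $text = Get-Content -Path $log -Raw

    # Owners: thread id from each "OwningThread" line that belongs to a "*** Locked" block.
    # Hex is converted to a number because !locks and the thread header may zero-pad differently.
    $owners = [regex]::Matches($text, 'OwningThread\s+([0-9a-fA-F]+)[\s\S]*?\*\*\* Locked') |
              ForEach-Object { [Convert]::ToInt64($_.Groups[1].Value, 16) }

    # Thread headers in ~*kv output look like ".  0  Id: 1a2c.1b30 Suspend: 1 Teb: ..."
    # The capture is the OS thread id (the part after the dot).
    $headers = [regex]::Matches($text, '(?m)^[.#\s]*\d+\s+Id:\s*[0-9a-fA-F]+\.([0-9a-fA-F]+)')

    # Waiters: threads whose stack section contains the critical-section wait path.
    $waiters = for ($i = 0; $i -lt $headers.Count; $i++) {
        $start  = $headers[$i].Index
        $end    = if ($i + 1 -lt $headers.Count) { $headers[$i + 1].Index } else { $text.Length }
        $frames = $text.Substring($start, $end - $start)
        if ($frames -match 'WaitForCriticalSection') {
            [Convert]::ToInt64($headers[$i].Groups[1].Value, 16)
        }
    }

    # Heuristic: an owner that is also waiting is the classic lock-order deadlock shape.
    $suspects = @($owners | Where-Object { $waiters -contains $_ } | ForEach-Object { '{0:x}' -f $_ })

    [pscustomobject]@{
        Dump             = $dump.Name
        LockedCritSecs   = @($owners).Count
        WaitingThreads   = @($waiters).Count
        OwnerAlsoWaiting = ($suspects -join ',')
    }
}

# Dumps with a non-empty OwnerAlsoWaiting column are the ones to open in WinDbg first.
$findings | Sort-Object OwnerAlsoWaiting -Descending | Format-Table -AutoSize
```

Run it as `.\Find-CritSecWaiters.ps1 -DumpDir D:\incident\dumps` (script name is an assumption). Each dump also leaves a .log next to it, so a second pass with `!cs -l -o` or a manual read of the flagged threads does not need cdb again. The same idea carries over to question 15, a complete memory dump, but there the relevant output is the kernel-mode !locks (ERESOURCEs) and `!process 0 7` thread stacks, which this script does not parse.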

I’ve created a permanent page and will add more questions there in the future:

Memory Dump Analysis Interview Questions

- Dmitry Vostokov @ DumpAnalysis.org -

Memory Dump Analysis Jobs

Sunday, August 26th, 2007

The Jobs section was created on the Crash Dump Analysis Portal to assist companies in finding engineers skilled in crash/core dump analysis. Please read the guidelines at:

http://www.dumpanalysis.org/index.php?q=jobs

- Dmitry Vostokov @ DumpAnalysis.org -