Archive for December 24th, 2010

Trace Analysis Patterns (Part 35)

Friday, December 24th, 2010

News Value is a pattern that assigns relative importance to software traces for problem solving purposes especially when related to problem description, recent incidents and timestamps of other supporting artifacts (memory dumps, other traces, etc.). For example, in one scenario, an ETW trace was provided with 3 additional log files:

# Source PID  TID  Date       Time         Message 
0 Header 1260 1728 12/14/2010 06:48:56.289 ?????  
[…] 
215301 Unknown 640 808 12/14/2010 07:22:57.508 ?????  Unknown( 16): GUID=[…] (No Format Information found).
 

// LogA
05/11/10 18:28:15.1562 : Service() - entry
[...]
14/12/10 10:31:58.0381 : Notification: sleep
* Start of new log *
14/12/10 10:34:38.4687 : Service() - entry
[…]
14/12/10 11:53:35.2729 : Service.CleanUp complete
* Start of new log *
14/12/10 11:56:11.7031 : Service() - entry
[…]
14/12/10 15:25:23.3004 : Notification: sleep

// LogB
[   1] 12/14 10:34:29:890   Entry: ctor
[…]
[   2] 12/14 11:53:30:866   Exit: COMServer.Server.DeleteObject

// LogC
[   1] 12/14 11:56:03:359   Entry: ctor
[…]
[  20] 12/14 15:30:20:110   Exit: Kernel32.Buffer.Release

From the description of the problem we expected LogB and LogC to be logs from two subsequent process executions where the first launch fails (LogB) and the second launch succeeds (LogC). Looking at their start and end times we see that they make sense from the problem description perspective but we have to dismiss ETW trace and most of LogA as recorded earlier and having no value for Inter-Correlation analysis of the more recent logs. We also see that portions of LogA overlap with LogB and LogC and therefore having analysis value for us.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Software Victimology (Part 2)

Friday, December 24th, 2010

Borrowing routine activity theory (RAT) from criminology I would like to introduce the similar approach to abnormal software behavior with patterning activities that adds additional unmotivated offenders to combine malware (software rats) with unintentional ordinary common bugware:

The application of RAT to software can be metaphorically named as Function Activity Theory (FAT).

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 124)

Friday, December 24th, 2010

The following pattern is useful for inconsistent dumps or incomplete supporting information: Environment Hint. It is mostly environment variable information for troubleshooting suggestions such as product elimination for testing purposes and / or necessary upgrade, for example:

0: kd> !peb
PEB at 7ffd7000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: Yes
    BeingDebugged:            No
    ImageBaseAddress:         01000000
    Ldr                       7c8897e0
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00081f18 . 000f9e88
    Ldr.InLoadOrderModuleList:           00081eb0 . 000f9e78
    Ldr.InMemoryOrderModuleList:         00081eb8 . 000f9e80
            Base TimeStamp                     Module
         1000000 45d6a03c Feb 17 06:27:08 2007 C:\WINNT\system32\svchost.exe
        7c800000 49900d60 Feb 09 11:02:56 2009 C:\WINNT\system32\ntdll.dll
[...]
    SubSystemData:     00000000
    ProcessHeap:       00080000
    ProcessParameters: 00020000
    WindowTitle:  'C:\WINNT\system32\svchost.exe'
    ImageFile:    'C:\WINNT\system32\svchost.exe'
    CommandLine:  'C:\WINNT\system32\svchost.exe -k rpcss'
    DllPath:      [...]
    Environment:  00010000
        ALLUSERSPROFILE=C:\Documents and Settings\All Users
[...]
        PROTECTIONDIR=C:\Documents and Settings\All Users\Application Data\3rdPartyAntivirus\Protection
[…] 
       Path= […]

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -