Archive for August, 2012

Crash Dump Analysis Patterns (Part 152c)

Friday, August 31st, 2012

This is a variant of the Handled Exception pattern in kernel space (similar to its user and managed space variants). The crash dump is the same as in the Hidden Exception in kernel space pattern:

fffff880`0a83d910  00000000`00000000
fffff880`0a83d918  fffff6fc`40054fd8
fffff880`0a83d920  fffff880`0a83dca0
fffff880`0a83d928  fffff800`016bcc1c nt!_C_specific_handler+0xcc
fffff880`0a83d930  00000000`00000000
fffff880`0a83d938  00000000`00000000
fffff880`0a83d940  00000000`00000000
fffff880`0a83d948  00000000`00000000
fffff880`0a83d950  fffff800`0189ee38 nt!BBTBuffer <PERF> (nt+0x280e38)
fffff880`0a83d958  fffff880`0a83e940
fffff880`0a83d960  fffff800`016ad767 nt!IopCompleteRequest+0x147
fffff880`0a83d968  fffff880`0a83de40
fffff880`0a83d970  fffff800`01665e40 nt!_GSHandlerCheck_SEH
fffff880`0a83d978  fffff800`017e5338 nt!_imp_NtOpenSymbolicLinkObject+0xfe30
fffff880`0a83d980  fffff880`0a83e310
fffff880`0a83d988  00000000`00000000
fffff880`0a83d990  00000000`00000000
fffff880`0a83d998  fffff800`016b42dd nt!RtlpExecuteHandlerForException+0xd
fffff880`0a83d9a0  fffff800`017d7d0c nt!_imp_NtOpenSymbolicLinkObject+0x2804
fffff880`0a83d9a8  fffff880`0a83eab0
fffff880`0a83d9b0  00000000`00000000

0: kd> ub fffff800`016b42dd
fffff800`016b42c4 cc              int     3
fffff800`016b42c5 cc              int     3
fffff800`016b42c6 cc              int     3
fffff800`016b42c7 cc              int     3
fffff800`016b42c8 0f1f840000000000 nop     dword ptr [rax+rax]
fffff800`016b42d0 4883ec28        sub     rsp,28h
fffff800`016b42d4 4c894c2420      mov     qword ptr [rsp+20h],r9
fffff800`016b42d9 41ff5130        call    qword ptr [r9+30h]

- Dmitry Vostokov

Crash Dump Analysis Patterns (Part 8b)

Thursday, August 30th, 2012

This is an example of the Hidden Exception pattern in kernel space:

0: kd> !thread
THREAD fffffa800d4bf9c0  Cid 0e88.56e0  Teb: 000007fffffd8000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 fffff8a001e91950
Owning Process            fffffa800b33cb30       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      13154529       Ticks: 0
Context Switch Count      1426
UserTime                  00:00:00.015
KernelTime                00:00:00.124
Win32 Start Address 0x0000000077728d20
Stack Init fffff8800a83fdb0 Current fffff8800a83eb90
Base fffff8800a840000 Limit fffff8800a83a000 Call 0
Priority 10 BasePriority 10 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5

0: kd> dps fffff8800a83a000 fffff8800a840000
fffff880`0a83e180  fffff880`0a83ea10
fffff880`0a83e188  fffff880`0a83e6d0
fffff880`0a83e190  fffff880`0a83e968
fffff880`0a83e198  fffff800`016c88cf nt!KiDispatchException+0x16f
fffff880`0a83e1a0  fffff880`0a83e968
fffff880`0a83e1a8  fffff880`0a83e1d0
fffff880`0a83e1b0  fffff880`00000000
fffff880`0a83e1b8  00000000`00000000
fffff880`0a83e1c0  00000000`00000000
fffff880`0a83e1c8  00000000`00000000

0: kd> .cxr fffff880`0a83e1d0
rax=0000000000000009 rbx=fffffa800d4c1de0 rcx=0000000000000000
rdx=fffff8800a83ece0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800016ad74f rsp=fffff8800a83eba0 rbp=00000000a000000c
r8=fffff8800a83ecd8  r9=fffff8800a83ecc0 r10=0000000000000000
r11=fffff8800a83ed58 r12=0000000000000000 r13=0000000000000000
r14=fffffa800d4bf9c0 r15=fffffa800d4c1ea0
iopl=0  nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b  efl=00010246
fffff800`016ad74f 48894108 mov qword ptr [rcx+8],rax ds:002b:00000000`00000008=????????????????
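As an added example (not code from either post), the following Python scans dps output for the return addresses that both pattern posts look for on the raw stack (nt!KiDispatchException here, nt!RtlpExecuteHandlerForException and nt!_C_specific_handler in Part 152c) and, for each hit, lists the nearby slots that point back into the thread's own stack, which is where a CONTEXT record like the one passed to .cxr above is likely to live. The sample lines and the Base/Limit range are copied from the dumps above; the symbol list, the four-slot window and the "look above the return address" heuristic are assumptions.

```python
import re
from collections import namedtuple

# Thread stack range from the !thread output above (Limit is the low end, Base the high end).
STACK_LIMIT, STACK_BASE = 0xfffff8800a83a000, 0xfffff8800a840000

# Constructed sample: the dps lines quoted above, in WinDbg's address / value / symbol layout.
DPS_SAMPLE = """\
fffff880`0a83e180  fffff880`0a83ea10
fffff880`0a83e188  fffff880`0a83e6d0
fffff880`0a83e190  fffff880`0a83e968
fffff880`0a83e198  fffff800`016c88cf nt!KiDispatchException+0x16f
fffff880`0a83e1a0  fffff880`0a83e968
fffff880`0a83e1a8  fffff880`0a83e1d0
fffff880`0a83e1b0  fffff880`00000000
fffff880`0a83e1b8  00000000`00000000
"""

# Routines whose return addresses mark exception dispatch in these posts (starter list, an assumption).
DISPATCH_SYMBOLS = {"nt!KiDispatchException", "nt!RtlpExecuteHandlerForException",
                    "nt!_C_specific_handler", "nt!_GSHandlerCheck_SEH"}

# address  value  [module!symbol[+0xoffset] ...]; trailing text like "<PERF> (nt+0x...)" is ignored.
DPS_LINE = re.compile(r"^([0-9a-f`]{17})\s+([0-9a-f`]{17})(?:\s+([^\s+]+)(\+0x[0-9a-f]+)?)?")

# symbol is None for a plain value; offset is the +0x... part of the symbol, 0 when absent
Slot = namedtuple("Slot", "address value symbol offset")

def parse_dps(text):
    slots = []
    for line in text.splitlines():
        m = DPS_LINE.match(line.strip())
        if m:  # prompts ("0: kd> ...") and blank lines do not match and are skipped
            addr, val = (int(g.replace("`", ""), 16) for g in m.group(1, 2))
            off = int(m.group(4)[3:], 16) if m.group(4) else 0
            slots.append(Slot(addr, val, m.group(3), off))
    return slots

def find_dispatch_frames(slots):
    """Slots holding a return address inside a known dispatch/handler routine."""
    return [s for s in slots if s.symbol in DISPATCH_SYMBOLS]

def candidate_records(slots, frame, window=4):
    """Heuristic: the slots just above a dispatcher's return address belong to the
    dispatcher's own frame, so pointers there that land inside the thread stack are
    the places to try with .exr / .cxr, as the post does with fffff880`0a83e1d0."""
    idx = slots.index(frame)
    return [s.value for s in slots[idx + 1:idx + 1 + window]
            if STACK_LIMIT <= s.value < STACK_BASE]
```

Run on the sample it reports one dispatcher frame at fffff880`0a83e198 with two candidate records, fffff880`0a83e968 and fffff880`0a83e1d0; the second is the context record the post recovers.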

- Dmitry Vostokov

Computer Evolution

Thursday, August 30th, 2012

Cube -> Surface -> Point

- Dmitry Vostokov

M Spaces

Thursday, August 30th, 2012

This is a collage image based on the colors and layout of Software Diagnostics Services training course logos such as Accelerated and Advanced Windows Memory Dump Analysis, plus 8, 16, 32, and 64 pt Consolas font sizes symbolizing different memory pointer sizes. The colors symbolize kernel, user, managed and physical memory spaces.

- Dmitry Vostokov

An Introduction to General Systems Thinking

Tuesday, August 28th, 2012

This book I bought more than 5 years ago after I recognized that a systems approach was needed for memory dump analysis. However, I read it only recently while preparing a talk on systemic software diagnostics. While reading, I realized that I had already applied some systems theory ideas, for example, about isomorphism of disciplines as systems (which I named metaphorical bijection): from literary narratology to software narratology and from that to network trace analysis. So if you are interested in systems, either computer software ones or human organizational ones, then I would greatly recommend this book as an introduction. The recommended literature in the exercises is also useful.

An Introduction to General Systems Thinking (Silver Anniversary Edition)

- Dmitry Vostokov

Marx Mode D’Emploi

Friday, August 24th, 2012

Bought this book in Russian translation and quickly read it from cover to cover. A very lively introduction without any utopian suggestions to change the world, unlike another introduction I read previously: Marx and the Alternative to Capitalism. A few funny cartoons, like an employee who fires himself to save his company. Recommended to read before the more cryptic The Philosophy of Marx by Étienne Balibar.

Marx (mode d’emploi)

- Dmitry Vostokov

Software Diagnostics Institute Logo

Thursday, August 23rd, 2012

The Software Diagnostics Institute main page now features a brand new medical-style logo with UML 2 components and interface sinks.

- Dmitry Vostokov

Killing Time

Thursday, August 23rd, 2012

A lively autobiography of Paul Feyerabend that shows the human side on every page and prompts the reader to think about life and love after turning the last page, in contrast to the much more formal autobiography of Saunders Mac Lane I read previously.

Killing Time: The Autobiography of Paul Feyerabend

- Dmitry Vostokov