Crash Dump Analysis Patterns (Part 94b)
Tuesday, May 2nd, 2017

Many OS structures have interesting fields, and it is good to maintain a list of the most useful ones to check in cases of abnormal software behavior. This Value Deviation analysis pattern variant is about structure fields that have values not usually seen in normal cases. For example, we may sometimes encounter Missing Threads in an ALPC Wait Chain endpoint process; for instance, the Main Thread may be missing. The remaining threads may look normal, waiting for synchronization objects. However, inspection of the _EPROCESS ProcessDelete field shows it is 0y1. This points to the possibility that one of the threads experienced an exception, was terminated, and triggered process termination, which was then blocked by the remaining threads. In such a case we may suggest enabling WER to catch such an exception and save a process crash dump (for example, via the LocalDumps registry key). Such processes are not easy to catch as Zombie Processes since their number of active threads is non-zero and they still have private memory.
In some cases we may even proactively check structure fields for specific values. For example, we can use one of the techniques from the Advanced Windows Memory Dump Analysis training to navigate the active process list and print each process image file name together with its ProcessDelete field:
0: kd> dt nt!_EPROCESS ActiveProcessLinks
+0x2f0 ActiveProcessLinks : _LIST_ENTRY
0: kd> !list -t nt!_LIST_ENTRY.Flink -x "? @$extret-2f0; dt nt!_EPROCESS ImageFileName @$extret-2f0; dt nt!_EPROCESS ProcessDelete @$extret-2f0" poi(nt!PsActiveProcessHead)
Evaluate expression: -92874785243072 = ffffab87`e76ac040
+0x450 ImageFileName : [15] "System"
+0x304 ProcessDelete : 0y0
Evaluate expression: -92874719545280 = ffffab87`eb553840
+0x450 ImageFileName : [15] "smss.exe"
+0x304 ProcessDelete : 0y0
Evaluate expression: -92874717837248 = ffffab87`eb6f4840
+0x450 ImageFileName : [15] "csrss.exe"
+0x304 ProcessDelete : 0y0
[...]
Evaluate expression: -92874709187456 = ffffab87`ebf34480
+0x450 ImageFileName : [15] "ServiceA.exe"
+0x304 ProcessDelete : 0y1
[...]
0: kd> !process ffffab87ebf34480 3f
[...]
THREAD ffffab8815527080 [...]
THREAD ffffab87eb41e040 [...]
THREAD ffffab881bf3c800 [...]
[...]
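When the list is long it is convenient to let a script pick out the deviating entries. The following Python is an added example, not code from the original post or from the training: it parses output in the shape of the !list command above (the sample is constructed to mirror that transcript) and returns the processes whose ProcessDelete bit is set, so that only those need a follow-up !process inspection.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the "!list ... dt nt!_EPROCESS" output
# above; addresses and image names are illustrative, not from a live system.
SAMPLE_OUTPUT = """\
Evaluate expression: -92874785243072 = ffffab87`e76ac040
+0x450 ImageFileName : [15] "System"
+0x304 ProcessDelete : 0y0
Evaluate expression: -92874719545280 = ffffab87`eb553840
+0x450 ImageFileName : [15] "smss.exe"
+0x304 ProcessDelete : 0y0
[...]
Evaluate expression: -92874709187456 = ffffab87`ebf34480
+0x450 ImageFileName : [15] "ServiceA.exe"
+0x304 ProcessDelete : 0y1
"""

ADDR_RE = re.compile(r"^Evaluate expression: -?\d+ = ([0-9a-f`]+)$")
NAME_RE = re.compile(r'^\+0x[0-9a-f]+ ImageFileName\s*:\s*\[\d+\]\s*"([^"]*)"')
FLAG_RE = re.compile(r"^\+0x[0-9a-f]+ ProcessDelete\s*:\s*0y([01])$")

@dataclass
class ProcessRecord:
    address: int          # _EPROCESS address (the "? @$extret-2f0" result)
    image_name: str       # ImageFileName
    process_delete: bool  # ProcessDelete bitfield, True when 0y1

def parse_process_list(text):
    """Group each address / ImageFileName / ProcessDelete triple into a
    ProcessRecord; '[...]' elisions and unrelated lines are skipped."""
    records, addr, name = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):
            addr = int(m.group(1).replace("`", ""), 16)
        elif m := NAME_RE.match(line):
            name = m.group(1)
        elif (m := FLAG_RE.match(line)) and addr is not None and name is not None:
            records.append(ProcessRecord(addr, name, m.group(1) == "1"))
            addr = name = None  # start the next triple cleanly
    return records

def deviating_processes(records):
    """Value Deviation check: processes still on the active list that
    already have ProcessDelete set, i.e. termination is in progress but blocked."""
    return [r for r in records if r.process_delete]

if __name__ == "__main__":
    for r in deviating_processes(parse_process_list(SAMPLE_OUTPUT)):
        print(f"!process {r.address:x} 3f   # {r.image_name} has ProcessDelete=0y1")
```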
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -