Crash Dump Analysis Patterns (Part 279)

Tuesday, November 23rd, 2021

Sometimes we are interested in the values of one field across many objects of the same type, for example, processes or threads. We call this analysis pattern Structure Field Collection. For example, we may be interested in all thread names or in each thread's number of context switches. Here’s an example script that prints the name of every thread whose ThreadName field is non-null, together with its _ETHREAD structure address for further exploration:

0: kd> !for_each_thread "r $t0 = @@C++(((nt!_ETHREAD *) @#Thread )->ThreadName); .if (@$t0 != 0) { .echo _ETHREAD: @#Thread; !ustr @$t0 }"
_ETHREAD: 0xffffad03ba43b080
String(46,46) at ffffad03b9a77790: Win32k Raw Input Thread
_ETHREAD: 0xffffad03ba468080
String(58,58) at ffffad03b6943e80: Win32k Desktop Thread (IO_DT)
_ETHREAD: 0xffffad03ba57d580
String(62,62) at ffffad03ba5aebc0: Win32k Desktop Thread (NOIO_DT)
_ETHREAD: 0xffffad03ba49b080
String(46,46) at ffffad03b9a792c0: Win32k Raw Input Thread
_ETHREAD: 0xffffad03ba49c080
String(58,58) at ffffad03b6945080: Win32k Desktop Thread (IO_DT)
_ETHREAD: 0xffffad03bcb44080
String(62,62) at ffffad03bcb89740: Win32k Desktop Thread (NOIO_DT)
_ETHREAD: 0xffffad03bad74080
String(38,38) at ffffad03bacf5a90: DWM LPC Port Thread
_ETHREAD: 0xffffad03bad70080
String(42,42) at ffffad03bacf6490: DWM Compositor Thread
_ETHREAD: 0xffffad03badbf080
String(32,32) at ffffad03ba5c7910: DWM Token Thread
_ETHREAD: 0xffffad03badbe080
String(46,46) at ffffad03bacf7340: DWM Master Input Thread
_ETHREAD: 0xffffad03badbd080
String(46,46) at ffffad03bacf7660: DWM Manipulation Thread
_ETHREAD: 0xffffad03bae71080
String(34,34) at ffffad03bacf82e0: uDWM Event Thread
_ETHREAD: 0xffffad03baf49080
String(32,32) at ffffad03ba5c8e10: OS Events thread
_ETHREAD: 0xffffad03baf98080
String(30,30) at ffffad03bafb4ed0: EventLog-System
_ETHREAD: 0xffffad03baf33080
String(40,40) at ffffad03baef7490: EventLog-Application
_ETHREAD: 0xffffad03bb00b080
String(34,34) at ffffad03baef74e0: EventLog-Security
_ETHREAD: 0xffffad03bbeee080
String(100,100) at ffffad03bc1ccaa0: MicrosoftWindows.Client.CBS_cw5n1h2txyewy!InputApp
_ETHREAD: 0xffffad03bc590080
String(30,30) at ffffad03bc75cd10: UnknownAppFrame
_ETHREAD: 0xffffad03bc539080
String(30,30) at ffffad03bc75f850: UnknownAppFrame
_ETHREAD: 0xffffad03bc20e300
String(44,44) at ffffad03bc0e44f0: DManip Delegate Thread
_ETHREAD: 0xffffad03bc208080
String(44,44) at ffffad03bc0e4770: DManip Delegate Thread
_ETHREAD: 0xffffad03bc457080
String(30,30) at ffffad03bc365cd0: WebView UI ASTA
_ETHREAD: 0xffffad03bc44a080
String(52,52) at ffffad03bc25be60: Chakra Background Recycler
_ETHREAD: 0xffffad03bc448080
String(52,52) at ffffad03bc25e620: Chakra Background Recycler
_ETHREAD: 0xffffad03bc4d1080
String(58,58) at ffffad03bc25de40: EdgeHtml Independent Hit Test
_ETHREAD: 0xffffad03bc4ce080
String(28,28) at ffffad03bc3671d0: EdgeHtml Timer
_ETHREAD: 0xffffad03bc4c1080
String(42,42) at ffffad03bc0e9950: EdgeHtml Download STA
_ETHREAD: 0xffffad03bc4c0080
String(58,58) at ffffad03bc25f8e0: Chakra Parallel Worker Thread
_ETHREAD: 0xffffad03bc4be080
String(40,40) at ffffad03bc0eae90: EdgeHtml Storage STA
_ETHREAD: 0xffffad03bc4bc080
String(34,34) at ffffad03bc93fbc0: Fetch Idle Worker
_ETHREAD: 0xffffad03bc46d080
String(30,30) at ffffad03bc36a1d0: EdgeHtml Render
_ETHREAD: 0xffffad03bc544080
String(26,26) at ffffad03bc0676d0: MTA Implicit
_ETHREAD: 0xffffad03bc68c040
String(26,26) at ffffad03bc363510: MTA Implicit
_ETHREAD: 0xffffad03bca08040
String(26,26) at ffffad03bc363550: MTA Implicit
_ETHREAD: 0xffffad03bca07080
String(50,50) at ffffad03bac853c0: EdgeHtml IDB MTA Implicit
_ETHREAD: 0xffffad03bca06080
String(26,26) at ffffad03bc363250: MTA Implicit
_ETHREAD: 0xffffad03bca04080
String(50,50) at ffffad03bb0fc170: EdgeHtml IDB MTA Implicit
_ETHREAD: 0xffffad03bc58e080
String(84,84) at ffffad03bbe4af10: WebPlatStorage Events Channel MTA Implicit
_ETHREAD: 0xffffad03bbcd5080
String(36,36) at ffffad03bc9445d0: EdgeHtml Image STA
_ETHREAD: 0xffffad03bc5df080
String(52,52) at ffffad03bc25a600: Chakra Background Recycler
_ETHREAD: 0xffffad03bc5de080
String(52,52) at ffffad03bc260060: Chakra Background Recycler
_ETHREAD: 0xffffad03bc68a080
String(44,44) at ffffad03bc0f3f40: DManip Delegate Thread
_ETHREAD: 0xffffad03bc5d8080
String(58,58) at ffffad03bc264f80: EdgeHtml Independent Hit Test
_ETHREAD: 0xffffad03bc5d7080
String(28,28) at ffffad03bc754510: EdgeHtml Timer
_ETHREAD: 0xffffad03bc0880c0
String(58,58) at ffffad03bc269a20: Chakra Parallel Worker Thread
_ETHREAD: 0xffffad03bc9e6080
String(12,12) at ffffad03bc51bd40: main()
_ETHREAD: 0xffffad03bc591080
String(20,20) at ffffad03bc75d010: InputPanel
_ETHREAD: 0xffffad03bc58c080
String(44,44) at ffffad03bc93e4a0: DManip Delegate Thread
_ETHREAD: 0xffffad03bc50e080
String(44,44) at ffffad03bc93f4e0: DManip Delegate Thread
_ETHREAD: 0xffffad03bc495040
String(26,26) at ffffad03bc3611d0: MTA Implicit
_ETHREAD: 0xffffad03bc494040
String(26,26) at ffffad03bc361a50: MTA Implicit
_ETHREAD: 0xffffad03bc490080
String(26,26) at ffffad03bc760bd0: MTA Implicit
_ETHREAD: 0xffffad03bc48f080
String(88,88) at ffffad03bbbe6890: RPC StorageEvents_WaitForEvents MTA Implicit
_ETHREAD: 0xffffad03bc2a5040
String(26,26) at ffffad03bc3631d0: MTA Implicit
_ETHREAD: 0xffffad03bc1c3040
String(26,26) at ffffad03bc361810: MTA Implicit
_ETHREAD: 0xffffad03bbced0c0
String(26,26) at ffffad03bc361350: MTA Implicit
_ETHREAD: 0xffffad03bca72080
String(52,52) at ffffad03bbdf06b0: Chakra Background Recycler
_ETHREAD: 0xffffad03bca71080
String(58,58) at ffffad03bbdf34d0: Chakra Parallel Worker Thread
_ETHREAD: 0xffffad03bc509080
String(26,26) at ffffad03bc369890: CrBrowserMain
_ETHREAD: 0xffffad03bcb45080
String(34,34) at ffffad03bc94e940: LoaderLockSampler
_ETHREAD: 0xffffad03bcb21080
String(22,22) at ffffad03bc368990: BrokerEvent
_ETHREAD: 0xffffad03bc682080
String(22,22) at ffffad03bc369950: HangWatcher
_ETHREAD: 0xffffad03bc681080
String(46,46) at ffffad03bc94f020: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bc680080
String(106,106) at ffffad03bcb06800: ThreadPoolSingleThreadCOMSTASharedBackgroundBlocking0
_ETHREAD: 0xffffad03bc020080
String(106,106) at ffffad03bc1c8960: ThreadPoolSingleThreadCOMSTASharedForegroundBlocking1
_ETHREAD: 0xffffad03bc01e080
String(52,52) at ffffad03bc2663c0: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bc285080
String(30,30) at ffffad03bc3695d0: Chrome_IOThread
_ETHREAD: 0xffffad03bc284080
String(22,22) at ffffad03bc369910: MemoryInfra
_ETHREAD: 0xffffad03bc283080
String(90,90) at ffffad03bca64110: ThreadPoolSingleThreadCOMSTASharedForeground2
_ETHREAD: 0xffffad03bc1ed080
String(94,94) at ffffad03bbe41f10: ThreadPoolSingleThreadSharedBackgroundBlocking3
_ETHREAD: 0xffffad03bc1f2080
String(52,52) at ffffad03bcb8a040: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bc1b7080
String(42,42) at ffffad03bc94fb10: CompositorTileWorker1
_ETHREAD: 0xffffad03bc1b6080
String(36,36) at ffffad03bc94fc00: VideoCaptureThread
_ETHREAD: 0xffffad03bcc0e080
String(30,30) at ffffad03bc75f950: BrowserWatchdog
_ETHREAD: 0xffffad03bcc0d080
String(94,94) at ffffad03bbe42010: ThreadPoolSingleThreadSharedBackgroundBlocking4
_ETHREAD: 0xffffad03bc29b080
String(82,82) at ffffad03bce44110: ThreadPoolSingleThreadForegroundBlocking5
_ETHREAD: 0xffffad03bcdda080
String(42,42) at ffffad03bb09a120: CacheThread_BlockFile
_ETHREAD: 0xffffad03bcdc50c0
String(94,94) at ffffad03bce44590: ThreadPoolSingleThreadSharedForegroundBlocking6
_ETHREAD: 0xffffad03bc67f4c0
String(106,106) at ffffad03bcb05690: ThreadPoolSingleThreadCOMSTASharedBackgroundBlocking7
_ETHREAD: 0xffffad03bca85080
String(52,52) at ffffad03bcb8cf80: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bc6af080
String(36,36) at ffffad03bc94e580: CrashpadMainThread
_ETHREAD: 0xffffad03bca97080
String(42,42) at ffffad03bc94e620: ExitCodeWatcherThread
_ETHREAD: 0xffffad03bcc0c080
String(18,18) at ffffad03bc36dd10: CrGpuMain
_ETHREAD: 0xffffad03bcecd080
String(34,34) at ffffad03bc9518c0: LoaderLockSampler
_ETHREAD: 0xffffad03bcecb080
String(22,22) at ffffad03bc36e950: GpuWatchdog
_ETHREAD: 0xffffad03bce7e080
String(46,46) at ffffad03bc9535d0: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bcdcc080
String(52,52) at ffffad03bc26c960: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bcdcb080
String(40,40) at ffffad03bc952c20: Chrome_ChildIOThread
_ETHREAD: 0xffffad03bcea8080
String(52,52) at ffffad03bcb8c8c0: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bcea7080
String(38,38) at ffffad03bc952c70: VizCompositorThread
_ETHREAD: 0xffffad03bc7ee080
String(26,26) at ffffad03bc36d390: CrUtilityMain
_ETHREAD: 0xffffad03bc1f1080
String(34,34) at ffffad03bc951a00: LoaderLockSampler
_ETHREAD: 0xffffad03bca3d080
String(46,46) at ffffad03bc951c30: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bca3a080
String(40,40) at ffffad03bc951c80: Chrome_ChildIOThread
_ETHREAD: 0xffffad03bce81080
String(52,52) at ffffad03bc26ca80: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bcbd0080
String(52,52) at ffffad03bcf03da0: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03b67af080
String(52,52) at ffffad03bdcca800: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bd0db080
String(52,52) at ffffad03bcf0fd40: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bbdcc080
String(52,52) at ffffad03bcf10280: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bcdd94c0
String(26,26) at ffffad03bc36e7d0: CrUtilityMain
_ETHREAD: 0xffffad03baf95080
String(34,34) at ffffad03bc951aa0: LoaderLockSampler
_ETHREAD: 0xffffad03bcec9080
String(46,46) at ffffad03bc952270: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bceb6080
String(52,52) at ffffad03bc26ca20: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bceb5080
String(40,40) at ffffad03bc952d60: Chrome_ChildIOThread
_ETHREAD: 0xffffad03bceb4080
String(52,52) at ffffad03bcb8ca40: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bcf3e040
String(166,166) at ffffad03bcc38590: windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel
_ETHREAD: 0xffffad03baf0a040
String(80,80) at ffffad03bcedb390: Microsoft.WindowsStore_8wekyb3d8bbwe!App
_ETHREAD: 0xffffad03b9850080
String(30,30) at ffffad03bc75e1d0: UnknownAppFrame
_ETHREAD: 0xffffad03bbf54080
String(30,30) at ffffad03ba344710: UnknownAppFrame
_ETHREAD: 0xffffad03ba48e080
String(44,44) at ffffad03ba32bf10: DManip Delegate Thread
_ETHREAD: 0xffffad03bada5080
String(44,44) at ffffad03bc950a10: DManip Delegate Thread

One of the early analysis patterns, Last Error Collection, is another instance of this general analysis pattern.
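Once the field values have been collected, the next step is usually to aggregate them (how many threads share a name, which names occur only once). The following Python script is an added example, not part of the post; it parses the "_ETHREAD:" / "String(Length,MaximumLength) at address: text" pairs in the format printed by the script above, from a constructed sample of a few lines, and counts the names.

```python
import re
from collections import Counter

# Constructed sample in the format the post's !for_each_thread / !ustr
# script prints (a handful of lines, not the full dump from the post).
SAMPLE = """\
_ETHREAD: 0xffffad03ba43b080
String(46,46) at ffffad03b9a77790: Win32k Raw Input Thread
_ETHREAD: 0xffffad03bc44a080
String(52,52) at ffffad03bc25be60: Chakra Background Recycler
_ETHREAD: 0xffffad03bc448080
String(52,52) at ffffad03bc25e620: Chakra Background Recycler
_ETHREAD: 0xffffad03bc9e6080
String(12,12) at ffffad03bc51bd40: main()
"""

ETHREAD_RE = re.compile(r"^_ETHREAD:\s+0x([0-9a-fA-F]+)\s*$")
USTR_RE = re.compile(r"^String\((\d+),(\d+)\) at ([0-9a-fA-F]+): (.*)$")


def parse_thread_names(text):
    """Pair each _ETHREAD line with the !ustr line that follows it.

    A record holds the _ETHREAD address, the string buffer address, the
    UNICODE_STRING Length/MaximumLength (bytes) and the name. length_ok is
    False when Length != 2 * len(name), so a truncated or corrupt name
    stands out instead of being silently collected.
    """
    records = []
    pending = None
    for line in text.splitlines():
        m = ETHREAD_RE.match(line)
        if m:
            pending = int(m.group(1), 16)
            continue
        m = USTR_RE.match(line)
        if m and pending is not None:
            length, max_length, buf, name = m.groups()
            records.append({
                "ethread": pending,
                "buffer": int(buf, 16),
                "length": int(length),
                "max_length": int(max_length),
                "name": name,
                # UNICODE_STRING counts UTF-16 bytes, no terminator
                "length_ok": int(length) == 2 * len(name),
            })
            pending = None
    return records


def name_histogram(records):
    """How many threads share each collected name (the collection view)."""
    return Counter(r["name"] for r in records)
```

Running `name_histogram(parse_thread_names(SAMPLE))` on the sample yields two "Chakra Background Recycler" threads and one each of the others; on a full dump the same view makes a one-off or misspelled name easy to spot.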

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -