Software Diagnostics Library

Archive for January, 2024

Crash Dump Analysis Patterns (Part 151b)

Sunday, January 28th, 2024

This is an unmanaged code analysis pattern variant of the previously published Annotated Disassembly. In modern WinDbg (which was previously called WinDbg Preview), the Disassembly window may annotate local variables in the presence of debugging symbols (this is absent from the output of the uf WinDbg command):

; uf command output 511 00007ff6`6ab22a44 mov dword ptr [rbp+2078h],1 511 00007ff6`6ab22a4e mov dword ptr [rbp+207Ch],2 513 00007ff6`6ab22a58 mov eax,dword ptr [rbp+2078h] 513 00007ff6`6ab22a5e mov dword ptr [rbp+0Ch],eax 514 00007ff6`6ab22a61 mov dword ptr [rbp+0Ch],64h 515 00007ff6`6ab22a68 mov dword ptr [rbp+48h],3 515 00007ff6`6ab22a6f mov dword ptr [rbp+4Ch],4 516 00007ff6`6ab22a76 mov eax,dword ptr [rbp+0Ch]

; Disassembly window 00007ff6`6ab22a4e c7857c20000002000000 mov dword ptr [myDerived.field2 (rbp+207Ch)], 2 00007ff6`6ab22a58 8b8578200000 mov eax, dword ptr [myDerived{.field} (rbp+2078h)] 00007ff6`6ab22a5e 89450c mov dword ptr [myBase{.field} (rbp+Ch)], eax 00007ff6`6ab22a61 c7450c64000000 mov dword ptr [myBase{.field} (rbp+Ch)], 64h 00007ff6`6ab22a68 c7454803000000 mov dword ptr [myDerived2{.field} (rbp+48h)], 3 00007ff6`6ab22a6f c7454c04000000 mov dword ptr [myDerived2.field2 (rbp+4Ch)], 4 00007ff6`6ab22a76 8b450c mov eax, dword ptr [myBase{.field} (rbp+Ch)]

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging, Reverse Engineering, x64 Windows | Comments Off

Crash Dump Analysis Patterns (Part 286)

Sunday, January 28th, 2024

Sometimes, when we have debugging symbols, information about local variables may be helpful in making sense of function disassembly. For example, we have this code fragment from WinDbg uf command:

511 00007ff6`6ab22a44 mov dword ptr [rbp+2078h],1 511 00007ff6`6ab22a4e mov dword ptr [rbp+207Ch],2 513 00007ff6`6ab22a58 mov eax,dword ptr [rbp+2078h] 513 00007ff6`6ab22a5e mov dword ptr [rbp+0Ch],eax 514 00007ff6`6ab22a61 mov dword ptr [rbp+0Ch],64h 515 00007ff6`6ab22a68 mov dword ptr [rbp+48h],3 515 00007ff6`6ab22a6f mov dword ptr [rbp+4Ch],4 516 00007ff6`6ab22a76 mov eax,dword ptr [rbp+0Ch]

Although source code lines are shown, suppose we don’t have source code to match. However, we can match Address Representations, such as [rbp+xxx], from the output of dv /V WinDbg command:

0:000> dv /V ... 000000ab`740fd00c @rbp+0x000c myBase = struct wmain::__l2::Base ... 000000ab`740ff078 @rbp+0x2078 myDerived = struct wmain::__l2::Derived ... 000000ab`740fd048 @rbp+0x0048 myDerived2 = struct wmain::__l2::Derived ...

Another usage is matching values in raw stack data with local variable addresses. Values as addresses and their symbolic representations here have some connection to ADDR Symbolic and Interpreted Pointers.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging, Machine Learning, Reverse Engineering, x64 Windows | Comments Off

Crash Dump Analysis Patterns (Part 285)

Sunday, January 21st, 2024

Almost 15 years ago we introduced Dereference Fixpoints when the address value is equal to the value at the address. In doing raw stack data classification and pattern matching we may be interested in more general Dereference Nearpoints (especially in position independent ones) illustrated in the following diagram:

Such Dereference Nearpoints may appear due to exception processing when a stack exception address or exception stack pointer address is propagated during exception processing, and multiple structure references, for example, when a local structure address is propagated during function calls.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Machine Learning | Comments Off

Trace Analysis Patterns (Part 241)

Friday, January 5th, 2024

Trace Lattice is a selection of messages based on a fixed order distance between them (similar to lattices in geometry, one-dimensional in this case) or some other metric:

This analysis pattern is different from Time Scale where fixed time distance is used with additional analysis transformations.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Mathematics of Debugging, Software Trace Analysis, Trace Analysis Patterns | Comments Off

M	T	W	T	F	S	S
« Dec				Feb »
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31

Archive for January, 2024

Crash Dump Analysis Patterns (Part 151b)

Crash Dump Analysis Patterns (Part 286)

Crash Dump Analysis Patterns (Part 285)

Trace Analysis Patterns (Part 241)

Pages

Recent Comments

Categories

Archives

ARM64

Automated Analysis

Blogroll

Debugging Channels

Forensics

Hardware

Linux

Mac OS X

Magazines and Newspapers

Malware Analysis

Medical Diagnostics

Narratology

Related Links

Reversing

Scripting Languages

Source Code

Tracing Tools

Meta