Archive for June, 2024

Trace Analysis Patterns (Part 247)

Monday, June 24th, 2024

A Trace Sketch can have several Trace Models (terms borrowed from model theory, with sketches representing the logic of traces and logs) when messages satisfy the trace and log analysis patterns sketched in Dia|gram language illustrations:

The same Trace Sketch induces an equivalence relation between different Trace Models, which gives yet another Trace Similarity measure. Note that models of traces and logs that have the same Trace Shapes need not be equivalent.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 246)

Wednesday, June 19th, 2024

Trace Sketch embodies the Dia|gram language approach: in essence, each trace and log analysis pattern illustration is a sketch. For example, a WinDbg log is represented as a sequence of different Activity Regions:

Another example of a Trace Sketch is Trace Skeleton.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 297, Linux)

Saturday, June 15th, 2024

When analyzing Execution Residue, we are interested in valid symbolic references, for example, valid return addresses for Rough Stack Trace and Past Stack Trace reconstruction. Some of them may be Coincidental Symbolic Information, which we check with backward disassembly. However, some symbolic references may be Function Pointers if forward disassembly starts with a valid function prologue. Some references may also point to the start of exception processing in the middle of a normal function body. These two variants are illustrated with the following two addresses taken from the raw stack data when debugging an x64 Linux process in WSL using the latest version of WinDbg:

0:000> u 00007f73`e45820b0
libgcc_s_so!_Unwind_Backtrace+0x7c0:
00007f73`e45820b0 push r15
00007f73`e45820b2 push r14
00007f73`e45820b4 push r13
00007f73`e45820b6 push r12
00007f73`e45820b8 push rbp
00007f73`e45820b9 push rbx
00007f73`e45820ba sub rsp,58h
00007f73`e45820be mov ecx,dword ptr [rdx+28h]

0:000> u 00005564`99d582c8
ud5bv3!start_modeling+0xd7:
00005564`99d582c8 mov rdi,rax
00005564`99d582cb call ud5bv3!__cxa_begin_catch$plt (00005564`99d58040)
00005564`99d582d0 call ud5bv3!__cxa_end_catch$plt (00005564`99d580b0)
00005564`99d582d5 jmp ud5bv3!start_modeling+0x64 (00005564`99d58255)
00005564`99d582da leave
00005564`99d582db ret
ud5bv3!new_feature:
00005564`99d582dc push rbp
00005564`99d582dd mov rbp,rsp

0:000> ub 00005564`99d582c8
ud5bv3!start_modeling+0xb5:
00005564`99d582a6 mov rdi,rax
00005564`99d582a9 call ud5bv3!sem_close$plt (00005564`99d580a0)
00005564`99d582ae mov rax,qword ptr [rbp-8]
00005564`99d582b2 mov rdi,rax
00005564`99d582b5 call ud5bv3!sem_close$plt (00005564`99d580a0)
00005564`99d582ba lea rdi,[ud5bv3!_IO_stdin_used+0x4 (00005564`99d59004)]
00005564`99d582c1 call ud5bv3!sem_unlink$plt (00005564`99d580c0)
00005564`99d582c6 jmp ud5bv3!start_modeling+0xe9 (00005564`99d582da)

As we can see, some Function Pointers may be shown as a symbolic name plus an offset if they don't have associated symbols of their own.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
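The triage described in the post above (valid prologue means a likely Function Pointer, a call to __cxa_begin_catch means an exception landing pad in a normal function body, anything else is left for backward disassembly) can be automated over pasted WinDbg "u" output. This is an added example, not code from the post; the sample listings are retyped from the post's session and trimmed, and the prologue heuristics (callee-saved pushes followed by frame setup, optional endbr64) are this example's assumptions.

```python
import re

# Added example (not from the post): triage a candidate address from raw stack data by its
# WinDbg "u" listing, following the post's heuristics for x64 Linux processes.
CALLEE_SAVED = {"rbp", "rbx", "r12", "r13", "r14", "r15"}
INSN_RE = re.compile(r"^([0-9a-f]{8}`[0-9a-f]{8})\s+(\S+)(?:\s+(.*))?$")
LABEL_RE = re.compile(r"^(\S+![^\s:]+):$")

def parse_u_listing(text):
    """Return (label of the first address, [(address, mnemonic, operands), ...])."""
    label, insns = None, []
    for line in (l.strip() for l in text.splitlines()):
        m = LABEL_RE.match(line)
        if m:
            label = label or m.group(1)   # later labels (e.g. ud5bv3!new_feature:) are not ours
            continue
        m = INSN_RE.match(line)
        if m:
            insns.append((m.group(1), m.group(2), m.group(3) or ""))
    return label, insns

def classify(text):
    """Return (verdict, label): function-pointer, exception-landing-pad or unknown."""
    label, insns = parse_u_listing(text)
    ops = [(m, o) for _, m, o in insns]
    start = 1 if ops[:1] == [("endbr64", "")] else 0   # CET-enabled builds prefix the prologue
    i = start
    while i < len(ops) and ops[i][0] == "push" and ops[i][1] in CALLEE_SAVED:
        i += 1                                       # run of callee-saved register pushes
    m, o = ops[i] if i < len(ops) else ("", "")
    if (m, o) == ("mov", "rbp,rsp") and i > start or m == "sub" and o.startswith("rsp,"):
        return "function-pointer", label             # valid prologue: frame setup follows pushes
    # Exception landing pad inside a function body: mov rdi,rax; call __cxa_begin_catch ...
    if any(m == "call" and "cxa_begin_catch" in o for m, o in ops[:4]):
        return "exception-landing-pad", label
    return "unknown", label                          # maybe a return address: verify with ub

# Sample input: the post's two listings, retyped and trimmed to their first instructions.
PROLOGUE = """libgcc_s_so!_Unwind_Backtrace+0x7c0:
00007f73`e45820b0 push r15
00007f73`e45820b2 push r14
00007f73`e45820ba sub rsp,58h"""
LANDING_PAD = """ud5bv3!start_modeling+0xd7:
00005564`99d582c8 mov rdi,rax
00005564`99d582cb call ud5bv3!__cxa_begin_catch$plt (00005564`99d58040)
00005564`99d582d0 call ud5bv3!__cxa_end_catch$plt (00005564`99d580b0)"""

if __name__ == "__main__":
    for sample in (PROLOGUE, LANDING_PAD):
        print(classify(sample))   # ('function-pointer', ...) then ('exception-landing-pad', ...)
```

An "unknown" verdict is the cue to run "ub" on the address, as the post does, to see whether a call instruction precedes it.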