Archive for the ‘Announcements’ Category

New Cover for MDAA Volume 1

Saturday, March 8th, 2008

The previously announced draft cover for Memory Dump Analysis Anthology has a new look and feel:

The books symbolize the modular memory structure found in Windows memory dumps (see Dump2Picture paintings), and the blue strip separating the cover text from the books symbolizes the familiar blue screen.

- Dmitry Vostokov @ DumpAnalysis.org -

LiterateScientist update (February, 2008)

Thursday, February 28th, 2008

Next monthly summary of my Literate Scientist blog:

- Dmitry Vostokov @ DumpAnalysis.org -

ManagementBits update (February, 2008)

Thursday, February 28th, 2008

Next monthly summary of my Management Bits and Tips blog:

- Dmitry Vostokov @ DumpAnalysis.org -

New Forthcoming Titles from OpenTask

Tuesday, February 26th, 2008

Release dates are finally set for the following two books:

DebugWare: The Art and Craft of Writing Troubleshooting and Debugging Tools

  • Author: Kapildev Ramlal, Dmitry Vostokov
  • Paperback: 256 pages (*)
  • ISBN-13: 978-0-9558328-3-3
  • Publisher: Opentask (15 Nov 2008)
  • Language: English
  • Product Dimensions: 22.86 x 15.24

Windows® Crash Dump Analysis

  • Author: Dmitry Vostokov
  • Paperback: 512 pages (*)
  • ISBN-13: 978-0-9558328-2-6
  • Publisher: Opentask (01 Dec 2008)
  • Language: English
  • Product Dimensions: 22.86 x 15.24

The latter book will be shorter than initially planned and will contain references to Memory Dump Analysis Anthology, Volume I and Volume II.

(*) subject to change

- Dmitry Vostokov @ DumpAnalysis.org -

Draft Cover and TOC for MDAA

Friday, February 22nd, 2008

The self-publishing process is fascinating: despite all the hard work it requires, I feel as if I am designing and implementing something between software and hardware. Modern print-on-demand technology makes it possible to see incremental versions of the book in print. Here is the draft cover and table of contents for the previously announced Memory Dump Analysis Anthology, Volume 1:

Table of Contents

I decided not to use banal digits and geometrical figures for the book cover but to make something original, although the final version might not be exactly what you see now :-)

- Dmitry Vostokov @ DumpAnalysis.org -

PDBFinder (public version 3.6)

Wednesday, February 20th, 2008

The new update is finally available for download from the Citrix support website.

What’s new in 3.6:

  1. Fixed a bug related to the secure string handling updates in MFC. PDBFinder now handles UNC pathnames exceeding 256 characters when building the database.

  2. Added an additional filter to eliminate noise, as shown in the following screenshot:

The motivation behind PDBFinder is covered in my old post:

Cons of Symbol Server

- Dmitry Vostokov @ DumpAnalysis.org -

Debugger Log Analyzer: Inception

Monday, February 18th, 2008

Comparing reference stack traces with the output of the !process 0 ff command, or just visually inspecting a long log and trying to spot anomalies, is very difficult and relies largely on personal experience with prior problem cases. A tool is needed, and I'm currently writing one. It will compare logs from problem memory dumps with reference stack traces and other information, automatically pinpoint anomalies and highlight areas for more detailed manual inspection. This is similar to the original intent of Kernel Memory Space Analyzer but far more useful. Originally I thought about calling it WinDbg Log Analyzer but later decided to make it more general and extendable to other types of logs from different debuggers such as GDB. Some people asked me: wouldn't a WinDbg debugger extension suffice? My answer was no: some companies cannot send complete, kernel or process memory dumps due to security considerations, but they can send logs free from sensitive data, as explained in my previous article:

Resolving security issues with crash dumps

Additionally, I want it to be debugger-independent, at least in the second version, and web-based too, independent of the choice of hosting platform.

Stay tuned: the working prototype will soon be available, as a command-line tool first. I personally need it for my day-to-day job. That has always been my primary motivation for creating various tools to automate or semi-automate data gathering and improve customer problem analysis.

The next version will have a front-end GUI, and I still haven't decided whether to employ an embedded HTML control such as IE, RichEdit, or revive my old text processor project. I'm inclined to choose the former due to the endless possibilities of HTML and its platform independence. Writing the command-line tool in C++/STL will help to port it to FreeBSD/Linux/Solaris and adapt it to other debuggers such as GDB/ADB. The latter is my "wild fantasy" at the moment, but it's good to think about other platforms that slowly increase their presence in my professional life :-)

Any suggestions are very welcome, especially if you have dealt with large debugger logs including not only backtraces but also various synchronization objects, module information, timing and I/O packet distribution.

- Dmitry Vostokov @ DumpAnalysis.org -

Pocket Reference Stack Traces for Vista x86

Thursday, February 14th, 2008

The previously announced volume is available in trade paperback and hardcover versions at a nominal price to cover manufacturing costs:

Small print (paperback)

Buy

Small print (hardcover)

Buy

- Dmitry Vostokov @ DumpAnalysis.org -

WinDbg.Org: WinDbg Quick Links

Monday, February 11th, 2008

Sometimes I need a quick link to install Debugging Tools for Windows and to other related information such as the standard symbol server path, common commands, etc. For this purpose I've set up the windbg.org domain and hope it will be handy. Currently its main page has the following links:

  • Download links to 32-bit and 64-bit versions
  • My favourite standard symbol path
  • Link to HTML version of Crash Dump Analysis Poster
  • Link to Crash Dump Analysis Checklist

The Help menu on dumpanalysis.org, which used to point to the CDA Poster, now points to this page too.

I’ll add more useful information there soon. Any suggestions are welcome!

- Dmitry Vostokov @ DumpAnalysis.org -

Dump2Wave v1.2.1 source code

Friday, February 8th, 2008

Since the first release of Dump2Wave I have been under pressure to publish its source code, and today I released it under the GPL. I have to apologize that it doesn't always use secure string manipulation functions, error handling is copy/pasted several times and there are no comments. I promise better code in the next version. :-)

If you plan to make changes and improvements, please let me know so I can enjoy your versions of memory sounds too. I used the ancient Visual C++ 6.0 to compile and build the project.

// Dump2Wave version 1.2.1 (c) Dmitry Vostokov
// GNU GENERAL PUBLIC LICENSE
// http://www.gnu.org/licenses/gpl-3.0.txt

#include <iostream>
#include <string>    // std::string used in main(); not guaranteed to come with the other headers
#include <string.h>  // strncpy, strcat, strncat
#include <stdlib.h>  // atoi, system
#include <process.h>
#include <windows.h>

#pragma pack(1)

typedef struct {

 unsigned int   riff;   // 'RIFF'
 unsigned int   length; // dump size + sizeof(WAVEFILEHDR) - 8
 unsigned int   wave;   // 'WAVE' 
 unsigned int   fmt;    // 'fmt '
 unsigned int   fmtlen; // 16  
 unsigned short code;   // 1
 unsigned short channels;  // 2
 unsigned int   sps;    // 44100
 unsigned int   avgbps; // sps*channels*(sbits/8)
 unsigned short alignment; // 4
 unsigned short sbits;  // 16
 unsigned int   data;   // 'data'
 unsigned int   datalen;  

} WAVEFILEHDR;

#pragma pack()

WAVEFILEHDR hdr = {'FFIR', sizeof(WAVEFILEHDR) - 8, 'EVAW',
  ' tmf', 16, 1, 2, 44100, 44100*4, 4, 16, 'atad', 0};

void DisplayError (LPCSTR szPrefix)
{
 LPSTR errMsg = NULL;          // must start as NULL: it is only set when FormatMessage succeeds
 CHAR  szMsg[256];
 strncpy(szMsg, szPrefix, 128);
 szMsg[128] = '\0';            // strncpy does not terminate a prefix longer than 128 characters
 DWORD gle = GetLastError();
 if (gle && FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER|
  FORMAT_MESSAGE_FROM_SYSTEM, NULL, gle, 0,
  (LPSTR)&errMsg, 0, NULL))
 {
  strcat(szMsg, ": ");
  strncat(szMsg, errMsg, 120); // 128 + 2 + 120 + terminator fits in 256
 }
 std::cout << szMsg << std::endl;
 if (errMsg)
 {
  LocalFree(errMsg);           // only free the buffer FormatMessage allocated
 }
}

int main(int argc, char* argv[])
{
 std::cout << std::endl << "Dump2Wave version 1.2.1" <<
    std::endl << "Written by Dmitry Vostokov, 2006" <<
    std::endl << std::endl;
 if (argc < 3)
 {
  std::cout << "Usage: Dump2Wave dumpfile wavefile [44100|22050|11025|8000 16|8 2|1]" << std::endl;
  return -1;
 }

 HANDLE hFile = CreateFile(argv[1],
  GENERIC_READ, FILE_SHARE_READ, NULL,
  OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if (hFile == INVALID_HANDLE_VALUE)
 {
  DisplayError("Cannot read dump file"); 
  return -1;
 }

 DWORD dwDumpSizeHigh = 0;
 DWORD dwDumpSizeLow = GetFileSize(hFile, &dwDumpSizeHigh);
 CloseHandle(hFile);

 if (dwDumpSizeHigh)
 {
  std::cout << "The dump file must be less than 4Gb" <<
  std::endl;
  return -1;
 }

 if (argc == 6)
 {
  hdr.channels = atoi(argv[5]);
  hdr.sps = atoi(argv[3]);
  hdr.sbits = atoi(argv[4]);
  hdr.avgbps = hdr.sps*hdr.channels*(hdr.sbits/8);
  hdr.alignment = hdr.channels*(hdr.sbits/8);
 }

 // alignment is used as a divisor below; reject parameters that make it zero
 if (hdr.alignment == 0 || hdr.sps == 0)
 {
  std::cout << "Invalid format parameters, see usage" << std::endl;
  return -1;
 }

 dwDumpSizeLow = (dwDumpSizeLow/hdr.alignment)*(hdr.alignment);

 hdr.length += dwDumpSizeLow;
 hdr.datalen = dwDumpSizeLow;

 hFile = CreateFile(argv[2], GENERIC_WRITE, 0, 
  NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
 if (hFile == INVALID_HANDLE_VALUE)
 {
  DisplayError("Cannot create wave header file"); 
  return -1;
 }

 DWORD dwWritten;
 if (!WriteFile(hFile, &hdr, sizeof(hdr), &dwWritten, NULL))
 {
  DisplayError("Cannot write wave header file"); 
  CloseHandle(hFile);
  return -1;
 }

 
 CloseHandle(hFile);

 std::string str = "copy \"";
 str += argv[2];
 str += "\" /B + \"";
 str += argv[1];
 str += "\" /B \"";
 str += argv[2];
 str += "\" /B";

 system(str.c_str());
 
 return 0;
}

- Dmitry Vostokov @ DumpAnalysis.org -
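As an added example, not the Dump2Wave source above nor any other code from the author, here is a portable re-implementation of the same 44-byte RIFF/WAVE header in standard C++. It validates the sample rate, bit depth and channel count before they are used (the original derives its alignment divisor from them unchecked), rejects a payload that would overflow the 32-bit RIFF length fields, and copies the payload in-process instead of handing both file names to the command interpreter through system("copy ..."). The struct follows the WAVEFILEHDR layout in the post; the function names and the 1 MiB copy buffer are this example's own choices.

```cpp
// Added example: portable WAV header builder and raw-to-WAV writer.
// Same header layout as Dump2Wave's WAVEFILEHDR, with parameter validation
// and in-process copying instead of system("copy ...").
#include <cstdint>
#include <cstring>
#include <fstream>
#include <string>
#include <vector>

#pragma pack(push, 1)
struct WaveFileHdr {
    char     riff[4];    // "RIFF"
    uint32_t length;     // payload bytes + sizeof(WaveFileHdr) - 8
    char     wave[4];    // "WAVE"
    char     fmt[4];     // "fmt "
    uint32_t fmtlen;     // 16 for PCM
    uint16_t code;       // 1 = PCM
    uint16_t channels;   // 1 or 2
    uint32_t sps;        // samples per second
    uint32_t avgbps;     // sps * channels * (sbits / 8)
    uint16_t alignment;  // channels * (sbits / 8): bytes per sample frame
    uint16_t sbits;      // 8 or 16
    char     data[4];    // "data"
    uint32_t datalen;    // payload bytes, a whole number of frames
};
#pragma pack(pop)
static_assert(sizeof(WaveFileHdr) == 44, "WAV header must be 44 bytes");

// Accept only the values the Dump2Wave usage line offers; anything else
// would make 'alignment' zero or produce a header that players reject.
bool validWaveParams(uint32_t sps, uint16_t sbits, uint16_t channels) {
    const bool okSps = sps == 44100 || sps == 22050 || sps == 11025 || sps == 8000;
    return okSps && (sbits == 8 || sbits == 16) && (channels == 1 || channels == 2);
}

// Fill 'hdr' for a payload of rawLen bytes. Returns false, leaving hdr
// untouched, on invalid parameters or a payload too large for the 32-bit
// RIFF length fields.
bool buildWaveHeader(uint64_t rawLen, uint32_t sps, uint16_t sbits,
                     uint16_t channels, WaveFileHdr& hdr) {
    if (!validWaveParams(sps, sbits, channels)) return false;
    const uint16_t alignment = static_cast<uint16_t>(channels * (sbits / 8));
    const uint64_t dataLen = (rawLen / alignment) * alignment;  // whole frames only
    if (dataLen + sizeof(WaveFileHdr) - 8 > UINT32_MAX) return false;
    std::memcpy(hdr.riff, "RIFF", 4);
    hdr.length = static_cast<uint32_t>(dataLen + sizeof(WaveFileHdr) - 8);
    std::memcpy(hdr.wave, "WAVE", 4);
    std::memcpy(hdr.fmt, "fmt ", 4);
    hdr.fmtlen = 16;
    hdr.code = 1;
    hdr.channels = channels;
    hdr.sps = sps;
    hdr.avgbps = sps * channels * (sbits / 8);
    hdr.alignment = alignment;
    hdr.sbits = sbits;
    std::memcpy(hdr.data, "data", 4);
    hdr.datalen = static_cast<uint32_t>(dataLen);
    return true;
}

// Write header + payload to outPath, streaming through a 1 MiB buffer, so
// neither path ever reaches a command interpreter. Returns the number of
// bytes written, or 0 on any failure.
uint64_t writeWaveFile(const std::string& inPath, const std::string& outPath,
                       uint32_t sps, uint16_t sbits, uint16_t channels) {
    std::ifstream in(inPath, std::ios::binary | std::ios::ate);
    if (!in) return 0;
    const std::streamoff rawLen = in.tellg();
    if (rawLen < 0) return 0;
    in.seekg(0);
    WaveFileHdr hdr;
    if (!buildWaveHeader(static_cast<uint64_t>(rawLen), sps, sbits, channels, hdr)) return 0;
    std::ofstream out(outPath, std::ios::binary | std::ios::trunc);
    if (!out) return 0;
    out.write(reinterpret_cast<const char*>(&hdr), sizeof(hdr));
    std::vector<char> buf(1 << 20);
    uint64_t left = hdr.datalen;
    while (left > 0 && in && out) {
        const std::streamsize want =
            static_cast<std::streamsize>(left < buf.size() ? left : buf.size());
        in.read(buf.data(), want);
        const std::streamsize got = in.gcount();
        if (got <= 0) return 0;
        out.write(buf.data(), got);
        left -= static_cast<uint64_t>(got);
    }
    return (out && left == 0) ? sizeof(hdr) + hdr.datalen : 0;
}
```

buildWaveHeader can be exercised without touching any file: a 1001-byte payload at 44100 Hz, 16-bit stereo is truncated to 1000 bytes (a whole number of 4-byte frames) and yields a RIFF length of 1036, while three channels or a 48000 Hz rate are refused up front rather than producing a zero divisor.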

Memory Dump Analysis Anthology, Volume 1

Thursday, February 7th, 2008

It is very easy to become a publisher nowadays, much easier than I thought. I registered myself as a publisher under the name OpenTask, which is my registered business name in Ireland. I also got a list of ISBN numbers and therefore can announce product details for the first volume of the Memory Dump Analysis Anthology series:

Memory Dump Analysis Anthology, Volume 1

  • Paperback: 720 pages (*)
  • ISBN-13: 978-0-9558328-0-2
  • Hardcover: 720 pages (*)
  • ISBN-13: 978-0-9558328-1-9
  • Author: Dmitry Vostokov
  • Publisher: Opentask (15 Apr 2008)
  • Language: English
  • Product Dimensions: 22.86 x 15.24

(*) subject to change 

A PDF file will be available for download too.

- Dmitry Vostokov @ DumpAnalysis.org -

Dump2Picture v1.1 source code

Tuesday, February 5th, 2008

Since the first release of Dump2Picture I have been under pressure to publish its source code, and today I released it under the GPL. I have to apologize that it doesn't always use secure string manipulation functions, error handling is copy/pasted several times and there are no comments. I promise better code in the next version. :-)

If you plan to make changes and improvements, please let me know so I can enjoy your versions of memory visuals too. I used the ancient Visual C++ 6.0 to compile and build the project.

// Dump2Picture version 1.1 (c) Dmitry Vostokov
// GNU GENERAL PUBLIC LICENSE
// http://www.gnu.org/licenses/gpl-3.0.txt

#include <math.h>
#include <iostream>
#include <string>    // std::string used in main(); not guaranteed to come with the other headers
#include <string.h>  // strncpy, strcat, strncat, strcmp
#include <process.h>
#include <windows.h>

BITMAPFILEHEADER bmfh = { 'MB', 0, 0, 0,
   sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) };
BITMAPINFOHEADER bmih = { sizeof(BITMAPINFOHEADER), 0, 0, 1, 32,
   0, 0, 0, 0, 0, 0 };
RGBQUAD rgb[256];

void DisplayError (LPCSTR szPrefix)
{
 LPSTR errMsg = NULL;          // must start as NULL: it is only set when FormatMessage succeeds
 CHAR  szMsg[256];
 strncpy(szMsg, szPrefix, 128);
 szMsg[128] = '\0';            // strncpy does not terminate a prefix longer than 128 characters
 DWORD gle = GetLastError();
 if (gle && FormatMessage(
    FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,
    NULL, gle, 0, (LPSTR)&errMsg, 0, NULL))
 {
  strcat(szMsg, ": ");
  strncat(szMsg, errMsg, 120); // 128 + 2 + 120 + terminator fits in 256
 }
 std::cout << szMsg << std::endl;
 if (errMsg)
 {
  LocalFree(errMsg);           // only free the buffer FormatMessage allocated
 }
}

int main(int argc, char* argv[])
{
 std::cout << std::endl << "Dump2Picture version 1.1"
    << std::endl << "Written by Dmitry Vostokov, 2007"
    << std::endl << std::endl;
 if (argc < 3)
 {
  std::cout << "Usage: Dump2Picture dumpfile bmpfile [8|16|24|32]" << std::endl;
  return -1;
 }

 HANDLE hFile = CreateFile(argv[1], GENERIC_READ,
    FILE_SHARE_READ, NULL, OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL, NULL);
 if (hFile == INVALID_HANDLE_VALUE)
 {
  DisplayError("Cannot read dump file"); 
  return -1;
 }

 DWORD dwDumpSizeHigh = 0;
 DWORD dwDumpSizeLow = GetFileSize(hFile, &dwDumpSizeHigh);
 CloseHandle(hFile);

 if (dwDumpSizeHigh)
 {
  std::cout << "The dump file must be less than 4Gb"
     << std::endl;
  return -1;
 }

 if (argc == 4)
 {
  if (!strcmp(argv[argc-1],"8"))
  {
   bmih.biBitCount = 8;
   for (int i = 0; i < 256; ++i)
   {
    rgb[i].rgbBlue = rgb[i].rgbGreen = rgb[i].rgbRed = i;
    rgb[i].rgbReserved = 0;
   }
  }
  else if (!strcmp(argv[argc-1],"16"))
  {
   bmih.biBitCount = 16;
  }
  else if (!strcmp(argv[argc-1],"24"))
  {
   bmih.biBitCount = 24;
  }
  else
  {
   bmih.biBitCount = 32;
  }
 }

 // square image: side = floor(sqrt(pixels)); explicit cast from double to LONG
 bmih.biWidth = bmih.biHeight = (LONG)sqrt((double)(dwDumpSizeLow/
    (bmih.biBitCount/8)));
 bmih.biWidth -= bmih.biWidth%2;
 if (bmih.biBitCount == 8 )
 {
  bmih.biWidth -= bmih.biWidth%8;
 }
 bmih.biHeight -= bmih.biHeight%2;
 bmih.biSizeImage = bmih.biWidth*bmih.biHeight*
    (bmih.biBitCount/8);
 if (bmih.biBitCount == 8 )
 {
  bmfh.bfOffBits += sizeof(rgb);
 }
 bmfh.bfSize = bmfh.bfOffBits + bmih.biSizeImage;

 hFile = CreateFile(argv[2], GENERIC_WRITE, 0, NULL,
    CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
 if (hFile == INVALID_HANDLE_VALUE)
 {
  DisplayError("Cannot create bitmap header file"); 
  return -1;
 }

 DWORD dwWritten;
 if (!WriteFile(hFile, &bmfh, sizeof(bmfh), &dwWritten, NULL))
 {
  DisplayError("Cannot write bitmap header file"); 
  CloseHandle(hFile);
  return -1;
 }

 if (!WriteFile(hFile, &bmih, sizeof(bmih), &dwWritten, NULL))
 {
  DisplayError("Cannot write bitmap header file"); 
  CloseHandle(hFile);
  return -1;
 }

 if (bmih.biBitCount == 8 )
 {
  if (!WriteFile(hFile, &rgb, sizeof(rgb), &dwWritten, NULL))
  {
   DisplayError("Cannot write bitmap header file"); 
   CloseHandle(hFile);
   return -1;
  }
 }
 
 CloseHandle(hFile);

 std::string str = "copy \"";
 str += argv[2];
 str += "\" /B + \"";
 str += argv[1];
 str += "\" /B \"";
 str += argv[2];
 str += "\" /B";

 system(str.c_str());
 
 return 0;
}

- Dmitry Vostokov @ DumpAnalysis.org -

Memoretics

Monday, February 4th, 2008

I've been trying to put memory dump analysis on relevant scientific grounds for some time, and now this branch of science needs its own name. After considering different alternatives I finally chose the word Memoretics. Here is the brief definition:

Computer Memoretics studies computer memory snapshots and their evolution in time.

Obviously this domain of research has many links with application and system debugging. However, its scope is wider than debugging because it doesn't necessarily study memory snapshots from systems and applications experiencing faulty behaviour.

Initially I was thinking about the word Memogenics, but its suffix is heavily associated with the gene metaphor, which I'm currently trying to avoid, although I personally re-discovered the software genes approach to software disorders when thinking about Memoretics vs. Memogenics. Later I found some research efforts going on, but it seems they are based on constructing software genes artificially. On the contrary, I would try to discover genes in computer memories first.


Also, Memoretics has a longer prefix, almost resembling the word Memory. This had the final influence on my decision.

PS. I was also thinking about the word Memorology, but it has negative connotations with Astrology or Numerology and was already coined by someone, like Memology and Memorics.

- Dmitry Vostokov @ DumpAnalysis.org -

2007 in Retrospection (Part 3)

Friday, February 1st, 2008

Out of more than 13,000 organizations, including more than 450 universities and colleges, I selected the top 10 that visited my blog. Here is the graph showing the number of visits vs. company name:

- Dmitry Vostokov @ DumpAnalysis.org -

LiterateScientist update (January, 2008)

Friday, February 1st, 2008

As promised, here is the first monthly summary of my Literate Scientist blog:

- Dmitry Vostokov @ DumpAnalysis.org -

ManagementBits update (January, 2008)

Friday, February 1st, 2008

Next monthly summary of my Management Bits and Tips blog:

- Dmitry Vostokov @ DumpAnalysis.org -

Reference Stack Traces (Volume 3)

Thursday, January 31st, 2008

Now the third volume is ready. Here is the PDF file for free download:

Windows Server 2003™ x86 Complete Memory Dump

Surprisingly, it has almost half the number of pages of the first volume for Vista x86.

Printed versions are available for purchase at a nominal price to cover manufacturing costs:

The second edition will contain annotations and comments.

Large print (paperback)

Buy

Small print (paperback)

Buy

Small print (hardcover)

Buy

- Dmitry Vostokov @ DumpAnalysis.org -

10,000 Visit Mark

Wednesday, January 30th, 2008

Traffic was slightly down in December due to the Christmas and New Year's Eve holidays, but this month the blog has already reached 10,000 visits for the first time. I continue analyzing the data for 2007 and will soon publish more stats, for example the distribution of visitors among major software vendors.

- Dmitry Vostokov @ DumpAnalysis.org -

Reference Stack Traces (Volume 2)

Tuesday, January 29th, 2008

Based on the success of Reference Stack Traces for 32-bit Vista, I created a similar reference volume for Vista x64. Here is the PDF file for free download:

Windows Vista™ x64 Complete Memory Dump

A printed version is available for purchase at a nominal price to cover manufacturing costs:

Large print (paperback)

The second edition will contain annotations and comments.

More volumes will come for other OS versions. I created a separate page to list all current and forthcoming volumes:

Reference Stack Traces

- Dmitry Vostokov @ DumpAnalysis.org -

Reference Stack Traces (Volume 1)

Monday, January 28th, 2008

We need to know normal thread stacks when looking at the Stack Trace Collection from kernel and complete memory dumps and trying to spot anomalies. To fill this gap I have just published the reference stack traces and other information from my Vista x86 running on a Mac Mini with Apple Boot Camp. Some additional processes such as explorer.exe and iexplore.exe were launched in order to include their user-space stack traces, which are commonly found in crash dumps. Here is the PDF file for free download:

Windows Vista™ x86 Complete Memory Dump

The second edition will contain more information and comments. I'm planning to release additional volumes for Vista x64 and other OS versions soon.

A printed version is available for purchase at a nominal price to cover manufacturing costs:

Large print (paperback)

This is actually my first complete book :-)

- Dmitry Vostokov @ DumpAnalysis.org -
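The Debugger Log Analyzer post and the Reference Stack Traces posts above describe one workflow: take the thread stacks from a problem dump's !process 0 ff log, compare them with reference stacks collected from a healthy system, and let a tool point at the threads that differ. The following is an added example of that comparison in C++/STL, the language the Log Analyzer post names for its planned command-line tool. It is not the author's analyzer, which was not published here; the log format it parses is a constructed, simplified imitation of WinDbg output, and every address, process name and symbol in the sample logs is made up for the example.

```cpp
// Added example (not the author's Debugger Log Analyzer): compare per-thread
// stacks from a problem log against reference stacks from a known-good system
// and report what is new. Log text below is a constructed imitation of
// WinDbg "!process 0 ff" output; addresses and symbols are made up.
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct ThreadStack {
    std::string process;              // image name of the owning process
    std::string threadId;             // address token following "THREAD"
    std::vector<std::string> frames;  // normalized module!function, top frame first
};
struct ReferenceModel {
    std::set<std::string> traces;  // process + whole normalized trace, known normal
    std::set<std::string> frames;  // every frame occurring in any reference trace
};

static bool isHex(const std::string& s) {
    return !s.empty() && s.find_first_not_of("0123456789abcdefABCDEF") == std::string::npos;
}
// "nt!KeWaitForSingleObject+0x346" -> "nt!KeWaitForSingleObject"; a return
// address that resolved to no symbol stays visible as "<no symbol>".
static std::string normalizeFrame(const std::string& sym) {
    const std::string base = sym.substr(0, sym.find('+'));
    return base.find('!') == std::string::npos ? "<no symbol>" : base;
}

// Recognized lines: "PROCESS <addr> ... Image: <name>", "THREAD <addr> ..."
// and frame lines "<ChildEBP> <RetAddr> <symbol>"; everything else is skipped.
std::vector<ThreadStack> parseLog(const std::string& text) {
    std::vector<ThreadStack> stacks;
    std::string process = "?";
    std::istringstream in(text);
    for (std::string line; std::getline(in, line);) {
        std::istringstream ls(line);
        std::vector<std::string> t;
        for (std::string w; ls >> w;) t.push_back(w);
        if (t.empty()) continue;
        if (t[0] == "PROCESS") {
            process = "?";
            for (size_t i = 0; i + 1 < t.size(); ++i)
                if (t[i] == "Image:") process = t[i + 1];
        } else if (t[0] == "THREAD" && t.size() > 1) {
            stacks.push_back({process, t[1], {}});
        } else if (t.size() == 3 && !stacks.empty() && isHex(t[0]) && isHex(t[1])) {
            stacks.back().frames.push_back(normalizeFrame(t[2]));
        }
    }
    return stacks;
}

static std::string traceKey(const ThreadStack& s) {
    std::string key = s.process;
    for (const std::string& f : s.frames) key += "\n" + f;
    return key;
}
ReferenceModel buildReference(const std::string& referenceLog) {
    ReferenceModel m;
    for (const ThreadStack& s : parseLog(referenceLog)) {
        m.traces.insert(traceKey(s));
        m.frames.insert(s.frames.begin(), s.frames.end());
    }
    return m;
}
// A thread is flagged when its complete trace never occurs in the reference.
// The returned ThreadStack carries only the frames unseen in any reference
// trace: the places an analyst should read first.
std::vector<ThreadStack> findAnomalies(const ReferenceModel& m, const std::string& problemLog) {
    std::vector<ThreadStack> out;
    for (const ThreadStack& s : parseLog(problemLog)) {
        if (m.traces.count(traceKey(s))) continue;
        ThreadStack a{s.process, s.threadId, {}};
        for (const std::string& f : s.frames)
            if (!m.frames.count(f)) a.frames.push_back(f);
        out.push_back(a);
    }
    return out;
}

// Constructed sample logs: the spoolsv thread in the problem log is blocked
// entering a critical section, which the reference system never shows.
const char* const kReferenceLog =
    "PROCESS 89a1b020  SessionId: 0  Cid: 0004  Image: System\n"
    "THREAD 89a1c8a0  Cid 0004.0010\n"
    "f78ae4b0 8083d5b1 nt!KiSwapContext+0x26\n"
    "PROCESS 8a2f0d88  SessionId: 0  Cid: 05c4  Image: spoolsv.exe\n"
    "THREAD 8a2e1020  Cid 05c4.05d0\n"
    "0090fe84 7c8025db ntdll!NtWaitForSingleObject+0xc\n"
    "0090ffb4 7c80b713 spoolsv!WorkerLoop+0x3a\n";
const char* const kProblemLog =
    "PROCESS 89a1b020  SessionId: 0  Cid: 0004  Image: System\n"
    "THREAD 89a1c8a0  Cid 0004.0010\n"
    "f78ae4b0 8083d5b1 nt!KiSwapContext+0x26\n"
    "PROCESS 8a2f0d88  SessionId: 0  Cid: 05c4  Image: spoolsv.exe\n"
    "THREAD 8a2e1020  Cid 05c4.05d0\n"
    "0090fe84 7c91901b ntdll!NtWaitForSingleObject+0xc\n"
    "0090ff0c 7c90104b ntdll!RtlpWaitForCriticalSection+0x132\n"
    "0090ff14 01002c41 ntdll!RtlEnterCriticalSection+0x46\n"
    "0090ffb4 7c80b713 spoolsv!WorkerLoop+0x10c\n";
```

The reference model records every complete per-process trace and, separately, every frame seen anywhere in the reference. A thread whose whole trace is already known stays silent (the System worker thread above); for the rest, the frames never seen in the reference, here the critical-section wait inside spoolsv, are what the analyst reads first. Offsets are stripped before comparison so that a rebuilt binary does not turn every frame into an anomaly, and an address with no symbol is kept as "<no symbol>" rather than dropped, because unresolved code is itself worth a look. In practice the reference should be built from several healthy dumps of the same OS build so that ordinary scheduler and wait frames are all covered.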