Software Diagnostics Library

Archive for the ‘Breakfast with Intel’ Category

Structural Memory Patterns (Part 6)

Wednesday, October 13th, 2010

Another important pattern category is Memory Hierarchy. Typical examples include a complete memory dump with a physical to virtual mapping and paged out memory. Please note that page file is optional and paging can be implemented without a page file. There can be several layers of hierarchy, for example:

physical memory
virtualized physical memory
virtual memory

Another example is from the protected mode x86 architecture:

physical memory
linear memory (paging, virtual)
logical memory (segments)

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Breakfast with Intel, Crash Dump Analysis, Debugging, Memoretics, Structural Memory Patterns | No Comments »

What color is your instruction?

Wednesday, September 30th, 2009

Opcodism art is not limited to assembly language code and binary installations. It also provides beautiful color illustrations of processor opcodes and instructions. In this post I provide illustrations of NOP, PAUSE and INT 3 instructions generated by Dump2Picture from memory dump images of crashed 1MbNop and 1MbPause processes.

0:000> lmp start end module name 00000000`77030000 00000000`7715d000 kernel32 00000000`77230000 00000000`773b6000 ntdll 00000001`40000000 00000001`40144000 1MbNop 000007fe`fd1c0000 000007fe`fd1f5000 apphelp 000007fe`fdaf0000 000007fe`fdc33000 rpcrt4 000007fe`ff400000 000007fe`ff508000 advapi32

8 bit image of 1Mb NOP field fenced by INT 3 wall:

16 bit image of 1Mb NOP field fenced by INT 3 wall:

24 bit image of 1Mb NOP field fenced by INT 3 wall:

32 bit image of 1Mb NOP field fenced by INT 3 wall:

0:000> lmp start end module name 00000000`77030000 00000000`7715d000 kernel32 00000000`77230000 00000000`773b6000 ntdll 00000001`40000000 00000001`40284000 1MbPause

8 bit image of 1Mb PAUSE field fenced by INT 3 wall:

The same as above but PAUSE / INT 3 transition magnified:

16 bit image of 1Mb PAUSE field fenced by INT 3 wall:

24 bit image of 1Mb PAUSE field fenced by INT 3 wall:

The same as above but PAUSE / INT 3 transition magnified:

32 bit image of 1Mb PAUSE field fenced by INT 3 wall:

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Art, Assembly Language, Breakfast with Intel, Fun with Crash Dumps, Memory Visualization, Opcodism | No Comments »

Breakfast with Intel Manuals (1st)

Wednesday, July 15th, 2009

I’ve decided to spend a few hours every week reading and / or re-reading various Intel 64 and IA-32 Architectures manuals to keep myself informed in differences between x64 and x86, revive Asmpedia and perhaps even apply gained insights to memory dump analysis. Today I read 2.1 - 2.2.5 sections from Volume 1 and here’s a rough picture of processor families that I assembled after reading:

Most of these models and their hardware architecture are discussed in this popular book that I read more than a year ago and still recommend without hesitation:

Inside the Machine

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Assembly Language, Books, Breakfast with Intel, Hardware, Reading Notebook | No Comments »

M	T	W	T	F	S	S
« Apr
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31

Archive for the ‘Breakfast with Intel’ Category

Structural Memory Patterns (Part 6)

What color is your instruction?

Breakfast with Intel Manuals (1st)

Pages

Recent Comments

Categories

Archives

Automated Analysis

Blogroll

Debugging Channels

Forensics

Hardware

Linux

Mac OS X

Magazines and Newspapers

Malware Analysis

Medical Diagnostics

Narratology

Related Links

Reversing

Scripting Languages

Source Code

Tracing Tools

Meta