Archive for the ‘Computer Forensics’ Category

Crash Dump Analysis Patterns (Part 209)

Saturday, September 6th, 2014

The availability of direct dump modification raises the possibility of Tampered Dumps: memory dumps deliberately modified to alter structural and behavioural diagnostic patterns, for example, to suppress the involvement of certain modules or to introduce fictitious past objects and interaction traces such as Execution Residue and Module Hints. There can be two types of such artefacts: strong tampering, where new or altered information is completely integrated into the memory fabric, and weak tampering, which only confuses inexperienced software support engineers and memory forensics analysts.

For example, in one such experimental process memory dump we see an Exception Stack Trace pointing to a problem in the calc module:

0:003> k
Child-SP RetAddr Call Site
00000000`0244e858 000007fe`fd061430 ntdll!NtWaitForMultipleObjects+0xa
00000000`0244e860 00000000`76ec1723 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`0244e960 00000000`76f3b5e5 kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`0244e9f0 00000000`76f3b767 kernel32!WerpReportFaultInternal+0x215
00000000`0244ea90 00000000`76f3b7bf kernel32!WerpReportFault+0x77
00000000`0244eac0 00000000`76f3b9dc kernel32!BasepReportFault+0x1f
00000000`0244eaf0 00000000`77153398 kernel32!UnhandledExceptionFilter+0x1fc
00000000`0244ebd0 00000000`770d85c8 ntdll! ?? ::FNODOBFM::`string'+0x2365
00000000`0244ec00 00000000`770e9d2d ntdll!_C_specific_handler+0x8c
00000000`0244ec70 00000000`770d91cf ntdll!RtlpExecuteHandlerForException+0xd
00000000`0244eca0 00000000`77111248 ntdll!RtlDispatchException+0x45a
00000000`0244f380 00000000`ffdbdb27 ntdll!KiUserExceptionDispatch+0x2e
00000000`0244fab0 00000000`76eb59ed calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244faf0 00000000`770ec541 kernel32!BaseThreadInitThunk+0xd
00000000`0244fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

The default analysis command (!analyze -v) diagnoses “stack corruption”:

FAULTING_IP:
kernel32!UnhandledExceptionFilter+1fc
00000000`76f3b9dc 448bf0 mov r14d,eax

EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000076f3b9dc (kernel32!UnhandledExceptionFilter+0x00000000000001fc)
ExceptionCode: 0244e9f0
ExceptionFlags: 00000000
NumberParameters: 0

DEFAULT_BUCKET_ID: STACK_CORRUPTION

PRIMARY_PROBLEM_CLASS: STACK_CORRUPTION

BUGCHECK_STR: APPLICATION_FAULT_STACK_CORRUPTION

IP_ON_HEAP: 8d483674c33bfffa
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

UNALIGNED_STACK_POINTER: 0000000076f3b767

STACK_TEXT:
00000000`00000000 00000000`00000000 calc!CTimedCalc::WatchDogThread+0x0

FOLLOWUP_IP:
calc!CTimedCalc::WatchDogThread+0
00000000`ffd92254 48895c2408 mov qword ptr [rsp+8],rbx

The stored exception context shows signs of a Local Buffer Overflow (segment register values and CPU flags have suspiciously invalid values, possibly Lateral Damage):

0:003> .ecxr
rax=0000000000000000 rbx=0000000000000001 rcx=000000000244ec30
rdx=000000000244ec30 rsi=0100000000000080 rdi=0000000000000158
rip=0000000076f3b9dc rsp=0000000076f3b767 rbp=0000000000000000
r8=0000000000000000 r9=ffffffffffffffff r10=0000000076f3b7bf
r11=000000000244ec30 r12=0000000000000001 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na pe nc
cs=0000 ss=0000 ds=0266 es=0000 fs=0000 gs=0154 efl=00000000
kernel32!UnhandledExceptionFilter+0x1fc:
00000000`76f3b9dc 448bf0 mov r14d,eax

0:003> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
00000000`76f3b767 8d483674`c33bfffa kernel32!UnhandledExceptionFilter+0x1fc
00000000`76f3b847 5aa3e800`05bfac0d 0x8d483674`c33bfffa
00000000`76f3b84f ebffcf83`48ccfff9 0x5aa3e800`05bfac0d
00000000`76f3b857 8348c000`0409ba27 0xebffcf83`48ccfff9
00000000`76f3b85f 54dfe8cf`8b48ffcf 0x8348c000`0409ba27
00000000`76f3b867 4c02778d`db33fff9 0x54dfe8cf`8b48ffcf
00000000`76f3b86f 4c000000`e024a48b 0x4c02778d`db33fff9
00000000`76f3b877 ffcf8348`04ebeb8b 0x4c000000`e024a48b
00000000`76f3b87f fffc59e9`e8cc8b49 0xffcf8348`04ebeb8b
00000000`76f3b887 42e9c78b`0775c73b 0xfffc59e9`e8cc8b49
00000000`76f3b88f fffa6fa9`e8000003 0x42e9c78b`0775c73b
00000000`76f3b897 32e9c033`0774c33b 0xfffa6fa9`e8000003
00000000`76f3b89f fa7f3d8d`4c000003 0x32e9c033`0774c33b
00000000`76f3b8a7 de15ffcf`8b490006 0xfa7f3d8d`4c000003
00000000`76f3b8af f9370d8b`4800000e 0xde15ffcf`8b490006
00000000`76f3b8b7 000014a1`15ff0006 0xf9370d8b`4800000e
00000000`76f3b8bf 840fc33b`48f08b4c 0x000014a1`15ff0006
00000000`76f3b8c7 f6158b48`00000099 0x840fc33b`48f08b4c
00000000`76f3b8cf 0238c281`480006f3 0xf6158b48`00000099
00000000`76f3b8d7 48cfe8c8`8b480000 0x0238c281`480006f3
00000000`76f3b8df 8b4c7f74`c33bfff9 0x48cfe8c8`8b480000
00000000`76f3b8e7 888b4900`06f3dc05 0x8b4c7f74`c33bfff9
00000000`76f3b8ef 75083949`00000238 0x888b4900`06f3dc05
00000000`76f3b8f7 00000240`808b496c 0x75083949`00000238
00000000`76f3b8ff 8b415f75`08403949 0x00000240`808b496c
00000000`76f3b907 00024880`3b411040 0x8b415f75`08403949
00000000`76f3b90f 01040000`a9527500 0x00024880`3b411040
00000000`76f3b917 00025090`8d491874 0x01040000`a9527500
00000000`76f3b91f c68a4418`488d4900 0x00025090`8d491874
00000000`76f3b927 c33a0000`117315ff 0xc68a4418`488d4900
00000000`76f3b92f 4e15ffcf`8b493374 0xc33a0000`117315ff
00000000`76f3b937 ff41cc8b`4900000e 0x4e15ffcf`8b493374
00000000`76f3b93f 00028c84`0fc63bd6 0xff41cc8b`4900000e
00000000`76f3b947 00028484`0fc73b00 0x00028c84`0fc63bd6
00000000`76f3b94f 6ee7e819`75c33b00 0x00028484`0fc73b00
00000000`76f3b957 c0331074`c33bfffa 0x6ee7e819`75c33b00
00000000`76f3b95f cf8b4900`000270e9 0xc0331074`c33bfffa
00000000`76f3b967 8b490000`0e1b15ff 0xcf8b4900`000270e9
00000000`76f3b96f 3b000013`e215ffcc 0x8b490000`0e1b15ff
00000000`76f3b977 0253e9c7`8b0775c7 0x3b000013`e215ffcc
00000000`76f3b97f 41fff959`4ae80000 0x0253e9c7`8b0775c7
00000000`76f3b987 c6844100`000002be 0x41fff959`4ae80000
00000000`76f3b98f 15ff0000`023d850f 0xc6844100`000002be
00000000`76f3b997 850f20a8`00000f65 0x15ff0000`023d850f
00000000`76f3b99f 245c8948`0000022f 0x850f20a8`00000f65
00000000`76f3b9a7 448d4c3e`4e8d4520 0x245c8948`0000022f
00000000`76f3b9af ffc933d6`8b416024 0x448d4c3e`4e8d4520
00000000`76f3b9b7 7cc33b00`0009f415 0xffc933d6`8b416024
00000000`76f3b9bf 730a7024`64ba0f0f 0x7cc33b00`0009f415
00000000`76f3b9c7 00000205`e9c68b07 0x730a7024`64ba0f0f
00000000`76f3b9cf cc8b49d6`8bfb8b44 0x00000205`e9c68b07
00000000`76f3b9d7 f08b44ff`fffdc4e8 0xcc8b49d6`8bfb8b44
00000000`76f3b9df e9c03307`7508f883 0xf08b44ff`fffdc4e8
00000000`76f3b9e7 7506f883`000001e9 0xe9c03307`7508f883
00000000`76f3b9ef c33bfffa`6e4be810 0x7506f883`000001e9
00000000`76f3b9f7 0001d4e9`c0330774 0xc33bfffa`6e4be810
00000000`76f3b9ff 86850f04`fe834100 0x0001d4e9`c0330774
00000000`76f3ba07 0000024a`ba000001 0x86850f04`fe834100
00000000`76f3ba0f 00b841ce`8b45c933 0x0000024a`ba000001
00000000`76f3ba17 fff7a249`e8000010 0x00b841ce`8b45c933
00000000`76f3ba1f 0775c33b`48e88b4c 0xfff7a249`e8000010
00000000`76f3ba27 48000001`a6e9c033 0x0775c33b`48e88b4c
00000000`76f3ba2f 24448948`3024448d 0x48000001`a6e9c033
00000000`76f3ba37 0000f024`8c8d4c20 0x24448948`3024448d
00000000`76f3ba3f 49000001`25b84100 0x0000f024`8c8d4c20
00000000`76f3ba47 8a0fe8cf`8b48d58b 0x49000001`25b84100
00000000`76f3ba4f 4166097c`c33bfffe 0x8a0fe8cf`8b48d58b
00000000`76f3ba57 39fe450f`44005d39 0x4166097c`c33bfffe
00000000`76f3ba5f 850f0000`00f0249c 0x39fe450f`44005d39
00000000`76f3ba67 240c8b49`000000bc 0x850f0000`00f0249c
00000000`76f3ba6f 40244489`48016348 0x240c8b49`000000bc
00000000`76f3ba77 24448948`10418b48 0x40244489`48016348
00000000`76f3ba7f 75c00000`06398148 0x24448948`10418b48
00000000`76f3ba87 480b7203`18798318 0x75c00000`06398148
00000000`76f3ba8f 50244489`4830418b 0x480b7203`18798318
00000000`76f3ba97 eb50245c`89481ceb 0x50244489`4830418b
00000000`76f3ba9f 8b480b72`18713915 0xeb50245c`89481ceb
00000000`76f3baa7 eb502444`89482041 0x8b480b72`18713915
00000000`76f3baaf 02ba5024`5c894805 0xeb502444`89482041
00000000`76f3bab7 0b721851`39000000 0x02ba5024`5c894805
00000000`76f3babf 24448948`28418b48 0x0b721851`39000000
00000000`76f3bac7 58245c89`4805eb58 0x24448948`28418b48
00000000`76f3bacf ba1d3808`74fb3b44 0x58245c89`4805eb58
00000000`76f3bad7 48d68b02`740006fd 0xba1d3808`74fb3b44
00000000`76f3badf 48000000`e824848d 0x48d68b02`740006fd
00000000`76f3bae7 20245489`28244489 0x48000000`e824848d
00000000`76f3baef c0334540`244c8d4c 0x20245489`28244489
00000000`76f3baf7 000144b9`04508d41 0xc0334540`244c8d4c
00000000`76f3baff ba00000d`7215ffd0 0x000144b9`04508d41
00000000`76f3bb07 8c8bc223`c0000000 0xba00000d`7215ffd0
00000000`76f3bb0f b8c23b00`0000e824 0x8c8bc223`c0000000
00000000`76f3bb17 89c8440f`00000006 0xb8c23b00`0000e824
00000000`76f3bb1f 07eb0000`00e8248c 0x89c8440f`00000006
00000000`76f3bb27 44000000`e8248c8b 0x07eb0000`00e8248c
00000000`76f3bb2f 7403f983`5d74fb3b 0x44000000`e8248c8b
00000000`76f3bb37 000000f0`249c3909 0x7403f983`5d74fb3b
00000000`76f3bb3f 0006fd4d`058a4f74 0x000000f0`249c3909
00000000`76f3bb47 f85f5ce8`4b75c33a 0x0006fd4d`058a4f74
00000000`76f3bb4f 448b3b75`5c5838ff 0xf85f5ce8`4b75c33a
00000000`76f3bb57 894c2824`44893024 0x448b3b75`5c5838ff
00000000`76f3bb5f 08244c8b`4d20246c 0x894c2824`44893024
00000000`76f3bb67 fec2c748`24048b4d 0x08244c8b`4d20246c
00000000`76f3bb6f b6e8cf8b`48ffffff 0xfec2c748`24048b4d
00000000`76f3bb77 fd130db6`0fffffea 0xb6e8cf8b`48ffffff
00000000`76f3bb7f 88ce4c0f`c33b0006 0xfd130db6`0fffffea
00000000`76f3bb87 ebfb8b00`06fd080d 0x88ce4c0f`c33b0006
00000000`76f3bb8f 3a0006fc`fe058a29 0xebfb8b00`06fd080d
00000000`76f3bb97 8b240c8b`491874c3 0x3a0006fc`fe058a29
00000000`76f3bb9f 060f15ff`cf8b4811 0x8b240c8b`491874c3
00000000`76f3bba7 0000f824`bc8b0000 0x060f15ff`cf8b4811
00000000`76f3bbaf 00f824bc`8b07eb00 0x0000f824`bc8b0000
00000000`76f3bbb7 331074eb`3b4c0000 0x00f824bc`8b07eb00
00000000`76f3bbbf 49000080`00b841d2 0x331074eb`3b4c0000
00000000`76f3bbc7 8bfff74b`5ae8cd8b 0x49000080`00b841d2
00000000`76f3bbcf c48148c6`8b02ebc7 0x8bfff74b`5ae8cd8b
00000000`76f3bbd7 5e415f41`000000a0 0xc48148c6`8b02ebc7
00000000`76f3bbdf c35b5e5f`5c415d41 0x5e415f41`000000a0
00000000`76f3bbe7 158ead00`00000090 0xc35b5e5f`5c415d41
00000000`76f3bbef 00000200`00000053 0x158ead00`00000090
00000000`76f3bbf7 09bc2400`00002500 0x00000200`00000053
00000000`76f3bbff 00000000`09b42400 0x09bc2400`00002500
00000000`76f3bc07 7e023553`158ead00 0x9b42400
00000000`76f3bc0f 00000400`00000a19 0x7e023553`158ead00
00000000`76f3bc17 09b42000`09bc2000 0x00000400`00000a19
00000000`76f3bc1f 445352bb`03197e00 0x09b42000`09bc2000
00000000`76f3bc27 4c886225`48e28953 0x445352bb`03197e00
00000000`76f3bc2f 4fb29af4`dfbb8344 0x4c886225`48e28953
00000000`76f3bc37 72656b00`0000020e 0x4fb29af4`dfbb8344
00000000`76f3bc3f 64702e32`336c656e 0x72656b00`0000020e
00000000`76f3bc47 00000000`00000062 0x64702e32`336c656e

We check for any Hidden Exceptions and find a NULL Data Pointer:

0:003> .cxr
Resetting default scope

0:003> k
Child-SP RetAddr Call Site
00000000`0244e858 000007fe`fd061430 ntdll!NtWaitForMultipleObjects+0xa
00000000`0244e860 00000000`76ec1723 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`0244e960 00000000`76f3b5e5 kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`0244e9f0 00000000`76f3b767 kernel32!WerpReportFaultInternal+0x215
00000000`0244ea90 00000000`76f3b7bf kernel32!WerpReportFault+0x77
00000000`0244eac0 00000000`76f3b9dc kernel32!BasepReportFault+0x1f
00000000`0244eaf0 00000000`77153398 kernel32!UnhandledExceptionFilter+0x1fc
00000000`0244ebd0 00000000`770d85c8 ntdll! ?? ::FNODOBFM::`string'+0x2365
00000000`0244ec00 00000000`770e9d2d ntdll!_C_specific_handler+0x8c
00000000`0244ec70 00000000`770d91cf ntdll!RtlpExecuteHandlerForException+0xd
00000000`0244eca0 00000000`77111248 ntdll!RtlDispatchException+0x45a
00000000`0244f380 00000000`ffdbdb27 ntdll!KiUserExceptionDispatch+0x2e
00000000`0244fab0 00000000`76eb59ed calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244faf0 00000000`770ec541 kernel32!BaseThreadInitThunk+0xd
00000000`0244fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:003> dps 00000000`0244eca0 00000000`0244fab0
00000000`0244eca0 00000000`02450000
00000000`0244eca8 00000000`76fadda0 kernel32!__PchSym_ <PERF> (kernel32+0x10dda0)
00000000`0244ecb0 00000000`00012f00
00000000`0244ecb8 00000000`7711920a ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x3da
00000000`0244ecc0 00000000`00000005
00000000`0244ecc8 00000000`00000000
00000000`0244ecd0 00000000`00000000
00000000`0244ecd8 00000000`00000000
00000000`0244ece0 00000000`0244fb20
00000000`0244ece8 00000000`00000000
00000000`0244ecf0 00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0)
00000000`0244ecf8 00000000`00000000
00000000`0244ed00 00000000`00000000
00000000`0244ed08 00000000`02450000
00000000`0244ed10 00000000`771e8180 ntdll!`string'+0xc040
00000000`0244ed18 00000000`0244b000
00000000`0244ed20 00000000`0244f250
00000000`0244ed28 00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`0244ed30 00000000`770ec541 ntdll!RtlUserThreadStart+0x1d
00000000`0244ed38 00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`0244ed40 00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0)
00000000`0244ed48 00000000`0244fb20
00000000`0244ed50 00000000`771d7718 ntdll!LdrpDefaultExtension
00000000`0244ed58 00000000`0244ed80
00000000`0244ed60 00000000`770d852c ntdll!_C_specific_handler
00000000`0244ed68 00000000`771e8180 ntdll!`string'+0xc040
00000000`0244ed70 00000000`0244f250
00000000`0244ed78 00000000`00000000
00000000`0244ed80 00000000`00000000
00000000`0244ed88 00000000`00000000
00000000`0244ed90 00000000`00000000
00000000`0244ed98 00000000`00000000
00000000`0244eda0 00000000`00000000
00000000`0244eda8 00000000`00000000
00000000`0244edb0 00001f80`00000000
00000000`0244edb8 00000000`00000033
00000000`0244edc0 00010246`002b0000
00000000`0244edc8 00000000`00000000
00000000`0244edd0 00000000`00000000
00000000`0244edd8 00000000`00000000
00000000`0244ede0 00000000`00000000
00000000`0244ede8 000007fe`ff3625c0 msctf!s_szCompClassName
00000000`0244edf0 00000000`00200000
00000000`0244edf8 00000000`0244ee40
00000000`0244ee00 00000000`0244ee40
00000000`0244ee08 00000000`0244ee40
00000000`0244ee10 00000000`00000000
00000000`0244ee18 00000000`0244fb70
00000000`0244ee20 00000000`00000000
00000000`0244ee28 00000000`00000000
00000000`0244ee30 00000000`00000000
00000000`0244ee38 000007fe`fd602790 ole32!`string'
00000000`0244ee40 00000000`00292170
00000000`0244ee48 00000000`770e7a33 ntdll!LdrpFindOrMapDll+0x138
00000000`0244ee50 00000000`0244ef68
00000000`0244ee58 00000000`00000000
00000000`0244ee60 00000000`00000000
00000000`0244ee68 00000000`00000000
00000000`0244ee70 00000000`00000000
00000000`0244ee78 00000000`00000000
00000000`0244ee80 00000000`0000027f
00000000`0244ee88 00000000`00000000
00000000`0244ee90 00000000`00000000
00000000`0244ee98 0000ffff`00001f80
00000000`0244eea0 00000000`00000000
00000000`0244eea8 00000000`00000000
00000000`0244eeb0 00000000`00000000
00000000`0244eeb8 00000000`00000000
00000000`0244eec0 00000000`00000000
00000000`0244eec8 00000000`00000000
00000000`0244eed0 00000000`00000000
00000000`0244eed8 00000000`00000000
00000000`0244eee0 00000000`00000000
00000000`0244eee8 00000000`00000000
00000000`0244eef0 00000000`00000000
00000000`0244eef8 00000000`00000000
00000000`0244ef00 00000000`00000000
00000000`0244ef08 00000000`00000000
00000000`0244ef10 00000000`00000000
00000000`0244ef18 00000000`00000000
00000000`0244ef20 00000000`00000000
00000000`0244ef28 00000000`771192a8 ntdll!LdrpApplyFileNameRedirection+0x2d3
00000000`0244ef30 00000000`00000000
00000000`0244ef38 00000000`00000000
00000000`0244ef40 00000000`00000000
00000000`0244ef48 00000000`02080000
00000000`0244ef50 00000000`0244f028
00000000`0244ef58 00000000`0244f020
00000000`0244ef60 00000000`00000000
00000000`0244ef68 00000000`00000000
00000000`0244ef70 00000000`00000000
00000000`0244ef78 000007fe`fd602848 ole32!`string'
00000000`0244ef80 00000000`00000000
00000000`0244ef88 00000000`00000000
00000000`0244ef90 00000000`00000000
00000000`0244ef98 00000000`00000000
00000000`0244efa0 00000000`00000000
00000000`0244efa8 00000000`00000000
00000000`0244efb0 00000000`00000000
00000000`0244efb8 00000000`00000000
00000000`0244efc0 00000000`00000000
00000000`0244efc8 00000000`00000000
00000000`0244efd0 00000000`00000000
00000000`0244efd8 00000000`00000000
00000000`0244efe0 00000000`00000000
00000000`0244efe8 00000000`00000000
00000000`0244eff0 00000000`00000000
00000000`0244eff8 00000000`00000000
00000000`0244f000 00000000`00000000
00000000`0244f008 00000000`00000000
00000000`0244f010 00000000`00000000
00000000`0244f018 00000000`00000000
00000000`0244f020 00000000`0244f038
00000000`0244f028 00000000`0000011b
00000000`0244f030 00000000`024d0000
00000000`0244f038 00000080`001a024d
00000000`0244f040 00000000`01c0c8a0
00000000`0244f048 00000000`002f0101
00000000`0244f050 00000000`00000000
00000000`0244f058 00000000`00000022
00000000`0244f060 00000000`002f9b00
00000000`0244f068 00000000`01bd5390
00000000`0244f070 00000000`002f7c00
00000000`0244f078 00000000`01bd5580
00000000`0244f080 00000000`01bd57b0
00000000`0244f088 00000000`002f9b00
00000000`0244f090 00000000`00000000
00000000`0244f098 00000024`00000003
00000000`0244f0a0 00000000`002e91b0
00000000`0244f0a8 00000000`00000022
00000000`0244f0b0 00000000`771d5430 ntdll!RtlpInterceptorRoutines
00000000`0244f0b8 00000000`00000000
00000000`0244f0c0 00000000`00000010
00000000`0244f0c8 00000000`01bd0000
00000000`0244f0d0 00000000`00000008
00000000`0244f0d8 00000000`00000001
00000000`0244f0e0 00000000`01bd0288
00000000`0244f0e8 00000000`77113448 ntdll!RtlAllocateHeap+0xe4
00000000`0244f0f0 00000000`00000000
00000000`0244f0f8 00000000`00000001
00000000`0244f100 000002b2`000f002f
00000000`0244f108 00000000`01bd5780
00000000`0244f110 00000000`00250230
00000000`0244f118 00000000`000000df
00000000`0244f120 00000000`002551a0
00000000`0244f128 00000000`00255210
00000000`0244f130 00000000`002f9b00
00000000`0244f138 00000000`002551a0
00000000`0244f140 00000000`000000df
00000000`0244f148 00000000`10000010
00000000`0244f150 00000000`00250230
00000000`0244f158 00000000`00000000
00000000`0244f160 00000000`00250498
00000000`0244f168 00000000`0025026c
00000000`0244f170 00000000`002f9b00
00000000`0244f178 00000000`002551a0
00000000`0244f180 00000000`00000022
00000000`0244f188 00000000`76fd88b8 user32!GetPropW+0x4d
00000000`0244f190 00000000`00002974
00000000`0244f198 00000000`76fd88b8 user32!GetPropW+0x4d
00000000`0244f1a0 00000000`00250230
00000000`0244f1a8 00000000`76fd7931 user32!IsWindow+0x9
00000000`0244f1b0 00000000`002ed6d0
00000000`0244f1b8 00000000`76fd7931 user32!IsWindow+0x9
00000000`0244f1c0 00000000`00000000
00000000`0244f1c8 00000000`01c0c8d0
00000000`0244f1d0 00000000`01c0c8a0
00000000`0244f1d8 00000000`00000000
00000000`0244f1e0 00000000`00000008
00000000`0244f1e8 00000000`01bd0000
00000000`0244f1f0 00000000`00000000
00000000`0244f1f8 00000000`770f41c8 ntdll!RtlpReAllocateHeap+0x178
00000000`0244f200 00000000`00000002
00000000`0244f208 00000000`00000002
00000000`0244f210 00000000`00000000
00000000`0244f218 000007fe`4f00024d
00000000`0244f220 00000000`00000000
00000000`0244f228 000007fe`fb601381 uxtheme!CThemeWnd::_PreDefWindowProc+0x31
00000000`0244f230 00000000`00000082
00000000`0244f238 00000000`00000000
00000000`0244f240 00000000`7a337100
00000000`0244f248 00000000`01c0c8c0
00000000`0244f250 00000000`00000003
00000000`0244f258 00000000`76eb59e0 kernel32!BaseThreadInitThunk
00000000`0244f260 00000000`ffdbdb32 calc!CTimedCalc::Start+0xa9
00000000`0244f268 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`0244f270 00000000`ffe0ac64 calc!_dyn_tls_init_callback <PERF> (calc+0x7ac64)
00000000`0244f278 00000000`76ea0000 kernel32!TestResourceDataMatchEntry <PERF> (kernel32+0x0)
00000000`0244f280 00000000`76fadda0 kernel32!__PchSym_ <PERF> (kernel32+0x10dda0)
00000000`0244f288 00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`0244f290 00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0)
00000000`0244f298 00000000`76fd760e user32!RealDefWindowProcW+0x5a
00000000`0244f2a0 00000000`00000001
00000000`0244f2a8 000007fe`fb600037 uxtheme!operator delete <PERF> (uxtheme+0x37)
00000000`0244f2b0 00000000`01bd0158
00000000`0244f2b8 00000000`00000082
00000000`0244f2c0 00000000`00000000
00000000`0244f2c8 00000000`00000003
00000000`0244f2d0 00000000`000111f2
00000000`0244f2d8 00000000`00000054
00000000`0244f2e0 00000000`00000000
00000000`0244f2e8 00000000`00000000
00000000`0244f2f0 00000000`00000001
00000000`0244f2f8 00000000`01c11c60
00000000`0244f300 00000000`0244f462
00000000`0244f308 00000000`01bd0230
00000000`0244f310 00000000`00000000
00000000`0244f318 00000000`00000000
00000000`0244f320 00000000`00000000
00000000`0244f328 00000000`14010015
00000000`0244f330 00000000`01c11570
00000000`0244f338 00000000`00000000
00000000`0244f340 00000000`00000000
00000000`0244f348 00000000`00000000
00000000`0244f350 00000000`00009c40
00000000`0244f358 00000000`00000000
00000000`0244f360 00000000`00000000
00000000`0244f368 00000000`00000000
00000000`0244f370 00000000`00002710
00000000`0244f378 00000000`77111248 ntdll!KiUserExceptionDispatch+0x2e
00000000`0244f380 00000000`0244f870
00000000`0244f388 00000000`0244f380
00000000`0244f390 00000000`00000000
00000000`0244f398 00000000`00000000
00000000`0244f3a0 000007fe`fb63fb40 uxtheme!$$VProc_ImageExportDirectory
00000000`0244f3a8 00000000`00000ad5
00000000`0244f3b0 00001f80`0010005f
00000000`0244f3b8 0053002b`002b0033
00000000`0244f3c0 00010246`002b002b
00000000`0244f3c8 00000000`00000000
00000000`0244f3d0 00000000`00000000
00000000`0244f3d8 00000000`00000000
00000000`0244f3e0 00000000`00000000
00000000`0244f3e8 00000000`00000000
00000000`0244f3f0 00000000`00000000
00000000`0244f3f8 00000000`0012c770
00000000`0244f400 00000000`00000000
00000000`0244f408 00000000`00000000
00000000`0244f410 00000000`00002710
00000000`0244f418 00000000`0244fab0
00000000`0244f420 00000000`00000000
00000000`0244f428 00000000`00000000
00000000`0244f430 00000000`00000000
00000000`0244f438 00000000`0244f938
00000000`0244f440 00000000`00962210
00000000`0244f448 00000000`00000000
00000000`0244f450 00000000`0244f9a0
00000000`0244f458 00000000`00009c40
00000000`0244f460 00000000`00000000
00000000`0244f468 00000000`00000000
00000000`0244f470 00000000`00000000
00000000`0244f478 00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244f480 00000000`0000027f
00000000`0244f488 00000000`00000000
00000000`0244f490 00000000`00000000
00000000`0244f498 0000ffff`00001f80
00000000`0244f4a0 00000000`00000000
00000000`0244f4a8 00000000`00000000
00000000`0244f4b0 00000000`00000000
00000000`0244f4b8 00000000`00000000
00000000`0244f4c0 00000000`00000000
00000000`0244f4c8 00000000`00000000
00000000`0244f4d0 00000000`00000000
00000000`0244f4d8 00000000`00000000
00000000`0244f4e0 00000000`00000000
00000000`0244f4e8 00000000`00000000
00000000`0244f4f0 00000000`00000000
00000000`0244f4f8 00000000`00000000
00000000`0244f500 00000000`00000000
00000000`0244f508 00000000`00000000
00000000`0244f510 00000000`00000000
00000000`0244f518 00000000`00000000
00000000`0244f520 00000000`00000000
00000000`0244f528 00000000`00000000
00000000`0244f530 00000000`00000000
00000000`0244f538 00000000`00000000
00000000`0244f540 00000000`00000000
00000000`0244f548 00000000`00000000
00000000`0244f550 00000000`00000000
00000000`0244f558 00000000`00000000
00000000`0244f560 00000000`00000000
00000000`0244f568 00000000`00000000
00000000`0244f570 00000000`00000000
00000000`0244f578 00000000`00000000
00000000`0244f580 00000000`00000000
00000000`0244f588 00000000`00000000
00000000`0244f590 00000000`00000000
00000000`0244f598 00000000`00000000
00000000`0244f5a0 00000000`00000000
00000000`0244f5a8 00000000`00000000
00000000`0244f5b0 00000000`00000000
00000000`0244f5b8 00000000`00000000
00000000`0244f5c0 00000000`00000000
00000000`0244f5c8 00000000`00000000
00000000`0244f5d0 00000000`00000000
00000000`0244f5d8 00000000`00000000
00000000`0244f5e0 00000000`00000000
00000000`0244f5e8 00000000`00000000
00000000`0244f5f0 00000000`00000000
00000000`0244f5f8 00000000`00000000
00000000`0244f600 00000000`00000000
00000000`0244f608 00000000`00000000
00000000`0244f610 00000000`00000000
00000000`0244f618 00000000`00000000
00000000`0244f620 00000000`00000000
00000000`0244f628 00000000`00000000
00000000`0244f630 00000000`00000000
00000000`0244f638 00000000`00000000
00000000`0244f640 00000000`00000000
00000000`0244f648 00000000`00000000
00000000`0244f650 00000000`00000000
00000000`0244f658 00000000`00000000
00000000`0244f660 00000000`00000000
00000000`0244f668 fffff800`032d5e53
00000000`0244f670 00000000`00000002
00000000`0244f678 00000000`00000000
00000000`0244f680 00000000`01c11580
00000000`0244f688 00000000`00000082
00000000`0244f690 00000000`00000082
00000000`0244f698 00000000`000111e4
00000000`0244f6a0 00000000`00000002
00000000`0244f6a8 00000000`0244f6f0
00000000`0244f6b0 00000000`00000002
00000000`0244f6b8 00000000`00000000
00000000`0244f6c0 00000000`000111e4
00000000`0244f6c8 00000000`00000000
00000000`0244f6d0 00000000`00000082
00000000`0244f6d8 00000000`00000000
00000000`0244f6e0 00000000`00000000
00000000`0244f6e8 00000000`76fe76c2 user32!DefDlgProcW+0x36
00000000`0244f6f0 00000000`00000000
00000000`0244f6f8 00000000`00000000
00000000`0244f700 00000000`000111e4
00000000`0244f708 00000000`00000000
00000000`0244f710 00000000`00000082
00000000`0244f718 00000000`00000000
00000000`0244f720 00000000`0244f908
00000000`0244f728 00000000`76fd9bef user32!UserCallWinProcCheckWow+0x1cb
00000000`0244f730 00000000`00962210
00000000`0244f738 00000000`00000001
00000000`0244f740 00000000`00000000
00000000`0244f748 00000000`00000000
00000000`0244f750 00000000`0244f768
00000000`0244f758 00000000`0244f778
00000000`0244f760 00000000`00000001
00000000`0244f768 00000000`00000000
00000000`0244f770 00000000`00000000
00000000`0244f778 00000000`00000000
00000000`0244f780 00000000`00000048
00000000`0244f788 00000000`00000001
00000000`0244f790 00000000`00000000
00000000`0244f798 00000000`00000000
00000000`0244f7a0 00000000`00000070
00000000`0244f7a8 ffffffff`ffffffff
00000000`0244f7b0 ffffffff`ffffffff
00000000`0244f7b8 00000000`76fd9b43 user32!UserCallWinProcCheckWow+0x99
00000000`0244f7c0 00000000`76fd9bef user32!UserCallWinProcCheckWow+0x1cb
00000000`0244f7c8 00000000`00000000
00000000`0244f7d0 00000000`00000000
00000000`0244f7d8 00000000`00000000
00000000`0244f7e0 00000000`00000000
00000000`0244f7e8 00000000`76fd72cb user32!DispatchClientMessage+0xc3
00000000`0244f7f0 00000000`00000000
00000000`0244f7f8 00000000`770e46b4 ntdll!NtdllDialogWndProc_W
00000000`0244f800 00000000`00000000
00000000`0244f808 00000000`00000000
00000000`0244f810 00000000`00000000
00000000`0244f818 00000000`00000000
00000000`0244f820 00000000`00962238
00000000`0244f828 00000000`00000001
00000000`0244f830 00000000`00000000
00000000`0244f838 00000000`00000000
00000000`0244f840 00000000`00000000
00000000`0244f848 00000000`00000000
00000000`0244f850 00000730`fffffb30
00000000`0244f858 000004d0`fffffb30
00000000`0244f860 00000170`000000f0
00000000`0244f868 0000002c`00000001
00000000`0244f870 00000000`c0000005
00000000`0244f878 00000000`00000000
00000000`0244f880 00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244f888 00000000`00000002
00000000`0244f890 00000000`00000000
00000000`0244f898 00000000`00000000
00000000`0244f8a0 00000000`00000000
00000000`0244f8a8 00000000`00000000
00000000`0244f8b0 00000000`00000000
00000000`0244f8b8 00000000`00000000
00000000`0244f8c0 00000000`00000000
00000000`0244f8c8 00000000`00000000
00000000`0244f8d0 00000000`00000000
00000000`0244f8d8 00000000`00000000
00000000`0244f8e0 00000000`00000000
00000000`0244f8e8 00000000`00000000
00000000`0244f8f0 00000000`00000000
00000000`0244f8f8 00000000`00000000
00000000`0244f900 00000000`00000000
00000000`0244f908 00000000`00962210
00000000`0244f910 00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244f918 00000000`00000000
00000000`0244f920 00000000`00000000
00000000`0244f928 00000000`0244fab0
00000000`0244f930 00000000`77101530 ntdll!NtdllDispatchMessage_W
00000000`0244f938 00000000`76fe505b user32!DialogBox2+0x2ec
00000000`0244f940 00000000`00000000
00000000`0244f948 00000000`00000000
00000000`0244f950 00000000`00000000
00000000`0244f958 00000000`00000000
00000000`0244f960 00000000`00000000
00000000`0244f968 00000000`00000000
00000000`0244f970 00000000`00000000
00000000`0244f978 00000000`00000000
00000000`0244f980 00000000`00000002
00000000`0244f988 00000000`000111f0
00000000`0244f990 00000271`0f689359
00000000`0244f998 00000000`00000030
00000000`0244f9a0 00000000`00000000
00000000`0244f9a8 00000000`00000000
00000000`0244f9b0 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`0244f9b8 00000000`001a17e0
00000000`0244f9c0 00000000`00000000
00000000`0244f9c8 00000000`76fe4edd user32!InternalDialogBox+0x135
00000000`0244f9d0 00000000`00000000
00000000`0244f9d8 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`0244f9e0 00000000`00000000
00000000`0244f9e8 00000000`00000000
00000000`0244f9f0 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`0244f9f8 00000000`00000000
00000000`0244fa00 00000000`00000001
00000000`0244fa08 00000000`00000000
00000000`0244fa10 00000000`00000000
00000000`0244fa18 00000000`00009c40
00000000`0244fa20 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`0244fa28 00000000`76fe4f52 user32!DialogBoxIndirectParamAorW+0x58
00000000`0244fa30 00000000`001a17e0
00000000`0244fa38 00000000`00000000
00000000`0244fa40 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`0244fa48 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`0244fa50 00000000`00000000
00000000`0244fa58 00000000`00000001
00000000`0244fa60 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`0244fa68 00000000`76fdd476 user32!DialogBoxParamW+0x66
00000000`0244fa70 ffffffff`ffffffff
00000000`0244fa78 00000000`00000000
00000000`0244fa80 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`0244fa88 00000000`00000000
00000000`0244fa90 00000000`00000000
00000000`0244fa98 00000000`00000000
00000000`0244faa0 00000000`00000000
00000000`0244faa8 00000000`ffdbdafa calc!CTimedCalc::WatchDogThread+0x72
00000000`0244fab0 00000000`00002710

Segment registers and flags look normal now:

0:003> .cxr 00000000`0244f380
rax=000000000012c770 rbx=0000000000002710 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=00000000ffdbdb27 rsp=000000000244fab0 rbp=0000000000000000
r8=000000000244f938 r9=0000000000962210 r10=0000000000000000
r11=000000000244f9a0 r12=0000000000009c40 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
calc!CTimedCalc::WatchDogThread+0xb2:
00000000`ffdbdb27 488b01 mov rax,qword ptr [rcx] ds:00000000`00000000=????????????????

0:003> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
00000000`0244fab0 00000000`76eb59ed calc!CTimedCalc::WatchDogThread+0xb2
00000000`0244faf0 00000000`770ec541 kernel32!BaseThreadInitThunk+0xd
00000000`0244fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
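The hidden-exception walk above (locating the real CONTEXT record on the thread stack, applying .cxr to it and checking that segment registers and flags look sane) can be scripted against a raw stack image, which is useful when a dump is suspected of being tampered and the stored exception context cannot be trusted. The following Python is an added example, not code from the original post or from any WinDbg extension. It assumes the AMD64 CONTEXT and EXCEPTION_RECORD64 layouts from winnt.h (field offsets as named in the CTX table), and its sample input is constructed: the stack qwords are transcribed from the dps output above, and the "tampered" register set is taken from the .ecxr output. It scans for a CONTEXT-shaped record, applies the same plausibility checks the post makes by eye (x64 user-mode selectors, a set reserved EFLAGS bit, an aligned rsp), follows P1Home to the EXCEPTION_RECORD, and lists why the stored context fails those checks.

```python
import struct

# AMD64 CONTEXT field offsets (winnt.h). Cross-checked against the dps dump above:
# 0244f380+0x38 holds 0053002b`002b0033, the cs/ds/es/fs selectors that .cxr prints.
CTX = {"p1home": 0x00, "p2home": 0x08, "context_flags": 0x30,
       "cs": 0x38, "ds": 0x3a, "es": 0x3c, "fs": 0x3e, "gs": 0x40, "ss": 0x42,
       "eflags": 0x44, "rax": 0x78, "rcx": 0x80, "rbx": 0x90, "rsp": 0x98, "rip": 0xf8}
CTX_PARSED = 0x100  # bytes of a record we read (through Rip)
SEL16 = {"cs", "ds", "es", "fs", "gs", "ss"}
U32 = {"context_flags", "eflags"}
# Selector values of a genuine x64 Windows user-mode context.
EXPECTED_SEL = {"cs": 0x33, "ss": 0x2b, "ds": 0x2b, "es": 0x2b, "fs": 0x53, "gs": 0x2b}

# Constructed sample input: stack qwords transcribed from the dps output above
# (address -> value); addresses not listed are zero in the dump.
STACK_QWORDS = {
    0x0244f380: 0x000000000244f870, 0x0244f388: 0x000000000244f380,  # P1Home, P2Home
    0x0244f3a0: 0x000007fefb63fb40, 0x0244f3a8: 0x0000000000000ad5,
    0x0244f3b0: 0x00001f800010005f,                                  # ContextFlags | MxCsr
    0x0244f3b8: 0x0053002b002b0033, 0x0244f3c0: 0x00010246002b002b,  # selectors, EFlags
    0x0244f3f8: 0x000000000012c770, 0x0244f410: 0x0000000000002710,  # Rax, Rbx
    0x0244f418: 0x000000000244fab0,                                  # Rsp
    0x0244f438: 0x000000000244f938, 0x0244f440: 0x0000000000962210,  # R8, R9
    0x0244f450: 0x000000000244f9a0, 0x0244f458: 0x0000000000009c40,  # R11, R12
    0x0244f478: 0x00000000ffdbdb27,                                  # Rip (WatchDogThread+0xb2)
    0x0244f480: 0x000000000000027f, 0x0244f498: 0x0000ffff00001f80,
    0x0244f870: 0x00000000c0000005,                                  # ExceptionCode
    0x0244f880: 0x00000000ffdbdb27, 0x0244f888: 0x0000000000000002,  # ExceptionAddress, NumberParameters
}
IMAGE_BASE, IMAGE_SIZE = 0x0244f380, 0x0244f890 - 0x0244f380

# The stored exception context as printed by .ecxr above (constructed from that output).
TAMPERED_CONTEXT = {"cs": 0x0000, "ss": 0x0000, "ds": 0x0266, "es": 0x0000, "fs": 0x0000,
                    "gs": 0x0154, "eflags": 0x0, "rsp": 0x76f3b767, "rip": 0x76f3b9dc}


def build_image(qwords, base, size):
    """Lay the sparse qword map out as a little-endian byte image."""
    buf = bytearray(size)
    for addr, val in qwords.items():
        off = addr - base
        if 0 <= off <= size - 8:
            struct.pack_into("<Q", buf, off, val)
    return bytes(buf)


def parse_context(img, base, addr):
    """Read the CONTEXT fields listed in CTX from the image at addr."""
    off = addr - base
    ctx = {"address": addr}
    for name, fo in CTX.items():
        fmt = "<H" if name in SEL16 else "<I" if name in U32 else "<Q"
        ctx[name] = struct.unpack_from(fmt, img, off + fo)[0]
    return ctx


def sanity_check(ctx):
    """Return anomalies that separate a genuine user-mode CONTEXT from damaged or
    fabricated data; an empty list means the record looks real."""
    problems = [f"{r}={ctx[r]:#06x}, expected {v:#06x}"
                for r, v in EXPECTED_SEL.items() if ctx[r] != v]
    if not ctx["eflags"] & 0x2:
        problems.append("EFLAGS reserved bit 1 clear (always set on a real CPU)")
    if ctx["rsp"] & 0x7:
        problems.append("rsp not 8-byte aligned")
    if ctx["rip"] == 0:
        problems.append("rip is zero")
    return problems


def find_context_candidates(img, base):
    """Scan at 8-byte granularity for records that pass every sanity check."""
    found = []
    for off in range(0, len(img) - CTX_PARSED + 1, 8):
        ctx = parse_context(img, base, base + off)
        if not sanity_check(ctx):
            found.append(ctx)
    return found


def parse_exception_record(img, base, addr):
    """EXCEPTION_RECORD64: code @0, flags @4, address @0x10, nparams @0x18."""
    off = addr - base
    code, flags = struct.unpack_from("<II", img, off)
    address, nparams = struct.unpack_from("<QI", img, off + 0x10)
    return {"code": code, "flags": flags, "address": address, "nparams": nparams}


def recover_hidden_exception(img, base):
    """For the first plausible CONTEXT, follow P1Home to its EXCEPTION_RECORD
    (in this dump P1Home holds that pointer and P2Home points back at the CONTEXT)."""
    for ctx in find_context_candidates(img, base):
        rec = ctx["p1home"]
        if ctx["p2home"] == ctx["address"] and base <= rec <= base + len(img) - 0x1c:
            return ctx, parse_exception_record(img, base, rec)
    return None, None


if __name__ == "__main__":
    image = build_image(STACK_QWORDS, IMAGE_BASE, IMAGE_SIZE)
    ctx, rec = recover_hidden_exception(image, IMAGE_BASE)
    print(f"CONTEXT @ {ctx['address']:#x}: rip={ctx['rip']:#x} rsp={ctx['rsp']:#x} "
          f"rcx={ctx['rcx']:#x} efl={ctx['eflags']:#x}")
    print(f"EXCEPTION_RECORD @ {ctx['p1home']:#x}: code={rec['code']:#x} "
          f"address={rec['address']:#x}")
    print("stored .ecxr context anomalies:", sanity_check(TAMPERED_CONTEXT))
```

Run stand-alone it reports the same CONTEXT at 0244f380 (rip in calc!CTimedCalc::WatchDogThread+0xb2, rcx=0, efl=00010246) and the 0xC0000005 exception record that .cxr and the k command reveal above, and it flags eight anomalies in the stored context (every selector, the cleared EFLAGS reserved bit, and the unaligned rsp). The selector and EFLAGS tests are cheap structural invariants that tampering which only patches pointers tends to leave inconsistent, which is why weak tampering is detectable this way while strong tampering generally is not.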

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

What is a Software Narrative?

Tuesday, March 20th, 2012

The previous definition of software narratology was restricted to software traces and logs (the top left quadrant of the software narrative square, and also the part of Memoretics that studies memory snapshots). Now, with the broadening of the domain of software narratology to the whole world of software narrative stories, including actor interactions with software in construction (requirements, use cases) and post-construction (incidents), we give another definition:

Software narrative is a representation of software events and changes of state. Software Narratology is a discipline that studies such software narratives (software narrative science).

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Uses of Memoretics

Wednesday, September 21st, 2011

Memoretics promotes pattern-driven memory dump and software trace analysis, which has many uses, including but not limited to:

  • Software and site reliability
  • Software Debugging
  • QA and Software Testing
  • Computer Security
  • Software Troubleshooting
  • Malware Research and Analysis
  • Tools as a Service (TaaS)
  • Supportability
  • Software Diagnostics

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crossdisciplinary Memoretics as Interdisciplinary Science

Wednesday, September 21st, 2011

Memoretics as a science of memory snapshots borrows many ideas from the following disciplines (the list is not exhaustive):

  • Troubleshooting and Debugging
  • Intelligence Analysis
  • Critical Thinking
  • Forensics
  • Linguistics
  • Archaeology
  • Psychoanalysis
  • History
  • Mathematics: Sets and Categories
  • Literary Criticism and Narratology

It also contributes many ideas back. The following diagram depicts such an interaction:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Expanded Job Advertisements

Tuesday, April 26th, 2011

The Jobs page on the Memory Dump, Software Trace, Debugging and Malware Analysis Portal now accepts company job ads related to security research, computer forensics, reverse engineering, and malware analysis, in addition to debugging, software defect research, crash / core / memory dump and software trace analysis.

http://www.dumpanalysis.org/jobs

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Memory Dump Analysis Anthology, Volume 5 is available for download

Sunday, April 17th, 2011

I’m pleased to announce that MDAA, Volume 5 is available in PDF format:

www.dumpanalysis.org/Memory+Dump+Analysis+Anthology+Volume+5

It features:

- 25 new crash dump analysis patterns
- 11 new pattern interaction case studies (including software tracing)
- 16 new trace analysis patterns
- 7 structural memory patterns
- 4 modeling case studies for memory dump analysis patterns
- Discussion of 3 common analysis mistakes
- Malware analysis case study
- Computer independent architecture of crash analysis report service
- Expanded coverage of software narratology
- Metaphysical and theological implications of memory dump worldview
- More pictures of memory space and physicalist art
- Classification of memory visualization tools
- Memory visualization case studies
- Close reading of the stories of Sherlock Holmes: Dr. Watson’s observational patterns
- Fully cross-referenced with Volume 1, Volume 2, Volume 3, and Volume 4

Its table of contents is available here:

www.dumpanalysis.org/MDAA/MDA-Anthology-V5-TOC.pdf

Paperback and hardcover versions should be available in a week or two. I also started working on Volume 6 that should be available in November-December.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

The New School of Debugging

Saturday, January 1st, 2011

With the new year starts a new initiative to integrate traditional multidisciplinary debugging approaches and methodologies with multiplatform pattern-driven software problem solving, unified debugging patterns, best practices in memory dump analysis and software tracing, computer security, economics, and the new emerging trends I’m going to write about during this year.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Welcome to Victimware.org

Saturday, December 25th, 2010

As a part of my efforts to unify malware and forensic analysis with memory dump and software trace analysis from the perspective of behavioral and structural patterns, I created the domain name Victimware.org, which currently points to the dump analysis portal. The word victimware was borrowed and extended from its previous limited use:

Software Victimology (Part 1)
Software Victimology (Part 2)

I also added this signature to the bottom of every post and page, where the C-style comment markers signify the removal of defects and malware as the causes of victimware:

/* Malware and Software Defects -> Victimware.org */

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -