Archive for the ‘Debugging’ Category

Bug Concentration Camp

Thursday, September 4th, 2008

A new cartoon from Narasimha Vedala provides insight into string reversing (click on it to enlarge):

At the Bug Concentration Camp [BCC]
CCB officer decides the fate

DBG_BugConcentrationCamp from Narasimha Vedala (click to enlarge)

I was curious to check if there are any opcodes like BCC or CCB and there are indeed:

BCC - Branch on Carry Clear
CCB - Chip Configuration Byte

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.13

Thursday, September 4th, 2008

Shakespeare on the transitive nature of software defects, where one bug causes another, and so on, until the final effect, or when memory corruption causes crash effects.

“… and now remains
That we find out the cause of this effect,
Or rather say, the cause of this defect,
For this effect defective comes by cause.”

William Shakespeare, Hamlet

- Dmitry Vostokov @ DumpAnalysis.org -

Mother Bug

Thursday, September 4th, 2008

New cartoon from Narasimha Vedala:

Mother bug explains Morris worm

DBG_MotherBug from Narasimha Vedala

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.12

Wednesday, September 3rd, 2008

“Sir, please believe me, it’s the first time this has ever happened. Have another try, don’t get upset. You know our” Programs “are” TESTED.

Jean-Pierre Petit, Adventures of Archibald Higgins: Euclid Rules O.K.?

- Dmitry Vostokov @ DumpAnalysis.org -

Heap and early crash dump: pattern cooperation

Tuesday, September 2nd, 2008

The following error was reported when launching an application and no configured default postmortem debugger was able to save a crash dump:

The application failed to initialize properly (0x06d007e). Click on OK to terminate the application.

The process memory dump, captured manually with userdump.exe while the error message box was displayed, didn’t show anything helpful in its stack traces:

0:000> ~*kL

.  0  Id: 310.1ab8 Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr 
0012fd14 7c8284c5 ntdll!_LdrpInitialize+0x184
00000000 00000000 ntdll!KiUserApcDispatcher+0x25

   1  Id: 310.1ec0 Suspend: 1 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr 
0820fcb0 7c826f4b ntdll!KiFastSystemCallRet
0820fcb4 7c813b90 ntdll!NtDelayExecution+0xc
0820fd14 7c8284c5 ntdll!_LdrpInitialize+0x19b
00000000 00000000 ntdll!KiUserApcDispatcher+0x25

However, one of the last error values was an access violation (Last Error Collection pattern):

0:000> !gle -all
Last error for thread 0:
LastErrorValue: (Win32) 0x3e6 (998) - Invalid access to memory location.
LastStatusValue: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

Last error for thread 1:
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0

It was suspected that access violation exceptions were being handled by the application’s own exception handlers (Custom Exception Handler pattern), so it was recommended to capture first-chance exception crash dumps (Early Crash Dump pattern). Indeed, there was one such exception:

0:000> r
eax=00000000 ebx=00000000 ecx=00000000 edx=00157554 esi=00000080 edi=00000000
eip=7c829ffa esp=0012ed48 ebp=0012ef64 iopl=0 nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000  efl=00010246
ntdll!RtlAllocateHeap+0x24:
7c829ffa 0b4310          or      eax,dword ptr [ebx+10h] ds:0023:00000010=????????

0:000> kL
ChildEBP RetAddr 
0012ef64 7c3416b3 ntdll!RtlAllocateHeap+0x24
0012efa4 7c3416db msvcr71!_heap_alloc+0xe0
0012efac 7c3416f8 msvcr71!_nh_malloc+0x10
0012efb8 67741c01 msvcr71!malloc+0xf
[...]
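The two hints that drove this analysis can be checked mechanically: a thread whose last NTSTATUS has error severity while the dump shows no crash, and a faulting data address in the low NULL page range. Below is an added example (not code from the original post) that parses the `!gle -all` and disassembly lines quoted above; the sample text is copied from the post and the function names are my own.

```python
import re

# Constructed sample input: the "!gle -all" output and the faulting
# instruction line quoted in the post, trimmed to what the parser reads.
GLE_OUTPUT = """Last error for thread 0:
LastErrorValue: (Win32) 0x3e6 (998) - Invalid access to memory location.
LastStatusValue: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

Last error for thread 1:
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0
"""
FAULT_LINE = "7c829ffa 0b4310          or      eax,dword ptr [ebx+10h] ds:0023:00000010=????????"

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

def ntstatus_severity(status):
    """NTSTATUS keeps its severity in bits 31-30 (0xC... means error)."""
    return SEVERITY[(status >> 30) & 0x3]

def parse_gle(text):
    """Map thread number -> (LastErrorValue, LastStatusValue) from '!gle -all' output."""
    result, thread = {}, None
    for line in text.splitlines():
        if m := re.match(r"Last error for thread (\d+):", line):
            thread = int(m.group(1))
            result[thread] = [None, None]
        elif thread is not None and (m := re.match(r"LastErrorValue: \(Win32\) (0x[0-9a-f]+|\d+)", line)):
            result[thread][0] = int(m.group(1), 0)
        elif thread is not None and (m := re.match(r"LastStatusValue: \(NTSTATUS\) (0x[0-9a-f]+|\d+)", line)):
            result[thread][1] = int(m.group(1), 0)
    return {t: tuple(v) for t, v in result.items()}

def threads_with_error_status(text):
    """Threads whose last NTSTATUS has error severity although the dump shows no
    crash: the Last Error Collection hint that an exception was swallowed."""
    return sorted(t for t, (_, status) in parse_gle(text).items()
                  if status is not None and ntstatus_severity(status) == "error")

def classify_fault_address(disasm_line):
    """Pull the data address out of a WinDbg 'ds:0023:XXXXXXXX=????????' annotation.
    '????????' means the bytes were unreadable; an unreadable address inside the
    reserved low 64 KB is the classic NULL pointer plus a small structure offset."""
    m = re.search(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=(\?+|[0-9a-f]+)", disasm_line)
    if not m:
        return None
    addr, unreadable = int(m.group(1), 16), m.group(2).startswith("?")
    if unreadable and addr < 0x10000:
        return ("null-pointer-deref", addr)
    return ("unreadable" if unreadable else "readable", addr)
```

For the dump above this flags thread 0 and classifies the `[ebx+10h]` access with `ebx=0` as a NULL pointer dereference, which is why the first-chance dump, not the postmortem one, held the answer.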

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.11

Tuesday, September 2nd, 2008

The crash dump “is the message”.

Marshall McLuhan, The medium is the message

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.10

Monday, September 1st, 2008

I’m back from my holidays and here is my 10th anniversary bugtation:

“Coincidences, in general, are great stumbling-blocks in the way of” debugging.

Edgar Allan Poe, The Murders in the Rue Morgue

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.9

Wednesday, August 20th, 2008

“There is nothing more deceptive than an obvious” bug.

Sherlock Holmes, The Boscombe Valley Mystery

- Dmitry Vostokov @ DumpAnalysis.org -

Gossip about Dr. Debugalov

Wednesday, August 20th, 2008

New cartoon from Narasimha Vedala (click on it to enlarge):

Misty morning gossip in the park

DBG_Gossipinthepark from Narasimha Vedala (click to enlarge)

- Dmitry Vostokov @ DumpAnalysis.org -

The Psychology and Psychiatry of Bugs

Tuesday, August 19th, 2008

New cartoon from Narasimha Vedala provides insight into crazy bugs (click on it to enlarge):

A visit to the Psychiatrist

DBG_Psychiatrist from Narasimha Vedala (click to enlarge)

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.8

Tuesday, August 19th, 2008

Debugging “will one day be as necessary for efficient” programming “as the ability to read and write” code.

Herbert George Wells

- Dmitry Vostokov @ DumpAnalysis.org -

Life cycle of a bug

Tuesday, August 19th, 2008

New cartoon from Narasimha Vedala provides insight into the beauty of nature (click on it to enlarge):

Nature’s Wonder: Life cycle of a beetle

DBG_LifeCycleOfBug from Narasimha Vedala (click to enlarge)

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.7

Monday, August 18th, 2008

This bugtation is identical to the original quotation:

“Thank you for not dividing by zero.”

Unknown

Encouraged by this I propose another one :-)

“Thank you for checking for NULL pointers.”

Dmitry Vostokov

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.6

Monday, August 18th, 2008

“I admit that” debugging “is a good thing. But excessive devotion to it is a bad thing.”

Aldous Leonard Huxley

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.5

Sunday, August 17th, 2008

“The great tragedy of” Software: “the slaying of a beautiful” program “by an ugly” bug.

Thomas Henry Huxley, Collected Essays

- Dmitry Vostokov @ DumpAnalysis.org -

WinDbg shortcuts: .sound_notify

Saturday, August 16th, 2008

Suppose we set up breakpoints to catch a random issue or at the end of a lengthy loop and we don’t want to sit tight, stare at the screen and wait for a debugger notification event. We just want to sit relaxed and read our favourite book or do something else. I discovered this meta-command where we can specify a wave file to be played every time a debugger breaks into a command prompt:

The .sound_notify command causes a sound to be played when WinDbg enters the wait-for-command state (from WinDbg help).

For example:

(15dc.dd0): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000000 ecx=00000000 edx=77b3d094 esi=00000000 edi=00000000
eip=77af7dfe esp=01c6fbf4 ebp=01c6fc20 iopl=0 nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
77af7dfe cc              int     3

windbg> .sound_notify /ef c:\Windows\Media\tada.wav
Sound notification: file 'c:\Windows\Media\tada.wav'

0:001> g
(15dc.175c): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000000 ecx=00000000 edx=77b3d094 esi=00000000 edi=00000000
eip=77af7dfe esp=01cafc08 ebp=01cafc34 iopl=0 nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
77af7dfe cc              int     3

[tada.wav is played when we break into]

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.4

Saturday, August 16th, 2008

“O” engineers, “throw light on this error.”

Leonardo da Vinci, The Notebooks

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.3

Friday, August 15th, 2008

“If you find the” crash dump, “perhaps others may find the explanation.”

Sherlock Holmes, The Problem of Thor Bridge

- Dmitry Vostokov @ DumpAnalysis.org -

All at once: postmortem logs and dump files

Friday, August 15th, 2008

In the previous post about resolving security issues with crash dumps I mentioned the solution of using logs generated from memory dump files. In the case of process dumps the obvious step is to have a postmortem debugger save the logs at the moment of the crash. Here WinDbg scripts come to the rescue. Suppose that CDB is set as the postmortem debugger (see Custom postmortem debuggers on Vista) and the AeDebug\Debugger registry value is set to:

"C:\Program Files\Debugging Tools for Windows\cdb.exe" -p %ld -e %ld -g -y SRV*c:\mss*http://msdl.microsoft.com/download/symbols -c "$$><c:\WinDbgScripts\LogsAndDumps.txt;q"

Here we specify the Microsoft symbol server and the script file. The symbol path is absolutely necessary to get correct stack traces. The script file has the following contents:

.logopen /t c:\UserDumps\process.log
.kframes 100
!analyze -v
~*kv
lmv
.logclose
.dump /m /u c:\UserDumps\mini_process
.dump /ma /u c:\UserDumps\full_process
.dump /mrR /u c:\UserDumps\secure_mini_process
.dump /marR /u c:\UserDumps\secure_full_process

The .kframes WinDbg meta-command is necessary to avoid the common pitfall of looking at cut-off stack traces (see Mistake #1). In addition to logging the output of any commands we want, the script writes 4 memory dumps of the same process:

- mini dump
- full dump
- secure mini dump
- secure full dump

My previous post WinDbg is privacy-aware explains secure dumps in detail. If you need to tailor dump file names and logs to include the real process name, you might want to try the technique (or a similar one) explained here:

Generating file name for .dump command
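A postmortem setup like the one above fails silently if a piece is missing: without `-g` the debugger can stop at its initial breakpoint, without `;q` it never exits and the crashed process stays suspended, without a symbol path the logged stacks are wrong, and with `.kframes` after the stack commands the traces are still cut off. The following added example (my own code, not from the post) lints the registry value and the script text for those pitfalls; the sample values are the ones quoted above plus a deliberately weakened variant.

```python
import re

# Constructed sample values: the AeDebug\Debugger value from the post and a
# weakened variant that lacks -g, -y and the trailing ;q.
GOOD_CMD = (r'"C:\Program Files\Debugging Tools for Windows\cdb.exe" -p %ld -e %ld -g '
            r'-y SRV*c:\mss*http://msdl.microsoft.com/download/symbols '
            r'-c "$$><c:\WinDbgScripts\LogsAndDumps.txt;q"')
WEAK_CMD = (r'"C:\Program Files\Debugging Tools for Windows\cdb.exe" -p %ld -e %ld '
            r'-c "$$><c:\WinDbgScripts\LogsAndDumps.txt"')
GOOD_SCRIPT = (".logopen /t c:\\UserDumps\\process.log\n.kframes 100\n!analyze -v\n~*kv\nlmv\n"
               ".logclose\n.dump /ma /u c:\\UserDumps\\full_process\n")
WEAK_SCRIPT = ".logopen /t c:\\UserDumps\\process.log\n~*kv\n.kframes 100\n.logclose\n"

def check_debugger_command(cmd):
    """Return the problems found in an AeDebug\\Debugger command line."""
    problems = []
    if "-p %ld" not in cmd or "-e %ld" not in cmd:
        problems.append("missing -p %ld / -e %ld: cannot attach to the faulting process")
    if not re.search(r"\s-g(\s|$)", cmd):
        problems.append("missing -g: debugger may stop at the initial breakpoint and wait")
    if not re.search(r"\s-y\s+\S*SRV\*", cmd):
        problems.append("no symbol server in -y: stack traces will be unreliable")
    m = re.search(r'\s-c\s+"([^"]*)"', cmd)
    if not m:
        problems.append("no -c command string: nothing is logged or dumped")
    else:
        cmds = [c.strip() for c in m.group(1).split(";")]
        if not any(c.startswith("$$><") for c in cmds):
            problems.append("-c does not run a script file via $$><")
        if cmds[-1] != "q":
            problems.append("-c does not end with q: debugger never exits, process stays suspended")
    return problems

def check_script(script):
    """Check the WinDbg script for the ordering and completeness pitfalls in the post."""
    lines = [l.strip() for l in script.splitlines() if l.strip()]
    problems = []
    stack = [i for i, l in enumerate(lines) if l.startswith(("k", "~*k", "!analyze"))]
    kframes = [i for i, l in enumerate(lines) if l.startswith(".kframes")]
    if not kframes or (stack and kframes[0] > stack[0]):
        problems.append(".kframes must come before stack commands or traces are cut off")
    if any(l.startswith(".logopen") for l in lines) and not any(l.startswith(".logclose") for l in lines):
        problems.append(".logopen without .logclose: log may be incomplete")
    if not any(l.startswith(".dump") for l in lines):
        problems.append("no .dump command: no memory dump is saved")
    return problems
```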

- Dmitry Vostokov @ DumpAnalysis.org -

Bugtation No.2

Thursday, August 14th, 2008

“It requires a very unusual mind to undertake the analysis of the obvious” crash.

Alfred North Whitehead, Science and the Modern World

- Dmitry Vostokov @ DumpAnalysis.org -