Archive for the ‘Software Diagnostics’ Category

Theoretical Software Diagnostics

Monday, November 9th, 2020

Theoretical content is available in edited and revised PDF format:

http://www.patterndiagnostics.com/theoretical-software-diagnostics-book

Crash Dump Analysis Patterns (Part 180, Linux)

Monday, December 14th, 2015

This is Linux variant of Paratext pattern for Mac OS X. Because of debugger tool limitations additional software logs and the output of other tools may help in memory dump analysis. Typical examples of such pattern usage can be the list of modules with version and path info, application crash specific information from instrumentation tools such as valgrind, memory region names with attribution and boundaries, and CPU usage information. For example, top and pmap commands output:

14039: ./App1.shared
0000000000400000 4K r-x-- /home/training/ALCDA/App1/App1.shared
0000000000600000 4K rw--- /home/training/ALCDA/App1/App1.shared
0000000000611000 132K rw--- [ anon ]
00007fe8999a6000 4K ----- [ anon ]
00007fe8999a7000 8192K rw--- [ anon ]
00007fe89a1a7000 4K ----- [ anon ]
00007fe89a1a8000 8192K rw--- [ anon ]
00007fe89a9a8000 4K ----- [ anon ]
00007fe89a9a9000 8192K rw--- [ anon ]
00007fe89b1a9000 4K ----- [ anon ]
00007fe89b1aa000 8192K rw--- [ anon ]
00007fe89b9aa000 4K ----- [ anon ]
00007fe89b9ab000 8192K rw--- [ anon ]
00007fe89c1ab000 1540K r-x-- /lib/x86_64-linux-gnu/libc-2.13.so
00007fe89c32c000 2048K ----- /lib/x86_64-linux-gnu/libc-2.13.so
00007fe89c52c000 16K r---- /lib/x86_64-linux-gnu/libc-2.13.so
00007fe89c530000 4K rw--- /lib/x86_64-linux-gnu/libc-2.13.so
00007fe89c531000 20K rw--- [ anon ]
00007fe89c536000 92K r-x-- /lib/x86_64-linux-gnu/libpthread-2.13.so
00007fe89c54d000 2044K ----- /lib/x86_64-linux-gnu/libpthread-2.13.so
00007fe89c74c000 4K r---- /lib/x86_64-linux-gnu/libpthread-2.13.so
00007fe89c74d000 4K rw--- /lib/x86_64-linux-gnu/libpthread-2.13.so
00007fe89c74e000 16K rw--- [ anon ]
00007fe89c752000 128K r-x-- /lib/x86_64-linux-gnu/ld-2.13.so
00007fe89c966000 12K rw--- [ anon ]
00007fe89c96f000 8K rw--- [ anon ]
00007fe89c971000 4K r---- /lib/x86_64-linux-gnu/ld-2.13.so
00007fe89c972000 4K rw--- /lib/x86_64-linux-gnu/ld-2.13.so
00007fe89c973000 4K rw--- [ anon ]
00007ffd458c1000 132K rw--- [ stack ]
00007ffd459e9000 4K r-x-- [ anon ]
ffffffffff600000 4K r-x-- [ anon ]
total 47208K

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 190b)

Saturday, April 19th, 2014

While working on Thread Cluster pattern I realized that we need a predicate version of Module Collection pattern, similar to the predicate version of Stack Trace Collection pattern. A predicate can be anything: a company vendor, semantic proximity, functionality such as printing, remote file management, and so on. Such module sub-collections can be used instead of modules in more complex patterns: an example of software diagnostics pattern substitution and composition. For example, we might be able to identify a possible coupling between 2 semantically different module groups explained by IPC Wait Chains such as on this diagram:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 74)

Friday, July 19th, 2013

Most of the time when we look at software trace fragments we recognize certain Motifs* such as client-server interaction, publisher-subscriber notifications, database queries, plugin sequence initialization, etc. This pattern is different from Master Trace which corresponds to a normal use-case or working software scenario and may actually contain several Motifs as it is usually happens in complex software environments. On the other side of the spectrum there are software narremes (basic narrative units) and Macrofunctions (single semantic units). Motifs help to further bridge the great divide between software construction and software diagnostics with software narremes corresponding to implementation patterns, macrofunctions to design patterns, and motifs to architectural patterns although an overlap between these categories is possible.

* The idea of a pattern name comes from motives in mathematics.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Static Code Analysis Patterns (Part 1)

Friday, January 11th, 2013

Static program analysis is used to eliminate certain coding errors that may lead to abnormal software behaviour. So it is naturally a part of software diagnostics but at source code level. Our goal here is to identify certain patterns directly linkable to patterns we see in memory dumps and software logs and collect them into a catalog. One such pattern candidate is called Loop Construct. It covers conditional and unconditional loops, for example, in one of modern languages:

extern bool soonToBeTrue; 
int mediumValue = ...;
while (true)

{

  TRACE("Waiting");

  sleep(mediumValue);

  if (soonToBeTrue)

  {

    break;

  }

  doHeavyWork();

}
while (--pControl->aFewPasses)

{

  TRACE("Waiting");

  sleep(mediumValue);

  doHeavyWork();

}

Such loops may potentially lead to Spiking Thread memory dump analysis and High Message Current and Density trace analysis patterns. Of course, we shouldn’t suspect every loop but only some that have potential to be altered by Local Buffer Overflow (for mediumValue) or Shared Buffer Overwrite (for Control.aFewPasses) or by a race condition (soonToBeTrue).

We expect things to get more interesting when we start associating source code that uses certain API with patterns of abnormal behavior.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

2008-2012 in Retrospection

Friday, January 4th, 2013

Before deciding on whether to retrospect on 2012 we found that since March 14, 2008 this site has had more than 1 million visitors with more than 33% returning. So instead of just 2012 we decided to retrospect on that interval up to December 31, 2012. Google Analytics has improved since last January, 2012 and now made our task easier. So we start with the first one hundred sites referring to us:


Source / Medium

Visits

google

698156

(direct)

164142

bing

27923

google.com

17868

windbg.org

12994

yahoo

8682

stackoverflow.com

7194

yandex

5985

windbg.dumpanalysis.org

5375

dumpanalysis.com

5369

live

5310

google.co.in

4598

blogs.msdn.com

4385

baike.baidu.com

3475

twitter.com

2972

facebook.com

2733

dumpanalysis.org

2708

images.google.com

2314

t.co

2095

baidu

1916

winvistaclub.com

1862

google.co.uk

1449

advancedwindowsdebugging.com

1427

jasonhaley.com

1370

search

1328

rsdn.ru

1294

en.wikipedia.org

1276

msn

1256

nynaeve.net

1256

blog.codeimproved.net

1213

google.de

1074

google.ca

979

reddit.com

951

bytetalk.net

908

citrixblogger.org

819

stumbleupon.com

819

linkedin.com

780

social.technet.microsoft.com

774

analyze-v.com

757

naver

750

forum.sysinternals.com

735

google.ru

710

blogs.microsoft.co.il

693

kumo.com

678

google.co.kr

658

google.com.au

654

blog.naver.com

646

reconstructer.org

645

community.citrix.com

632

blog.not-a-kernel-guy.com

604

itdatabase.com

601

advanceddotnetdebugging.com

581

serverfault.com

564

voneinem-windbg.blogspot.com

561

support.citrix.com

555

debuggingexperts.com

549

blog.miniasp.com

527

google.fr

495

caloni.com.br

488

google.com.br

479

ask

459

msuiche.net

439

insidewindows.kr

432

google.es

430

gynvael.coldwind.pl

430

blog.flexilis.com

429

aol

418

netfxharmonics.com

416

advdbg.org

413

images.google.co.uk

401

google.it

391

images.google.co.in

391

google.nl

354

serious-code.net

340

admin.itdatabase.com

337

blogs.technet.com

334

brianmadden.com

327

google.pl

319

google.com.ua

318

experts-exchange.com

316

delicious.com

312

images.google.de

305

opentask.com

301

codemachine.com

296

driveronline.org

287

google.com.tw

282

wasm.ru

275

debuglab.com

265

isisaka.com

262

literatescientist.com

261

blog.zoller.lu

258

shellexecute.wordpress.com

257

google.com.hk

256

managementbits.com

253

d.hatena.ne.jp

251

bloglines.com

249

google.com.tr

248

clausbrod.de

246

bing.com

243

Next table is distribution of visits among countries:


Country / Territory

Visits

United States

342291

India

89303

United Kingdom

76131

Russia

46472

Germany

44472

China

40155

Canada

34781

Japan

24985

France

24084

South Korea

21056

Australia

20606

Taiwan

17949

Netherlands

15607

Ireland

15579

Israel

13514

Ukraine

13449

Italy

12542

Brazil

11834

Spain

11786

Singapore

11703

Sweden

11201

Poland

10340

Romania

9423

(not set)

8909

Czech Republic

8355

Belgium

6731

Switzerland

6624

Finland

6596

Norway

5585

Malaysia

5289

Philippines

5052

Austria

5046

Denmark

4980

Hong Kong

4914

Turkey

4728

Slovakia

4599

New Zealand

4369

Portugal

4228

Argentina

3712

Belarus

3518

Hungary

3465

Bulgaria

3301

Mexico

2960

South Africa

2945

Vietnam

2721

Greece

2712

Indonesia

2527

Croatia

1881

Serbia

1843

Iran

1842

Thailand

1726

Pakistan

1660

Egypt

1519

Malta

1422

Estonia

1385

Slovenia

1334

Lithuania

1304

United Arab Emirates

1167

Chile

1104

Saudi Arabia

1096

Colombia

1067

Latvia

922

Kazakhstan

725

Peru

649

Morocco

585

Sri Lanka

516

Luxembourg

516

Moldova

439

Uruguay

435

Venezuela

431

Jordan

425

Tunisia

425

Bolivia

418

Armenia

371

Algeria

362

Costa Rica

355

Iceland

353

Panama

352

Macedonia [FYROM]

347

Bosnia and Herzegovina

327

Cyprus

317

Bangladesh

314

Nigeria

298

Puerto Rico

296

Jamaica

251

Ecuador

248

Kuwait

239

Lebanon

218

Qatar

217

Kenya

195

Georgia

194

Mongolia

189

Dominican Republic

163

Macau

156

Trinidad and Tobago

147

Bahrain

143

Uzbekistan

142

Guatemala

141

Azerbaijan

134

Mauritius

128

Oman

117

Nepal

110

El Salvador

106

Syria

103

Iraq

102

Ghana

96

Kyrgyzstan

86

Cambodia

72

Albania

71

Serbia and Montenegro

63

Ethiopia

63

Uganda

61

Brunei

57

Honduras

55

Isle of Man

55

Yemen

55

Cuba

54

Sudan

54

Palestinian Territories

52

Barbados

49

Myanmar [Burma]

48

Paraguay

45

Liechtenstein

43

Montenegro

43

Rwanda

42

Libya

41

Namibia

41

Jersey

40

Maldives

40

Turks and Caicos Islands

39

Bermuda

38

Zimbabwe

34

Fiji

32

Nicaragua

32

Tanzania

29

Réunion

27

Gibraltar

26

New Caledonia

26

Bahamas

25

Monaco

25

Netherlands Antilles

24

Aruba

24

Botswana

24

Cayman Islands

23

Angola

22

Madagascar

20

Guam

19

Afghanistan

17

Côte d’Ivoire

17

Papua New Guinea

17

Dominica

16

Guernsey

16

Guyana

16

Suriname

16

Andorra

14

Belize

14

Congo [DRC]

14

Lesotho

14

Mozambique

13

Antigua and Barbuda

12

Laos

12

French Polynesia

11

Zambia

11

Saint Lucia

10

San Marino

10

Senegal

10

Saint Vincent and the Grenadines

10

Benin

9

Guinea

9

Guadeloupe

9

Malawi

9

Turkmenistan

9

U.S. Virgin Islands

8

Faroe Islands

7

Grenada

7

Haiti

7

British Virgin Islands

7

Cameroon

6

French Guiana

6

Greenland

6

Martinique

6

Seychelles

6

Timor-Leste

6

Mali

5

Tajikistan

5

Gabon

4

Anguilla

3

Å land Islands

3

Swaziland

3

Burundi

2

Congo [Republic]

2

Cape Verde

2

Djibouti

2

Saint Kitts and Nevis

2

Liberia

2

Somalia

2

Togo

2

Vanuatu

2

Burkina Faso

1

Bhutan

1

Falkland Islands [Islas Malvinas]

1

Gambia

1

Equatorial Guinea

1

Guinea-Bissau

1

Comoros

1

Mauritania

1

Palau

1

Sierra Leone

1

Vatican City

1

Samoa

1


Then the first 100 network locations:

Service Provider

Visits

microsoft corp

33646

comcast cable communications inc.

18544

road runner holdco llc

16529

internet service provider

12815

comite gestor da internet no brasil

10995

hewlett-packard company

10961

deutsche telekom ag

9889

japan network information center

9746

verizon internet services inc.

7851

network of citrix systems inc

6945

intel corporation

6873

symantec corporation

6812

chunghwa telecom data communication business group

6381

ip pools

6314

insignium llc

6206

reliance communications ltd

5870

charter communications

5583

uunet non-portable customer assignment

4931

verizon online llc

4900

comcast cable communications holdings inc

4700

at&t internet services

4617

eircom

4567

cox communications

4540

proxad / free sas

4451

korea telecom

4397

abts (karnataka)

4251

nib (national internet backbone)

4243

chinanet guangdong province network

4189

comcast cable communications

3896

unknown

3279

xo communications

3274

chinanet shanghai province network

3248

shaw communications inc.

3179

qwest communications company llc

3156

telstra internet

3130

tw telecom holdings inc.

3091

citrix systems inc.

3029

data general corporation

2998

cox communications inc.

2946

bellsouth.net inc.

2925

optimum online (cablevision systems)

2853

china unicom beijing province network

2850

chtd chunghwa telecom co. ltd.

2791

krnic

2786

ntt communications corporation

2779

psinet inc.

2599

emc corporation

2499

comcast cable communications ip services

2435

arcor ag

2371

cisco systems inc.

2364

(not set)

2335

broadband multiplay project o/o dgm bb noc bsnl bangalore

2285

research in motion limited

2283

samtel

2257

rcs & rds s.a.

2246

computer associates international

2166

honeywell international inc.

2106

telus communications inc.

2103

customers ie

1954

sympatico hse

1929

comcast business communications llc

1853

telefonica de espana sau

1843

iinet limited

1840

ziggo consumers

1810

easynet ltd

1758

comcast business communications inc.

1738

microsoft

1717

kaspersky lab internet

1698

appense

1687

chinanet jiangsu province network

1665

dell computer corporation

1656

eircom ltd

1644

taipei taiwan

1612

abts tamilnadu

1594

network of ign arch. and design gb

1578

starhub cable vision ltd

1555

wipro technologies

1537

level 3 communications inc.

1522

tpg internet pty ltd.

1510

siemens ag

1483

microsoft corporation

1478

global crossing

1433

singnet pte ltd

1429

dynamic pools

1426

this space is statically assigned.

1425

videsh sanchar nigam ltd - india.

1414

provider local registry

1403

abts delhi

1385

qwest communications corporation

1356

kla instruments corp.

1316

telia network services

1311

cncgroup beijing province network

1278

frontier communications of america inc.

1264

telecom italia s.p.a. tin easy lite

1257

videotron ltee

1255

oracle datenbanksysteme gmbh

1234

neostrada plus

1228

suddenlink communications

1214

dynamic ip pool for broadband customers

1202

eset s.r.o.

1200

Then the first 100 search keywords and phrases that led to us:


Keyword

Visits

(not provided)

53903

kifastsystemcallret

10644

crash dump analysis

10348

crash dump

9863

ntdll!kifastsystemcallret

4305

dump analysis

4143

adplus

3332

win32 error 0n2

2553

windbg commands

2198

memory dump analysis

2183

windbg

2131

crash dumps

1825

dumpanalysis.org

1818

nt!_gshandlercheck_seh

1734

dmitry vostokov

1718

crashdump

1683

symbol file could not be found

1669

bugcheck 3b

1458

memory dump analysis anthology

1393

crash dump analyzer

1360

warning: frame ip not in any known module. following frames may be wrong.

1347

windbg cheat sheet

1318

windbg crash dump analysis

1271

minidump analysis

1259

adplus download

1214

core dump analysis

1167

fnodobfm

1159

dumpanalysis

1142

windows 7 crash dump

1142

windbg analyze

1118

kisystemservicecopyend

1066

frame ip not in any known module

1010

getcontextstate failed, 0×80070026

949

crash dump windows 7

930

the stored exception information can be accessed via .ecxr.

925

windbg script

922

error: symbol file could not be found

912

vista crash dump

895

windows crash dump analysis

888

system_thread_exception_not_handled

857

анализ дампа памяти

857

dump analyzer

847

дамп памяти

821

pool corruption

820

time travel debugging

776

system_service_exception

772

kernel_mode_exception_not_handled

741

ntdll kifastsystemcallret

741

the stored exception information can be accessed via .ecxr

734

kmode_exception_not_handled

726

trap frame

719

idna trace

695

windbg crash dump

694

kiuserexceptiondispatcher

691

minidump analyzer

672

bugcheck 7e

670

kernel32!pnlsuserinfo

643

windbg scripts

641

rtlpwaitoncriticalsection

635

minidump

628

bugcheck system_service_exception

621

exception_double_fault

597

warning: stack unwind information not available. following frames may be wrong.

584

application_fault_status_breakpoint

583

crash dump vista

582

memory dump analysis tool

576

getcontextstate failed, 0xd0000147

575

memoretics

544

dumpanalysis.org/asmpedia

537

failure_bucket_id

524

“dec 15″ module windbg

511

error: symbol file could not be found.

511

download adplus

507

basethreadinitthunk

505

dr watson vista

505

ntkrnlmp.exe crash dump

499

ntdll.dll!kifastsystemcallret

492

rtlplowfragheapfree

488

analyze minidump

477

adplus tutorial

473

application_hang_blockedon_fileio

468

bios disassembly ninjutsu uncovered

460

ntdll.kifastsystemcallret

460

analyze crash dump

459

windows dump analysis

459

debug_flr_image_timestamp

456

system_thread_exception_not_handled (7e)

456

windbg dump analysis

446

windbg hang

438

windows debugging: practical foundations

434

crash dump analysis windbg

432

dynamicbase aslr

422

crash dump analysis tool

419

nt!kebugcheckex

414

rtluserthreadstart

414

type referenced: kernel32!pnlsuserinfo

407

error: symbol file could not be found. defaulted to export symbols for ntkrnlmp.exe

405

memory dump

403

warning: frame ip not in any known module. following frames may be wrong

399

application_hang_busyhang

398

Then browser stats (we have never thought that there are so many of them):


Browser

Visits

Internet Explorer

446051

Firefox

356686

Chrome

184535

Opera

45787

Safari

24123

Mozilla

3780

Mozilla Compatible Agent

2401

Android Browser

1337

Konqueror

1057

IE with Chrome Frame

982

Opera Mini

705

SeaMonkey

503

Safari (in-app)

197

Lunascape

144

BlackBerry8900

128

Camino

126

RockMelt

124

(not set)

96

Netscape

72

Playstation 3

36

IUC

34

Googlebot

29

Lynx

24

Unsupported Browser Version

22

BlackBerry9630

21

NetFront

17

BlackBerry9700

15

Microsoft-Symbol-Server

14

BlackBerry9000

12

Galeon

11

Midori

9

NokiaE63

9

Yahoo! Slurp

9

BlackBerry8530

8

BlackBerry8520

7

PagePeeker.com

7

SAMSUNG-SGH-I617

7

BlackBerry9530

6

JUC

6

MSR-ISRCCrawler

6

OpenWave

6

anonimo

5

BlackBerry9300

5

HTC_HD2_T8585 Opera

5

Nokia5233

5

Space Bison

5

-Vasya

4

Blazer

4

Uzbl

4

-^_^- Hello :)

3

<?echo ‘<pre>’; system

3

12345

3

BlackBerry9330

3

BlackBerry9650

3

HTC_P3700 Opera

3

HTC_TyTN_II Mozilla

3

NOKIAN78

3

Playstation Portable

3

PPC; 240×320; HTC_P3450

3

undefined GoogleToolbarBB

3

anonymous

2

Empty

2

GreatBrowse

2

Helyi user agent

2

HTC_Touch_Pro2_T7373 Opera

2

HTC_Touch2_T3333 Opera

2

J2ME

2

Mozilla 5.0

2

NokiaC1-01

2

NokiaC3-00

2

NokiaC7-00

2

NokiaX2-01

2

nwzfq

2

test

2

1

?M5

1

“PagePeeker.com”

1

<?include

1

<script>alert

1

<SCRIPT>window.location=’http:

1

2.0.0.11

1

31337′

1

8900b

1

AltaVista Intranet V2.0 evreka.com crawler@evreka.com

1

annoying

1

AppEngine-Google;

1

BlackBerry9500

1

BlackBerry9550

1

bwh3_user_agent

1

Citrix

1

EBABrowser

1

EY

1

fake_user_agent Mozilla

1

FAST Enterprise Crawler 6 used by Reed Exhibitions

1

foo

1

General Browser

1

GOOGLEBOT

1

HD_mini_T5555 Opera

1

Hellbrowser 6.66

1

holy_teacher FirePHP

1

HTC_P3490 Opera

1

HTC_P4550 Mozilla

1

HTC_Polaris Mozilla

1

HTC_Touch_3G_T3232 Opera

1

HTC_Touch_HD_T8282 Opera

1

HTC_Touch_Pro_T7272 Opera

1

HTC_Touch2_T3320 Opera

1

HTC-8900

1

IE 8

1

IE6

1

iTunes

1

Keep Out

1

KraftwayBrowser2

1

Links

1

Maemo Browser

1

Medusa

1

MERONG

1

Motorola_ES405B

1

mozilla

1

Mozilla Firefox

1

MS-OC 4.0

1

msie

1

NCSA Mosaic

1

NightDynamo AdminPanel v0.2.1

1

Nokia2700c-2

1

Nokia2730c-1

1

Nokia305

1

Nokia5230

1

Nokia5310XpressMusic

1

Nokia5800 XpressMusic

1

Nokia6300

1

Nokia6700c-1

1

NokiaC2-01

1

NokiaC2-02

1

NokiaC2-03

1

NokiaC5-03

1

nokiac6-00

1

NokiaC6-00

1

NOKIAE65

1

NokiaE66

1

NokiaE71

1

NokiaE71-2;Mozilla

1

NokiaE72-1

1

NokiaN-GageQD

1

NokiaN70-1

1

NokiaNokia 6210s

1

NoneOfYourBusiness

1

nothisname_wangxiaoyang3

1

OmniWeb

1

Palm750

1

Peeplo Screenshot Bot

1

PerTrUsTsQuiD

1

pippos.7

1

PPC; 480×800; HTC_Touch_HD_T8282; OpVer 34.159.1.612

1

PriceGoblin User Agent

1

Private

1

Privoxy

1

Read Later

1

SAMSUNG-GT-E2222

1

samsung-gt-s3653

1

samsung-gt-s3653 UNTRUSTED

1

SAMSUNG-S8000

1

SAMSUNG-SGH-I637

1

Samsung-SPHM540 Polaris

1

SmallProxy 3.5.4

1

SonyEricssonK750

1

Surf

1

tdhbrowser

1

TiFiC Client Z

1

union update table sd_users set userid=9 where username=’coco

1

unknown

1

Unknown

1

UNTRUSTED

1

Updownerbot

1

WIN

1

WinXP SP2

1

Wlwap

1

WM5 PIE

1

Xda_orbit_2; 240×320

1

Xyi znat kakoi browser MRA 5.7

1

ZooShot 0.1a

1

ZooShot 0.42

1

and finally mobile devices stats (you may find your own device there):


Mobile Device Info

Visits

Apple iPhone

2292

Apple iPad

1940

(not set)

1099

Samsung GT-I9100 Galaxy S II

167

Apple iPod Touch

112

Asus Eee Pad Transformer TF101

112

SonyEricsson LT15i Xperia Arc

94

Motorola Xoom

47

Samsung Galaxy Nexus

47

Samsung GT-I9000 Galaxy S

34

Samsung GT-P7510 Galaxy Tab 10.1

30

Google Nexus S Samsung Nexus S

26

HTC EVO 4G

26

Google Nexus 7

21

RIM BlackBerry Bold Touch 9900 Dakota

21

Samsung GT-N7000 Galaxy Note

21

Acer A500 Picasso

17

Asus Eee Pad TF201 Transformer Prime

17

HTC Desire HD

17

Motorola DroidX

17

Motorola XT862 Droid 3

17

Samsung GT-S5830 Galaxy Ace

17

Samsung SGH-I747 Galaxy SIII

17

Samsung SGH-i917 Omnia 7

17

Verizon Droid2

17

Google Nexus One

13

Google Nexus One HTC Nexus One

13

HTC ADR6300 Incredible

13

Motorola Droid 2

13

Samsung GT-P7500 P4

13

Samsung SHW-M250K GALAXY S II (KT)

13

Apple iPod

9

BlackBerry 9780

9

BlackBerry 9800 Torch

9

Dell Venue Pro

9

HTC Desire

9

HTC G2 HTC Sappire

9

HTC HD7

9

HTC T9292 HD7

9

Motorola MB860 Atrix

9

Nokia E63

9

RIM BlackBerry 8530 Curve

9

Samsung GT-I9001

9

Samsung GT-I9300 Galaxy S3

9

Samsung GT-N8000 Galaxy Note 10.1

9

Samsung GT-P1000 Galaxy Tab

9

Sharp IS03 IS03 for KDDI

9

T-Mobile myTouch4G

9

Toshiba AT100

9

ZTE N860

9

Acer A101 Vangogh

4

Acer A200 Picasso_E

4

Acer Acer E310 Liquid Mini

4

Asus TF300T Transformer Pad TF300T

4

BlackBerry 8520 Curve

4

BlackBerry 9900 Dakota

4

DoCoMo L-05D Optimus it

4

DoCoMo P502i

4

Fujitsu F-12C F-12C for DoCoMo

4

Google Nexus S

4

Google Wireless Transcoder

4

HTC A8181 Desire

4

HTC ADR6350 Droid Incredible 2

4

HTC ADR6400L Thunderbolt

4

HTC ADR6400L Thunderbolt 4G

4

HTC APC715CKT EVO Design 4G

4

HTC Bravo

4

HTC Desire X0H6T

4

HTC Glacier

4

HTC Incredible S Incredible S

4

HTC Inspire 4G

4

HTC ISW12HT EVO 3D ISW12HT for KDDI

4

HTC Mozart 7 Mozart

4

HTC PC36100 EVO 4G

4

HTC PJ83100 One X

4

HTC Radar 4G

4

HTC S510e Desire S

4

HTC T7380 TouchFLO

4

HTC X515 EVO 3D

4

Huawei M860 Ascend

4

Huawei u8800 Ideos X5

4

kddi ISW11HT HTC EVO WiMAX ISW11HT for KDDI

4

LG C900 Quantum

4

LG E900 Optimus 7

4

LG LS670 Optimus S

4

LG MS690 Optimus M

4

LG VM670 Optimus V

4

LG VS910 4G Revolution

4

Motorola A953 MILESTONE 2

4

Motorola ISW11M PHOTON ISW11M for KDDI

4

Motorola MB501

4

Motorola MB525 DEFY

4

Motorola MB611

4

Motorola MOTXT912B Droid Razr 4G

4

Motorola MZ601 Xoom

4

Motorola MZ604 Xoom

4

Motorola MZ605 Xoom

4

Motorola xt875 Droid Bionic

4

Nokia 5800d XpressMusic

4

Nokia C3-00

4

Nokia C5-03 C5

4

Nokia C6-00

4

Nokia Lumia 710

4

Nokia Lumia 800

4

RIM BlackBerry 9300 Curve 3G

4

RIM BlackBerry 9700 Bold

4

RIM BlackBerry 9800 Torch

4

RIM Blackberry Bold Touch 9930

4

Samsung GT i5700 Galaxy Spica

4

Samsung GT I9000T Galaxy S

4

Samsung GT-I9100G Galaxy S II

4

Samsung GT-I9100P Galaxy S II NFC

4

Samsung GT-I9103

4

Samsung GT-I9300 Galaxy SIII

4

Samsung GT-N8010 Galaxy Note 10.1

4

Samsung GT-P7500 Galaxy Tab 10.1

4

Samsung SCH-I500 Fascinate

4

Samsung SCH-I535 4G Galaxy SIII

4

Samsung SGH-i717 Galaxy Note

4

Samsung SGH-I747 Galaxy S3

4

Samsung SGH-I777

4

Samsung SGH-I777 Galaxy S II

4

Samsung SGH-I897 Galaxy S Captivate

4

Samsung SHW-M250S GALAXY S II (SKT)

4

Samsung SPH-D700 Epic 4G

4

Samsung SWH-M110S

4

Sharp 003SH Sharp Galapagos 003SH for SoftBank

4

Softbank 001DL DELL Streak

4

SonyEricsson LT26i Xperia Arc HD

4

Xiaomi MI-ONE Plus M1 Plus

4


- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware Analysis Patterns (Part 2)

Saturday, December 29th, 2012

As was announced earlier we start cataloguing elemental malware detection and analysis patterns. We skip Part 1 because we assign Deviant Module to it. Part 2 deals with Fake Module pattern where one of loaded modules masquerades as a legitimate system DLL or a widely known value adding DLL from some popular 3rd party product. To illustrate this pattern we modeled it as Victimware: a process crashed after loading a malware module:

0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0026f978 00000001`3f89103a 0x0
00000000`0026f980 00000001`3f8911c4 FakeModule!wmain+0x3a
00000000`0026f9c0 00000000`76e3652d FakeModule!__tmainCRTStartup+0x144
00000000`0026fa00 00000000`7752c521 kernel32!BaseThreadInitThunk+0xd
00000000`0026fa30 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

When we inspect loaded modules we don’t find anything suspicious:

0:000> lmp
start             end                 module name
00000000`76e20000 00000000`76f3f000   kernel32 <none>
00000000`77500000 00000000`776a9000   ntdll    <none>
00000001`3f890000 00000001`3f8a6000   FakeModule <none>
000007fe`f8cb0000 000007fe`f8cc7000   winspool <none>
000007fe`fdb30000 000007fe`fdb9c000   KERNELBASE <none>

However, when checking modules images for any modifications we find that winspool was not compared with existing binary from Microsoft symbol server:

0:000> !for_each_module "!chkimg -v -d @#ModuleName"
Searching for module with expression: kernel32
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: C:\WSDK8\Debuggers\x64\sym\kernel32.dll\503285C111f000\kernel32.dll
No range specified

Scanning section:    .text
Size: 633485
Range to scan: 76e21000-76ebba8d
Total bytes compared: 633485(100%)
Number of errors: 0
0 errors : kernel32
Searching for module with expression: ntdll
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: C:\WSDK8\Debuggers\x64\sym\ntdll.dll\4EC4AA8E1a9000\ntdll.dll
No range specified

Scanning section:    .text
Size: 1049210
Range to scan: 77501000-7760127a
Total bytes compared: 1049210(100%)
Number of errors: 0

Scanning section:       RT
Size: 474
Range to scan: 77602000-776021da
Total bytes compared: 474(100%)
Number of errors: 0
0 errors : ntdll
Searching for module with expression: FakeModule
Error for FakeModule: Could not find image file for the module. Make sure binaries are included in the symbol path.
Searching for module with expression: winspool
Error for winspool: Could not find image file for the module. Make sure binaries are included in the symbol path.

Searching for module with expression: KERNELBASE
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: C:\WSDK8\Debuggers\x64\sym\KERNELBASE.dll\503285C26c000\KERNELBASE.dll
No range specified

Scanning section:    .text
Size: 302047
Range to scan: 7fefdb31000-7fefdb7abdf
Total bytes compared: 302047(100%)
Number of errors: 0
0 errors : KERNELBASE

Checking module data reveals that it was loaded not from System32 folder and doesn’t have any version information:

0:000> lmv m winspool
start             end                 module name
000007fe`f8cb0000 000007fe`f8cc7000   winspool   (deferred)
Image path: C:\Work\AWMA\FakeModule\x64\Release\winspool.drv
Image name: winspool.drv
Timestamp:        Fri Dec 28 22:22:42 2012 (50DE1BB2)
CheckSum:         00000000
ImageSize:        00017000
File version:     0.0.0.0
Product version:  0.0.0.0
File flags:       0 (Mask 0)
File OS:          0 Unknown Base
File type:        0.0 Unknown
File date:        00000000.00000000
Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

We could see that path from running this command as well :

0:000> !for_each_module
00: 0000000076e20000  0000000076f3f000         kernel32 C:\Windows\System32\kernel32.dll                      kernel32.dll
01: 0000000077500000  00000000776a9000            ntdll C:\Windows\System32\ntdll.dll                            ntdll.dll
02: 000000013f890000  000000013f8a6000       FakeModule C:\Work\AWMA\FakeModule\x64\Release\FakeModule.exe  FakeModule.exe
03: 000007fef8cb0000  000007fef8cc7000         winspool C:\Work\AWMA\FakeModule\x64\Release\winspool.drv
04: 000007fefdb30000  000007fefdb9c000       KERNELBASE C:\Windows\System32\KERNELBASE.dll                  KERNELBASE.dll

or from PEB:

0:000> !peb
PEB at 000007fffffdf000
[...]
7fef8cb0000 50de1bb2 Dec 28 22:22:42 2012 C:\Work\AWMA\FakeModule\x64\Release\winspool.drv
[…]

Another sign is module size in memory which is much smaller than real winspool.drv:

0:000> ? 000007fe`f8cc7000 - 000007fe`f8cb0000
Evaluate expression: 94208 = 00000000`0001700

Module size can help if legitimate module from well-known folder was replaced. Module debug directory and the size of export and import directories are also different with the former revealing the development folder:

0:000> !dh 000007fe`f8cb0000
[...]
   0 [       0] address [size] of Export Directory
[…]
9000 [     208] address [size] of Import Address Table Directory
[…]
Debug Directories(2)
Type       Size     Address  Pointer
cv           49        e2c0     cac0 Format: RSDS, guid, 1, C:\Work\AWMA\FakeModule\x64\Release\winspool.pdb

This can also be seen from the output of !lmi command:

0:000> !lmi 7fef8cb0000
Loaded Module Info: [7fef8cb0000]
Module: winspool
Base Address: 000007fef8cb0000
Image Name: winspool.drv
Machine Type: 34404 (X64)
Time Stamp: 50de1bb2 Fri Dec 28 22:22:42 2012
Size: 17000
CheckSum: 0
Characteristics: 2022
Debug Data Dirs: Type  Size     VA  Pointer
CODEVIEW    49,  e2c0,    cac0 RSDS - GUID: {29D85193-1C9D-4997-95BA-DD190FA3C1BF}
Age: 1, Pdb: C:\Work\AWMA\FakeModule\x64\Release\winspool.pdb
??    10,  e30c,    cb0c [Data not mapped]
Symbol Type: DEFERRED - No error - symbol load deferred
Load Report: no symbols loaded

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Software Trace Analysis Patterns Domain Hierarchy

Sunday, November 18th, 2012

I get many questions on whether software log analysis patterns from Software Diagnostics Institute are OS or platform or product specific. My answer is that they are independent from all of them because they are based on viewing software logs as stories of computation and were discovered by application of narratological analysis (software narratology). In addition to these patterns there exist domain specific problem patterns such as wrong hotfix level or specific product error code during software installation or execution. Typical examples of support for such platform and product specific type of patterns include Microsoft Windows Problem Reporting and Citrix Auto Support.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Software Diagnostics Training: Two Approaches

Saturday, November 3rd, 2012

Doing memory dump analysis training for more than 2 years I found that students are divided into 2 types: those who prefer to see source code first and those who want to see a memory dump first. We actually prefer to show a memory dump first and then explore it to find certain patterns of abnormal structure and behavior. Software Diagnostics Services used this approach to design its Accelerated Windows Memory Dump Analysis and Accelerated .NET Memory Dump Analysis courses. Students explore memory dumps and debugger logs to find memory dump analysis patterns which are introduced when necessary. After that they can check source code of modeling applications if they have development experience. Accelerated Windows Software Trace Analysis course uses a different approach. It introduces all software trace analysis patterns at once because they are patterns from software narratology independent from programming languages and software platforms. After that they explore and analyze software traces and logs. We can summarize these 2 approaches on this diagram:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Pattern-Based Software Diagnostics

Sunday, October 21st, 2012

Pattern-driven software post-construction problem solving involves using preexisting pattern languages and pattern catalogs for software diagnostics, troubleshooting and debugging. Pattern-based software post-construction problem solving addresses PLS (Pattern Life Cycle) - from the discovery of a new pattern through its integration into an existing catalog and language, testing, packaging and delivering to pattern consumers with subsequent usage, refactoring and writing case studies:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

memCPU Architecture (Part 1)

Wednesday, October 17th, 2012

In addition to MemOS (Memory OS) we propose memCPU architecture where software diagnostics is built from the start. Every CPU instruction from memISA (Memory Instruction Set Architecture) has its previous memory state saved in a memory dump. Plus there are special instructions to facilitate software tracing. All this will be discussed later but for now there is a conceptual diagram depicting data and code input streams and continuous output memory dump stream:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Phenomenology of Software Diagnostics: A First Sketch

Thursday, October 11th, 2012

Influenced by stages of Husserlian phenomenological investigation I propose the following stages for the investigation of phenomena as it appears in software execution artifacts such as memory dumps, traces and logs:

1. Bracketing the outside source code as reduction to patterns of phenomena independent from causal software engineering explanations.

2. Constructing the computational world for the given incident (the so called horizon of computation).

3. Comparing with “computed-in” experience of past computational worlds from which all universal patterns of computational structural and behavioral phenomena emerged.

PS. According to the above software diagnostics is a phenomenological science of patterns. Most probably this sketch will be revised soon. In the mean time here’s a funny coincidence. The first step in a phenomenological method is the so called epoché. I provide my own interpretation of this - “exception processing of crash” hypothetical episteme. Similar to EPOCH metaphysical grand conjecture that our World is just one enormous exception processing handler after Big Bang.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 183)

Wednesday, October 10th, 2012

The case of an error reporting fault chain led me to First Fault Stack Trace memory dump analysis pattern that corresponds to First Fault software diagnostics pattern proper. Here the term first fault is used for an exception that was either ignored by surrounding code or led to other exceptions or error message boxes with stack traces that masked the first one. Typical examples where it is sometimes possible to get a first exception stack trace include but not limited to:

It is also sometimes possible unless a stack region was paged out to get partial stack traces from execution residue when the sequence of return addresses was partially overwritten by subsequently executed code.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 53)

Monday, October 8th, 2012

Periodic Message Block is similar to Periodic Error but not limited to errors or failure reports. One such example we recently encountered is when some adjoint activity (such as messages from specific PID) stop to appear after the middle of the trace and after that there are repeated blocks of similar messages from different PIDs with their threads checking for some condition (waiting for event and reporting timeouts):

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Forthcoming Accelerated Windows Software Trace Analysis Training.

Software Diagnostics Report Schemes (Part 1)

Tuesday, October 2nd, 2012

These are important meta-patterns of monitoring and software problem analysis reports. It is often the case that we have software artifacts and some problem description and we need to provide recommendations on further troubleshooting. Most of the time such an analysis and associated response fit into abstract schemes where we can just substitute variables for concrete states, actions, artifacts and behavioral descriptions. Sometimes we also have difficulty to write such analysis reports so we hope report schemes is of help here to provide organizing templates for thought process. The first such scheme we call Missing Cause Trace:

  1. If Action then Behavior
  2. We have a trace of Behavior
  3. We need a trace of Action and Behavior

The difference with Truncated Trace pattern here is that in a truncated trace it was intended to trace certain behaviour but the tracing session was stopped prematurely or started too late. In a missing cause trace only a part of necessary activity was traced and the missing part wasn’t thought of or considered for tracing.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 52)

Wednesday, September 26th, 2012

The modern software trace recording, visualization and analysis tools such as Process Monitor, Xperf, WPR and WPA provide stack traces associated with trace messages. Consider stack traces as software traces we have, in a more general case, traces (fibers) bundled together on (attached to) a base software trace. For example, a trace message, that mentions an IRP can have its I/O stack attached together with thread stack trace with function calls leading to a function that emitted the trace message. Another example is association of different types of traces with trace messages such as managed and unmanaged ones. This general trace analysis pattern needs a name so we opted for Fiber Bundle as analogy with a fiber bundle from mathematics. Here’s a graphical representation of stack traces recorded for each trace message where one message also has an associated I/O stack trace:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Bugtation No.159

Tuesday, September 25th, 2012

Software diagnosis requires intelligence.

Dmitry Vostokov

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Webinar: Introduction to Philosophy of Software Diagnostics

Sunday, September 23rd, 2012

Learn from this Webinar about phenomenological, hermeneutical and analytical approaches to software diagnostics and its knowledge, foundations, norms, theories, logic, methodology, language, ontology, nature and truth. This seminar is hosted by Software Diagnostics Services.

 Introduction to Philosophy of Software Diagnostics Logo

Title: Introduction to Philosophy of Software Diagnostics
Date: 17th of December, 2012
Time: 19:00 GMT
Duration: 60 minutes

Space is limited.
Reserve your Webinar seat now at:
https://www3.gotomeeting.com/register/872846486

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 180, Mac OS X)

Saturday, July 28th, 2012

This is the first pattern that emerged after applying the same pattern-driven software diagnostics methodology to Mac OS X. I had problems using GDB which is so portable that hardly has operating system support like WinDbg has. Fortunately, I found a workaround by complementing core dumps with logs and reports from OS such as crash reports and vmmap data. I call this pattern Paratext which I borrowed from the concept of an extended software trace and software narratology where it borrowed the same concept from literary interpretation (paratext). Typical examples of such pattern usage can be the list of modules with version and path info, application crash specific information, memory region names with attribution and boundaries:

// from .crash reports

0x108f99000 - 0x109044ff7 com.apple.FontBook (198.4 - 198) <7244D36E-4563-3E42-BA46-1F279D30A6CE> /Applications/Font Book.app/Contents/MacOS/Font Book

Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000

Application Specific Information:
objc[195]: garbage collection is OFF
*** error for object 0x7fd7fb818e08: incorrect checksum for freed object - object was probably modified after being freed.

// from vmmap logs

[...]
==== Writable regions for process 966
[...]
Stack 0000000101f71000-0000000101ff3000 [ 520K] rw-/rwx SM=PRV thread 1
MALLOC_LARGE 0000000103998000-00000001039b8000 [ 128K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
MALLOC_SMALL (freed) 00000001039b9000-00000001039bb000 [ 8K] rw-/rwx SM=PRV
mapped file 0000000103a05000-0000000103f32000 [ 5300K] rw-/rwx SM=COW ...box.framework/Versions/A/Resources/Extras2.rsrc
mapped file 0000000104409000-00000001046d2000 [ 2852K] rw-/rwx SM=COW /System/Library/Fonts/Helvetica.dfont
MALLOC_LARGE 0000000104f6e000-0000000104f8e000 [ 128K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
MALLOC_LARGE (freed) 0000000108413000-0000000108540000 [ 1204K] rw-/rwx SM=COW
MALLOC_LARGE (freed) 0000000108540000-0000000108541000 [ 4K] rw-/rwx SM=PRV
MALLOC_TINY 00007fefe0c00000-00007fefe0d00000 [ 1024K] rw-/rwx SM=COW DefaultMallocZone_0x101e6e000
MALLOC_TINY 00007fefe0d00000-00007fefe0e00000 [ 1024K] rw-/rwx SM=PRV DispatchContinuations_0x101f38000
MALLOC_TINY 00007fefe0e00000-00007fefe0f00000 [ 1024K] rw-/rwx SM=COW DefaultMallocZone_0x101e6e000
MALLOC_SMALL 00007fefe1000000-00007fefe107b000 [ 492K] rw-/rwx SM=ZER DefaultMallocZone_0x101e6e000
MALLOC_SMALL 00007fefe107b000-00007fefe1083000 [ 32K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
MALLOC_SMALL 00007fefe1083000-00007fefe1149000 [ 792K] rw-/rwx SM=ZER DefaultMallocZone_0x101e6e000
MALLOC_SMALL (freed) 00007fefe1149000-00007fefe1166000 [ 116K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
MALLOC_SMALL (freed) 00007fefe1166000-00007fefe1800000 [ 6760K] rw-/rwx SM=ZER DefaultMallocZone_0x101e6e000
MALLOC_SMALL 00007fefe1800000-00007fefe18ff000 [ 1020K] rw-/rwx SM=ZER DefaultMallocZone_0x101e6e000
MALLOC_SMALL (freed) 00007fefe18ff000-00007fefe1901000 [ 8K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
MALLOC_SMALL 00007fefe1901000-00007fefe2000000 [ 7164K] rw-/rwx SM=ZER DefaultMallocZone_0x101e6e000
MALLOC_TINY (freed) 00007fefe2000000-00007fefe2100000 [ 1024K] rw-/rwx SM=PRV DispatchContinuations_0x101f38000
MALLOC_TINY 00007fefe2100000-00007fefe2200000 [ 1024K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
Stack 00007fff61186000-00007fff61985000 [ 8188K] rw-/rwx SM=ZER thread 0
Stack 00007fff61985000-00007fff61986000 [ 4K] rw-/rwx SM=COW
[...]

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Forthcoming Training: Accelerated Mac OS X Core Dump Analysis

Network Trace Analysis Patterns (Part 1)

Thursday, July 19th, 2012

After some thinking I’ve decided to apply software trace analysis pattern approach to network trace analysis which lacks a unified pattern language. Here I consider a network trace as essentially a software trace where packet headers represent software trace messages coupled with associated transmitted data:

Since we have a trace message stream formatted by a network trace visualization tool we can apply most if not all trace analysis patterns for diagnostics including software narratology for interpretation, discourse and different representations. We provide a few trivial examples here and more in subsequent parts. The first example is Discontinuity pattern:

Other similar patterns are No Activity, Truncated Trace and Time Delta. The second example is Anchor Messages:

Additional example there include Significant Event and Bifurcation Point patterns. Layered protocols are represented through Embedded Message pattern (to be described and added to the pattern list soon). Such traces can be filtered for their embedded protocol headers and therefore naturally represent Adjoint Thread pattern (for the more detailed description of adjoint threads as extension of multithreading please see the article What is an Adjoint Thread):

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -