Theoretical Software Diagnostics
Monday, November 9th, 2020
Theoretical content is available in edited and revised PDF format:
http://www.patterndiagnostics.com/theoretical-software-diagnostics-book
This is the Linux variant of the Paratext pattern originally described for Mac OS X. Because of debugger tool limitations, additional software logs and the output of other tools may help in memory dump analysis. Typical examples of such pattern usage are the list of modules with version and path info, application crash specific information from instrumentation tools such as valgrind, memory region names with attribution and boundaries, and CPU usage information. For example, the output of the top and pmap commands:
14039: ./App1.shared
0000000000400000 4K r-x-- /home/training/ALCDA/App1/App1.shared
0000000000600000 4K rw--- /home/training/ALCDA/App1/App1.shared
0000000000611000 132K rw--- [ anon ]
00007fe8999a6000 4K ----- [ anon ]
00007fe8999a7000 8192K rw--- [ anon ]
00007fe89a1a7000 4K ----- [ anon ]
00007fe89a1a8000 8192K rw--- [ anon ]
00007fe89a9a8000 4K ----- [ anon ]
00007fe89a9a9000 8192K rw--- [ anon ]
00007fe89b1a9000 4K ----- [ anon ]
00007fe89b1aa000 8192K rw--- [ anon ]
00007fe89b9aa000 4K ----- [ anon ]
00007fe89b9ab000 8192K rw--- [ anon ]
00007fe89c1ab000 1540K r-x-- /lib/x86_64-linux-gnu/libc-2.13.so
00007fe89c32c000 2048K ----- /lib/x86_64-linux-gnu/libc-2.13.so
00007fe89c52c000 16K r---- /lib/x86_64-linux-gnu/libc-2.13.so
00007fe89c530000 4K rw--- /lib/x86_64-linux-gnu/libc-2.13.so
00007fe89c531000 20K rw--- [ anon ]
00007fe89c536000 92K r-x-- /lib/x86_64-linux-gnu/libpthread-2.13.so
00007fe89c54d000 2044K ----- /lib/x86_64-linux-gnu/libpthread-2.13.so
00007fe89c74c000 4K r---- /lib/x86_64-linux-gnu/libpthread-2.13.so
00007fe89c74d000 4K rw--- /lib/x86_64-linux-gnu/libpthread-2.13.so
00007fe89c74e000 16K rw--- [ anon ]
00007fe89c752000 128K r-x-- /lib/x86_64-linux-gnu/ld-2.13.so
00007fe89c966000 12K rw--- [ anon ]
00007fe89c96f000 8K rw--- [ anon ]
00007fe89c971000 4K r---- /lib/x86_64-linux-gnu/ld-2.13.so
00007fe89c972000 4K rw--- /lib/x86_64-linux-gnu/ld-2.13.so
00007fe89c973000 4K rw--- [ anon ]
00007ffd458c1000 132K rw--- [ stack ]
00007ffd459e9000 4K r-x-- [ anon ]
ffffffffff600000 4K r-x-- [ anon ]
total 47208K
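As an added example (not part of the post), a small parser for the pmap output above that embeds those lines as its input: it sums region sizes so the result can be checked against pmap's own total line, and counts executable regions with no backing file, which are worth attributing whenever such a listing serves as paratext for a dump:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The pmap listing from the post (pid 14039, ./App1.shared), embedded so the example
   runs offline. Example code, not part of the post. */
static const char *const PMAP_SAMPLE[] = {
    "14039: ./App1.shared",
    "0000000000400000 4K r-x-- /home/training/ALCDA/App1/App1.shared",
    "0000000000600000 4K rw--- /home/training/ALCDA/App1/App1.shared",
    "0000000000611000 132K rw--- [ anon ]",
    "00007fe8999a6000 4K ----- [ anon ]",
    "00007fe8999a7000 8192K rw--- [ anon ]",
    "00007fe89a1a7000 4K ----- [ anon ]",
    "00007fe89a1a8000 8192K rw--- [ anon ]",
    "00007fe89a9a8000 4K ----- [ anon ]",
    "00007fe89a9a9000 8192K rw--- [ anon ]",
    "00007fe89b1a9000 4K ----- [ anon ]",
    "00007fe89b1aa000 8192K rw--- [ anon ]",
    "00007fe89b9aa000 4K ----- [ anon ]",
    "00007fe89b9ab000 8192K rw--- [ anon ]",
    "00007fe89c1ab000 1540K r-x-- /lib/x86_64-linux-gnu/libc-2.13.so",
    "00007fe89c32c000 2048K ----- /lib/x86_64-linux-gnu/libc-2.13.so",
    "00007fe89c52c000 16K r---- /lib/x86_64-linux-gnu/libc-2.13.so",
    "00007fe89c530000 4K rw--- /lib/x86_64-linux-gnu/libc-2.13.so",
    "00007fe89c531000 20K rw--- [ anon ]",
    "00007fe89c536000 92K r-x-- /lib/x86_64-linux-gnu/libpthread-2.13.so",
    "00007fe89c54d000 2044K ----- /lib/x86_64-linux-gnu/libpthread-2.13.so",
    "00007fe89c74c000 4K r---- /lib/x86_64-linux-gnu/libpthread-2.13.so",
    "00007fe89c74d000 4K rw--- /lib/x86_64-linux-gnu/libpthread-2.13.so",
    "00007fe89c74e000 16K rw--- [ anon ]",
    "00007fe89c752000 128K r-x-- /lib/x86_64-linux-gnu/ld-2.13.so",
    "00007fe89c966000 12K rw--- [ anon ]",
    "00007fe89c96f000 8K rw--- [ anon ]",
    "00007fe89c971000 4K r---- /lib/x86_64-linux-gnu/ld-2.13.so",
    "00007fe89c972000 4K rw--- /lib/x86_64-linux-gnu/ld-2.13.so",
    "00007fe89c973000 4K rw--- [ anon ]",
    "00007ffd458c1000 132K rw--- [ stack ]",
    "00007ffd459e9000 4K r-x-- [ anon ]",
    "ffffffffff600000 4K r-x-- [ anon ]",
    "total 47208K",
};
#define PMAP_LINES (sizeof PMAP_SAMPLE / sizeof PMAP_SAMPLE[0])

struct region {
    unsigned long long start;
    unsigned long long size_kb;
    char perms[6];        /* e.g. "r-x--" */
    char mapping[256];    /* file path, "[ anon ]" or "[ stack ]" */
};

/* Parse one pmap line. The "pid: command" header and the "total" footer do not
   match the four fields and are reported as non-regions. */
static bool parse_pmap_line(const char *line, struct region *r)
{
    memset(r, 0, sizeof *r);
    return sscanf(line, "%llx %lluK %5s %255[^\n]",
                  &r->start, &r->size_kb, r->perms, r->mapping) == 4;
}

/* Sum of region sizes whose mapping equals 'name' (NULL = all regions). The NULL
   result can be checked against pmap's own "total" line as a parser sanity test. */
static unsigned long long total_kb(const char *name)
{
    unsigned long long sum = 0;
    struct region r;
    for (size_t i = 0; i < PMAP_LINES; i++)
        if (parse_pmap_line(PMAP_SAMPLE[i], &r) && (name == NULL || strcmp(r.mapping, name) == 0))
            sum += r.size_kb;
    return sum;
}

/* Executable regions without a backing file are the ones to attribute first in a
   dump review: here the two hits are the kernel-provided vDSO and vsyscall pages
   (ffffffffff600000 is the x86-64 vsyscall page), not injected code. */
static int count_exec_anon(void)
{
    int hits = 0;
    struct region r;
    for (size_t i = 0; i < PMAP_LINES; i++)
        if (parse_pmap_line(PMAP_SAMPLE[i], &r) && r.perms[2] == 'x' && r.mapping[0] == '[')
            hits++;
    return hits;
}

int main(void)
{
    printf("parsed total: %lluK (pmap reported 47208K)\n", total_kb(NULL));
    printf("libc-2.13.so: %lluK\n", total_kb("/lib/x86_64-linux-gnu/libc-2.13.so"));
    printf("executable anonymous regions: %d\n", count_exec_anon());
    return 0;
}
```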
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
While working on the Thread Cluster pattern I realized that we need a predicate version of the Module Collection pattern, similar to the predicate version of the Stack Trace Collection pattern. A predicate can be anything: a vendor, semantic proximity, functionality such as printing or remote file management, and so on. Such module sub-collections can be used instead of individual modules in more complex patterns, an example of software diagnostics pattern substitution and composition. For example, we might be able to identify a possible coupling between two semantically different module groups explained by IPC Wait Chains, such as on this diagram:
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Most of the time when we look at software trace fragments we recognize certain Motifs*, such as client-server interaction, publisher-subscriber notifications, database queries, plugin initialization sequences, etc. This pattern is different from Master Trace, which corresponds to a normal use case or working software scenario and may contain several Motifs, as usually happens in complex software environments. On the other side of the spectrum there are software narremes (basic narrative units) and Macrofunctions (single semantic units). Motifs help to further bridge the great divide between software construction and software diagnostics, with software narremes corresponding to implementation patterns, macrofunctions to design patterns, and motifs to architectural patterns, although an overlap between these categories is possible.
* The idea for the pattern name comes from motives in mathematics.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Static program analysis is used to eliminate certain coding errors that may lead to abnormal software behaviour, so it is naturally a part of software diagnostics, but at the source code level. Our goal here is to identify certain patterns directly linkable to the patterns we see in memory dumps and software logs and collect them into a catalog. One such pattern candidate is called Loop Construct. It covers conditional and unconditional loops, for example, in one of the modern languages:
extern bool soonToBeTrue;       /* shared flag another thread is expected to set */
int mediumValue = ...;          /* sleep interval, initialized elsewhere */
while (true)
{
    TRACE("Waiting");
    sleep(mediumValue);
    if (soonToBeTrue)
    {
        break;
    }
    doHeavyWork();
}
while (--pControl->aFewPasses)  /* pass count read from a shared control block */
{
    TRACE("Waiting");
    sleep(mediumValue);
    doHeavyWork();
}
Such loops may potentially lead to the Spiking Thread memory dump analysis pattern and the High Message Current and Density trace analysis patterns. Of course, we shouldn't suspect every loop, but only those with the potential to be altered by a Local Buffer Overflow (for mediumValue), a Shared Buffer Overwrite (for pControl->aFewPasses) or a race condition (for soonToBeTrue).
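As an added example (not the post's code), the second loop above in its original shape next to a hardened form; the Control struct and the sleep stand-in are constructed for the demo. It shows how a pass counter overwritten to 0 turns the loop into a spin, and how explicit bounds remove the dependency on shared or stack-resident values:

```c
#include <stdio.h>

/* Constructed for this example (not the post's code): the control block whose pass
   counter lives in memory shared with other code and could be hit by a Shared
   Buffer Overwrite. */
struct Control {
    int aFewPasses;
};

/* Hard limits that depend on nothing the program's own data can corrupt. */
#define MAX_PASSES     1000
#define MAX_SLEEP_SECS 30

/* Stand-in for sleep(): records the interval instead of blocking. */
static int g_last_sleep = -1;
static void sleep_stub(int secs) { g_last_sleep = secs; }
static int last_sleep_seconds(void) { return g_last_sleep; }

/* A mediumValue corrupted by a Local Buffer Overflow must not stall the thread:
   negative requests become 0, oversized ones are capped. */
static int clamp_sleep(int requested)
{
    if (requested < 0) return 0;
    if (requested > MAX_SLEEP_SECS) return MAX_SLEEP_SECS;
    return requested;
}

/* The post's second loop in its original shape, with the counter set to 'initial'.
   Termination depends only on --aFewPasses reaching 0, so a counter overwritten
   to 0 keeps spinning until the int wraps around: the Spiking Thread picture.
   'guard' exists only so this demonstration returns; the result is the number of
   passes executed before the guard fired. */
static long passes_unguarded(int initial, long guard)
{
    struct Control c = { initial };
    long n = 0;
    while (--c.aFewPasses) {
        sleep_stub(clamp_sleep(1));
        /* doHeavyWork(); */
        if (++n >= guard) break;
    }
    return n;
}

/* Hardened shape: reject an implausible counter up front (a sign the control
   block was overwritten), decrement explicitly, clamp the sleep, and cap the
   total so no shared value decides how long the thread runs. Returns the pass
   count (initial - 1, as in the original), or -1 when the counter is rejected. */
static long passes_guarded(int initial, int mediumValue)
{
    struct Control c = { initial };
    if (c.aFewPasses <= 0)
        return -1;
    int secs = clamp_sleep(mediumValue);
    long n = 0;
    while (c.aFewPasses > 1 && n < MAX_PASSES) {
        c.aFewPasses--;
        sleep_stub(secs);
        /* doHeavyWork(); */
        n++;
    }
    return n;
}

int main(void)
{
    printf("unguarded, counter 3:    %ld passes\n", passes_unguarded(3, 100000));
    printf("unguarded, counter 0:    %ld passes (guard hit)\n", passes_unguarded(0, 100000));
    printf("guarded,   counter 3:    %ld passes\n", passes_guarded(3, 5));
    printf("guarded,   counter 0:    %ld (rejected)\n", passes_guarded(0, 5));
    printf("guarded,   counter 5000: %ld passes (capped at %d)\n", passes_guarded(5000, 5), MAX_PASSES);
    printf("sleep clamped to %d s\n", last_sleep_seconds());
    return 0;
}
```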
We expect things to get more interesting when we start associating source code that uses certain API with patterns of abnormal behavior.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Before deciding whether to retrospect on 2012, we found that since March 14, 2008 this site has had more than 1 million visitors, with more than 33% returning. So instead of just 2012 we decided to retrospect on the whole interval up to December 31, 2012. Google Analytics has improved since last January 2012 and made our task easier. We start with the first one hundred sites referring to us:
Source / Medium | Visits
| 698156
(direct) | 164142
bing | 27923
google.com | 17868
windbg.org | 12994
yahoo | 8682
stackoverflow.com | 7194
yandex | 5985
windbg.dumpanalysis.org | 5375
dumpanalysis.com | 5369
live | 5310
google.co.in | 4598
blogs.msdn.com | 4385
baike.baidu.com | 3475
twitter.com | 2972
facebook.com | 2733
dumpanalysis.org | 2708
images.google.com | 2314
t.co | 2095
baidu | 1916
winvistaclub.com | 1862
google.co.uk | 1449
advancedwindowsdebugging.com | 1427
jasonhaley.com | 1370
search | 1328
rsdn.ru | 1294
en.wikipedia.org | 1276
msn | 1256
nynaeve.net | 1256
blog.codeimproved.net | 1213
google.de | 1074
google.ca | 979
reddit.com | 951
bytetalk.net | 908
citrixblogger.org | 819
stumbleupon.com | 819
linkedin.com | 780
social.technet.microsoft.com | 774
analyze-v.com | 757
naver | 750
forum.sysinternals.com | 735
google.ru | 710
blogs.microsoft.co.il | 693
kumo.com | 678
google.co.kr | 658
google.com.au | 654
blog.naver.com | 646
reconstructer.org | 645
community.citrix.com | 632
blog.not-a-kernel-guy.com | 604
itdatabase.com | 601
advanceddotnetdebugging.com | 581
serverfault.com | 564
voneinem-windbg.blogspot.com | 561
support.citrix.com | 555
debuggingexperts.com | 549
blog.miniasp.com | 527
google.fr | 495
caloni.com.br | 488
google.com.br | 479
ask | 459
msuiche.net | 439
insidewindows.kr | 432
google.es | 430
gynvael.coldwind.pl | 430
blog.flexilis.com | 429
aol | 418
netfxharmonics.com | 416
advdbg.org | 413
images.google.co.uk | 401
google.it | 391
images.google.co.in | 391
google.nl | 354
serious-code.net | 340
admin.itdatabase.com | 337
blogs.technet.com | 334
brianmadden.com | 327
google.pl | 319
google.com.ua | 318
experts-exchange.com | 316
delicious.com | 312
images.google.de | 305
opentask.com | 301
codemachine.com | 296
driveronline.org | 287
google.com.tw | 282
wasm.ru | 275
debuglab.com | 265
isisaka.com | 262
literatescientist.com | 261
blog.zoller.lu | 258
shellexecute.wordpress.com | 257
google.com.hk | 256
managementbits.com | 253
d.hatena.ne.jp | 251
bloglines.com | 249
google.com.tr | 248
clausbrod.de | 246
bing.com | 243
The next table is the distribution of visits among countries:
Country / Territory | Visits
United States | 342291
India | 89303
United Kingdom | 76131
Russia | 46472
Germany | 44472
China | 40155
Canada | 34781
Japan | 24985
France | 24084
South Korea | 21056
Australia | 20606
Taiwan | 17949
Netherlands | 15607
Ireland | 15579
Israel | 13514
Ukraine | 13449
Italy | 12542
Brazil | 11834
Spain | 11786
Singapore | 11703
Sweden | 11201
Poland | 10340
Romania | 9423
(not set) | 8909
Czech Republic | 8355
Belgium | 6731
Switzerland | 6624
Finland | 6596
Norway | 5585
Malaysia | 5289
Philippines | 5052
Austria | 5046
Denmark | 4980
Hong Kong | 4914
Turkey | 4728
Slovakia | 4599
New Zealand | 4369
Portugal | 4228
Argentina | 3712
Belarus | 3518
Hungary | 3465
Bulgaria | 3301
Mexico | 2960
South Africa | 2945
Vietnam | 2721
Greece | 2712
Indonesia | 2527
Croatia | 1881
Serbia | 1843
Iran | 1842
Thailand | 1726
Pakistan | 1660
Egypt | 1519
Malta | 1422
Estonia | 1385
Slovenia | 1334
Lithuania | 1304
United Arab Emirates | 1167
Chile | 1104
Saudi Arabia | 1096
Colombia | 1067
Latvia | 922
Kazakhstan | 725
Peru | 649
Morocco | 585
Sri Lanka | 516
Luxembourg | 516
Moldova | 439
Uruguay | 435
Venezuela | 431
Jordan | 425
Tunisia | 425
Bolivia | 418
Armenia | 371
Algeria | 362
Costa Rica | 355
Iceland | 353
Panama | 352
Macedonia [FYROM] | 347
Bosnia and Herzegovina | 327
Cyprus | 317
Bangladesh | 314
Nigeria | 298
Puerto Rico | 296
Jamaica | 251
Ecuador | 248
Kuwait | 239
Lebanon | 218
Qatar | 217
Kenya | 195
Georgia | 194
Mongolia | 189
Dominican Republic | 163
Macau | 156
Trinidad and Tobago | 147
Bahrain | 143
Uzbekistan | 142
Guatemala | 141
Azerbaijan | 134
Mauritius | 128
Oman | 117
Nepal | 110
El Salvador | 106
Syria | 103
Iraq | 102
Ghana | 96
Kyrgyzstan | 86
Cambodia | 72
Albania | 71
Serbia and Montenegro | 63
Ethiopia | 63
Uganda | 61
Brunei | 57
Honduras | 55
Isle of Man | 55
Yemen | 55
Cuba | 54
Sudan | 54
Palestinian Territories | 52
Barbados | 49
Myanmar [Burma] | 48
Paraguay | 45
Liechtenstein | 43
Montenegro | 43
Rwanda | 42
Libya | 41
Namibia | 41
Jersey | 40
Maldives | 40
Turks and Caicos Islands | 39
Bermuda | 38
Zimbabwe | 34
Fiji | 32
Nicaragua | 32
Tanzania | 29
Réunion | 27
Gibraltar | 26
New Caledonia | 26
Bahamas | 25
Monaco | 25
Netherlands Antilles | 24
Aruba | 24
Botswana | 24
Cayman Islands | 23
Angola | 22
Madagascar | 20
Guam | 19
Afghanistan | 17
Côte d’Ivoire | 17
Papua New Guinea | 17
Dominica | 16
Guernsey | 16
Guyana | 16
Suriname | 16
Andorra | 14
Belize | 14
Congo [DRC] | 14
Lesotho | 14
Mozambique | 13
Antigua and Barbuda | 12
Laos | 12
French Polynesia | 11
Zambia | 11
Saint Lucia | 10
San Marino | 10
Senegal | 10
Saint Vincent and the Grenadines | 10
Benin | 9
Guinea | 9
Guadeloupe | 9
Malawi | 9
Turkmenistan | 9
U.S. Virgin Islands | 8
Faroe Islands | 7
Grenada | 7
Haiti | 7
British Virgin Islands | 7
Cameroon | 6
French Guiana | 6
Greenland | 6
Martinique | 6
Seychelles | 6
Timor-Leste | 6
Mali | 5
Tajikistan | 5
Gabon | 4
Anguilla | 3
Åland Islands | 3
Swaziland | 3
Burundi | 2
Congo [Republic] | 2
Cape Verde | 2
Djibouti | 2
Saint Kitts and Nevis | 2
Liberia | 2
Somalia | 2
Togo | 2
Vanuatu | 2
Burkina Faso | 1
Bhutan | 1
Falkland Islands [Islas Malvinas] | 1
Gambia | 1
Equatorial Guinea | 1
Guinea-Bissau | 1
Comoros | 1
Mauritania | 1
Palau | 1
Sierra Leone | 1
Vatican City | 1
Samoa | 1
Then the first 100 network locations:
Service Provider | Visits
microsoft corp | 33646
comcast cable communications inc. | 18544
road runner holdco llc | 16529
internet service provider | 12815
comite gestor da internet no brasil | 10995
hewlett-packard company | 10961
deutsche telekom ag | 9889
japan network information center | 9746
verizon internet services inc. | 7851
network of citrix systems inc | 6945
intel corporation | 6873
symantec corporation | 6812
chunghwa telecom data communication business group | 6381
ip pools | 6314
insignium llc | 6206
reliance communications ltd | 5870
charter communications | 5583
uunet non-portable customer assignment | 4931
verizon online llc | 4900
comcast cable communications holdings inc | 4700
at&t internet services | 4617
eircom | 4567
cox communications | 4540
proxad / free sas | 4451
korea telecom | 4397
abts (karnataka) | 4251
nib (national internet backbone) | 4243
chinanet guangdong province network | 4189
comcast cable communications | 3896
unknown | 3279
xo communications | 3274
chinanet shanghai province network | 3248
shaw communications inc. | 3179
qwest communications company llc | 3156
telstra internet | 3130
tw telecom holdings inc. | 3091
citrix systems inc. | 3029
data general corporation | 2998
cox communications inc. | 2946
bellsouth.net inc. | 2925
optimum online (cablevision systems) | 2853
china unicom beijing province network | 2850
chtd chunghwa telecom co. ltd. | 2791
krnic | 2786
ntt communications corporation | 2779
psinet inc. | 2599
emc corporation | 2499
comcast cable communications ip services | 2435
arcor ag | 2371
cisco systems inc. | 2364
(not set) | 2335
broadband multiplay project o/o dgm bb noc bsnl bangalore | 2285
research in motion limited | 2283
samtel | 2257
rcs & rds s.a. | 2246
computer associates international | 2166
honeywell international inc. | 2106
telus communications inc. | 2103
customers ie | 1954
sympatico hse | 1929
comcast business communications llc | 1853
telefonica de espana sau | 1843
iinet limited | 1840
ziggo consumers | 1810
easynet ltd | 1758
comcast business communications inc. | 1738
microsoft | 1717
kaspersky lab internet | 1698
appense | 1687
chinanet jiangsu province network | 1665
dell computer corporation | 1656
eircom ltd | 1644
taipei taiwan | 1612
abts tamilnadu | 1594
network of ign arch. and design gb | 1578
starhub cable vision ltd | 1555
wipro technologies | 1537
level 3 communications inc. | 1522
tpg internet pty ltd. | 1510
siemens ag | 1483
microsoft corporation | 1478
global crossing | 1433
singnet pte ltd | 1429
dynamic pools | 1426
this space is statically assigned. | 1425
videsh sanchar nigam ltd - india. | 1414
provider local registry | 1403
abts delhi | 1385
qwest communications corporation | 1356
kla instruments corp. | 1316
telia network services | 1311
cncgroup beijing province network | 1278
frontier communications of america inc. | 1264
telecom italia s.p.a. tin easy lite | 1257
videotron ltee | 1255
oracle datenbanksysteme gmbh | 1234
neostrada plus | 1228
suddenlink communications | 1214
dynamic ip pool for broadband customers | 1202
eset s.r.o. | 1200
Then the first 100 search keywords and phrases that led to us:
Keyword | Visits
(not provided) | 53903
kifastsystemcallret | 10644
crash dump analysis | 10348
crash dump | 9863
ntdll!kifastsystemcallret | 4305
dump analysis | 4143
adplus | 3332
win32 error 0n2 | 2553
windbg commands | 2198
memory dump analysis | 2183
windbg | 2131
crash dumps | 1825
dumpanalysis.org | 1818
nt!_gshandlercheck_seh | 1734
dmitry vostokov | 1718
crashdump | 1683
symbol file could not be found | 1669
bugcheck 3b | 1458
memory dump analysis anthology | 1393
crash dump analyzer | 1360
warning: frame ip not in any known module. following frames may be wrong. | 1347
windbg cheat sheet | 1318
windbg crash dump analysis | 1271
minidump analysis | 1259
adplus download | 1214
core dump analysis | 1167
fnodobfm | 1159
dumpanalysis | 1142
windows 7 crash dump | 1142
windbg analyze | 1118
kisystemservicecopyend | 1066
frame ip not in any known module | 1010
getcontextstate failed, 0x80070026 | 949
crash dump windows 7 | 930
the stored exception information can be accessed via .ecxr. | 925
windbg script | 922
error: symbol file could not be found | 912
vista crash dump | 895
windows crash dump analysis | 888
system_thread_exception_not_handled | 857
анализ дампа памяти | 857
dump analyzer | 847
дамп памяти | 821
pool corruption | 820
time travel debugging | 776
system_service_exception | 772
kernel_mode_exception_not_handled | 741
ntdll kifastsystemcallret | 741
the stored exception information can be accessed via .ecxr | 734
kmode_exception_not_handled | 726
trap frame | 719
idna trace | 695
windbg crash dump | 694
kiuserexceptiondispatcher | 691
minidump analyzer | 672
bugcheck 7e | 670
kernel32!pnlsuserinfo | 643
windbg scripts | 641
rtlpwaitoncriticalsection | 635
minidump | 628
bugcheck system_service_exception | 621
exception_double_fault | 597
warning: stack unwind information not available. following frames may be wrong. | 584
application_fault_status_breakpoint | 583
crash dump vista | 582
memory dump analysis tool | 576
getcontextstate failed, 0xd0000147 | 575
memoretics | 544
dumpanalysis.org/asmpedia | 537
failure_bucket_id | 524
"dec 15" module windbg | 511
error: symbol file could not be found. | 511
download adplus | 507
basethreadinitthunk | 505
dr watson vista | 505
ntkrnlmp.exe crash dump | 499
ntdll.dll!kifastsystemcallret | 492
rtlplowfragheapfree | 488
analyze minidump | 477
adplus tutorial | 473
application_hang_blockedon_fileio | 468
bios disassembly ninjutsu uncovered | 460
ntdll.kifastsystemcallret | 460
analyze crash dump | 459
windows dump analysis | 459
debug_flr_image_timestamp | 456
system_thread_exception_not_handled (7e) | 456
windbg dump analysis | 446
windbg hang | 438
windows debugging: practical foundations | 434
crash dump analysis windbg | 432
dynamicbase aslr | 422
crash dump analysis tool | 419
nt!kebugcheckex | 414
rtluserthreadstart | 414
type referenced: kernel32!pnlsuserinfo | 407
error: symbol file could not be found. defaulted to export symbols for ntkrnlmp.exe | 405
memory dump | 403
warning: frame ip not in any known module. following frames may be wrong | 399
application_hang_busyhang | 398
Then browser stats (we never thought there were so many of them):
Browser | Visits
Internet Explorer | 446051
Firefox | 356686
Chrome | 184535
Opera | 45787
Safari | 24123
Mozilla | 3780
Mozilla Compatible Agent | 2401
Android Browser | 1337
Konqueror | 1057
IE with Chrome Frame | 982
Opera Mini | 705
SeaMonkey | 503
Safari (in-app) | 197
Lunascape | 144
BlackBerry8900 | 128
Camino | 126
RockMelt | 124
(not set) | 96
Netscape | 72
Playstation 3 | 36
IUC | 34
Googlebot | 29
Lynx | 24
Unsupported Browser Version | 22
BlackBerry9630 | 21
NetFront | 17
BlackBerry9700 | 15
Microsoft-Symbol-Server | 14
BlackBerry9000 | 12
Galeon | 11
Midori | 9
NokiaE63 | 9
Yahoo! Slurp | 9
BlackBerry8530 | 8
BlackBerry8520 | 7
PagePeeker.com | 7
SAMSUNG-SGH-I617 | 7
BlackBerry9530 | 6
JUC | 6
MSR-ISRCCrawler | 6
OpenWave | 6
anonimo | 5
BlackBerry9300 | 5
HTC_HD2_T8585 Opera | 5
Nokia5233 | 5
Space Bison | 5
-Vasya | 4
Blazer | 4
Uzbl | 4
-^_^- Hello | 3
<?echo ‘<pre>’; system | 3
12345 | 3
BlackBerry9330 | 3
BlackBerry9650 | 3
HTC_P3700 Opera | 3
HTC_TyTN_II Mozilla | 3
NOKIAN78 | 3
Playstation Portable | 3
PPC; 240x320; HTC_P3450 | 3
undefined GoogleToolbarBB | 3
anonymous | 2
Empty | 2
GreatBrowse | 2
Helyi user agent | 2
HTC_Touch_Pro2_T7373 Opera | 2
HTC_Touch2_T3333 Opera | 2
J2ME | 2
Mozilla 5.0 | 2
NokiaC1-01 | 2
NokiaC3-00 | 2
NokiaC7-00 | 2
NokiaX2-01 | 2
nwzfq | 2
test | 2
— | 1
?M5 | 1
“PagePeeker.com” | 1
<?include | 1
<script>alert | 1
<SCRIPT>window.location=’http: | 1
2.0.0.11 | 1
31337′ | 1
8900b | 1
AltaVista Intranet V2.0 evreka.com crawler@evreka.com | 1
annoying | 1
AppEngine-Google; | 1
BlackBerry9500 | 1
BlackBerry9550 | 1
bwh3_user_agent | 1
Citrix | 1
EBABrowser | 1
EY | 1
fake_user_agent Mozilla | 1
FAST Enterprise Crawler 6 used by Reed Exhibitions | 1
foo | 1
General Browser | 1
GOOGLEBOT | 1
HD_mini_T5555 Opera | 1
Hellbrowser 6.66 | 1
holy_teacher FirePHP | 1
HTC_P3490 Opera | 1
HTC_P4550 Mozilla | 1
HTC_Polaris Mozilla | 1
HTC_Touch_3G_T3232 Opera | 1
HTC_Touch_HD_T8282 Opera | 1
HTC_Touch_Pro_T7272 Opera | 1
HTC_Touch2_T3320 Opera | 1
HTC-8900 | 1
IE 8 | 1
IE6 | 1
iTunes | 1
Keep Out | 1
KraftwayBrowser2 | 1
Links | 1
Maemo Browser | 1
Medusa | 1
MERONG | 1
Motorola_ES405B | 1
mozilla | 1
Mozilla Firefox | 1
MS-OC 4.0 | 1
msie | 1
NCSA Mosaic | 1
NightDynamo AdminPanel v0.2.1 | 1
Nokia2700c-2 | 1
Nokia2730c-1 | 1
Nokia305 | 1
Nokia5230 | 1
Nokia5310XpressMusic | 1
Nokia5800 XpressMusic | 1
Nokia6300 | 1
Nokia6700c-1 | 1
NokiaC2-01 | 1
NokiaC2-02 | 1
NokiaC2-03 | 1
NokiaC5-03 | 1
nokiac6-00 | 1
NokiaC6-00 | 1
NOKIAE65 | 1
NokiaE66 | 1
NokiaE71 | 1
NokiaE71-2;Mozilla | 1
NokiaE72-1 | 1
NokiaN-GageQD | 1
NokiaN70-1 | 1
NokiaNokia 6210s | 1
NoneOfYourBusiness | 1
nothisname_wangxiaoyang3 | 1
OmniWeb | 1
Palm750 | 1
Peeplo Screenshot Bot | 1
PerTrUsTsQuiD | 1
pippos.7 | 1
PPC; 480x800; HTC_Touch_HD_T8282; OpVer 34.159.1.612 | 1
PriceGoblin User Agent | 1
Private | 1
Privoxy | 1
Read Later | 1
SAMSUNG-GT-E2222 | 1
samsung-gt-s3653 | 1
samsung-gt-s3653 UNTRUSTED | 1
SAMSUNG-S8000 | 1
SAMSUNG-SGH-I637 | 1
Samsung-SPHM540 Polaris | 1
SmallProxy 3.5.4 | 1
SonyEricssonK750 | 1
Surf | 1
tdhbrowser | 1
TiFiC Client Z | 1
union update table sd_users set userid=9 where username=’coco | 1
unknown | 1
Unknown | 1
UNTRUSTED | 1
Updownerbot | 1
WIN | 1
WinXP SP2 | 1
Wlwap | 1
WM5 PIE | 1
Xda_orbit_2; 240x320 | 1
Xyi znat kakoi browser MRA 5.7 | 1
ZooShot 0.1a | 1
ZooShot 0.42 | 1
And finally, mobile device stats (you may find your own device there):
Mobile Device Info | Visits
Apple iPhone | 2292
Apple iPad | 1940
(not set) | 1099
Samsung GT-I9100 Galaxy S II | 167
Apple iPod Touch | 112
Asus Eee Pad Transformer TF101 | 112
SonyEricsson LT15i Xperia Arc | 94
Motorola Xoom | 47
Samsung Galaxy Nexus | 47
Samsung GT-I9000 Galaxy S | 34
Samsung GT-P7510 Galaxy Tab 10.1 | 30
Google Nexus S Samsung Nexus S | 26
HTC EVO 4G | 26
Google Nexus 7 | 21
RIM BlackBerry Bold Touch 9900 Dakota | 21
Samsung GT-N7000 Galaxy Note | 21
Acer A500 Picasso | 17
Asus Eee Pad TF201 Transformer Prime | 17
HTC Desire HD | 17
Motorola DroidX | 17
Motorola XT862 Droid 3 | 17
Samsung GT-S5830 Galaxy Ace | 17
Samsung SGH-I747 Galaxy SIII | 17
Samsung SGH-i917 Omnia 7 | 17
Verizon Droid2 | 17
Google Nexus One | 13
Google Nexus One HTC Nexus One | 13
HTC ADR6300 Incredible | 13
Motorola Droid 2 | 13
Samsung GT-P7500 P4 | 13
Samsung SHW-M250K GALAXY S II (KT) | 13
Apple iPod | 9
BlackBerry 9780 | 9
BlackBerry 9800 Torch | 9
Dell Venue Pro | 9
HTC Desire | 9
HTC G2 HTC Sappire | 9
HTC HD7 | 9
HTC T9292 HD7 | 9
Motorola MB860 Atrix | 9
Nokia E63 | 9
RIM BlackBerry 8530 Curve | 9
Samsung GT-I9001 | 9
Samsung GT-I9300 Galaxy S3 | 9
Samsung GT-N8000 Galaxy Note 10.1 | 9
Samsung GT-P1000 Galaxy Tab | 9
Sharp IS03 IS03 for KDDI | 9
T-Mobile myTouch4G | 9
Toshiba AT100 | 9
ZTE N860 | 9
Acer A101 Vangogh | 4
Acer A200 Picasso_E | 4
Acer Acer E310 Liquid Mini | 4
Asus TF300T Transformer Pad TF300T | 4
BlackBerry 8520 Curve | 4
BlackBerry 9900 Dakota | 4
DoCoMo L-05D Optimus it | 4
DoCoMo P502i | 4
Fujitsu F-12C F-12C for DoCoMo | 4
Google Nexus S | 4
Google Wireless Transcoder | 4
HTC A8181 Desire | 4
HTC ADR6350 Droid Incredible 2 | 4
HTC ADR6400L Thunderbolt | 4
HTC ADR6400L Thunderbolt 4G | 4
HTC APC715CKT EVO Design 4G | 4
HTC Bravo | 4
HTC Desire X0H6T | 4
HTC Glacier | 4
HTC Incredible S Incredible S | 4
HTC Inspire 4G | 4
HTC ISW12HT EVO 3D ISW12HT for KDDI | 4
HTC Mozart 7 Mozart | 4
HTC PC36100 EVO 4G | 4
HTC PJ83100 One X | 4
HTC Radar 4G | 4
HTC S510e Desire S | 4
HTC T7380 TouchFLO | 4
HTC X515 EVO 3D | 4
Huawei M860 Ascend | 4
Huawei u8800 Ideos X5 | 4
kddi ISW11HT HTC EVO WiMAX ISW11HT for KDDI | 4
LG C900 Quantum | 4
LG E900 Optimus 7 | 4
LG LS670 Optimus S | 4
LG MS690 Optimus M | 4
LG VM670 Optimus V | 4
LG VS910 4G Revolution | 4
Motorola A953 MILESTONE 2 | 4
Motorola ISW11M PHOTON ISW11M for KDDI | 4
Motorola MB501 | 4
Motorola MB525 DEFY | 4
Motorola MB611 | 4
Motorola MOTXT912B Droid Razr 4G | 4
Motorola MZ601 Xoom | 4
Motorola MZ604 Xoom | 4
Motorola MZ605 Xoom | 4
Motorola xt875 Droid Bionic | 4
Nokia 5800d XpressMusic | 4
Nokia C3-00 | 4
Nokia C5-03 C5 | 4
Nokia C6-00 | 4
Nokia Lumia 710 | 4
Nokia Lumia 800 | 4
RIM BlackBerry 9300 Curve 3G | 4
RIM BlackBerry 9700 Bold | 4
RIM BlackBerry 9800 Torch | 4
RIM Blackberry Bold Touch 9930 | 4
Samsung GT i5700 Galaxy Spica | 4
Samsung GT I9000T Galaxy S | 4
Samsung GT-I9100G Galaxy S II | 4
Samsung GT-I9100P Galaxy S II NFC | 4
Samsung GT-I9103 | 4
Samsung GT-I9300 Galaxy SIII | 4
Samsung GT-N8010 Galaxy Note 10.1 | 4
Samsung GT-P7500 Galaxy Tab 10.1 | 4
Samsung SCH-I500 Fascinate | 4
Samsung SCH-I535 4G Galaxy SIII | 4
Samsung SGH-i717 Galaxy Note | 4
Samsung SGH-I747 Galaxy S3 | 4
Samsung SGH-I777 | 4
Samsung SGH-I777 Galaxy S II | 4
Samsung SGH-I897 Galaxy S Captivate | 4
Samsung SHW-M250S GALAXY S II (SKT) | 4
Samsung SPH-D700 Epic 4G | 4
Samsung SWH-M110S | 4
Sharp 003SH Sharp Galapagos 003SH for SoftBank | 4
Softbank 001DL DELL Streak | 4
SonyEricsson LT26i Xperia Arc HD | 4
Xiaomi MI-ONE Plus M1 Plus | 4
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
As announced earlier, we are starting to catalogue elemental malware detection and analysis patterns. We skip Part 1 because we assign Deviant Module to it. Part 2 deals with the Fake Module pattern, where one of the loaded modules masquerades as a legitimate system DLL or a widely known value-adding DLL from some popular third-party product. To illustrate this pattern we modeled it as Victimware: a process that crashed after loading a malware module:
0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
00000000`0026f978 00000001`3f89103a 0x0
00000000`0026f980 00000001`3f8911c4 FakeModule!wmain+0x3a
00000000`0026f9c0 00000000`76e3652d FakeModule!__tmainCRTStartup+0x144
00000000`0026fa00 00000000`7752c521 kernel32!BaseThreadInitThunk+0xd
00000000`0026fa30 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
When we inspect loaded modules we don’t find anything suspicious:
0:000> lmp
start end module name
00000000`76e20000 00000000`76f3f000 kernel32 <none>
00000000`77500000 00000000`776a9000 ntdll <none>
00000001`3f890000 00000001`3f8a6000 FakeModule <none>
000007fe`f8cb0000 000007fe`f8cc7000 winspool <none>
000007fe`fdb30000 000007fe`fdb9c000 KERNELBASE <none>
However, when checking module images for modifications we find that winspool could not be compared with an existing binary from the Microsoft symbol server:
0:000> !for_each_module "!chkimg -v -d @#ModuleName"
Searching for module with expression: kernel32
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: C:\WSDK8\Debuggers\x64\sym\kernel32.dll\503285C111f000\kernel32.dll
No range specified
Scanning section: .text
Size: 633485
Range to scan: 76e21000-76ebba8d
Total bytes compared: 633485(100%)
Number of errors: 0
0 errors : kernel32
Searching for module with expression: ntdll
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: C:\WSDK8\Debuggers\x64\sym\ntdll.dll\4EC4AA8E1a9000\ntdll.dll
No range specified
Scanning section: .text
Size: 1049210
Range to scan: 77501000-7760127a
Total bytes compared: 1049210(100%)
Number of errors: 0
Scanning section: RT
Size: 474
Range to scan: 77602000-776021da
Total bytes compared: 474(100%)
Number of errors: 0
0 errors : ntdll
Searching for module with expression: FakeModule
Error for FakeModule: Could not find image file for the module. Make sure binaries are included in the symbol path.
Searching for module with expression: winspool
Error for winspool: Could not find image file for the module. Make sure binaries are included in the symbol path.
Searching for module with expression: KERNELBASE
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: C:\WSDK8\Debuggers\x64\sym\KERNELBASE.dll\503285C26c000\KERNELBASE.dll
No range specified
Scanning section: .text
Size: 302047
Range to scan: 7fefdb31000-7fefdb7abdf
Total bytes compared: 302047(100%)
Number of errors: 0
0 errors : KERNELBASE
Checking module data reveals that it was not loaded from the System32 folder and has no version information:
0:000> lmv m winspool
start end module name
000007fe`f8cb0000 000007fe`f8cc7000 winspool (deferred)
Image path: C:\Work\AWMA\FakeModule\x64\Release\winspool.drv
Image name: winspool.drv
Timestamp: Fri Dec 28 22:22:42 2012 (50DE1BB2)
CheckSum: 00000000
ImageSize: 00017000
File version: 0.0.0.0
Product version: 0.0.0.0
File flags: 0 (Mask 0)
File OS: 0 Unknown Base
File type: 0.0 Unknown
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
We can also see that path in the output of this command:
0:000> !for_each_module
00: 0000000076e20000 0000000076f3f000 kernel32 C:\Windows\System32\kernel32.dll kernel32.dll
01: 0000000077500000 00000000776a9000 ntdll C:\Windows\System32\ntdll.dll ntdll.dll
02: 000000013f890000 000000013f8a6000 FakeModule C:\Work\AWMA\FakeModule\x64\Release\FakeModule.exe FakeModule.exe
03: 000007fef8cb0000 000007fef8cc7000 winspool C:\Work\AWMA\FakeModule\x64\Release\winspool.drv
04: 000007fefdb30000 000007fefdb9c000 KERNELBASE C:\Windows\System32\KERNELBASE.dll KERNELBASE.dll
or from the PEB:
0:000> !peb
PEB at 000007fffffdf000
[...]
7fef8cb0000 50de1bb2 Dec 28 22:22:42 2012 C:\Work\AWMA\FakeModule\x64\Release\winspool.drv
[…]
Another sign is the module size in memory, which is much smaller than that of the real winspool.drv:
0:000> ? 000007fe`f8cc7000 - 000007fe`f8cb0000
Evaluate expression: 94208 = 00000000`00017000
Module size can also help when a legitimate module in a well-known folder was replaced. The module debug directory and the sizes of the export and import directories are also different, with the former revealing the development folder:
0:000> !dh 000007fe`f8cb0000
[...]
0 [ 0] address [size] of Export Directory
[…]
9000 [ 208] address [size] of Import Address Table Directory
[…]
Debug Directories(2)
Type Size Address Pointer
cv 49 e2c0 cac0 Format: RSDS, guid, 1, C:\Work\AWMA\FakeModule\x64\Release\winspool.pdb
This can also be seen from the output of !lmi command:
0:000> !lmi 7fef8cb0000
Loaded Module Info: [7fef8cb0000]
Module: winspool
Base Address: 000007fef8cb0000
Image Name: winspool.drv
Machine Type: 34404 (X64)
Time Stamp: 50de1bb2 Fri Dec 28 22:22:42 2012
Size: 17000
CheckSum: 0
Characteristics: 2022
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 49, e2c0, cac0 RSDS - GUID: {29D85193-1C9D-4997-95BA-DD190FA3C1BF}
Age: 1, Pdb: C:\Work\AWMA\FakeModule\x64\Release\winspool.pdb
?? 10, e30c, cb0c [Data not mapped]
Symbol Type: DEFERRED - No error - symbol load deferred
Load Report: no symbols loaded
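The three checks walked through above (image path, size, and the PDB path in the debug directory) can be scripted against saved debugger output. This is an added Python example, not code from the original post: the !for_each_module and !lmi listings inside it are constructed from the ones above, the real winspool.drv size is not given on the page so the size check only cross-checks the header Size against the mapped range, and the rule that vendor binaries embed only a .pdb file name is a heuristic assumption.

```python
import re

# Constructed sample of WinDbg "!for_each_module" output, modelled on the listing above.
FOR_EACH_MODULE = """\
00: 0000000076e20000 0000000076f3f000 kernel32 C:\\Windows\\System32\\kernel32.dll kernel32.dll
01: 0000000077500000 00000000776a9000 ntdll C:\\Windows\\System32\\ntdll.dll ntdll.dll
03: 000007fef8cb0000 000007fef8cc7000 winspool C:\\Work\\AWMA\\FakeModule\\x64\\Release\\winspool.drv
"""
# Constructed sample of the relevant "!lmi" lines for the suspect module.
LMI_WINSPOOL = """\
Size: 17000
Age: 1, Pdb: C:\\Work\\AWMA\\FakeModule\\x64\\Release\\winspool.pdb
"""

MODULE_RE = re.compile(r"^\d+:\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)\s+(\S+)", re.I)
SIZE_RE = re.compile(r"^Size:\s+([0-9a-f]+)", re.M | re.I)
PDB_RE = re.compile(r"Pdb:\s+(.+?)\s*$", re.M)
SYSTEM_DIR = "c:\\windows\\system32\\"  # where the expected OS modules should be loaded from


def parse_modules(text):
    """Map lower-cased module name -> (base, end, image path) from !for_each_module output."""
    mods = {}
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            mods[m.group(3).lower()] = (int(m.group(1), 16), int(m.group(2), 16), m.group(4))
    return mods


def module_indicators(base, end, path, lmi_text=None):
    """Signs that an image is not the OS binary it is named after (heuristics, not proof)."""
    findings = []
    if not path.lower().startswith(SYSTEM_DIR):
        findings.append("image path outside system folder: " + path)
    if lmi_text:
        s = SIZE_RE.search(lmi_text)
        if s and int(s.group(1), 16) != end - base:
            findings.append("header size %#x != mapped range %#x" % (int(s.group(1), 16), end - base))
        p = PDB_RE.search(lmi_text)
        # Assumption: vendor-shipped binaries usually embed only the .pdb file name, so a full
        # local path in the CodeView record points at whoever built this image.
        if p and ("\\" in p.group(1) or "/" in p.group(1)):
            findings.append("pdb path reveals build folder: " + p.group(1))
    return findings


def audit_modules(for_each_module_text, lmi_by_module, expected_system):
    """Return {module: findings} for the expected OS modules that look replaced."""
    mods = parse_modules(for_each_module_text)
    report = {n: module_indicators(*mods[n], lmi_by_module.get(n)) for n in mods if n in expected_system}
    return {n: f for n, f in report.items() if f}
```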
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
I get many questions on whether software log analysis patterns from Software Diagnostics Institute are OS, platform or product specific. My answer is that they are independent of all of them, because they are based on viewing software logs as stories of computation and were discovered by applying narratological analysis (software narratology). In addition to these patterns there exist domain-specific problem patterns, such as a wrong hotfix level or a specific product error code during software installation or execution. Typical examples of support for such platform- and product-specific patterns include Microsoft Windows Problem Reporting and Citrix Auto Support.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Having done memory dump analysis training for more than 2 years, I found that students are divided into 2 types: those who prefer to see source code first and those who want to see a memory dump first. We actually prefer to show a memory dump first and then explore it to find certain patterns of abnormal structure and behavior. Software Diagnostics Services used this approach to design its Accelerated Windows Memory Dump Analysis and Accelerated .NET Memory Dump Analysis courses. Students explore memory dumps and debugger logs to find memory dump analysis patterns, which are introduced when necessary. After that they can check the source code of the modeling applications if they have development experience. The Accelerated Windows Software Trace Analysis course uses a different approach. It introduces all software trace analysis patterns at once, because they are patterns from software narratology independent of programming languages and software platforms. After that students explore and analyze software traces and logs. We can summarize these 2 approaches in this diagram:
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Pattern-driven software post-construction problem solving involves using preexisting pattern languages and pattern catalogs for software diagnostics, troubleshooting and debugging. Pattern-based software post-construction problem solving addresses PLS (Pattern Life Cycle): from the discovery of a new pattern through its integration into an existing catalog and language, testing, packaging and delivery to pattern consumers, with subsequent usage, refactoring and writing of case studies:
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
In addition to MemOS (Memory OS) we propose the memCPU architecture, where software diagnostics is built in from the start. Every CPU instruction from memISA (Memory Instruction Set Architecture) has its previous memory state saved in a memory dump. In addition, there are special instructions to facilitate software tracing. All this will be discussed later, but for now here is a conceptual diagram depicting data and code input streams and the continuous output memory dump stream:
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Influenced by the stages of Husserlian phenomenological investigation, I propose the following stages for the investigation of phenomena as they appear in software execution artifacts such as memory dumps, traces and logs:
1. Bracketing the outside source code as reduction to patterns of phenomena independent from causal software engineering explanations.
2. Constructing the computational world for the given incident (the so called horizon of computation).
3. Comparing with “computed-in” experience of past computational worlds from which all universal patterns of computational structural and behavioral phenomena emerged.
PS. According to the above, software diagnostics is a phenomenological science of patterns. Most probably this sketch will be revised soon. In the meantime, here’s a funny coincidence. The first step in the phenomenological method is the so-called epoché. I provide my own interpretation of this: the “exception processing of crash” hypothetical episteme. This is similar to the EPOCH metaphysical grand conjecture that our World is just one enormous exception processing handler after the Big Bang.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
The case of an error reporting fault chain led me to the First Fault Stack Trace memory dump analysis pattern, which corresponds to the First Fault software diagnostics pattern proper. Here the term first fault is used for an exception that was either ignored by surrounding code or led to other exceptions or error message boxes with stack traces that masked the first one. Typical examples where it is sometimes possible to get a first exception stack trace include, but are not limited to:
It is also sometimes possible, unless a stack region was paged out, to get partial stack traces from execution residue when the sequence of return addresses was partially overwritten by subsequently executed code.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Periodic Message Block is similar to Periodic Error but not limited to errors or failure reports. One such example we recently encountered is when some adjoint activity (such as messages from a specific PID) stops appearing after the middle of the trace, and after that there are repeated blocks of similar messages from different PIDs with their threads checking for some condition (waiting for an event and reporting timeouts):
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Forthcoming Accelerated Windows Software Trace Analysis Training.
These are important meta-patterns of monitoring and software problem analysis reports. It is often the case that we have software artifacts and some problem description, and we need to provide recommendations on further troubleshooting. Most of the time such an analysis and the associated response fit into abstract schemes where we can just substitute variables with concrete states, actions, artifacts and behavioral descriptions. Sometimes we also have difficulty writing such analysis reports, so we hope report schemes are of help here, providing organizing templates for the thought process. The first such scheme we call Missing Cause Trace:
The difference from the Truncated Trace pattern is that in a truncated trace it was intended to trace certain behaviour, but the tracing session was stopped prematurely or started too late. In a missing cause trace only a part of the necessary activity was traced, and the missing part wasn’t thought of or considered for tracing.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Modern software trace recording, visualization and analysis tools such as Process Monitor, Xperf, WPR and WPA provide stack traces associated with trace messages. If we consider stack traces as software traces, then we have, in the more general case, traces (fibers) bundled together on (attached to) a base software trace. For example, a trace message that mentions an IRP can have its I/O stack attached together with a thread stack trace of the function calls leading to the function that emitted the trace message. Another example is the association of different types of traces with trace messages, such as managed and unmanaged ones. This general trace analysis pattern needs a name, so we opted for Fiber Bundle as an analogy with a fiber bundle from mathematics. Here’s a graphical representation of stack traces recorded for each trace message, where one message also has an associated I/O stack trace:
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Software diagnosis requires intelligence.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Learn from this Webinar about phenomenological, hermeneutical and analytical approaches to software diagnostics and its knowledge, foundations, norms, theories, logic, methodology, language, ontology, nature and truth. This seminar is hosted by Software Diagnostics Services.
Title: Introduction to Philosophy of Software Diagnostics
Date: 17th of December, 2012
Time: 19:00 GMT
Duration: 60 minutes
Space is limited.
Reserve your Webinar seat now at:
https://www3.gotomeeting.com/register/872846486
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
This is the first pattern that emerged after applying the same pattern-driven software diagnostics methodology to Mac OS X. I had problems using GDB, which is so portable that it hardly has the operating system support that WinDbg has. Fortunately, I found a workaround by complementing core dumps with logs and reports from the OS, such as crash reports and vmmap data. I call this pattern Paratext, a name I borrowed from the concept of an extended software trace in software narratology, which in turn borrowed it from literary interpretation (paratext). Typical examples of such pattern usage are the list of modules with version and path info, application crash specific information, and memory region names with attribution and boundaries:
// from .crash reports
0x108f99000 - 0x109044ff7 com.apple.FontBook (198.4 - 198) <7244D36E-4563-3E42-BA46-1F279D30A6CE> /Applications/Font Book.app/Contents/MacOS/Font Book
Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000
Application Specific Information:
objc[195]: garbage collection is OFF
*** error for object 0x7fd7fb818e08: incorrect checksum for freed object - object was probably modified after being freed.
// from vmmap logs
[...]
==== Writable regions for process 966
[...]
Stack 0000000101f71000-0000000101ff3000 [ 520K] rw-/rwx SM=PRV thread 1
MALLOC_LARGE 0000000103998000-00000001039b8000 [ 128K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
MALLOC_SMALL (freed) 00000001039b9000-00000001039bb000 [ 8K] rw-/rwx SM=PRV
mapped file 0000000103a05000-0000000103f32000 [ 5300K] rw-/rwx SM=COW ...box.framework/Versions/A/Resources/Extras2.rsrc
mapped file 0000000104409000-00000001046d2000 [ 2852K] rw-/rwx SM=COW /System/Library/Fonts/Helvetica.dfont
MALLOC_LARGE 0000000104f6e000-0000000104f8e000 [ 128K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
MALLOC_LARGE (freed) 0000000108413000-0000000108540000 [ 1204K] rw-/rwx SM=COW
MALLOC_LARGE (freed) 0000000108540000-0000000108541000 [ 4K] rw-/rwx SM=PRV
MALLOC_TINY 00007fefe0c00000-00007fefe0d00000 [ 1024K] rw-/rwx SM=COW DefaultMallocZone_0x101e6e000
MALLOC_TINY 00007fefe0d00000-00007fefe0e00000 [ 1024K] rw-/rwx SM=PRV DispatchContinuations_0x101f38000
MALLOC_TINY 00007fefe0e00000-00007fefe0f00000 [ 1024K] rw-/rwx SM=COW DefaultMallocZone_0x101e6e000
MALLOC_SMALL 00007fefe1000000-00007fefe107b000 [ 492K] rw-/rwx SM=ZER DefaultMallocZone_0x101e6e000
MALLOC_SMALL 00007fefe107b000-00007fefe1083000 [ 32K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
MALLOC_SMALL 00007fefe1083000-00007fefe1149000 [ 792K] rw-/rwx SM=ZER DefaultMallocZone_0x101e6e000
MALLOC_SMALL (freed) 00007fefe1149000-00007fefe1166000 [ 116K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
MALLOC_SMALL (freed) 00007fefe1166000-00007fefe1800000 [ 6760K] rw-/rwx SM=ZER DefaultMallocZone_0x101e6e000
MALLOC_SMALL 00007fefe1800000-00007fefe18ff000 [ 1020K] rw-/rwx SM=ZER DefaultMallocZone_0x101e6e000
MALLOC_SMALL (freed) 00007fefe18ff000-00007fefe1901000 [ 8K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
MALLOC_SMALL 00007fefe1901000-00007fefe2000000 [ 7164K] rw-/rwx SM=ZER DefaultMallocZone_0x101e6e000
MALLOC_TINY (freed) 00007fefe2000000-00007fefe2100000 [ 1024K] rw-/rwx SM=PRV DispatchContinuations_0x101f38000
MALLOC_TINY 00007fefe2100000-00007fefe2200000 [ 1024K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
Stack 00007fff61186000-00007fff61985000 [ 8188K] rw-/rwx SM=ZER thread 0
Stack 00007fff61985000-00007fff61986000 [ 4K] rw-/rwx SM=COW
[...]
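The region names and boundaries from the vmmap listing are what lets a pointer taken from a core dump or crash report be attributed to a region, and in particular to a "(freed)" one. The following Python is an added example, not from the original post: it parses a constructed excerpt in the format of the "Writable regions" lines above and answers which region an address falls into.

```python
import re
from collections import namedtuple

Region = namedtuple("Region", "kind freed start end perms sharing detail")

# Constructed excerpt in the format of the vmmap "Writable regions" listing above.
VMMAP_SAMPLE = """\
Stack 0000000101f71000-0000000101ff3000 [ 520K] rw-/rwx SM=PRV thread 1
MALLOC_LARGE 0000000103998000-00000001039b8000 [ 128K] rw-/rwx SM=PRV DefaultMallocZone_0x101e6e000
MALLOC_SMALL (freed) 00000001039b9000-00000001039bb000 [ 8K] rw-/rwx SM=PRV
mapped file 0000000103a05000-0000000103f32000 [ 5300K] rw-/rwx SM=COW /System/Library/Fonts/Helvetica.dfont
MALLOC_TINY (freed) 00007fefe2000000-00007fefe2100000 [ 1024K] rw-/rwx SM=PRV DispatchContinuations_0x101f38000
"""

REGION_RE = re.compile(
    r"^(?P<kind>[A-Za-z_ ]+?)\s*(?P<freed>\(freed\))?\s+"
    r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+\[\s*\S+\]\s+"
    r"(?P<perms>\S+)\s+SM=(?P<sharing>\S+)\s*(?P<detail>.*)$")


def parse_vmmap(text):
    """Turn vmmap region lines into Region tuples with integer [start, end) bounds."""
    regions = []
    for line in text.splitlines():
        m = REGION_RE.match(line)
        if m:
            regions.append(Region(m["kind"].strip(), bool(m["freed"]), int(m["start"], 16),
                                  int(m["end"], 16), m["perms"], m["sharing"], m["detail"].strip()))
    return regions


def attribute(regions, addr):
    """Return the region containing addr, or None if it falls in a gap between regions."""
    for r in regions:
        if r.start <= addr < r.end:
            return r
    return None


def describe(regions, addr):
    """One-line attribution for a pointer seen in a core dump or crash report."""
    r = attribute(regions, addr)
    if r is None:
        return "%#x: not inside any listed writable region" % addr
    flag = " (FREED: a live reference here points at a use-after-free)" if r.freed else ""
    return "%#x: %s%s %s SM=%s %s" % (addr, r.kind, flag, r.perms, r.sharing, r.detail)
```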
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Forthcoming Training: Accelerated Mac OS X Core Dump Analysis
After some thinking I’ve decided to apply the software trace analysis pattern approach to network trace analysis, which lacks a unified pattern language. Here I consider a network trace as essentially a software trace where packet headers represent software trace messages coupled with the associated transmitted data:
Since we have a trace message stream formatted by a network trace visualization tool, we can apply most if not all trace analysis patterns for diagnostics, including software narratology for interpretation, discourse and different representations. We provide a few trivial examples here and more in subsequent parts. The first example is the Discontinuity pattern:
Other similar patterns are No Activity, Truncated Trace and Time Delta. The second example is Anchor Messages:
Additional examples there include the Significant Event and Bifurcation Point patterns. Layered protocols are represented through the Embedded Message pattern (to be described and added to the pattern list soon). Such traces can be filtered for their embedded protocol headers and therefore naturally represent the Adjoint Thread pattern (for a more detailed description of adjoint threads as an extension of multithreading, please see the article What is an Adjoint Thread):
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -