Accelerated Windows Memory Dump Analysis: Training Course Transcript and WinDbg Practice Exercises with Notes, Fourth Edition

Book Description

The full transcript of the Software Diagnostics Services training, with 28 step-by-step exercises, notes, the source code of specially created modelling applications, and more than 100 questions and answers. Covers more than 60 crash dump analysis patterns from x86 and x64 process, kernel, complete (physical), and active memory dumps. Learn how to analyse application, service, and system crashes and freezes, navigate through memory dump space, and diagnose heap corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. The training uses the pattern-oriented analysis approach developed by Software Diagnostics Institute to shorten the learning curve. Prerequisites: basic Windows troubleshooting. Audience: software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers. The 4th edition was fully reworked to use WinDbg 10 and now covers memory dumps from Windows 10 x64. It also includes optional legacy exercises from the previous editions covering Windows Vista and Windows 7.

Table of Contents

  1. Preface
  2. About the Author
  3. Presentation Slides and Transcript
  4. Practice Exercises
    1. Exercise 0: Download, setup and verify your WinDbg installation
    2. Exercise P1: Analysis of a normal application process dump (32-bit notepad)
    3. Exercise P2: Analysis of a normal application process dump (64-bit notepad)
    4. Exercise P3: Analysis of a normal application process dump (64-bit Microsoft Edge)
    5. Exercise P4: Analysis of an application process dump (64-bit ApplicationK, no symbols)
    6. Exercise P5: Analysis of an application process dump (64-bit ApplicationK, with application symbols)
    7. Exercise P6: Analysis of an application process dump (ApplicationL, 32-bit)
    8. Exercise P7: Analysis of an application process dump (ApplicationL, 64-bit)
    9. Exercise P8: Analysis of an application process dump (ApplicationM, 64-bit)
    10. Exercise P9: Analysis of an application process dump (ApplicationN, 64-bit)
    11. Exercise P10: Analysis of an application process dump (ApplicationO, 64-bit)
    12. Exercise P11: Analysis of an application process dump (ApplicationP, 64-bit)
    13. Exercise P12: Analysis of an application process dump (ApplicationR, 32-bit)
    14. Exercise P13: Analysis of an application process dump (ApplicationA, 64-bit)
    15. Exercise P14: Analysis of an application process dump (ApplicationS, 64-bit)
    16. Exercise P15: Analysis of an application process dump (notepad, 32-bit)
    17. Exercise P16: Analysis of an application process dump (notepad, 64-bit)
    18. Exercise P17: Analysis of an application process dump (ApplicationQ, 32-bit)
    19. Exercise K1: Analysis of a normal kernel dump (64-bit)
    20. Exercise K2: Analysis of a kernel dump with pool leak (64-bit)
    21. Exercise K3: Analysis of a kernel dump with pool corruption (64-bit)
    22. Exercise K4: Analysis of a kernel dump with code corruption (64-bit)
    23. Exercise K5: Analysis of a kernel dump with hang I/O (64-bit)
    24. Exercise C1: Analysis of a normal complete dump (64-bit)
    25. Exercise C2: Analysis of a problem complete dump (64-bit)
    26. Exercise C3: Analysis of a problem complete dump (64-bit)
    27. Exercise C4: Analysis of a problem complete dump (64-bit)
    28. Exercise A1: Analysis of a problem active dump (64-bit)
  5. Legacy Exercises
    1. Exercise Legacy.0
    2. Exercise Legacy.P1: Analysis of a normal application process dump (32-bit notepad)
    3. Exercise Legacy.P2: Analysis of a normal application process dump (64-bit notepad)
    4. Exercise Legacy.P3: Analysis of a normal application process dump (32-bit IE)
    5. Exercise Legacy.P4: Analysis of an application process dump (32-bit ApplicationK, no symbols)
    6. Exercise Legacy.P5: Analysis of an application process dump (32-bit ApplicationK, with application symbols)
    7. Exercise Legacy.P6: Analysis of an application process dump (ApplicationL, 32-bit)
    8. Exercise Legacy.P7: Analysis of an application process dump (ApplicationL, 64-bit)
    9. Exercise Legacy.P8: Analysis of an application process dump (ApplicationM, 32-bit)
    10. Exercise Legacy.P9: Analysis of an application process dump (ApplicationN, 64-bit)
    11. Exercise Legacy.P10: Analysis of an application process dump (ApplicationO, 64-bit)
    12. Exercise Legacy.P11: Analysis of an application process dump (ApplicationP, 32-bit)
    13. Exercise Legacy.P13: Analysis of an application process dump (ApplicationA, 32-bit)
    14. Exercise Legacy.P14: Analysis of an application process dump (ApplicationS, 32-bit)
    15. Exercise Legacy.P15: Analysis of an application process dump (notepad, 32-bit)
    16. Exercise Legacy.P16: Analysis of an application process dump (notepad, 64-bit)
    17. Exercise Legacy.P17: Analysis of an application process dump (ApplicationQ, 32-bit)
    18. Exercise Legacy.K1: Analysis of a normal kernel dump (32-bit)
    19. Exercise Legacy.K2: Analysis of a kernel dump with pool leak (32-bit)
    20. Exercise Legacy.K3: Analysis of a kernel dump with pool corruption (32-bit)
    21. Exercise Legacy.K4: Analysis of a kernel dump with code corruption (32-bit)
    22. Exercise Legacy.K5: Analysis of a kernel dump with hang I/O (32-bit)
    23. Exercise Legacy.C1: Analysis of a normal complete dump (32-bit)
    24. Exercise Legacy.C2: Analysis of a problem complete dump (32-bit)
  6. Application Source Code
    1. ApplicationA
    2. ApplicationB
    3. ApplicationC
    4. ApplicationE
    5. ApplicationK
    6. ApplicationL
    7. ApplicationM
    8. ApplicationN
    9. ApplicationO
    10. ApplicationP
    11. ApplicationR
    12. ApplicationS
    13. ApplicationQ
  7. Selected Q&A
  8. Minidump Analysis
    1. Scripts and WinDbg Commands
    2. Component Identification
    3. Raw Stack Data Analysis
    4. Symbols and Images
  9. Wait Chain (Executive Resources)