
Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov


The Design of Memory Dump Analysis: 7 Steps of Highly Successful Analysts

We were recently asked to outline a simple approach to proceed after opening a memory dump. So we came up with these 7 steps:

1. !analyze -v [-hang]

2. Exception (Bugcheck): stack trace analysis with d* and lmv

3. !locks

4. !runaway f (!running)

5. Dump all (processes and) thread stack traces [with 32-bit] ~*kv (!process 0 3f)

6. Search for signs/patterns of abnormal behavior (exceptions, wait chains, message boxes [, from your custom checklist])

7. Narrow analysis down to a specific thread and dump raw stack data if needed [repeat*]

(Commands / options in round brackets denote the kernel/complete dump variation)

[Notes in square brackets denote additional options, ...
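Steps 5 to 7 above scale badly once a process has dozens of threads, so a small script that walks `~*kv` output and flags threads whose frames match the patterns named in step 6 (exceptions, waits, message boxes) is a useful first pass before narrowing down to one thread. This is an added example, not code from the book: the stack listing is constructed to look like abridged 32-bit `~*kv` output (addresses and module names are made up), and the pattern table is an assumption that you would extend with your own checklist.

```python
import re

# Constructed, abridged ~*kv-style listing (not real dump output; values are made up).
SAMPLE_STACKS = """\
.  0  Id: 1a2c.1b30 Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr  Args to Child
0012fe1c 7c90e9c0 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
0012fe20 7c8025db 00000180 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc
0012fe84 01001234 00000180 ffffffff 00000000 kernel32!WaitForSingleObject+0x12
0012ff1c 7c816fd7 00000000 00000000 00000000 app!wmain+0x1a
   1  Id: 1a2c.2204 Suspend: 1 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr  Args to Child
0152fd0c 7c90e9c0 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
0152fd10 7e418734 00000000 00000000 00000000 user32!NtUserWaitMessage+0xc
0152fd38 7e42b1e8 00000000 01003000 01003010 user32!MessageBoxTimeoutW+0x7a
0152fe40 01001560 00000000 01003000 01003010 app!ReportError+0x2c
#  2  Id: 1a2c.0f44 Suspend: 1 Teb: 7ffdd000 Unfrozen
ChildEBP RetAddr  Args to Child
0232f5a8 7c812a5b e06d7363 00000001 00000003 kernel32!RaiseException+0x53
0232f5e0 010025c7 0232f5f8 01003400 00000000 msvcrt!_CxxThrowException+0x4c
0232f610 01001f00 00000000 00000000 00000000 app!Parse+0x47
   3  Id: 1a2c.1c88 Suspend: 1 Teb: 7ffdc000 Unfrozen
ChildEBP CRetAddr  Args to Child
0312ff1c 7c90e9c0 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
0312ff20 7c8023ed 00000000 0312ff74 00000000 ntdll!NtDelayExecution+0xc
0312ff80 01001a10 000003e8 00000000 00000000 kernel32!Sleep+0xf
0312ffb4 7c80b729 00000000 00000000 00000000 app!WorkerThread+0x10
"""

# Assumed step-6 checklist: label -> regex matched against each frame symbol.
PATTERNS = {
    "exception": re.compile(r"KiUserExceptionDispatcher|RaiseException|RtlDispatchException", re.I),
    "wait": re.compile(r"WaitForSingleObject|WaitForMultipleObjects|NtWaitFor|RtlEnterCriticalSection", re.I),
    "message box": re.compile(r"MessageBox", re.I),
}

# Thread header, e.g. ".  0  Id: 1a2c.1b30 ..." or "#  2  Id: ..." ('#' marks the faulting thread).
THREAD_HEADER = re.compile(r"^[.#\s]*(\d+)\s+Id:\s*([0-9a-f]+)\.([0-9a-f]+)", re.I)

def parse_threads(text):
    """Return {thread_index: [symbol, ...]} with module!function+offset per frame."""
    threads, current = {}, None
    for line in text.splitlines():
        m = THREAD_HEADER.match(line)
        if m:
            current = int(m.group(1))
            threads[current] = []
            continue
        sym = next((t for t in line.split() if "!" in t), None)  # skip column headers
        if current is not None and sym:
            threads[current].append(sym)
    return threads

def flag_threads(text):
    """Return {thread_index: sorted labels} for threads matching any pattern."""
    findings = {}
    for idx, frames in parse_threads(text).items():
        hits = sorted(label for label, rx in PATTERNS.items() if any(rx.search(f) for f in frames))
        if hits:
            findings[idx] = hits
    return findings
```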
