• Home

  • Documents

  • Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices
25
Software Trace and Memory Dump Analysis Presenter: Dmitry Vostokov Memory Dump Analysis Services

Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Embed Size (px)

Citation preview

Page 1: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Software Trace and Memory Dump Analysis

Presenter: Dmitry Vostokov Memory Dump Analysis Services

Page 2: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Prerequisites

Experience in software troubleshooting and reading software logs

Advantage: Citrix CDF and

Microsoft ETW trace analysis including Process Monitor logs

© 2011 Memory Dump Analysis Services

Page 3: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Agenda Memory Dump Analysis Services Root Cause Analysis Methodology Software Traces and Memory Dumps Examples

© 2011 Memory Dump Analysis Services

Page 4: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

MDA Services Memory Dump Analysis Audit Software Trace Analysis Audit (New) Software Error Reporting Audit Remote Training Debugging Bureau Tool Objects and EasyDbg

Powered by DA+TA DumpAnalysis.org + TraceAnaysis.org

© 2011 Memory Dump Analysis Services

http://www.dumpanalysis.org/
http://www.traceanalysis.org/
Page 5: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

A.C.P. Root Cause Analysis

© 2011 Memory Dump Analysis Services

Artifacts

Checklists

Patterns

Checklists and patterns as best practices

Iterative and Incremental

Page 6: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

DA+TA DA: Dump Artifact / Dump Analysis Memory snapshots: process, kernel, physical memory dumps

TA: Trace Artifact / Trace Analysis Software traces: Event Tracing for Windows, logs

© 2011 Memory Dump Analysis Services

Page 7: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Spatiality vs. Narrativity

© 2011 Memory Dump Analysis Services

Narrativity

Spartiality

SoftwareTrace

Memory Dump

Software trace as software narrative, the story of a computation

Page 8: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Tools for Artifact Analysis Memory dumps:

WinDbg from Debugging Tools for Windows Notepad (textual debugger logs)

Software traces:

CDFAnalyzer* / CDFControl from Citrix Process Monitor* from Microsoft * supports adjoint threads

© 2011 Memory Dump Analysis Services

Page 9: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Checklists for Analysis Memory dumps:

http://www.dumpanalysis.org/blog/index.php/2007/06/20/crash-dump-analysis-checklist/

Software traces:

http://www.dumpanalysis.org/blog/index.php/2011/03/10/software-trace-analysis-checklist/

© 2011 Memory Dump Analysis Services

http://www.dumpanalysis.org/blog/index.php/2007/06/20/crash-dump-analysis-checklist/
http://www.dumpanalysis.org/blog/index.php/2007/06/20/crash-dump-analysis-checklist/
http://www.dumpanalysis.org/blog/index.php/2011/03/10/software-trace-analysis-checklist/
http://www.dumpanalysis.org/blog/index.php/2011/03/10/software-trace-analysis-checklist/
Page 10: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Software Behavior Patterns Memory dump and software trace Examples: Spiking Thread, Discontinuity +200 patterns (DA+TA) DumpAnalysis.org

© 2011 Memory Dump Analysis Services

http://www.dumpanalysis.org/blog/index.php/2007/05/11/crash-dump-analysis-patterns-part-14/
http://www.dumpanalysis.org/blog/index.php/2009/08/04/trace-analysis-patterns-part-8/
http://www.dumpanalysis.org/
Page 11: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

DA: Software Behavior

Memory dump: a memory snapshot Definition, partial classification and

historical list Pattern identification case studies

© 2011 Memory Dump Analysis Services

http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/pattern-cooperation/
Page 12: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

TA: Software Behavior

“Imagine you got a software trace from hundreds of modules you haven’t written or haven’t seen source code of...”

Software trace: a sequence of memory fragments ordered in time

Definition, and historical list Pattern identification case studies

© 2011 Memory Dump Analysis Services

http://www.dumpanalysis.org/blog/index.php/trace-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/pattern-cooperation/
Page 13: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

CDFAnalyzer Filters

© 2011 Memory Dump Analysis Services

Page 14: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Threads Time

# PID TID Time Message

Time

# PID TID Time Message

© 2011 Memory Dump Analysis Services

Page 15: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Adjoint Threads

© 2011 Memory Dump Analysis Services

Time

# PID TID Time Message

Time

# PID TID Time Message (ATID)

Page 16: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Significant Event csrss.exe winlogon.exe LogonUI.exe userinit.exe …

Custom events: CDFMarker

© 2011 Memory Dump Analysis Services

Time

# PID TID Time Message

Page 17: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Discontinuity

© 2011 Memory Dump Analysis Services

… 14:23:02.146 14:23:02.345 14:31:10.254 14:31:10.341 …

Time

# PID TID Time Message

Page 18: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

No Activity Expecting messages from Module X Absence of such messages may

suggest that a process or a thread was hang / blocked

© 2011 Memory Dump Analysis Services

Page 19: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Guest Component Sudden appearance of an unexpected

module, for example, werfault.exe or faultrep.dll

© 2011 Memory Dump Analysis Services

Page 20: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Statement Current The flood of messages

Normal case: 15 msg/s Abnormal case: 3500 msg/s

May point to a CPU spike

© 2011 Memory Dump Analysis Services

Page 21: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Resources DumpAnalysis.org Pattern-Driven Memory Dump Analysis Memory Dump and Trace Analysis: A Unified Pattern Approach Introduction to Pattern-Driven Software Problem Solving Advanced Software Debugging Reference:

OpenTask publishes this talk with extra case studies (ISBN: 978-1908043238)

© 2011 Memory Dump Analysis Services

http://www.dumpanalysis.org/
http://community.citrix.com/blogs/citrite/dmitryv
http://www.debuggingexperts.com/memory-dump-trace-analysis-unified-pattern-approach
http://www.dumpanalysis.com/PDSPSI-materials
http://www.forensicanalysis.org/advanced-software-debugging-reference
http://www.opentask.com/
http://www.dumpanalysis.org/Memory+Dump+Analysis+Anthology+Volume+1
http://www.dumpanalysis.org/Forthcoming+Memory+Dump+Analysis+Anthology+Volume+2
http://www.dumpanalysis.org/Memory+Dump+Analysis+Anthology+Volume+3
http://www.dumpanalysis.org/Memory+Dump+Analysis+Anthology+Volume+4
http://www.dumpanalysis.org/Memory+Dump+Analysis+Anthology+Volume+5
Page 22: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

More Resources August remote training season: Accelerated Windows Memory Dump Analysis Complete Physical Memory Dump Analysis

Visit Memory Dump Analysis Services for registration details:

www.DumpAnalysis.com

© 2011 Memory Dump Analysis Services

http://www.dumpanalysis.com/
http://www.dumpanalysis.com/
http://www.dumpanalysis.com/
Page 23: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Free Summer Webinars The Old New Crash: Cloud Memory Dump

Analysis (June 6th) Cyber Warfare Memory Dump Analysis

(forthcoming in July-August)

Visit Memory Dump Analysis Services for registration details:

www.DumpAnalysis.com

© 2011 Memory Dump Analysis Services

http://www.dumpanalysis.com/
http://www.dumpanalysis.com/
http://www.dumpanalysis.com/
Page 24: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Q&A

Please send your feedback using the contact form on DumpAnalysis.com

© 2011 Memory Dump Analysis Services

http://www.dumpanalysis.com/contact
http://www.dumpanalysis.com/contact
Page 25: Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Thank you!

© 2011 Memory Dump Analysis Services

Join DA+TA Facebook Group

http://www.facebook.com/group.php?gid=95282722070

10. VARIATION OF TRACE FOSSILS AND …...Analysis of the incidence and relative abundance of trace fossils in sediments from the eastern equatorial Pacific Ocean reveals distinct patterns

10. VARIATION OF TRACE FOSSILS AND …...Analysis of the incidence and relative abundance of trace fossils in sediments from the eastern equatorial Pacific Ocean reveals distinct patterns

Documents
Implementing Cisco Network Security fileMicrosoft Exams List 70-246 Dump PDF VCE 70-485 Dump PDF VCE 70-742 Dump PDF VCE 98-366 Dump PDF VCE 70-247 Dump PDF VCE 70-486 Dump PDF VCE

Implementing Cisco Network Security fileMicrosoft Exams List 70-246 Dump PDF VCE 70-485 Dump PDF VCE 70-742 Dump PDF VCE 98-366 Dump PDF VCE 70-247 Dump PDF VCE 70-486 Dump PDF VCE

Documents
Compatibility Testing using Patterns-based Trace Comparison

Compatibility Testing using Patterns-based Trace Comparison

Software
Handwriting-Patterns-Playbooks New/Handwritin… · A pattern that’s just for you! Decorate the T-shirt with a mixture of these patterns and create your own unique design. Trace

Handwriting-Patterns-Playbooks New/Handwritin… · A pattern that’s just for you! Decorate the T-shirt with a mixture of these patterns and create your own unique design. Trace

Documents
Parametric Dump

Parametric Dump

Documents
Compaq Visual Fortran Error Messages - XLsoft.comjp.xlsoft.com/documents/intel/cvf/cvf_rter.pdf · 2018-08-09 · lA hexadecimal dump of the call stack (program counter trace) is

Compaq Visual Fortran Error Messages - XLsoft.comjp.xlsoft.com/documents/intel/cvf/cvf_rter.pdf · 2018-08-09 · lA hexadecimal dump of the call stack (program counter trace) is

Documents
Microsoft...Microsoft Exams List 70-246 Dump PDF VCE 70-485 Dump PDF VCE 70-742 Dump PDF VCE 98-366 Dump PDF VCE 70-247 Dump PDF VCE 70-486 Dump PDF VCE 70-743 Dump PDF VCE 98-367

Microsoft...Microsoft Exams List 70-246 Dump PDF VCE 70-485 Dump PDF VCE 70-742 Dump PDF VCE 98-366 Dump PDF VCE 70-247 Dump PDF VCE 70-486 Dump PDF VCE 70-743 Dump PDF VCE 98-367

Documents
Software Trace Analysis · 2020-02-19 · Software Trace Analysis Dmitry Vostokov Software Diagnostics Services Revised Version Part 1: Fundamentals and Basic Patterns

Software Trace Analysis · 2020-02-19 · Software Trace Analysis Dmitry Vostokov Software Diagnostics Services Revised Version Part 1: Fundamentals and Basic Patterns

Documents
Dump Series Debris Dump FINAL - Wil-Ro Truck Bodies · 2021. 1. 7. · DEBRIS DUMP BODY MANUAL TARP PINTLE HOOK HITCH FOLD-DOWN SIDES DUMP SERIES DEBRIS DUMP HEAVY DUTY DUMP BOARD

Dump Series Debris Dump FINAL - Wil-Ro Truck Bodies · 2021. 1. 7. · DEBRIS DUMP BODY MANUAL TARP PINTLE HOOK HITCH FOLD-DOWN SIDES DUMP SERIES DEBRIS DUMP HEAVY DUTY DUMP BOARD

Documents
dump Body & Dump Hoist Installation And ... - DownEasterdowneastermfg.com/wp-content/uploads/2015/07/Dump-Body-Dump-Hoist...INSTALLATION AND OPERATION MANUAL ... which may lead to

dump Body & Dump Hoist Installation And ... - DownEasterdowneastermfg.com/wp-content/uploads/2015/07/Dump-Body-Dump-Hoist...INSTALLATION AND OPERATION MANUAL ... which may lead to

Documents
MAINTANACE ARIA IP - 60 Anton Hattingh. System Monitoring Trace (Device, Board) Other (Memory Dump/Modification, STA/CO Status) System Maintenance/Diagnostic

MAINTANACE ARIA IP - 60 Anton Hattingh. System Monitoring Trace (Device, Board) Other (Memory Dump/Modification, STA/CO Status) System Maintenance/Diagnostic

Documents
Memory Dump Analysis Anthology · Memory Dump Analysis Anthology ... 452 A Bug in a Bag (Collections, Ex-hi-bit 1) ... RPC, LPC and ALPC Patterns and Case Studies

Memory Dump Analysis Anthology · Memory Dump Analysis Anthology ... 452 A Bug in a Bag (Collections, Ex-hi-bit 1) ... RPC, LPC and ALPC Patterns and Case Studies

Documents
Sifting through the ASHes - Oracle · yASH report yEM Diagnostic Pack. Dumping ASH to file >oradebug setmypid >oradebug dump ashdump 10 >alter session set events 'immediate trace

Sifting through the ASHes - Oracle · yASH report yEM Diagnostic Pack. Dumping ASH to file >oradebug setmypid >oradebug dump ashdump 10 >alter session set events 'immediate trace

Documents
Spatial and temporal patterns in trace element deposition ... · Supporting Online Material for: Spatial and temporal patterns in trace element deposition in the Athabasca oil sands

Spatial and temporal patterns in trace element deposition ... · Supporting Online Material for: Spatial and temporal patterns in trace element deposition in the Athabasca oil sands

Documents
Huawei Dump

Huawei Dump

Documents
Encyclopedia of Crash Dump Analysis Patterns Second · PDF fileEncyclopedia of Crash Dump Analysis Patterns Second Edition ... Region 557 Reserved Virtual ... Encyclopedia of Crash

Encyclopedia of Crash Dump Analysis Patterns Second · PDF fileEncyclopedia of Crash Dump Analysis Patterns Second Edition ... Region 557 Reserved Virtual ... Encyclopedia of Crash

Documents
Waste Dump

Waste Dump

Documents
Trace Element Patterns in Otoliths: The Role of

Trace Element Patterns in Otoliths: The Role of

Documents
DISTRIBUTION PATTERNS OF TRACE METALS IN SOILS OF …ijs.oauife.edu.ng/wp-content/uploads/2013/06/Adesiyan-et-al-12.pdfIfe Journal of Science vol. 20, no. 3 (2018) DISTRIBUTION PATTERNS

DISTRIBUTION PATTERNS OF TRACE METALS IN SOILS OF …ijs.oauife.edu.ng/wp-content/uploads/2013/06/Adesiyan-et-al-12.pdfIfe Journal of Science vol. 20, no. 3 (2018) DISTRIBUTION PATTERNS

Documents
Dmitry Vostokov Software Diagnostics Services...Memory Analysis Patterns: Unloaded Module, Memory Leak (process heap), Abnormal Value (from trace analysis patterns) Debugging Implementation

Dmitry Vostokov Software Diagnostics Services...Memory Analysis Patterns: Unloaded Module, Memory Leak (process heap), Abnormal Value (from trace analysis patterns) Debugging Implementation

Documents
Automatic trace analysis with Scalasca · Automatic trace analysis • Idea – Automatic search for patterns of inefficient behavior – Classification of behavior & quantification

Automatic trace analysis with Scalasca · Automatic trace analysis • Idea – Automatic search for patterns of inefficient behavior – Classification of behavior & quantification

Documents
SACRAMENTO COUNTY LEA CASE STUDIES WARING’S DUMP OBIE’S DUMP

SACRAMENTO COUNTY LEA CASE STUDIES WARING’S DUMP OBIE’S DUMP

Documents
JacquelynneSteves€¦ · JacquelynneSteves.com Free Pattern- Commercial Use Prohibited Copyright JacquelynneSteves- All rights reserved. 2 Trace the appliqué patterns onto paper

JacquelynneSteves€¦ · JacquelynneSteves.com Free Pattern- Commercial Use Prohibited Copyright JacquelynneSteves- All rights reserved. 2 Trace the appliqué patterns onto paper

Documents
Dump Truck

Dump Truck

Documents
Software Trace and Memory Dump Analysis

Software Trace and Memory Dump Analysis

Documents
SAP HANA Security Checklists and Recommendations · PDF file2.6 Recommendations for Trace and Dump Files ... SAP HANA Security Checklists and Recommendations SAP HANA Security Checklists

SAP HANA Security Checklists and Recommendations · PDF file2.6 Recommendations for Trace and Dump Files ... SAP HANA Security Checklists and Recommendations SAP HANA Security Checklists

Documents
Contamination by trace metals (ETM) assessment of the plants populating the dump mining Zaida (High Moulouya, Morocco)

Contamination by trace metals (ETM) assessment of the plants populating the dump mining Zaida (High Moulouya, Morocco)

Science
Theoretical Software Diagnostics · Introduction to Software Trace Analysis Patterns opened the thread of trace and log analysis patterns. There are more than 130 such patterns at

Theoretical Software Diagnostics · Introduction to Software Trace Analysis Patterns opened the thread of trace and log analysis patterns. There are more than 130 such patterns at

Documents
Microsofttestdumps.com/killtest/2017-download-free-Microsoft-77-420-dump… · 70-684 Dump PDF VCE 77-882 Dump PDF VCE MB5-705 Dump PDF VCE 70-463 Dump PDF VCE 70-685 Dump PDF VCE

Microsofttestdumps.com/killtest/2017-download-free-Microsoft-77-420-dump… · 70-684 Dump PDF VCE 77-882 Dump PDF VCE MB5-705 Dump PDF VCE 70-463 Dump PDF VCE 70-685 Dump PDF VCE

Documents
Software Narratology - patterndiagnostics.comSoftware Trace Patterns and Narremes Software Post-construction Narrative ... Software Trace and Memory Dump Analysis: Patterns, Tools,

Software Narratology - patterndiagnostics.comSoftware Trace Patterns and Narremes Software Post-construction Narrative ... Software Trace and Memory Dump Analysis: Patterns, Tools,

Documents