Memory Dump Analysis Anthology - P18 (document excerpt)

Document details: 30 pages, 1.12 MB.


What is a Software Defect? 511

WHAT IS A SOFTWARE DEFECT?

Software can be considered as a model of a real or imagined system, which may itself be a model. Any modeling act involves a mapping between a system and a model that preserves causal, ordering and inclusion relationships, and a mapping from the model back to the system that translates emerging relationships and causal structures back to that system. The latter I call modeling expectations, and any observed deviations in structure and behavior between the model and the system I call software defects, which can be functional failures, error messages, crashes or hangs (bold line on the diagrams below):

[Diagram: Real or Imagined System (or Model) <-> Software Model]

Consider ATM software as a venerable example. It models an imagined world of ATM transactions, which we call ATM software requirements. The latter specify ACID (atomic, consistent, isolated and durable) transaction rules. If they are broken by the written software we have a defect:

[Diagram: ATM software]

What are software requirements? They are models of real or imagined systems, or they can be models of past causal and relationship experiences. If the requirements are wrong they do not translate back, and we still consider the software as having a defect:


[Diagram: Real System or Causal Experiences <-> Model]

Translating this to the ATM example we have:

[Diagram: User expectations based on fair trading experience -> ATM software requirements model -> ATM software]

Another example, where the perceived absence of failures can be considered a defect, is a program designed to model memory leaks that might not be leaking due to a defect in its source code.


PART 6: FUN WITH CRASH DUMPS

Dump Analysis and Voice Recognition 513

DUMP ANALYSIS AND VOICE RECOGNITION

“Being so tired of typing endless !analyze -v, one day an idea came to me about using Voice Recognition.

Taking advantage of spending 7 years in that field starting from 1992 and being the architect and designer/developer of the first pioneer speech recognition systems on Windows platforms (if you remember Covox and Voice Blaster - I was an employee there), VoiceMouse, JustVoice, SpeakingMouse, and recently my own project OpenTask, I seriously consider using this for Dump Analysis.

More later…”

This was my first blog post ever and now you are reading this book!


SENDING SMS MESSAGES VIA DUMPS

The SystemDump tool (page 646) allows you to crash a computer and embed a message in the resulting memory dump. Dump files are becoming a universal medium of discourse between customers and support personnel.


WinDbg as a Big Calculator 515

WINDBG AS A BIG CALCULATOR

I noticed one engineer frequently switching between WinDbg and Calc. Now we can forget about using calc.exe during debugging sessions and save valuable time. In other words, we no longer need to multiprocess. We can use the ? and .formats commands:

Time: Thu Jan 01 00:00:04 1970
Float: low 5.60519e-045 high 0
Double: 1.97626e-323

Now we can do our finance calculations in WinDbg too.

The WinDbg Way!
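As an added example (mine, not code from the book or from WinDbg), here is a small Python reimplementation of the two commands above: a MASM-style expression evaluator standing in for ? and the value interpretations that .formats prints. The function names masm_eval, formats and format_like_windbg are my own, and the time column is rendered in UTC by my choice. Run on the value 4 it reproduces the Time, Float and Double lines shown above, and it also demonstrates the point that catches people coming from calc.exe: in WinDbg's default MASM syntax a bare number is hexadecimal, so 10+10 evaluates to 0x20, and decimal input needs the 0n prefix.

```python
import ast
import operator
import re
import struct
from datetime import datetime, timezone

# MASM expression syntax (WinDbg's default): a bare number is hex, 0n<digits>
# is decimal and 0x<digits> is also accepted. Only literals and arithmetic /
# bitwise operators are handled here; registers and symbols are out of scope.
_NUMBER = re.compile(r"0n\d+|0x[0-9A-Fa-f]+|[0-9A-Fa-f]+")

_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.floordiv,            # integer division, as in the debugger
    ast.Mod: operator.mod,
    ast.BitAnd: operator.and_, ast.BitOr: operator.or_, ast.BitXor: operator.xor,
    ast.LShift: operator.lshift, ast.RShift: operator.rshift,
}


def _literal_to_decimal(match):
    """Rewrite one MASM number literal as a plain decimal literal."""
    tok = match.group(0)
    if tok.startswith("0n"):
        return str(int(tok[2:], 10))
    if tok.lower().startswith("0x"):
        return str(int(tok[2:], 16))
    return str(int(tok, 16))


def _eval_node(node):
    """Evaluate a restricted Python AST: integer literals and binary/unary ops only."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand)
    raise ValueError("unsupported expression element: %s" % type(node).__name__)


def masm_eval(expr):
    """Evaluate an expression the way the WinDbg ? command does in MASM mode."""
    decimalised = _NUMBER.sub(_literal_to_decimal, expr)
    return _eval_node(ast.parse(decimalised, mode="eval"))


def formats(value, width=64):
    """Interpret an integer the way .formats does, for a 32- or 64-bit register width."""
    if width not in (32, 64):
        raise ValueError("width must be 32 or 64")
    v = value & ((1 << width) - 1)
    raw = v.to_bytes(width // 8, "little")
    low, high = v & 0xFFFFFFFF, (v >> 32) & 0xFFFFFFFF
    return {
        "hex": "%08x`%08x" % (high, low) if width == 64 else "%08x" % v,  # high`low form
        "decimal": v,
        "signed": int.from_bytes(raw, "little", signed=True),
        "octal": "%o" % v,
        "binary": format(v, "0%db" % width),
        "chars": "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw),  # dots for non-printables
        "time": datetime.fromtimestamp(low, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y"),
        # Float reinterprets each 32-bit half; Double reinterprets the whole 64-bit pattern
        "float_low": struct.unpack("<f", struct.pack("<I", low))[0],
        "float_high": struct.unpack("<f", struct.pack("<I", high))[0],
        "double": struct.unpack("<d", struct.pack("<Q", v))[0],
    }


def format_like_windbg(expr):
    """Evaluate expr and render the .formats-style listing for the result."""
    f = formats(masm_eval(expr))
    return "\n".join([
        "  Hex:     %s" % f["hex"],
        "  Decimal: %d" % f["decimal"],
        "  Octal:   %s" % f["octal"],
        "  Binary:  %s" % f["binary"],
        "  Chars:   %s" % f["chars"],
        "  Time:    %s" % f["time"],
        "  Float:   low %g high %g" % (f["float_low"], f["float_high"]),
        "  Double:  %g" % f["double"],
    ])


if __name__ == "__main__":
    print(format_like_windbg("2*2"))
```

The float and double values come out as 5.60519e-45 and 1.97626e-323, the same numbers as in the listing above; only the exponent padding differs, because Python prints e-45 where the Windows C runtime prints e-045.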


DUMPS, DEBUGGERS AND VIRTUALIZATION

Everyone now speaks about virtualization and its benefits. New horizons spring up here and there. I would like to add my 2 cents from the memory dump analysis and debugging perspective. There will be more complex debugging environments, as my recent experience with WOW64 tells me:


A “Debugger” to debug the “Virtualization layer”
A “Debugger plugin” to help the “Debugger” understand the “Subject of virtualization”
Various virtualized “debuggers” debugging their virtualized subjects


MUSICAL DUMPS

After listening to “An Anthology of Noise and Electronic Music” and remembering that a long time ago I was asked to convert stock charts into sound waves, an idea came to me to convert memory dump files into WAV files by putting an appropriate header in front of them. So, depending on the imposed sampling frequency (Hz), quantization level (bits) and mono/stereo settings, we can enjoy listening to memory dumps.


Debugging the Debugger 519

DEBUGGING THE DEBUGGER

Is it possible to debug a debugger when it debugs a debuggee? Good question. I never asked it of myself until today, and then tried. And it works! First I tried to attach WinDbg.exe to an instance of WinDbg.exe executing the !analyze -v command and got:

00ac44fc 0301e452 dbghelp!diaGetGlobals+0x8fe
00ac4524 0304967a dbghelp!diaGetSymbols+0x42
00ac453c 03045ca3 dbghelp!diaEnumSymbols+0x1a
00ac4554 03031e5a dbghelp!modEnumSymbols+0x43
00ac459c 030338a5 dbghelp!ModLoop+0x10a
00ac6570 030391d8 dbghelp!EnumSymbols+0x155
00ac65a0 0220947b dbghelp!SymEnumSymbolsW+0x48
00ac7600 0220a53d dbgeng!FindTypeInfoInMod+0x18b
00aca5cc 0220caa2 dbgeng!TypeInfoFound+0xced
00acd458 021415a2 dbgeng!ExtensionInfo::Call+0x129
00acd474 0213feb1 dbgeng!ExtensionInfo::CallAny+0x72
00acdee8 010283bf dbgeng!DebugClient::ExecuteWide+0x6a
00acdf88 0102883b windbg!ProcessCommand+0xff
00acffa4 0102aabc windbg!ProcessEngineCommands+0x8b
00acffb8 77e6608b windbg!EngineLoop+0x3dc

Next I thought, wait a moment, we are debugging the crash dump analysis session. Can we debug a debugger debugging a running process? So I attached WinDbg.exe to an instance of WinDbg.exe attached to an instance of notepad.exe and got these:

00adff10 77e6bad8 ntdll!NtWaitForSingleObject+0xc
00adff80 020bf8aa kernel32!WaitForSingleObjectEx+0xac

Given that many functions from dbghelp.dll and dbgeng.dll are described in the WinDbg help, we can quickly reverse engineer WinDbg.exe and its extensions to understand their mechanics from a high-level perspective.


Musical Dumps: Dump2Wave 521

MUSICAL DUMPS: DUMP2WAVE

The Dump2Wave command line tool is available for free download at

http://www.dumpanalysis.org/downloads/Dump2Wave.zip

Simply run it from the command prompt and specify full paths to a dump file and an output WAV file. The dump file will be converted by default into a 44.1KHz 16-bit stereo WAV file (CD quality). We can also specify our own conversion parameters: samples per second (22050, 11025, etc.), bits per sample (8 or 16) and the number of channels (1 - mono, 2 - stereo):

For example, I converted sndrec32.dmp to sndrec32.wav:

The dump was taken after sndrec32.exe played the “Windows XP Logon Sound.wav” file from the \Windows\Media folder; that wave file was originally sampled at 22050Hz 16-bit stereo. By listening to sndrec32.dmp I was able to hear a fragment of that logon sound, because it was stored in a buffer inside the sndrec32.exe process.

Note: Dump2Wave will not convert a dump file greater than 4 GB (the size fields in a RIFF/WAVE header are 32-bit, so a standard WAV file cannot describe a larger payload).


DUMP TOMOGRAPHY

There is an idea to interpret a process or a system dump as a picture (similar to interpreting it as a giant wave file with Dump2Wave:

http://www.dumpanalysis.org/forum/viewtopic.php?t=41

I would like to extend this idea and present it as Dump Tomography: a combination of images taken from a dump when looking at it from different perspectives, for example, memory, resources and subsystem hierarchy.

Dump Analysis becomes both Medicine and Art. We can finally hear how corruption sounds and see how it looks.


The Smallest Program 523

THE SMALLEST PROGRAM

Can the smallest program that crashes be smaller than the smallest program that doesn't? It depends on the platform and the compiler/linker set. I chose x64 and MASM64 for my experiments. The smallest working program I came up with first was this:

; ml64 /Zi TheSmallestProgram64.asm /link

Then I thought about removing the ret instruction and supposed that if we compile and link and try to execute a program with 0 bytes, we get straight to an int 3 instruction, and in my case (I had NTSD set as the default postmortem debugger) a dump would be saved. So I did that, but I found that unfortunately the compiler inserts a ret instruction if the procedure body is empty. So I cheated by putting in a nop instruction (which is also one byte) and got my dump!

; ml64 /Zi TheSmallestProgramWithBug64.asm /link


Loading Dump File [new_2006-10-25_12-40-06-500_076C.dmp]

So here is one answer to my question: the smallest working program and the smallest crashing program have the same size, unless we use some binary editors.

Then I tried MS Visual C++ (this time a 32-bit project) and came up with the following C or C++ program without any prolog and epilog code:

__declspec(naked) void Main ()
{
}

I changed the entry point from the standard main function to my own capitalized Main function, and here were my compiler/linker options:

Compiler:
/Od /GL /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /D "_AFXDLL"


The Smallest Program 525

The program crashed immediately because the body was empty:

Loading Dump File [new_2006-10-25_15-18-03-109_13B0.dmp]

0:000> u Main
SmallestProgram!Main:
00401000 cc int 3
00401001 0000 add byte ptr [eax],al
00401003 0000 add byte ptr [eax],al
00401005 0000 add byte ptr [eax],al
00401007 0000 add byte ptr [eax],al
00401009 0000 add byte ptr [eax],al
0040100b 0000 add byte ptr [eax],al
0040100d 0000 add byte ptr [eax],al

So here is another answer to my question: the smallest crashing program can be smaller than the smallest working program, and is actually 0 bytes.


VOICES FROM PROCESS SPACE

Following the release of the Dump2Wave tool (page 521), some members of the Citrix community have been asking me to provide some interesting sound fragments from dump files. I was also particularly interested in catching voices from the past: embedded fragments of human voice. So I recorded my “Hello” message, played it with Media Player and then saved a process dump. Then I converted the dump to a CD-quality wave file and saved interesting sound fragments from it (to conserve space - the original wave file was


Voices from Process Space 527

horn

some interesting noise and fragments of electronic music

Of course, we can convert kernel memory dumps to wave files and hear voices from kernel space too…


CRASH DUMP ANALYSIS CARD

I have been thinking for a while about what kind of useful marketing card I should have, and finally came up with the following design:

Front

Backside

I put the most used commands (at least for me) on it and hope the backside of this card will be useful. If you see me in person you have a chance to get this card (it is blue) in hardcopy.


Listening to Computer Memory 529

LISTENING TO COMPUTER MEMORY

An alternative to converting whole memory dumps to sound files is to save a memory range to a binary file and then convert that to a wave file. The latter is better for complete memory dumps, which can be several GB in size.

To save a memory range to a file we can use the WinDbg .writemem command:

.writemem d2w-range.bin 00400000 00433000

or

.writemem d2w-range.bin 00400000 L200

I wrote a WinDbg script that saves a specified memory range and then calls a shell script, which automatically converts the saved binary file to a wave file and then runs whatever sound program is registered for the .wav extension. On many systems it is Microsoft Media Player.

The WinDbg script code (memsounds.txt):

.writemem d2w-range.bin ${$arg1} ${$arg2}

The shell script (memsounds.cmd):

dump2wave %1.bin %1.wav %2 %3 %4
%1.wav


Because the WinDbg installation folder is assumed to be the default directory for both scripts and Dump2Wave.exe, they should be copied to the same folder where windbg.exe is located. On my system it is

C:\Program Files\Debugging Tools for Windows

Both scripts are included in the Dump2Wave package available for free download at:

http://www.dumpanalysis.org/downloads/Dump2Wave.zip

To call the script from WinDbg we can use the following command:

$$>a< memsounds.txt Range [Freq] [Bits] [Channels]

where Range can be in Address1 Address2 or Address Lxxx format, Freq can be 44100, 22050, 11025 or 8000, Bits can be 8 or 16, and Channels can be 1 or 2. The defaults are 44100, 16, 2.

If we have a live debugging session or have loaded a crash dump, we can listen to a memory range immediately. For example, the range of memory from 00400000 to 00433000 interpreted as 44.1KHz 16-bit stereo:

C:\Program Files\Debugging Tools for Windows>d2w-range.wav
.shell: Process exited
0:000>

or the same range interpreted as 8KHz 8-bit mono:

0:000> $$>a< memsounds.txt 00400000 00433000 8000 8 1


Listening to Computer Memory 531

C:\Program Files\Debugging Tools for Windows>dump2wave range.bin
C:\Program Files\Debugging Tools for Windows>d2w-range.wav
.shell: Process exited
0:000>

The script starts Windows Media Player on my system, and I only need to push the play button to start listening.
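As an added example that is neither the book's code nor the Dump2Wave package, here is a Python version of the conversion that both Dump2Wave (page 521) and the memsounds script rely on: a canonical 44-byte RIFF/WAVE header is built for the requested sample rate, bits per sample and channel count, and written in front of the raw bytes, whether those come from a whole dump file or from a range saved with .writemem. The function names (wav_header, wav_bytes, dump2wave, wav_info) are my own. Building the header by hand also makes the 4 GB limit visible: every size field in a RIFF header is an unsigned 32-bit integer, so an oversized payload is rejected rather than written with a wrapped size, and the data length is trimmed to whole sample frames, which players expect.

```python
import os
import struct

RIFF_HEADER_LEN = 44          # RIFF chunk header + "fmt " chunk + "data" chunk header
RIFF_SIZE_LIMIT = 0xFFFFFFFF  # RIFF/WAVE size fields are 32-bit: the 4 GB ceiling
_HEADER_FMT = "<4sI4s4sIHHIIHH4sI"


def wav_header(data_len, rate=44100, bits=16, channels=2):
    """Return the 44-byte PCM header describing data_len bytes of raw samples."""
    if rate <= 0:
        raise ValueError("sample rate must be positive")
    if bits not in (8, 16):
        raise ValueError("bits per sample must be 8 or 16")
    if channels not in (1, 2):
        raise ValueError("channels must be 1 (mono) or 2 (stereo)")
    block_align = channels * bits // 8          # bytes per sample frame
    data_len -= data_len % block_align          # keep only whole frames
    riff_size = RIFF_HEADER_LEN - 8 + data_len  # everything after "RIFF" + size
    if riff_size > RIFF_SIZE_LIMIT:
        raise ValueError("payload too large for a RIFF chunk (over 4 GB)")
    # 8-bit PCM is unsigned and 16-bit PCM is signed; for dump bytes that only
    # changes how the same bits are heard, so no conversion is done here.
    return struct.pack(
        _HEADER_FMT,
        b"RIFF", riff_size, b"WAVE",
        b"fmt ", 16,            # plain PCM fmt chunk is 16 bytes long
        1,                      # wFormatTag = WAVE_FORMAT_PCM
        channels, rate,
        rate * block_align,     # average bytes per second
        block_align, bits,
        b"data", data_len,
    )


def wav_bytes(raw, rate=44100, bits=16, channels=2):
    """In-memory conversion: header followed by raw bytes trimmed to whole frames."""
    hdr = wav_header(len(raw), rate, bits, channels)
    data_len = struct.unpack_from("<I", hdr, 40)[0]
    return hdr + raw[:data_len]


def dump2wave(src_path, dst_path, rate=44100, bits=16, channels=2, chunk=1 << 20):
    """File-to-file conversion that streams the dump instead of loading it whole."""
    hdr = wav_header(os.path.getsize(src_path), rate, bits, channels)
    data_len = struct.unpack_from("<I", hdr, 40)[0]
    with open(src_path, "rb") as fin, open(dst_path, "wb") as fout:
        fout.write(hdr)
        remaining = data_len
        while remaining:
            buf = fin.read(min(chunk, remaining))
            if not buf:
                break
            fout.write(buf)
            remaining -= len(buf)
    return data_len


def wav_info(blob):
    """Parse the header back so a converted file can be sanity-checked."""
    (riff, _riff_size, wave, fmt, _fmt_len, tag, channels, rate,
     byte_rate, block_align, bits, data, data_len) = struct.unpack_from(_HEADER_FMT, blob, 0)
    if (riff, wave, fmt, data) != (b"RIFF", b"WAVE", b"fmt ", b"data") or tag != 1:
        raise ValueError("not a canonical PCM WAV header")
    return {"rate": rate, "bits": bits, "channels": channels,
            "frames": data_len // block_align, "seconds": data_len / byte_rate}


if __name__ == "__main__":
    import sys
    # usage: python thisfile.py d2w-range.bin d2w-range.wav [rate] [bits] [channels]
    args = sys.argv[1:]
    written = dump2wave(args[0], args[1], *[int(a) for a in args[2:5]])
    print("wrote %d bytes of samples" % written)
```

The same bytes sound different under different parameters for the reason the text gives: the header only tells the player how to cut the byte stream into frames, so 8 kHz 8-bit mono spreads a 0x33000-byte range over about 26 seconds, while 44.1 kHz 16-bit stereo plays it in just over a second.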


VISUALIZING MEMORY DUMPS

As the first step towards Memory Dump Tomography (page 522) I created a small program that interprets a memory dump as a picture. We can visualize crash dumps with it. The tool is available for free download at:

http://www.dumpanalysis.org/downloads/Dump2Picture.zip

Simply run it from the command prompt and specify full paths to a dump file and an output BMP file. The memory dump file will be converted by default into a true color, 32 bits-per-pixel bitmap. We can specify other values: 8, 16 and 24.

C:\Dump2Picture>Dump2Picture.exe
Dump2Picture version 1.0
Written by Dmitry Vostokov, 2007
Usage: Dump2Picture dumpfile bmpfile [8|16|24|32]

Below are some screenshots of bitmap files created by the tool. We can think of them as visualized kernel or user address spaces.

Visualizing Memory Dumps 533

Vista kernel memory dump (8 bits-per-pixel): [screenshot]

Vista kernel memory dump (16 bits-per-pixel): [screenshot]

Vista kernel memory dump (24 bits-per-pixel): [screenshot]

Vista kernel memory dump (32 bits-per-pixel): [screenshot]

Notepad process user memory dump (8 bits-per-pixel): [screenshot]

Notepad process user memory dump (16 bits-per-pixel): [screenshot]

Notepad process user memory dump (24 bits-per-pixel): [screenshot]

Notepad process user memory dump (32 bits-per-pixel): [screenshot]
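As an added example, not the Dump2Picture code itself, here is a Python version of the same idea: raw dump bytes become the pixel array of an uncompressed BMP at 8, 16, 24 or 32 bits per pixel, and a second function reads the header back to check the result. The function names (bmp_from_bytes, bmp_info) and the default choice of a roughly square picture width are my own. Two BMP details matter when doing this by hand: every pixel row must be padded to a 4-byte boundary, and an 8 bits-per-pixel image is palette-indexed, so it needs a 256-entry colour table (a grey ramp here, so the byte value is the brightness) before the pixel data. The height field is written negative, the BMP convention for top-down rows, so the first bytes of the dump land at the top-left of the picture and addresses increase down the image.

```python
import struct

FILE_HEADER = "<2sIHHI"        # BITMAPFILEHEADER, 14 bytes
INFO_HEADER = "<IiiHHIIiiII"   # BITMAPINFOHEADER, 40 bytes


def bmp_from_bytes(raw, bpp=32, width=None):
    """Wrap raw bytes as an uncompressed (BI_RGB) BMP and return the file contents."""
    if bpp not in (8, 16, 24, 32):
        raise ValueError("bits per pixel must be 8, 16, 24 or 32")
    bytes_per_pixel = bpp // 8
    if width is None:
        pixels = max(1, len(raw) // bytes_per_pixel)
        width = max(1, int(pixels ** 0.5))       # roughly square picture
    row_bytes = width * bytes_per_pixel
    stride = (row_bytes + 3) & ~3                # rows are padded to 4-byte multiples
    height = max(1, -(-len(raw) // row_bytes))   # ceil; the last row is zero-padded
    palette = b""
    if bpp == 8:
        # indexed colour: entry i = (blue, green, red, reserved), a grey ramp
        palette = b"".join(struct.pack("<BBBB", i, i, i, 0) for i in range(256))
    # 16 bpp with BI_RGB is 5-5-5 with the top bit unused; 24/32 bpp are B,G,R(,x)
    pixel_offset = 14 + 40 + len(palette)
    image_size = stride * height
    file_size = pixel_offset + image_size
    if file_size > 0xFFFFFFFF:
        raise ValueError("BMP size fields are 32-bit; input too large")
    file_header = struct.pack(FILE_HEADER, b"BM", file_size, 0, 0, pixel_offset)
    info_header = struct.pack(
        INFO_HEADER, 40, width, -height,   # negative height: rows stored top-down
        1, bpp, 0,                         # one plane, compression BI_RGB
        image_size, 2835, 2835,            # 72 dpi expressed in pixels per metre
        256 if bpp == 8 else 0, 0,         # palette entries used / important
    )
    rows = (raw[y * row_bytes:(y + 1) * row_bytes].ljust(stride, b"\x00")
            for y in range(height))
    return file_header + info_header + palette + b"".join(rows)


def bmp_info(blob):
    """Parse the two headers back for verification."""
    magic, file_size, _, _, pixel_offset = struct.unpack_from(FILE_HEADER, blob, 0)
    hdr_size, width, height, _planes, bpp, compression, image_size = struct.unpack_from(
        "<IiiHHII", blob, 14)
    if magic != b"BM" or hdr_size != 40 or compression != 0:
        raise ValueError("not an uncompressed BITMAPINFOHEADER BMP")
    return {"width": width, "height": abs(height), "top_down": height < 0, "bpp": bpp,
            "pixel_offset": pixel_offset, "image_size": image_size, "file_size": file_size}


if __name__ == "__main__":
    import sys
    # usage: python thisfile.py dumpfile bmpfile [8|16|24|32]
    bpp = int(sys.argv[3]) if len(sys.argv) > 3 else 32
    with open(sys.argv[1], "rb") as fin:
        picture = bmp_from_bytes(fin.read(), bpp)
    with open(sys.argv[2], "wb") as fout:
        fout.write(picture)
    print(bmp_info(picture))
```

At 8 bits per pixel every byte of the dump is one grey pixel, which is the most literal view; at 32 bits per pixel each pixel consumes four bytes, so a pointer-sized value becomes one coloured dot and runs of pointers or of zero pages stand out as bands.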

Posted: 24/12/2013, 18:15
