Accelerated Rust Windows Memory Dump Analysis Parts 1-2

The document outlines a training program focused on Windows memory dump analysis using WinDbg, emphasizing the importance of basic Windows troubleshooting and Rust knowledge. It covers training goals, principles, and various aspects of memory dump generation, analysis, and debugging strategies, including practical exercises. Additionally, it highlights the significance of maintaining PDB files and provides resources for further learning and exercises.


Accelerated Rust Windows Memory Dump Analysis

Dmitry Vostokov
Software Diagnostics Services

Prerequisites
- Basic Windows troubleshooting
- Basic Rust knowledge

WinDbg Commands: boxes with this heading on the slides introduce the WinDbg commands used in the practice exercises.

© 2024 Software Diagnostics Services


Training Goals
- Review fundamentals
- Review x64 disassembly
- Learn how to analyze process dumps
- Learn how to analyze complete (physical memory) dumps


Training Principles
- Talk only about what I can show
- Lots of pictures
- Lots of examples
- Original content and examples


Fundamentals



Process Space (x64)

  00000000`00000000  User Space
  00007FFF`FFFFFFFF

  FFFF8000`00000000  Kernel Space
  FFFFFFFF`FFFFFFFF

The gap between 00007FFF`FFFFFFFF and FFFF8000`00000000 is non-canonical under 48-bit addressing: a value in that range can never be a valid user- or kernel-mode address, which is a quick sanity check for pointers and return addresses found in raw memory.


Application/Process/Module (x64)

User Space (PID 7212), the Notepad process:
  00007FF6`00000000  Notepad.exe (the application's main module)
                     user32.dll
                     win32u.dll
                     kernel32.dll
                     ntdll.dll
  00007FFF`FFFFFFFF

  FFFF8000`00000000  Kernel Space
  FFFFFFFF`FFFFFFFF

WinDbg refers to modules by name without the extension: Notepad, user32, win32u, kernel32, ntdll.


Process Virtual Space (x64)

  00000000`00000000
  User Space (PID 7212): Notepad at 00007FF6`00000000, win32u, user32, kernel32, ntdll
  00007FFF`FFFFFFFF

  FFFF8000`00000000
  Kernel Space: nt (the kernel image), Driver
  FFFFFFFF`FFFFFFFF

The kernel half is shared by all processes; only the user half differs from process to process.


Process Memory Dump (x64)

  00000000`00000000
  User Space (PID 7212): Notepad at 00007FF6`00000000, win32u, user32, kernel32, ntdll  → Notepad.dmp
  00007FFF`FFFFFFFF

  FFFF8000`00000000
  Kernel Space: nt, Driver (not included in a process dump)
  FFFFFFFF`FFFFFFFF

A process dump (Notepad.dmp) captures only the user-space half of one process; kernel memory, including the threads' kernel stacks, is not in the file.

WinDbg Commands
lmv lists modules and their description (version, timestamp, image path)


Complete Memory Dump (x64)

MEMORY.DMP covers physical memory, so it contains the user space of every process together with the single kernel space:

  00000000`00000000
  User Space (PID 7212), 64-bit Notepad: Notepad, win32u, user32, kernel32, ntdll
  User Space (PID 9940), 32-bit Notepad under WOW64: Notepad, kernel32, user32, win32u, ntdll_77b00000, wow64, ntdll
  00007FFF`FFFFFFFF

  FFFF8000`00000000
  Kernel Space (shared by all processes): nt, Driver
  FFFFFFFF`FFFFFFFF

In the WOW64 process the 32-bit ntdll appears as ntdll_77b00000, named by its base address because its name collides with the 64-bit ntdll that is also loaded there.

WinDbg Commands
.process switches between process virtual spaces (the kernel-space part remains the same)


Process Threads

ApplicationA, User Space (PID 306): two threads, TID 102 and TID 204; user32 and ntdll loaded
Kernel Space: nt, Driver

WinDbg Commands
Process dumps: ~<n>s switches between threads (n is the debugger's thread index, not the TID; ~ alone lists both)


Thread Stack Raw Data

ApplicationA, User Space (PID 306): each thread has a user stack in user space (User Stack for TID 102, User Stack for TID 204) and a kernel stack in kernel space (Kernel Stack for TID 102, Kernel Stack for TID 204). user32 and ntdll are in user space; nt and Driver are in kernel space. Process dumps contain the user stacks only.

WinDbg Commands
Process dumps: !teb shows the thread environment block, including the stack base and limit of the current thread
Data: dc / dps / dpp / dpa / dpu dump raw stack memory (dc as dwords with ASCII, dps as pointer-sized values with symbols, dpp dereferencing each pointer and showing its symbol, dpa / dpu treating each value as a pointer to an ASCII / Unicode string)


Thread Stack Trace

Source view of the chain on the user stack of TID 102:

  FunctionA()           FunctionB()           FunctionC()
  {                     {                     {
    ...                   ...                   ...
    FunctionB();          FunctionC();          FunctionD();
    ...                   ...                   ...
  }                     }                     }

Each call instruction saves its return address on the stack; that saved address is also the address the caller resumes from when the callee returns:

  Module!FunctionA  calls FunctionB, saves return address Module!FunctionA+110
  Module!FunctionB  calls FunctionC, saves return address Module!FunctionB+220
  Module!FunctionC  calls FunctionD, saves return address Module!FunctionC+130
  Module!FunctionD  is executing

WinDbg Commands

0:000> k
Module!FunctionD
Module!FunctionC+130
Module!FunctionB+220
Module!FunctionA+110

The k output reads the saved return addresses from the top of the stack down, so the most recent call appears first.


Thread Stack Trace (no PDB)

The same chain on the user stack of TID 102, but the debugger has no symbols for Module. The symbol file Module.pdb would supply the function ranges as offsets from the module base:

  FunctionA  22000 - 23000
  FunctionB  32000 - 33000
  FunctionC  43000 - 44000
  FunctionD  54000 - 55000

Without it, the saved return addresses can only be shown as module offsets:

  Module+22000  calls FunctionB, saves return address Module+22110
  Module+32000  calls FunctionC, saves return address Module+32220
  Module+43000  calls FunctionD, saves return address Module+43130
  Module+54000  is executing

WinDbg Commands

0:000> k
Module+54000
Module+43130
Module+32220
Module+22110

Module+43130 becomes Module!FunctionC+130 once Module.pdb is loaded, which is why keeping the PDB of every released build matters.
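The scan the stack-trace slides describe, as an added example in Rust rather than code from the training: it classifies x64 addresses the way the Process Space slide divides them, then walks a raw stack (what dps prints) and keeps the qwords that point into a module, rendering each as WinDbg would with Module.pdb (Module!FunctionC+0x130) and without it (Module+0x43130). The module base, the function ranges (taken from the slide's table) and the raw stack contents are constructed for the example.

```rust
use std::collections::BTreeMap;

/// The three x64 address classes from the Process Space slide.
#[derive(Debug, PartialEq)]
enum Space {
    User,
    Kernel,
    NonCanonical,
}

fn classify(addr: u64) -> Space {
    if addr <= 0x0000_7FFF_FFFF_FFFF {
        Space::User
    } else if addr >= 0xFFFF_8000_0000_0000 {
        Space::Kernel
    } else {
        Space::NonCanonical
    }
}

/// A loaded module as lm would list it, plus the function ranges a PDB would supply
/// (start RVA -> (name, end RVA)); None models a module without symbols.
struct Module {
    name: &'static str,
    base: u64,
    size: u64,
    symbols: Option<BTreeMap<u64, (&'static str, u64)>>,
}

impl Module {
    fn contains(&self, addr: u64) -> bool {
        addr >= self.base && addr < self.base + self.size
    }

    /// Module!Function+0xOffset when a PDB covers the address, Module+0xRva otherwise
    /// (WinDbg's format for both cases). An RVA in a gap between functions falls back
    /// to the module offset form as well.
    fn symbolize(&self, addr: u64) -> String {
        let rva = addr - self.base;
        if let Some(syms) = &self.symbols {
            // Nearest function starting at or below rva; it must also end after rva.
            if let Some((start, (name, end))) = syms.range(..=rva).next_back() {
                if rva < *end {
                    return if rva == *start {
                        format!("{}!{}", self.name, name)
                    } else {
                        format!("{}!{}+0x{:x}", self.name, name, rva - start)
                    };
                }
            }
        }
        format!("{}+0x{:x}", self.name, rva)
    }
}

/// Manual stack scan: keep every qword on the raw stack (lowest address first, as dps
/// prints it) that points into a loaded module. Values in kernel space or in the
/// non-canonical hole can never be user-mode return addresses and are skipped.
fn scan_raw_stack(stack: &[(u64, u64)], modules: &[Module]) -> Vec<(u64, String)> {
    stack
        .iter()
        .filter_map(|&(slot, value)| {
            if classify(value) != Space::User {
                return None;
            }
            modules
                .iter()
                .find(|m| m.contains(value))
                .map(|m| (slot, m.symbolize(value)))
        })
        .collect()
}

/// Constructed module matching the slide: Module at 00007FF6`00000000 with the PDB ranges
/// FunctionA 22000-23000, FunctionB 32000-33000, FunctionC 43000-44000, FunctionD 54000-55000.
fn sample_module(with_pdb: bool) -> Module {
    let symbols: Option<BTreeMap<u64, (&'static str, u64)>> = with_pdb.then(|| {
        BTreeMap::from([
            (0x22000, ("FunctionA", 0x23000)),
            (0x32000, ("FunctionB", 0x33000)),
            (0x43000, ("FunctionC", 0x44000)),
            (0x54000, ("FunctionD", 0x55000)),
        ])
    });
    Module { name: "Module", base: 0x0000_7FF6_0000_0000, size: 0x10_0000, symbols }
}

/// Constructed raw stack (slot address, value): three return addresses mixed with data.
fn sample_stack() -> Vec<(u64, u64)> {
    vec![
        (0x14F9C0, 0x0000_0000_0000_0001), // a local value, not a pointer
        (0x14F9C8, 0x0000_7FF6_0004_3130), // return address into FunctionC
        (0x14F9D0, 0x0000_0000_01C3_A5F0), // heap pointer, outside any module
        (0x14F9D8, 0xFFFF_8000_1234_5678), // kernel-space value, skipped
        (0x14F9E0, 0x0000_7FF6_0003_2220), // return address into FunctionB
        (0x14F9E8, 0x0000_8000_0000_0000), // non-canonical, skipped
        (0x14F9F0, 0x0000_7FF6_0002_2110), // return address into FunctionA
    ]
}

fn main() {
    for with_pdb in [true, false] {
        println!("-- {}", if with_pdb { "with Module.pdb" } else { "no symbols for Module" });
        for (slot, frame) in scan_raw_stack(&sample_stack(), &[sample_module(with_pdb)]) {
            println!("{:016x}  {}", slot, frame);
        }
    }
}
```

A real scan also picks up stale return addresses left behind by earlier calls, so the scanned frames and the unwinder's k output can legitimately differ; comparing the two is the check behind the Incorrect Stack Trace pattern practised in Exercise RW1.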


Exceptions (Access Violation)

ApplicationA, User Space (PID 306): code in ModuleA on TID 102 dereferences a NULL pointer (address 00000000) or another invalid address, and the CPU raises an access violation that records the faulting address ("invalid memory access, address=????????"). TID 204 continues unaffected; both user stacks (User Stack for TID 102, User Stack for TID 204) are in the dump, with user32 and ntdll loaded.

WinDbg Commands
Set exception context (process dump): .ecxr, which switches registers and stack to the exception context record saved in the dump (.cxr <address> does the same from an explicit CONTEXT record)


Exceptions (Runtime)

ApplicationA, User Space (PID 306): code in ModuleA on TID 102 throws an error, that is, an exception raised by the program or its runtime rather than by an invalid memory access. As before, TID 204 is unaffected and both user stacks are in the dump, with user32 and ntdll loaded.


Pattern-Oriented Diagnostic Analysis

Diagnostic Pattern: a common recurrent identifiable problem together with a set of recommendations and possible solutions to apply in a specific context.

Diagnostic Problem: a set of indicators (symptoms, signs) describing a problem.

Diagnostic Analysis Pattern: a common recurrent analysis technique and method of diagnostic pattern identification in a specific context.

Diagnostics Pattern Language: common names of diagnostic and diagnostic analysis patterns. The same language for any operating system: Windows, Mac OS X, Linux, ...

Debugging Strategy:
  Information Collection (Scripts) → Information Extraction (Checklists) → Problem Identification (Patterns) → Problem Resolution (Troubleshooting Suggestions)

Checklist: http://www.dumpanalysis.org/windows-memory-analysis-checklist

Patterns: http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/


Memory Dump Collection



Process Dump Generation
- Crash or Hang, … ?
- PID in Task Manager
- Windows 10, Windows 11
- Crash: LocalDumps (HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps; DumpType = 2 for a full dump, DumpFolder for the destination)
- Hang / Leak / Spike: Task Manager (Create dump file), procdump -ma


Complete Dump Setup
- View Advanced System Settings (Control Panel): Startup and Recovery, Write debugging information: Complete memory dump
- Page file size > physical memory + 100 MB, on the boot volume (or configure a DedicatedDumpFile under CrashControl)


Complete Dump Generation
- Keyboard (KB972110, Step 6), NMI button
- Tools: NotMyFault
- VMware memory snapshot + vmss2core


Common Issues
- Truncated complete dumps
- No "Complete memory dump" option in the dialog: set it directly in the registry (1 selects the complete dump)

  HKLM\SYSTEM\CurrentControlSet\Control\CrashControl
  CrashDumpEnabled = 1 (DWORD)


x64 Disassembly



x64 CPU Registers
- RAX ⊃ EAX ⊃ AX ⊃ {AH, AL}: RAX is the 64-bit register, EAX its lower 32 bits, AX the lower 16, AH and AL the two bytes of AX
- ALU: RAX, RDX
- Counter: RCX
- Memory copy: RSI (src), RDI (dst)
- Stack: RSP
- Frame Pointer: RSP, RBP
- Next instruction: RIP
- New: R8 – R15, with 32/16/8-bit parts Rx(D|W|B), for example R8D, R8W, R8B
Instructions and Registers
- Opcode DST, SRC
- Examples:

  mov rax, 10h      ; RAX ← 0x10
  mov r13, rdx      ; R13 ← RDX
  add r10, 10h      ; R10 ← R10 + 0x10
  imul edx, ecx     ; EDX ← EDX * ECX
  call rdx          ; RDX already contains the address of func (&func)
                    ; PUSH RIP (the return address); RIP ← &func
  sub rsp, 30h      ; RSP ← RSP - 0x30, make room for local variables


Memory and Stack Addressing

  Lower addresses (the stack grows this way)
  RSP-0x20 → [RSP-0x20]
  RSP-0x18 → [RSP-0x18]
  RSP-0x10 → [RSP-0x10]
  RSP-0x8  → [RSP-0x8]
  RSP      → [RSP]
  RSP+0x8  → [RSP+0x8]
  RSP+0x10 → [RSP+0x10]
  RSP+0x18 → [RSP+0x18]
  RSP+0x20 → [RSP+0x20]
  Higher addresses

RSP+n is an address; [RSP+n] is the value stored at that address. Pushes move RSP toward lower addresses, so the slots above RSP belong to the current function and its callers, while the slots below RSP are free.
Memory Cell Sizes

  RSP → BYTE PTR [RSP]   1 byte
  RSP → DWORD PTR [RSP]  4 bytes
  RSP → QWORD PTR [RSP]  8 bytes; the next qword is at RSP+0x8

The size prefix decides how many bytes the instruction reads or writes at the address; the same stack slot can be named as any of the three.


Memory Load Instructions
- Opcode DST, PTR [SRC+Offset]
- Opcode DST
- Examples:

  mov rax, qword ptr [rsp+10h]  ; RAX ← 64-bit value at address RSP+0x10
  mov ecx, dword ptr [20]       ; ECX ← 32-bit value at address 0x20
  pop rdi                       ; RDI ← value at address RSP; RSP ← RSP + 8
  lea r8, [rsp+20h]             ; R8 ← address RSP+0x20 (no memory access)


Memory Store Instructions
- Opcode PTR [DST+Offset], SRC
- Opcode DST|SRC
- Examples:

  mov qword ptr [rbp-20h], rcx  ; 64-bit value at address RBP-0x20 ← RCX
  mov byte ptr [0], 1           ; 8-bit value at address 0 ← 1 (in user mode an access violation, since page 0 is never mapped)
  push rsi                      ; RSP ← RSP - 8; value at address RSP ← RSI
  inc dword ptr [rcx]           ; 32-bit value at address RCX ← 1 + 32-bit value at address RCX


Flow Instructions
- Opcode DST
- Opcode PTR [DST]
- Examples:

  jmp 00007ff6`9ef2f008          ; RIP ← 0x7ff69ef2f008 ("goto" 0x7ff69ef2f008)
  jmp qword ptr [rax+10h]        ; RIP ← value at address RAX+0x10
  call 00007ff6`9ef21400         ; RSP ← RSP - 8
  00007ff6`9ef21057:             ; value at address RSP ← 0x7ff69ef21057 (the address of the next instruction)
                                 ; RIP ← 0x7ff69ef21400 ("goto" 0x7ff69ef21400)


Function Parameters
- fn func(...);
- Left to right via RCX, RDX, R8, R9, stack
- stack: [RSP+20], [RSP+28], [RSP+30], ... (relative to the caller's RSP at the call instruction; the first 0x20 bytes above RSP are the home space reserved for the four register parameters)
- Floating-point parameters travel in XMM0 – XMM3 in the same positions. This register assignment is the Microsoft x64 convention, which Rust guarantees only for extern "system" / extern "C" functions; the default Rust ABI is not stable, so for a plain fn treat the mapping as a working hypothesis and confirm it against the disassembly.


Struct Function Parameters
- RCX: implicit struct object memory address (&myStruct)

    let myStruct: Struct = ...;
    myStruct.func(...);

- RDX, R8, R9, stack: the rest of the struct function parameters

    impl Struct {
        fn func(&self, ...);
    }
Windows API Parameters
x64: Left to right RCX, RDX, R8, R9, stack

Args to Child are not parameters: on x64, kv shows the four qwords at Child-SP, the home space the caller reserved for the first four register parameters; they hold the parameters only if the callee spilled RCX, RDX, R8, R9 there (common in debug builds, usually not in optimized code). Stack parameters from the fifth on are at Child-SP+0x20, Child-SP+0x28, ...

WinDbg Commands

0:000> kv
 # Child-SP          RetAddr               : Args to Child                                                           : Call Site
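A model of the calling sequence that the Flow Instructions, Function Parameters and Windows API Parameters slides describe, added here as an example and not taken from the training material: push/pop/call/ret with the slides' semantics, the register or stack slot of each parameter under the Microsoft x64 convention, and a six-parameter call whose caller frame is then read back the way kv presents it. The addresses, the frame size and the parameter values are constructed; the callee's prologue is reduced to a flag saying whether it spills RCX, RDX, R8, R9 into the home space.

```rust
use std::collections::BTreeMap;

/// Just enough of an x64 machine to model the slides' push/pop/call/ret semantics:
/// memory is a map of 8-byte cells keyed by address, so an unwritten cell reads as 0.
struct Machine {
    rsp: u64,
    rip: u64,
    args: [u64; 4], // RCX, RDX, R8, R9
    mem: BTreeMap<u64, u64>,
}

impl Machine {
    fn load(&self, addr: u64) -> u64 {
        *self.mem.get(&addr).unwrap_or(&0)
    }
    fn store(&mut self, addr: u64, value: u64) {
        self.mem.insert(addr, value);
    }
    /// push: RSP <- RSP - 8; [RSP] <- value
    fn push(&mut self, value: u64) {
        self.rsp -= 8;
        self.store(self.rsp, value);
    }
    /// pop: value <- [RSP]; RSP <- RSP + 8
    fn pop(&mut self) -> u64 {
        let value = self.load(self.rsp);
        self.rsp += 8;
        value
    }
    /// call target: push the address of the next instruction, then RIP <- target
    fn call(&mut self, target: u64, next_instruction: u64) {
        self.push(next_instruction);
        self.rip = target;
    }
    /// ret: RIP <- [RSP]; RSP <- RSP + 8
    fn ret(&mut self) {
        self.rip = self.pop();
    }
}

/// Where the caller places parameter n (0-based) under the Microsoft x64 convention,
/// relative to the caller's RSP at the call instruction.
fn arg_slot(n: usize) -> String {
    match n {
        0 => "RCX".to_string(),
        1 => "RDX".to_string(),
        2 => "R8".to_string(),
        3 => "R9".to_string(),
        _ => format!("[RSP+0x{:x}]", 0x20 + 8 * (n - 4)),
    }
}

/// What the debugger shows for the caller's frame once the call has been made.
#[derive(Debug, PartialEq)]
struct FrameView {
    child_sp: u64,           // the caller's RSP at the call; kv prints it as Child-SP
    ret_addr: u64,           // [Child-SP - 8]: the return address pushed by call
    resumes_at: u64,         // RIP after ret; equals ret_addr
    args_to_child: [u64; 4], // [Child-SP .. Child-SP+0x18]: the home space kv labels Args to Child
    stack_args: [u64; 2],    // [Child-SP+0x20], [Child-SP+0x28]: parameters 5 and 6
}

/// The caller, at entry (RSP is 8 mod 16 because of its own return address), executes
/// sub rsp, 38h (0x20 home space + two stack parameters + 8 bytes to realign to 16),
/// loads RCX/RDX/R8/R9, stores parameters 5 and 6, and calls the callee.
fn demo_call(params: &[u64; 6], callee_spills_home_space: bool) -> FrameView {
    let mut m = Machine { rsp: 0x14FA08, rip: 0x7FF6_9EF2_1040, args: [0; 4], mem: BTreeMap::new() };
    m.rsp -= 0x38;
    m.args.copy_from_slice(&params[..4]);
    m.store(m.rsp + 0x20, params[4]);
    m.store(m.rsp + 0x28, params[5]);
    let child_sp = m.rsp;
    m.call(0x7FF6_9EF2_1400, 0x7FF6_9EF2_1057);

    // Callee entry: [RSP] is the return address, the home slots are [RSP+8 .. RSP+0x20],
    // and the fifth parameter is at [RSP+0x28]. A debug-build prologue typically spills
    // the register parameters into the home slots; optimized code usually does not,
    // which is why Args to Child cannot be read as the parameters.
    if callee_spills_home_space {
        let args = m.args;
        for (i, value) in args.iter().enumerate() {
            m.store(m.rsp + 8 + 8 * i as u64, *value);
        }
    }
    let ret_addr = m.load(m.rsp);
    let args_to_child = [
        m.load(child_sp),
        m.load(child_sp + 8),
        m.load(child_sp + 0x10),
        m.load(child_sp + 0x18),
    ];
    let stack_args = [m.load(child_sp + 0x20), m.load(child_sp + 0x28)];
    m.ret(); // RIP back to the instruction after the call, RSP back to Child-SP
    FrameView { child_sp, ret_addr, resumes_at: m.rip, args_to_child, stack_args }
}

fn main() {
    for n in 0..6 {
        println!("parameter {} -> {}", n + 1, arg_slot(n));
    }
    let params = [0x11, 0x22, 0x33, 0x44, 0x55, 0x66];
    println!("optimized callee: {:#x?}", demo_call(&params, false));
    println!("spilling callee:  {:#x?}", demo_call(&params, true));
}
```

Without the spill, Args to Child reads back as four zeros while the stack parameters are intact; with it, the four values match RCX, RDX, R8, R9. When a kv frame's Args to Child look plausible, check the callee's prologue in the disassembly before trusting them.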


Practice Exercises



Links
- Memory Dumps: included in Exercise RW1
- Exercise Transcripts: included in this book


Process Memory Dumps

Exercises RW1 – RW5



Exercise RW1
- Goal: Learn how to see dump file type and version, get a stack trace, check its correctness, perform default analysis, list threads and modules, check module version information, dump module data, and check the process environment
- Patterns: Manual Dump (Process); Incorrect Stack Trace; Stack Trace; Stack Trace Collection (Unmanaged Space); Main Thread; System Call; Not My Version (Software); Environment Hint; Unknown Component
- \ARWMDA-Dumps\Exercise-RW1.pdf


Supportability Best Practice

Keep PDB files from each release. For Rust on the MSVC toolchain, Cargo writes the .pdb next to the executable in the target directory; archive it together with the exact binary it was built with, because WinDbg matches the two by signature and age and will not load a PDB from a different build.


Exercise RW2
- Goal: Learn how to analyze stack traces from debug versions
- Patterns: Technology-Specific Subtrace (Rust)
- \ARWMDA-Dumps\Exercise-RW2.pdf


Exercise RW3
- Goal: Learn how to analyze stack traces from release versions
- Patterns: Adjoint Stack Trace; Hidden Frame; Inline Function Optimization (Unmanaged Code)
- \ARWMDA-Dumps\Exercise-RW3.pdf
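A small Rust program for producing practice dumps of the kinds listed under Process Dump Generation and on the two exception slides, with a function_a..function_d chain like the one on the stack-trace slides. It is an added example, not one of the ARWMDA exercise binaries, and its mode names, messages and function names are its own. av reads through a NULL pointer for an access violation (the LocalDumps case: HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps with DumpType = 2), hang sleeps so that procdump -ma or Task Manager can capture the process, panic raises a Rust panic, and abort calls std::process::abort. Two Rust-specific points are built in: an uncaught panic under the default unwind strategy is caught by the Rust runtime, which prints the message and exits with code 101, so WER never sees it (run it under WinDbg, or build with panic = "abort" in the Cargo profile so that the panic ends in the same fail-fast exception as the abort mode, code 0xC0000409, which WER does report); and function_b and function_c are inlined in a release build, so a release dump of the av mode shows the Inline Function Optimization and Hidden Frame patterns of Exercise RW3 when compared with a debug dump. checked_read is the hardened counterpart of the unchecked read that faults.

```rust
use std::hint::black_box;
use std::{env, process, ptr, thread, time::Duration};

#[derive(Clone, Copy, Debug, PartialEq)]
enum Mode {
    Read,     // read through the pointer it is given ("ok" on the CLI, used by the tests)
    NullRead, // read through a NULL pointer: access violation at address 0
    Panic,    // Rust runtime error
    Abort,    // std::process::abort
    Hang,     // sleep forever, for Task Manager / procdump -ma
}

fn parse_mode(arg: Option<&str>) -> Result<Mode, String> {
    match arg {
        Some("ok") => Ok(Mode::Read),
        Some("av") => Ok(Mode::NullRead),
        Some("panic") => Ok(Mode::Panic),
        Some("abort") => Ok(Mode::Abort),
        Some("hang") => Ok(Mode::Hang),
        other => Err(format!("usage: dumpgen ok|av|panic|abort|hang (got {:?})", other)),
    }
}

/// The unchecked read the crash modes use. black_box keeps the compiler from reasoning
/// about the pointer, so the load is really emitted and really faults on NULL.
fn read_through(p: *const u32) -> u32 {
    black_box(unsafe { *black_box(p) })
}

/// The hardened counterpart: refuse NULL instead of faulting.
fn checked_read(p: *const u32) -> Result<u32, &'static str> {
    if p.is_null() {
        Err("null pointer")
    } else {
        Ok(unsafe { *p })
    }
}

// Kept out of line so the faulting frame is present in release dumps too.
#[inline(never)]
fn function_d(mode: Mode, p: *const u32) -> u32 {
    match mode {
        Mode::Read => read_through(p),
        Mode::NullRead => read_through(ptr::null()),
        Mode::Panic => panic!("runtime error in function_d"),
        Mode::Abort => process::abort(),
        Mode::Hang => loop {
            thread::sleep(Duration::from_secs(1));
        },
    }
}

// These two may be inlined in a release build: compare the k output of a debug dump and
// a release dump to watch the frames disappear (Exercise RW3).
#[inline]
fn function_c(mode: Mode, p: *const u32) -> u32 {
    function_d(mode, p).wrapping_add(0x30)
}

#[inline]
fn function_b(mode: Mode, p: *const u32) -> u32 {
    function_c(mode, p).wrapping_add(0x20)
}

#[inline(never)]
fn function_a(mode: Mode, p: *const u32) -> u32 {
    function_b(mode, p).wrapping_add(0x10)
}

fn main() {
    let mode = match parse_mode(env::args().nth(1).as_deref()) {
        Ok(mode) => mode,
        Err(usage) => {
            eprintln!("{usage}");
            process::exit(2);
        }
    };
    let value = 42u32;
    println!("pid {} mode {:?}", process::id(), mode);
    let result = function_a(mode, &value);
    println!("function_a returned {result:#x}"); // only reached in "ok" mode
}
```

Build with cargo build (and cargo build --release for the comparison), keep the generated .pdb beside the binary, run dumpgen av, then open the dump with .ecxr and k; for the hang mode, take the PID from the first output line and pass it to procdump -ma.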
