This is a new methodology I’m working upon. The idea came from reading “About the Author” page in a book I got yesterday in my post:
The Nomadic Developer: Surviving and Thriving in the World of Technology Consulting
I post a review here and on Amazon when finished reading. Just a few words now. This is the first career book I’m reading where I find pages in roman numerals useful. The page xiii itself looks like a good template (or an example) for a business-oriented CV summary. Thinking now about updating my CV book (2nd edition?):
With fix-privet,
Dr. DebugLove
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Memory Dump ItToday we introduce an icon for False Positive Dump pattern:
B/W
Color
With fix-privet,
Dr. DebugLove
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Memory Dump ItWhile reading two balanced books about Trotsky I started to admire the signature “S kommunisticheskim privetom, <name>” that can be translated as “With communist greetings, <name>”. Did they laugh in their red sleeves? When I was at a primary school I loved History (that was long before I saw a computer at Moscow University and I loved Chemistry in a secondary and high schools). In fact, to realize my childhood dream, OpenTask, an iterative and incremental publisher, plans to publish a centennial balanced 2 volume bilingual history of Russian revolutions (the work has began already):
http://www.opentask.com/history-titles
While commuting today I devised a similar greeting to suffix all my future posts except traces:
With fix-privet,
Dr. DebugLove
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Memory Dump ItWhen the performance is a performative and the performative is a performance we think about performability:
A virtualization is virtualization.
Peter Brook, The Empty Space
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Memory Dump ItComments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Clock cycle counter for measuring CPU activity (p. 382)
Process Explorer usage to inspect hung threads (p. 383) - useful for coupled processes (http://www.dumpanalysis.org/blog/index.php/2007/09/26/crash-dump-analysis-patterns-part-28/) and could be great with simultaneous WinDbg session to inspect wait chains (http://www.dumpanalysis.org/blog/index.php/2009/02/17/wait-chain-patterns/)
Process Explorer shows both thread and WOW64 thread stacks on x64 (p. 384)
Thread stack and context query limitations for protected processes (pp. 384 - 386)
Thread pool mechanism was moved into kernel space in Vista (p. 387)
TpWorkerFactory and I/O completion ports and KQUEUE (pp. 387 - 388) - see also a “brief guide” to I/O completion ports: http://www.dumpanalysis.org/blog/index.php/2007/11/27/understanding-io-completion-ports/
The mystery of ntdll!TppWorkerThread in stack traces (pp. 389 - 390)
- Dmitry Vostokov @ SoftwareGeneralist.com -
Today we introduce an icon for Dynamic Memory Corruption (kernel pool) pattern:
B/W
Color
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Memory Dump ItComments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
W32THREAD (p. 371) - One candidate in _ETHREAD that points to it is Tcb.Win32Thread. One interesting code I found on how to extract window message queues from it: http://www.cc.gatech.edu/~brendan/volatility/dl/threadqueues.py. _W32THREAD structure on x64 W2K8 (we also see that is points to _ETHREAD):
0: kd> dt _W32THREAD
win32k!_W32THREAD
+0x000 pEThread : Ptr64 _ETHREAD
+0x008 RefCount : Uint4B
+0x010 ptlW32 : Ptr64 _TL
+0x018 pgdiDcattr : Ptr64 Void
+0x020 pgdiBrushAttr : Ptr64 Void
+0x028 pUMPDObjs : Ptr64 Void
+0x030 pUMPDHeap : Ptr64 Void
+0x038 pUMPDObj : Ptr64 Void
+0x040 pProxyPort : Ptr64 Void
+0x048 pClientID : Ptr64 Void
+0x050 GdiTmpTgoList : _LIST_ENTRY
!thread output fields (p. 376) - Stack Base and Limit fields can be useful to dump raw stack data via dps command to see execution residue or when reconstructing stack trace, see, for example, this pattern: http://www.dumpanalysis.org/blog/index.php/2009/10/23/crash-dump-analysis-patterns-part-88/
tlist utility (p. 377)
Thread creation calls (pp. 380 - 381) - a condensed view of top level function calls on x64 W2K8:
0: kd> uf /c CreateThread
kernel32!CreateThread (00000000`7731c1c0)
kernel32!CreateThread+0x28 (00000000`7731c1e8):
call to kernel32!CreateRemoteThread (00000000`7731c200)
0: kd> uf /c CreateRemoteThread
Flow analysis was incomplete, some code may be missing
kernel32!CreateRemoteThread (00000000`7731c200)
kernel32!CreateRemoteThread+0x134 (00000000`7731c334):
call to ntdll!NtCreateThreadEx (00000000`77477790)
kernel32!CreateRemoteThread+0×166 (00000000`7731c366):
call to ntdll!RtlAllocateActivationContextStack (00000000`77456900)
kernel32!CreateRemoteThread+0×1b4 (00000000`7731c3b4):
call to ntdll!RtlQueryInformationActivationContext (00000000`77456b20)
kernel32!CreateRemoteThread+0×241 (00000000`7731c441):
call to ntdll!CsrClientCallServer (00000000`7747a460)
kernel32!CreateRemoteThread+0×281 (00000000`7731c47d):
call to ntdll!ZwResumeThread (00000000`77477230)
kernel32!CreateRemoteThread+0×38b (00000000`7731c4ae):
call to kernel32!_security_check_cookie (00000000`7732c200)
0: kd> uf /c NtCreateThreadEx
ntdll!NtCreateThreadEx (00000000`77477790)
no calls found
0: kd> uf NtCreateThreadEx
ntdll!NtCreateThreadEx:
00000000`77477790 4c8bd1 mov r10,rcx
00000000`77477793 b8a5000000 mov eax,0A5h
00000000`77477798 0f05 syscall
00000000`7747779a c3 ret
0: kd> uf /c nt!NtCreateThreadEx
nt!NtCreateThreadEx (fffff800`01af60fc)
nt!NtCreateThreadEx+0x3d (fffff800`01af6139):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateThreadEx+0x5b (fffff800`01af6157):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateThreadEx+0x99 (fffff800`01af6195):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateThreadEx+0xc8 (fffff800`01af61c4):
call to nt!PspBuildCreateProcessContext (fffff800`01af5204)
nt!NtCreateThreadEx+0x1e1 (fffff800`01af62dd):
call to nt!PspCreateThread (fffff800`01af5d40)
nt!NtCreateThreadEx+0×1f0 (fffff800`01af62ec):
call to nt!PspDeleteCreateProcessContext (fffff800`01af68f0)
0: kd> uf /c nt!PspCreateThread
nt!PspCreateThread (fffff800`01af5d40)
nt!PspCreateThread+0x102 (fffff800`01af5e42):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt!PspCreateThread+0x15b (fffff800`01af5e9b):
call to nt!ObfReferenceObject (fffff800`01883250)
nt!PspCreateThread+0x22f (fffff800`01af5f6f):
call to nt!PspAllocateThread (fffff800`01af6338)
nt!PspCreateThread+0x243 (fffff800`01af5f83):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateThread+0x2a6 (fffff800`01af5fe6):
call to nt!PspInsertThread (fffff800`01af4c10)
nt!PspCreateThread+0x318 (fffff800`01af6058):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateThread+0x32a (fffff800`01af606a):
call to nt!_security_check_cookie (fffff800`01895e50)
nt!PspCreateThread+0x36a (fffff800`01af60aa):
call to nt!ObfReferenceObject (fffff800`01883250)
nt!PspCreateThread+0x3a2 (fffff800`01af60e2):
call to nt!ExfAcquireRundownProtection (fffff800`0184f66c)
nt! ?? ::NNGAKEGL::`string'+0x2816e (fffff800`01b3628e):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x281ad (fffff800`01b362ca):
call to nt!ExfReleaseRundownProtection (fffff800`0184f690)
nt! ?? ::NNGAKEGL::`string'+0x281ce (fffff800`01b362eb):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x281d8 (fffff800`01b362f5):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt! ?? ::NNGAKEGL::`string'+0x281e7 (fffff800`01b36304):
call to nt!ExfReleaseRundownProtection (fffff800`0184f690)
nt! ?? ::NNGAKEGL::`string'+0x281ff (fffff800`01b3631c):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x2821a (fffff800`01b36337):
call to nt!PspTerminateThreadByPointer (fffff800`01ad30dc)
- Dmitry Vostokov @ SoftwareGeneralist.com -