This training comprises of 2 sessions
Session -1 (Theory)
1. Understanding Dump File
2. Varieties of Dump File
3. Creation of Dump File
4. Terminologies for analyzing of Dump File
5. Introduction to WinDbg
Session -2 ( Lab)
1. Postmortem Debugger Settings
2. WinDbg Setup
3. Dump File creation using Tools
4. Dump File creation using Win32 API
5. Dump File Analyzing case study
For Download, drop mail to contactshanmugaks@gmail.com
4. Page 4 2013
By K.S.Shanmuga sundaram
Agenda – Session1
Understanding Dump File1
Varieties of Dump File2
Creation of Dump File3
Terminologies for analyzing of Dump File4
Introduction to WinDbg5
5. Page 5 2013
By K.S.Shanmuga sundaram
Agenda – Session1
Understanding Dump File1
Varieties of Dump File2
Creation of Dump File3
Terminologies for analyzing of Dump File4
Introduction to WinDbg5
6. Page 6 2013
By K.S.Shanmuga sundaram
Varieties of Bugs
Bugs
Arithmetic
Logical
syntax
Resource
Multi
Threaded
Perform -
ance
User
Interface
7. Page 7 2013
By K.S.Shanmuga sundaram
Impact of Bug on Application
Application may Malfunction
Application may Crash
Application may Hang
8. Page 8 2013
By K.S.Shanmuga sundaram
Application crash
Arises due to unhandled exception
9. Page 9 2013
By K.S.Shanmuga sundaram
Application Hang
May arise due to Deadlock.
May arise due to High CPU usage.
10. Page 10 2013
By K.S.Shanmuga sundaram
How to Fix Crash / Hang Issue?
1. Store Application state
i.e.
Process(s) Info,
Thread(s) Info,
Loaded Module Info,
Register Info,
Memory Info,
Handle Info,
Callstack Info,
Etc.,
2. Start Analyze to find the root cause of the issue.
Process
Dump
Information
11. Page 11 2013
By K.S.Shanmuga sundaram
What is Dump File?
Definition:- Static snap shot of an application at any given time.
Fact sheet
File Format Binary File Format
File
Extension
.DMP - Stands for Dump
Contents Process, Thread, Stack,Callstack, Handles, Modules, etc.,
Usage
(i) Debugging Crashing application.
(ii) Debugging Hanging application.
Other
terms
Crash dump, Core Dump, Hang Dump, Heap Dump,
Memory Dump, Process dump or just dump.
12. Page 12 2013
By K.S.Shanmuga sundaram
Agenda – Session1
Understanding Dump File1
Varieties of Dump File2
Creation of Dump File3
Terminologies for analyzing of Dump File4
Introduction to WinDbg5
13. Page 13 2013
By K.S.Shanmuga sundaram
Physical Memory Layout
User
Space
Kernel
Space
Kernel Process
User Process
Kernel Process
Kernel Process
User Process
User Process
Access Restricted
14. Page 14 2013
By K.S.Shanmuga sundaram
Physical Memory Layout – 32 bit
User
Space
Kernel
Space
4 GB
2 GB
0
2
32
15. Page 15 2013
By K.S.Shanmuga sundaram
Physical Memory Layout – 32 bit
User
Space
Kernel
Space
4 GB
3 GB
0
with /3GB switch in boot.ini file
2
32
17. Page 17 2013
By K.S.Shanmuga sundaram
Agenda – Session1
Understanding Dump File1
Varieties of Dump File2
Creation of Dump File3
Terminologies for analyzing of Dump File4
Introduction to WinDbg5
20. Page 20 2013
By K.S.Shanmuga sundaram
Dump File creation
using Win32 API
API Name MiniDumpWriteDump
DLL Dbghelp.dll
Header file Dbghelp.h
Arguments
HANDLE hProcess Target process handle.
DWORD ProcessId Target process ID.
HANDLE hFile Dump file handle.
MINIDUMP_TYPE DumpType Type of information to be written dump
file
PMINIDUMP_EXCEPTION_INFORMATION
ExceptionParam,
Pointer to Exception info like ThreadID,
Exception pointers.
PMINIDUMP_USER_STREAM_INFORMATION
UserStreamParam
Pointer to user defined information.
[Optional]
PMINIDUMP_CALLBACK_INFORMATION
CallbackParam
Callback to receive extended dump
information. [Optional].
21. Page 21 2013
By K.S.Shanmuga sundaram
Dump File creation
using Win32 API
Argument MINIDUMP_TYPE DumpType
Description
Enumerator constants. It can have any one of the values
MiniDumpNormal
MiniDumpWithDataSegs
MiniDumpWithFullMemory
MiniDumpWithHandleData
MiniDumpFilterMemory
MiniDumpScanMe
MiniDumpWithUnloadedModules
MiniDumpWithIndirectlyReferencedMe
mory
MiniDumpFilterModulePaths
MiniDumpWithProcessThreadData
MiniDumpWithPrivateReadWriteMe
mory
MiniDumpWithoutOptionalData
MiniDumpWithFullMemoryInfo
MiniDumpWithThreadInfo
MiniDumpWithCodeSegs
22. Page 22 2013
By K.S.Shanmuga sundaram
Kernel Dump creation
using System settings
23. Page 23 2013
By K.S.Shanmuga sundaram
Agenda – Session1
Understanding Dump File1
Varieties of Dump File2
Creation of Dump File3
Terminologies for analyzing of Dump File4
Introduction to WinDbg5
24. Page 24 2013
By K.S.Shanmuga sundaram
Symbols
Global variables
Local variables
Function names and the addresses of their entry points
Frame pointer omission (FPO) records
Source File name and line number for each Instruction
Functions (except for functions declared static)
Global variables specified as extern
(and any other global variables visible across multiple object files)
Also called as Full Symbol
Also called as Stripped Symbol
Stores Debugging information about a program
25. Page 25 2013
By K.S.Shanmuga sundaram
Symbols in detail
Name of the item
Address of the item in virtual memory
Frame pointer omission (FPO) records for each function
Data type of each variable, structure, and function
Types and names of the parameters for each function
Scope of each local variable
Symbols associated with each line in each source file
The name of the item.
The address of the item in the virtual memory space of its module.
For a function, this is the address of its entry point.
Frame pointer omission (FPO) records for each function.
26. Page 26 2013
By K.S.Shanmuga sundaram
Symbols Relation
Public symbol data can be thought of as a subset of the private symbol .
27. Page 27 2013
By K.S.Shanmuga sundaram
Symbol File Format
PDB stands for “Program Database”
Fact sheet
Microsoft proprietary file format (.pdb)
Extracted from Source files ( .cpp,.c, ,cs, etc.,).
PDB file information extracted by using the DIA (Debug Interface Access) SDK.
A .NET PDB file only contains only Source Filename, Line number , Local
variable names as .NET Metadata already contains rest of the symbols.
Visual studio 5.0 generates .dbg file format.
28. Page 28 2013
By K.S.Shanmuga sundaram
Dump file relation
• DMP
• PDB
• DBG
• C
• CPP
• H
• CS
• EXE
• DLL
• LIB
29. Page 29 2013
By K.S.Shanmuga sundaram
Application Dependency
30. Page 30 2013
By K.S.Shanmuga sundaram
Dump File Dependency
IMAGE SYMBOLS SOURCES
Required
Files
For
Dump
File
Analysing
31. Page 31 2013
By K.S.Shanmuga sundaram
Process & Threads
User
Space
Kernel
Space
User Process
Thread 1
Thread 2
Thread N
1 MB Stack Memory
1 MB Stack Memory
1 MB Stack Memory
32. Page 32 2013
By K.S.Shanmuga sundaram
Stack
User
Space
Kernel
Space
Stack Memory – Thread 1
Committed
Guard
ReservedStack Memory – Thread 2
Stack Memory – Thread 3
Stack
Growth
34. Page 34 2013
By K.S.Shanmuga sundaram
C compiler Name Mangling
Function
Name
Function
Address
Method1() 0x1234
Method1() 0x3423
Method2() 0x1654
Void Method1(int)
{
Do something…
}
Void Method1(char)
{
Do something…
}
Void Method2(int,int)
{
Do something…
}
Void main()
{
Method1(20);
Method1(‘a’);
Method2(40,50);
}
Typical Representation
__Method1_0x1234
__Method1_0x3423
__Method2_0x1654
35. Page 35 2013
By K.S.Shanmuga sundaram
C++ compiler Name Mangling
Void Method1(int)
{
Do something…
}
Void Method1(char)
{
Do something…
}
Void Method2(int,int)
{
Do something…
}
Void main()
{
Method1(20);
Method1(‘a’);
Method2(40,50);
}
Typical Representation
__Method1_1_@INT_0x1234
__Method1_1_@CHAR_0x3423
__Method2_2_@INT_@INT_0x1654
Function
Name
No of
Param
Param
Type
Function
Address
Method1() 1 Int 0x1234
Method1() 1 Char 0x3423
Method2() 2 Int,Int 0x1654
37. Page 37 2013
By K.S.Shanmuga sundaram
Calling convention comparison
38. Page 38 2013
By K.S.Shanmuga sundaram
Exception Dispatching
Debugger
Frame
Handlers
Operation System
Default
Post Mortem
Debugger
Windows Error
Reporting
First
Chance
exception
Second
Chance
exception
Unhandled
exceptions
1
2
3
4
6
8
Exception
5 7 9
39. Page 39 2013
By K.S.Shanmuga sundaram
C++ Exception Test
void TestMethod
{
int Temp = 100;
Temp = Temp /(Temp-Temp);
}
void main()
{
try
{
TestMethod();
}
catch(…)
{
printf(“ Exception Caught”);
}
}
Is
Program
will
crash?
40. Page 40 2013
By K.S.Shanmuga sundaram
C++ Exception Answer
C/C++ --> Code Generation --> Enable C++ Exceptions
C++
Exceptions
Command
line Option
Remarks
No No Exception handled.
Yes /EHsc Only C++ Exception handled.
With SEH /EHa
Both C++ and SEH exception handled.
(Destructor will not be called on stack unwinding)
42. Page 42 2013
By K.S.Shanmuga sundaram
Agenda – Session1
Understanding Dump File1
Varieties of Dump File2
Creation of Dump File3
Terminologies for analyzing of Dump File4
Introduction to WinDbg5
43. Page 43 2013
By K.S.Shanmuga sundaram
WinDbg – A Introduction
Microsoft Windows Debugger
GUI Debugger.
Both user and kernel mode debugger.
Non-Invasive Debugger.
Freeware.
Light weight
44. Page 44 2013
By K.S.Shanmuga sundaram
WinDbg – Command Types
Command Types Description
Regular Commands Used debug processes
Meta or Dot-Commands usually to control the behavior of the debugger
Extension Commands
implemented as exported functions in extension
DLLs
45. Page 45 2013
By K.S.Shanmuga sundaram
WinDbg – Commands
Command Types Examples
Regular Commands K
Meta or Dot-Commands .cls, .reload, .time
Extension Commands !analyze, !locks, !teb, !peb
46. Page 46 2013
By K.S.Shanmuga sundaram
WinDbg Commands
Command Description
!analyze –v Analyze Exceptions.
!analyze -hang –v Analyze Hanging.
!gle Get Last Error.
.lastevent Get last exception Event.
.ecxr Display Exception context.
!sym noisy While loading symbols displays error information. Be
default it is OFF.
K Display Call stack.
ld * Load all Modules.
!for_each_frame Display call stack with Frame number.
.frame N Set “N” Frame as context
47. Page 47 2013
By K.S.Shanmuga sundaram
WinDbg Commands
Command Description
.reload /f /v /i Load all modules forecefully with verbose
!teb Thread Environment block ( Formatted output)
!peb Process Environment block ( Formatted output)
!runaway Displays information about time consumed by each
thread.
dt nt!_TEB Full Thread Environment block
~ Display all threads Info
|| Display process Info
!wow64exts.sw Switches 64bit dump file into 32bit.
dt ModulName!* Display all available data type in a module.
dt ModulName!Type Display declaration for a given data type.
48. Page 48 2013
By K.S.Shanmuga sundaram
WinDbg Commands
Command Description
.symopt Display Current Symbol loading settings
.symopt +0x40 Forcefully try to match PDB with Target Binary.
set's flag of "SYMOPT_LOAD_ANYTHING".
It mean it will not check for timestamp
!locks Display critical section Info
!handles Display handles Info
49. Page 49 2013
By K.S.Shanmuga sundaram
Any Questions?
Session - 1
51. Page 51 2013
By K.S.Shanmuga sundaram
Agenda – Session2
Postmortem Debugger Settings1
WinDbg Setup2
Dump File creation using Tools3
Dump File creation using Win32 API4
Dump File Analyzing case study5
52. Page 52 2013
By K.S.Shanmuga sundaram
Agenda – Session2
Postmortem Debugger Setup1
WinDbg Setup2
Dump File creation using Tools3
Dump File creation using Win32 API4
Dump File Analyzing case study5
53. Page 53 2013
By K.S.Shanmuga sundaram
Registry Path
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NT
CurrentVersion AeDebug
Registry Values
Value Name Remarks
Debugger Debugger Executable full path
Auto
0 - message box will be displayed prior to postmortem
debugging.
1 - No message box.
Postmortem Debugger Setup
Registry Settings - Windows XP and prior OS.
54. Page 54 2013
By K.S.Shanmuga sundaram
Registry Path
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsWindow
s Error ReportingLocalDumps
In case of 64 bit set corrresponding registry locations (wow64).
Registry Path
Value Name Value Data
DumpFolder Dump file complete path
DumpCount Total Dump file count
DumpType 0 - custom, 1 - Mini, 2 – Full
CustomDumpFlags
Valid if DumpType=0, Possible hexadecimal values =
0,1,2,4,8,10,20,40,80,100,200,400,800,1000,2000,4000,100
00, 20000,40000,80000,100000,1fffff.
Refer MSDN for details.
Postmortem Debugger Setup
Registry Settings - Windows Server 2008, Vista with SP1 and 7.0.
58. Page 58 2013
By K.S.Shanmuga sundaram
WinDbg Setup
Symbol, Image & Source path Setup
Path
Type
File type Files
Symbol
path
Program database files (.pdb)
Target application,
Windows binaries,
and all dependents binaries.
Source
path
Source files (.cpp & .h, .cs)
Target application,
CRT libraries,
and all dependent binaries.
Image
Path
Binary files (.exe, .dll)
Target application,
Windows dll,
and all dependents.
59. Page 59 2013
By K.S.Shanmuga sundaram
Agenda – Session2
Postmortem Debugger Settings1
WinDbg Setup2
Dump File creation using Tools3
Dump File creation using Win32 API4
Dump File Analyzing case study5
60. Page 60 2013
By K.S.Shanmuga sundaram
Dump File Creation
Using Tools
Tool Remarks
Process
Explorer
Right Click Create Dump
ProcDump procdump.exe -ma Target.exe
WinDbg
WinDbg -pv -pn Target.exe -c ".dump /ma
DumpFileName.dmp;q"
Task
Manager
Right Click Create Dump
Dr.Watson Drwatson.exe (Enable Create Dump File)
61. Page 61 2013
By K.S.Shanmuga sundaram
Agenda – Session2
Postmortem Debugger Settings1
WinDbg Setup2
Dump File creation using Tools3
Dump File creation using Win32 API4
Dump File Analyzing case study5
62. Page 62 2013
By K.S.Shanmuga sundaram
Dump File Creation
Using Win32 API
Refer Sample MFC_1
63. Page 63 2013
By K.S.Shanmuga sundaram
Agenda – Session2
Postmortem Debugger Settings1
WinDbg Setup2
Dump File creation using Tools3
Dump File creation using Win32 API4
Dump File Analyzing case study5
64. Page 64 2013
By K.S.Shanmuga sundaram
Case Study - 1
Exception type Access violation exception
Sample code 1 – Refer Sample MFC_1
int* i = NULL;
*i = 100;
Sample code 2
Printf(“%s%s%s%s%s%s%s%s%s%s”);
65. Page 65 2013
By K.S.Shanmuga sundaram
Case Study - 2
Exception type Stack Overflow
Sample code 1 – Refer Sample MFC_1
Void TestMethod()
{
unsigned char Temp[1024*1024*1024];
}
Sample code 2
Void TestMethod()
{
TestMethod();
}
66. Page 66 2013
By K.S.Shanmuga sundaram
Case Study - 3
Exception type Divide by Zero
Sample code 1 - Refer Sample MFC_1
Void TestMethod()
{
int nTemp = 100;
nTemp = nTemp / (nTemp - nTemp )
}
67. Page 67 2013
By K.S.Shanmuga sundaram
Case Study - 4
Exception type High CPU usage
Sample code 1 – Refer Sample MFC_2
UINT ThreadProc1(LPVOID pParam_in)
{
while(1); eturn 1;
}
UINT ThreadProc2(LPVOID pParam_in)
{
for(long i=0;i<200000;i++); return 1;
}
UINT ThreadProc3(LPVOID pParam_in)
{
for(long i=0;i<900000;i++); return 1;
}
69. Page 69 2013
By K.S.Shanmuga sundaram
References
"Microsoft Windows
Internals” by Mark
Russinovich and David
Solomon 5th Edition
"Advanced Windows
Debugging" by Mario
Hewardt and Daniel
Pravat
“Memory Dump
Analysis Anthology“
by Dmitry Vostokov
70. Page 70 2013
By K.S.Shanmuga sundaram
Any Questions?
Session - 2
71. Page 71 2013
By K.S.Shanmuga sundaram
Questions?
For more details, please contact
http://www.linkedin.com/in/shanmugasundaramks
sundarammails@gmail.com
K.S.Shanmuga sundaram
Software Architect,
Bangalore, India