Document: Memory Dump Analysis Anthology - P19 (ppt)


Document information

PART 6: Fun with Crash Dumps

Visualizing Memory Dumps (p. 541-543)

[Figure: Mspaint process user memory dump (32 bits-per-pixel)]

[Figure: Mspaint process user memory dump after loading "Toco Toucan.jpg" from the Vista Sample Pictures folder (32 bits-per-pixel)]

[Figure: Citrix ICA client process (wfica32.exe) user memory dump (32 bits-per-pixel)]

VISUALIZING MEMORY LEAKS (p. 544)

Dump2Picture (page 532) can be used to explore memory leaks visually. I created the following small program in Visual C++ that leaks 64Kb (0xFFFF bytes) every second:

#include "stdafx.h"   // Visual C++ precompiled header
#include <windows.h>  // Sleep
#include <stdio.h>    // printf
#include <stdlib.h>   // malloc
#include <tchar.h>    // _tmain, _TCHAR

int _tmain(int argc, _TCHAR* argv[])
{
    while (true)
    {
        // Allocate 0xFFFF bytes and never free them: one leaked block per second.
        // %p prints the pointer correctly on both 32-bit and 64-bit builds.
        printf("%p\n", malloc(0xFFFF));
        Sleep(1000);
    }
    return 0;
}

Then I sampled 3 dumps at 7Mb, 17Mb and 32Mb process virtual memory size and converted them to 16 bits-per-pixel bitmaps. On the pictures below we can see that the middle black memory area grows significantly. The leaked blocks show up as black because they contain only zero bytes: malloc itself does not clear memory, but the program never writes to the blocks, and the pages the heap commits for them arrive from the operating system zero-filled.

[Figure: 7Mb process memory dump (p. 545)]

[Figure: 17Mb process memory dump (p. 546)]

[Figure: 32Mb process memory dump (p. 547)]

If we zoom in on the black area we see the following pattern:

[Figure: zoomed black area (p. 548)]

The colored lines inside are heap control structures that are created for every allocated block of memory; with 64Kb blocks they are far apart, so the area looks almost solid black.
If this is correct then allocating smaller memory blocks should create a hatched pattern, and this is indeed the case. The following program leaks 0xFF (255) byte memory blocks:

#include "stdafx.h"   // Visual C++ precompiled header
#include <windows.h>  // Sleep
#include <stdio.h>    // printf
#include <stdlib.h>   // malloc
#include <tchar.h>    // _tmain, _TCHAR

int _tmain(int argc, _TCHAR* argv[])
{
    while (true)
    {
        // 255-byte leak every 1000/0xFF = 3 ms (integer division).
        printf("%p\n", malloc(0xFF));
        Sleep(1000/0xFF);
    }
    return 0;
}

[Figure: process memory picture and zoomed heap area (p. 549)]

Making the allocations 4 times smaller makes the heap area look hatched, and the zoomed picture is more densely packed with heap control structures:

#include "stdafx.h"   // Visual C++ precompiled header
#include <windows.h>  // Sleep
#include <stdio.h>    // printf
#include <stdlib.h>   // malloc
#include <tchar.h>    // _tmain, _TCHAR

int _tmain(int argc, _TCHAR* argv[])
{
    while (true)
    {
        // 0xFF/4 = 63-byte blocks. (1000/0xFF)/4 is 0 in integer arithmetic,
        // so Sleep(0) only yields the time slice and the leak runs as fast
        // as the loop can go.
        printf("%p\n", malloc(0xFF/4));
        Sleep((1000/0xFF)/4);
    }
    return 0;
}

[Figure: process memory picture and zoomed heap area (p. 550-551)]

[...]

PICTURING COMPUTER MEMORY (p. 556)

An alternative to converting memory dumps to picture files is to save a memory range to a binary file and then convert it to a BMP file. Thus we can view a particular DLL or driver mapped into the address space, a heap or pool region, etc. To save a memory range to a file we can use the WinDbg .writemem command:

.writemem ...

[...]

... dump analysis and vice versa, to quickly learn GDB debugger commands, because most debugging and crash dump analysis principles and techniques are the same for both worlds. We need to disassemble, dump memory locations, list threads and their stack traces and so on. GDB users starting with Windows crash dump analysis can learn WinDbg commands too. Here I start mapping WinDbg commands to GDB commands and vice ...
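The Picturing Computer Memory section above describes a two-step route: save a memory range to a binary file (WinDbg .writemem), then convert the bytes to a BMP. The C program below is an added example of that second step written for this page; it is not Dump2Picture's source and makes no claim about how Dump2Picture works internally. It treats the raw bytes as pixels at 8, 16 or 32 bits per pixel, with a grayscale palette for 8 bpp, so zero-filled memory comes out black as in the leak pictures. The file names, the default width of 1024 pixels and the 5-5-5 interpretation of 16 bpp (plain BI_RGB) are assumptions for the example.

```c
/* rawtobmp.c: turn a raw memory range (e.g. a .bin written by .writemem) into
 * an uncompressed BMP so the bytes can be viewed as pixels.
 * Added example for this page, not Dump2Picture's code.  Build: cc -o rawtobmp rawtobmp.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BMP_FILE_HDR 14
#define BMP_INFO_HDR 40

static void put_le(uint8_t *p, uint32_t v, int nbytes)   /* little-endian field */
{
    for (int i = 0; i < nbytes; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* BMP rows are padded to a multiple of 4 bytes. */
uint32_t bmp_stride(uint32_t width, int bpp)
{
    return ((width * (uint32_t)bpp + 31) / 32) * 4;
}

/* Rows needed to hold len bytes at width pixels of bpp bits (last row zero-padded). */
uint32_t bmp_height(size_t len, uint32_t width, int bpp)
{
    size_t row_bytes = (size_t)width * (size_t)(bpp / 8);
    return (uint32_t)((len + row_bytes - 1) / row_bytes);
}

/* Build an in-memory BMP from raw bytes. bpp must be 8, 16 or 32: 8 bpp gets a
 * grayscale palette (byte value = brightness); 16 and 32 bpp use the bytes
 * directly as BI_RGB 5-5-5 / B-G-R-X pixels, so zero memory is black either way.
 * Returns the BMP size and stores the buffer in *out (caller frees); 0 on error. */
size_t raw_to_bmp(const uint8_t *raw, size_t len, uint32_t width, int bpp, uint8_t **out)
{
    if (!raw || !len || !width || (bpp != 8 && bpp != 16 && bpp != 32)) return 0;
    uint32_t stride  = bmp_stride(width, bpp);
    uint32_t height  = bmp_height(len, width, bpp);
    uint32_t palette = (bpp == 8) ? 256 * 4 : 0;
    uint32_t pixoff  = BMP_FILE_HDR + BMP_INFO_HDR + palette;
    size_t   total   = (size_t)pixoff + (size_t)stride * height;
    uint8_t *bmp = calloc(1, total);          /* zeros = row padding and black tail */
    if (!bmp) return 0;

    bmp[0] = 'B'; bmp[1] = 'M';
    put_le(bmp + 2,  (uint32_t)total, 4);     /* file size */
    put_le(bmp + 10, pixoff, 4);              /* offset of the pixel array */
    put_le(bmp + 14, BMP_INFO_HDR, 4);        /* BITMAPINFOHEADER size */
    put_le(bmp + 18, width, 4);
    put_le(bmp + 22, height, 4);              /* positive height: bottom-up rows */
    put_le(bmp + 26, 1, 2);                   /* colour planes */
    put_le(bmp + 28, (uint32_t)bpp, 2);
    put_le(bmp + 30, 0, 4);                   /* BI_RGB: no compression */
    put_le(bmp + 34, stride * height, 4);     /* pixel array size */
    if (bpp == 8)                             /* palette entries: B, G, R, reserved */
        for (uint32_t i = 0; i < 256; i++)
            bmp[54 + i * 4] = bmp[55 + i * 4] = bmp[56 + i * 4] = (uint8_t)i;

    /* BMP stores the first row last, so the lowest addresses of the range
     * end up at the bottom of the picture. */
    size_t row_bytes = (size_t)width * (size_t)(bpp / 8);
    for (uint32_t r = 0; r < height; r++) {
        size_t src = (size_t)r * row_bytes;
        size_t n   = (len - src < row_bytes) ? (len - src) : row_bytes;
        memcpy(bmp + pixoff + (size_t)(height - 1 - r) * stride, raw + src, n);
    }
    *out = bmp;
    return total;
}

/* Convert a whole file. Returns bytes written, or 0 on any failure. */
size_t raw_file_to_bmp(const char *in_path, const char *out_path, uint32_t width, int bpp)
{
    FILE *f = fopen(in_path, "rb");
    if (!f) return 0;
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    rewind(f);
    if (len < 0) { fclose(f); return 0; }
    uint8_t *raw = malloc(len > 0 ? (size_t)len : 1);
    size_t got = raw ? fread(raw, 1, (size_t)len, f) : 0;
    fclose(f);
    uint8_t *bmp = NULL;
    size_t size = raw_to_bmp(raw, got, width, bpp, &bmp);
    free(raw);
    if (!size) return 0;
    FILE *o = fopen(out_path, "wb");
    size_t wrote = o ? fwrite(bmp, 1, size, o) : 0;
    if (o) fclose(o);
    free(bmp);
    return wrote == size ? size : 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s in.bin out.bmp [bpp=8] [width=1024]\n", argv[0]);
        return 2;
    }
    int bpp = argc > 3 ? atoi(argv[3]) : 8;                                   /* assumed defaults */
    uint32_t width = argc > 4 ? (uint32_t)strtoul(argv[4], NULL, 10) : 1024;
    return raw_file_to_bmp(argv[1], argv[2], width, bpp) ? 0 : 1;
}
```

Run it on the file written by .writemem, for instance rawtobmp d2p-range.bin d2p-range.bmp 32 1024, and open the result in any viewer that handles uncompressed BMP. Because the rows are stored bottom-up, the start of the range is at the bottom of the picture; the width controls how many bytes land on one row, which is what makes periodic structures such as heap headers line up into the hatched patterns discussed above.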
Picturing Computer Memory (continued, p. 557-558)

(mempicture.cmd):

dump2picture %1.bin %1.bmp %2
%1.bmp

Because the WinDbg installation folder is assumed to be the default directory for both scripts and Dump2Picture.exe, they should be copied to the same folder where windbg.exe is located. On my system it is C:\Program Files\Debugging Tools for Windows. Both scripts are now included in the Dump2Picture package, available for free download at: http://www.dumpanalysis.org/downloads/Dump2Picture.zip

... x64 memory dump and visualized the HAL (hardware abstraction layer) module:

kd> lm
start             end                 module name
fffff800`00800000 fffff800`0085e000   hal
fffff800`01000000 fffff800`0147b000   nt
fffff97f`ff000000 fffff97f`ff45d000   win32k

kd> $$>a< mempicture.txt fffff800`00800000 fffff800`0085e000
Writing 5e001 bytes

C:\Program Files\Debugging Tools for Windows>dump2picture d2p-range.bin d2p-range.bmp
Dump2Picture ...

Visualizing Memory Leaks (continued, p. 551-555)

Here is another example. One service was increasing its memory constantly. The crash dump picture shows a huge hatched dark region in the middle:

[Figure: service process memory dump with a hatched dark region (p. 552-553)]

and if we zoom in on this region we get:

[Figure: zoomed hatched region (p. 554)]

Because the pattern and the allocation size look uniform, it could be a true heap memory leak from some operation that allocates constant-size buffers. After opening the memory dump and looking at the heap segments that had grown the most, we can see the same allocation size ...

(p. 559)

... [db listing of the Unicode "Hello World!" string, truncated; its ASCII column reads H.e.l.l.o ... r.l.d.! followed by 00 00 00]

and characters from the ASCII encoding occupy one byte of memory:

0:000> db 008c72b4 l10
008c72b4  48 65 6c 6c 6f 20 57 6f-72 6c 64 21 00 00 00 00  Hello World!....

We can see that the second byte of each Unicode English character is zero. I converted that memory dump into an 8 bits-per-pixel bitmap using Dump2Picture (page 532) and, after zooming it sufficiently in Vista Photo Viewer until ... picture that illustrates the difference between Unicode and ASCII strings:

[Figure: zoomed 8 bits-per-pixel picture of the Unicode and ASCII "Hello World!" strings]

Incidentally, the same memory dump converted to a 32 bits-per-pixel bitmap shows the Unicode "Hello World!" strings in green colors.

TEACHING BINARY TO DECIMAL CONVERSION (p. 560)

Sometimes we have data in binary and we want to convert ...

CRASH DUMPS AND GLOBAL CONSPIRACY (p. 561)

There are Matrix-style conspiracy theories where we are like computer programs. Looking from the crash dump analysis and debugging perspective, we ask a question: can a process detect its own past crash dumps? Obviously yes, if the code was written with such an intention ... crash dumps too. Therefore, if we can see our past crash dumps then this will be the proof that we live in a Matrix-type world. More questions spring to the conspiracy-savvy mind. Are there any secret software engineering societies (SSES)? Can we see patterns in memory dumps linking to alien code?

(p. 562) ...
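The two db listings above show why Unicode and ASCII strings look different in a memory picture: for English text every second byte of a UTF-16LE string is zero. The C program below is an added example, not code from the book, of a string scanner that uses exactly that property to tell the two encodings apart in a raw memory buffer (the same idea as strings -e l for UTF-16LE), so that a region spotted in a picture can be checked for readable text. The sample buffer is constructed in the code (it is not a real dump) and places a UTF-16LE and an ASCII "Hello World!" at known offsets; the minimum run length of 4 characters is an assumption.

```c
/* strings16.c: find ASCII and UTF-16LE strings in a raw memory buffer.
 * Added example for this page, not code from the book or from Dump2Picture. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t offset;   /* byte offset of the first character */
    size_t length;   /* number of characters (not bytes) */
    int    wide;     /* 1 = UTF-16LE (2 bytes per char), 0 = ASCII */
} found_t;

static int printable(uint8_t c)
{
    return c >= 0x20 && c <= 0x7e;
}

/* Scan buf for runs of at least minlen printable characters. A wide run is
 * printable ASCII bytes each followed by 0x00, the UTF-16LE shape of English
 * text seen in the db listing; a narrow run is consecutive printable bytes.
 * Wide is tried first so that "H.e.l.l.o" is not reported as one-letter
 * ASCII strings. Returns the number of runs found; stores up to max of them. */
size_t find_strings(const uint8_t *buf, size_t len, size_t minlen,
                    found_t *out, size_t max)
{
    size_t n = 0, i = 0;
    while (i < len) {
        size_t w = 0;
        while (i + 2 * w + 1 < len && printable(buf[i + 2 * w]) && buf[i + 2 * w + 1] == 0)
            w++;
        if (w >= minlen) {
            if (n < max) out[n] = (found_t){ i, w, 1 };
            n++;
            i += 2 * w;
            continue;
        }
        size_t a = 0;
        while (i + a < len && printable(buf[i + a]))
            a++;
        if (a >= minlen) {
            if (n < max) out[n] = (found_t){ i, a, 0 };
            n++;
            i += a;
            continue;
        }
        i++;
    }
    return n;
}

/* Copy a found run into dst as a NUL-terminated ASCII string, dropping the
 * zero high bytes of a wide run. Returns the number of characters copied. */
size_t extract(const uint8_t *buf, const found_t *f, char *dst, size_t cap)
{
    if (cap == 0) return 0;
    size_t step = f->wide ? 2 : 1;
    size_t n = f->length < cap - 1 ? f->length : cap - 1;
    for (size_t k = 0; k < n; k++)
        dst[k] = (char)buf[f->offset + k * step];
    dst[n] = '\0';
    return n;
}

/* Constructed sample, not a real dump: non-printable filler (0xCC), then
 * "Hello World!" as UTF-16LE at offset 16, then filler, then the same text as
 * ASCII at offset 48. Returns the number of bytes in use (0 if cap too small). */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const char text[] = "Hello World!";
    size_t p = 16;
    if (cap < 80) return 0;
    memset(buf, 0xCC, cap);
    for (size_t k = 0; text[k]; k++) {       /* UTF-16LE: char byte, 0x00 */
        buf[p++] = (uint8_t)text[k];
        buf[p++] = 0;
    }
    buf[p++] = 0;                            /* two-byte terminator */
    buf[p++] = 0;
    p += 6;                                  /* 0xCC filler */
    memcpy(buf + p, text, sizeof text);      /* ASCII with NUL */
    p += sizeof text;
    return p + 8;                            /* trailing filler */
}

int main(void)
{
    uint8_t buf[128];
    found_t hits[8];
    char txt[64];
    size_t used = build_sample(buf, sizeof buf);
    size_t n = find_strings(buf, used, 4, hits, 8);
    for (size_t k = 0; k < n && k < 8; k++) {
        extract(buf, &hits[k], txt, sizeof txt);
        printf("%08zx  %-7s %2zu chars  %s\n", hits[k].offset,
               hits[k].wide ? "unicode" : "ascii", hits[k].length, txt);
    }
    return 0;
}
```

Replace build_sample with a fread of the .bin written by .writemem to run it over a real range. Wide detection is deliberately limited to the ASCII subset of UTF-16LE (high byte zero), which is what makes English Unicode text stand out in an 8 bits-per-pixel picture; non-Latin text has non-zero high bytes and needs a real UTF-16 decoder.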

Posted: 21/01/2014, 23:20
