Memory Dump

Prepared by Nitesh Bhat, Trainee at Itimpulse
Memory Dump
- It is very hard to analyze a memory dump.
- The memory dump is located on the C: drive, in the Windows folder.
- If we know how to analyze the memory dump, we can easily find out why Windows crashed.
Why does Windows crash?
- Something is wrong in kernel mode.
Examples:
- Unhandled exception
- OS or driver detects a severe inconsistency
- Invalid memory references
- Hardware error
Memory Dump analysis
- 70% of Windows crashes come from third-party bugs
- 15% of Windows crashes cannot be explained
- 10% of Windows crashes come from hardware
- 5% of Windows crashes come from Windows code itself
Crash dump types
- Complete (full) (64 KB for a 32-bit operating system, 128 KB for a 64-bit operating system)
    Default for servers
- Kernel
    OS/driver memory
- Small (minidump)
    Default for XP
    Minimal crash information
Minidump
- Contents:
    Bug check code and parameters
    List of drivers
    Minimal information on the current process
- A unique file per crash in the Windows Minidump folder
- Extracted from the kernel/full dump
- The best memory dump for analysis is the kernel dump
- If the checksum does not match, the dump is not written
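As an added example (not part of the slides), a small Python parser that pulls the bug check code and its four parameters straight out of a kernel crash dump header, which is the first thing an analyst checks before opening the file in WinDbg. The field offsets assume the DUMP_HEADER / DUMP_HEADER64 layout used by kernel dumps and kernel minidumps (signature PAGEDUMP or PAGEDU64); the header bytes it runs on are constructed here, not taken from a real dump.

```python
import struct

# Assumed header layout (DUMP_HEADER for 32-bit, DUMP_HEADER64 for 64-bit):
# bytes 0-3 are b"PAGE", bytes 4-7 are b"DUMP" (32-bit) or b"DU64" (64-bit).
# Offsets of the fields we care about differ because 64-bit pointers widen
# the fields that precede them.
_LAYOUT = {
    b"DUMP": {"machine": 0x20, "cpus": 0x24, "code": 0x28, "params": 0x2C, "pfmt": "<4I"},
    b"DU64": {"machine": 0x30, "cpus": 0x34, "code": 0x38, "params": 0x40, "pfmt": "<4Q"},
}

def parse_dump_header(data: bytes) -> dict:
    """Return version, CPU count, bug check code and parameters from a kernel dump header."""
    # User-mode minidumps start with b"MDMP" and use a different format; reject them.
    if len(data) < 0x60 or data[:4] != b"PAGE":
        raise ValueError("not a kernel crash dump header")
    kind = data[4:8]
    if kind not in _LAYOUT:
        raise ValueError(f"unknown dump flavour {kind!r}")
    lay = _LAYOUT[kind]
    major, minor = struct.unpack_from("<II", data, 8)   # MajorVersion (0xF = free build), MinorVersion (build number)
    machine, cpus = struct.unpack_from("<II", data, lay["machine"])
    code = struct.unpack_from("<I", data, lay["code"])[0]
    params = struct.unpack_from(lay["pfmt"], data, lay["params"])
    return {
        "bits": 64 if kind == b"DU64" else 32,
        "version": f"{major}.{minor}",
        "machine_image_type": machine,   # 0x8664 = AMD64, 0x14C = i386
        "processors": cpus,
        "bugcheck_code": code,
        "bugcheck_params": params,
    }

def build_sample_header(bits: int, code: int, params, cpus: int = 4) -> bytes:
    """Constructed sample header (not a real dump) so the parser can be run offline."""
    kind = b"DU64" if bits == 64 else b"DUMP"
    lay = _LAYOUT[kind]
    hdr = bytearray(0x60)
    hdr[0:4], hdr[4:8] = b"PAGE", kind
    struct.pack_into("<II", hdr, 8, 0xF, 19041)               # free build, build 19041
    struct.pack_into("<II", hdr, lay["machine"], 0x8664 if bits == 64 else 0x14C, cpus)
    struct.pack_into("<I", hdr, lay["code"], code)
    struct.pack_into(lay["pfmt"], hdr, lay["params"], *params)
    return bytes(hdr)

if __name__ == "__main__":
    # 0x7E is SYSTEM_THREAD_EXCEPTION_NOT_HANDLED; param1 0xC0000005 (sign-extended) is an access violation.
    sample = build_sample_header(64, 0x7E, (0xFFFFFFFFC0000005, 0xFFFFF80012345678, 0, 0))
    print(parse_dump_header(sample))
```

On a real machine the same function can be pointed at the first 0x60 bytes of a file from the Windows Minidump folder.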
When is no dump written?
- The crash occurred before the paging file was opened
- Spontaneous reboot
- Hung system
- The paging file is too small
- Not enough free space to extract the dump
Analysis Basics
- The analysis tools are part of Debugging Tools for Windows (free).
- Two tools can open kernel crash dumps:
    WinDbg - GUI
    kd     - command line
Symbols
- When applications are linked, the linker that creates the .exe and .dll files also creates a number of additional files known as symbol files.
- Symbol files hold a variety of data that is not actually needed when running the binaries, but which can be very useful in the debugging process.
- Typically, symbol files might contain:
    Global variables
    Local variables
Symbols
- Symbol files contain the names and locations of internal data.
- Debugging needs the kernel symbol file to analyze dumps.
- Kernel image: ntoskrnl.exe
    ntoskrnl.pdb is its symbol file
How do we manually generate a dump?

Copy and paste the following into Notepad:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\i8042prt\Parameters]
"CrashOnCtrlScroll"=dword:00000001

Save it as CrashOnCtrlScroll.reg with "Save as type" set to All Files. Double-click the file to
merge it into the Registry. Restart your computer and you will be able to use it. To
generate the minidump file, press and hold the Right Ctrl key and
tap the Scroll Lock key twice. You will be presented with the Blue Screen and your
computer will restart.
Now: demo with notmyfault, analysis of a memory dump

Memory Dump