bulentrahimkazanci / Windbg Cheat Sheet


Windbg-Cheat-Sheet

A practical guide to analyze memory dumps of .Net applications by using Windbg.

Environment

  • SOS.dll (Son of Strike) ships with the .NET Framework next to clr.dll, so it normally does not need to be copied; if you keep a private copy, put it in the WinDbg extension directory. The SOS build must match the CLR version in the dump, otherwise its output is wrong or empty.
  • Install psscor4 (a superset of SOS for .NET Framework 4) if you want its extra commands.
  • Set the symbol path. The srv* syntax is cache*server; separating the two with a semicolon would make the URL a separate path element instead of the server behind the cache.
.sympath srv*d:\dumps\symbols*https://msdl.microsoft.com/download/symbols
  • Load SOS from the directory of the clr.dll that the debugger resolved for the dump:
.loadby sos clr

Dump Generation


1. Manual Dump Generation

There are several ways to generate dumps, from Task Manager to DebugDiag. For manual generation I prefer procdump. To generate a dump manually, follow the instructions below.

  • Download procdump (part of the Sysinternals suite).
  • Run a command prompt as administrator and change to the procdump folder. The following is an example from my machine.
cd \BrkDev\Procdump
  • procdump has many parameters that change the characteristics of the generated dump; the full list is in the Sysinternals documentation. I use the following command to get a full dump of all process memory. A full dump is required for the managed-heap commands later in this guide; a minidump contains no heap to inspect.
procdump -ma [process identifier] [folder path]
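The manual procedure above, wrapped in a PowerShell function. This is an added example, not code from the cheat sheet: it resolves the PID from a process name, refuses to guess when several instances are running, writes a full (-ma) dump and returns the file procdump produced. The output folder, the procdump location and the optional CPU-trigger parameters (-c, -s, -n, which make procdump wait for sustained CPU before dumping) are choices for this example. Run it from an elevated shell.

```powershell
# Added example (not part of the original cheat sheet).
# Assumes procdump.exe is on PATH (or passed via -ProcdumpPath) and the shell is elevated.
function New-FullDump {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,     # e.g. "w3wp" (no .exe)
        [string] $OutputFolder = 'D:\dumps',              # example location
        [string] $ProcdumpPath = 'procdump.exe',
        [int]    $CpuThreshold = 0                        # > 0: dump only after sustained CPU use
    )

    # Resolve the PID. Fail loudly if the name is ambiguous instead of dumping a random instance.
    $procs = @(Get-Process -Name $ProcessName -ErrorAction Stop)
    if ($procs.Count -ne 1) {
        throw "Expected exactly one '$ProcessName' process, found $($procs.Count); pick the PID by hand."
    }
    $targetPid = $procs[0].Id

    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # -accepteula : non-interactive
    # -ma         : full dump of all process memory; needed for !dumpheap / !gcroot to work
    $procdumpArgs = @('-accepteula', '-ma')
    if ($CpuThreshold -gt 0) {
        # -c <percent> CPU threshold, -s <seconds> it must be sustained, -n <count> dumps to write
        $procdumpArgs += '-c', $CpuThreshold, '-s', 10, '-n', 3
    }

    $before = Get-Date
    & $ProcdumpPath @procdumpArgs $targetPid $OutputFolder

    # procdump names files <process>_<yyMMdd>_<HHmmss>.dmp; return the ones written by this call.
    Get-ChildItem -Path $OutputFolder -Filter "$ProcessName*.dmp" |
        Where-Object { $_.LastWriteTime -ge $before } |
        Sort-Object LastWriteTime
}

# Usage:
#   New-FullDump -ProcessName w3wp -OutputFolder D:\dumps
#   New-FullDump -ProcessName MyService -CpuThreshold 80     # for the High CPU scenario
```

The CPU-trigger form is the one to use for the High CPU scenario further down: procdump stays attached and writes the dump while the process is actually busy, which is when !runaway and !clrstack are informative.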

2. Automatic Dump Generation

Sometimes there is no chance to collect a dump before the application crashes. Windows Error Reporting (WER) can be configured to write a dump when a process crashes; note that applications that handle their own custom crash reporting are not covered by this feature. To collect dumps automatically, follow the steps below.

  • Open Registry Editor (regedit).
  • Go to the following key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
  • If the key does not exist, create it. Otherwise, check the values below. A subkey named after the executable (for example LocalDumps\w3wp.exe) overrides these settings for that application only.
Value            Description                                                  Type           Default
DumpFolder       Folder where dump files are written.                         REG_EXPAND_SZ  %LOCALAPPDATA%\CrashDumps
DumpCount        Maximum number of dump files kept in the folder.             REG_DWORD      10
DumpType         0 = custom (uses CustomDumpFlags), 1 = minidump, 2 = full.   REG_DWORD      1
CustomDumpFlags  MINIDUMP_TYPE flags; only used when DumpType is 0.           REG_DWORD      MiniDumpWithDataSegs | MiniDumpWithUnloadedModules | MiniDumpWithProcessThreadData
  • Set DumpType to 2: a minidump (the default) does not contain the managed heap, so the memory-leak commands below cannot work on it.
  • Locate and delete the following registry values. They register a just-in-time debugger (typically Visual Studio); while they exist, a crash is handed to that debugger instead of WER, and no dump is written. Export the keys first so the values can be restored later.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
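The same configuration as a script, so it can be applied identically on every server. This is an added example and not part of the cheat sheet; the dump folder, the backup file and the optional per-application subkey are choices for this example. It sets DumpType to 2 (full), and backs up the JIT-debugger values before removing them, because deleting them silently is what usually breaks a developer's machine later.

```powershell
# Added example (not part of the original cheat sheet). Run from an elevated shell.
function Enable-LocalDumps {
    param(
        [string] $DumpFolder  = 'D:\dumps\crash',   # example location
        [int]    $DumpCount   = 10,
        [string] $Application = ''                  # e.g. 'w3wp.exe' to scope the settings to one image name
    )
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
    $key  = if ($Application) { "$base\$Application" } else { $base }

    New-Item -Path $key -Force | Out-Null
    New-Item -ItemType Directory -Path $DumpFolder -Force | Out-Null

    # REG_EXPAND_SZ so a %LOCALAPPDATA%-style value still works if someone changes it later.
    New-ItemProperty -Path $key -Name DumpFolder -PropertyType ExpandString -Value $DumpFolder -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpCount  -PropertyType DWord        -Value $DumpCount  -Force | Out-Null
    # DumpType: 0 = custom (CustomDumpFlags), 1 = mini, 2 = full. Full is what !dumpheap needs.
    New-ItemProperty -Path $key -Name DumpType   -PropertyType DWord        -Value 2           -Force | Out-Null

    Get-ItemProperty -Path $key | Select-Object DumpFolder, DumpCount, DumpType
}

# The AeDebug / DbgManagedDebugger values register a just-in-time debugger.
# While they exist, a crash is offered to that debugger instead of letting WER
# write the dump, so record them to a file and remove them.
function Disable-JitDebugger {
    param([string] $BackupFile = 'D:\dumps\jit-debugger-backup.txt')   # example location
    $targets = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug';             Name = 'Debugger' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework';                                 Name = 'DbgManagedDebugger' },
        @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'; Name = 'Debugger' },
        @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework';                     Name = 'DbgManagedDebugger' }
    )
    foreach ($t in $targets) {
        $current = Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
        if ($null -eq $current) { continue }                 # value not present; nothing to do
        "$($t.Key)\$($t.Name) = $($current.$($t.Name))" | Add-Content -Path $BackupFile
        Remove-ItemProperty -Path $t.Key -Name $t.Name
    }
}

# Usage:
#   Enable-LocalDumps -DumpFolder D:\dumps\crash
#   Enable-LocalDumps -Application w3wp.exe        # override for IIS worker processes only
#   Disable-JitDebugger
```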

Memory Leak


1. General Heap Check

  • Check the managed heap for corruption first. If the heap is corrupted, the output of the other SOS heap commands cannot be trusted.
!verifyheap
  • Look at committed memory for the whole process. This is the best command to see memory as a whole, because it covers native allocations as well as the GC heap.
!address -summary

Sections in the result

  • Image: memory used by executables and DLLs.

  • Stack: stack space for threads.

  • Heap: native (NT) heaps. The managed GC heap is allocated with VirtualAlloc and therefore shows up under <unknown>, not under Heap.

  • The remaining categories are explained at https://blogs.msdn.microsoft.com/webtopics/2010/04/02/address-summary-explained/

  • The following command shows GC heap and loader heap usage. Look at how much each heap has allocated. (Reminder: the GC heap is collected by the garbage collector; the loader heaps are not. They hold runtime data such as method tables and JIT-compiled code, so growth there usually means types or assemblies being generated dynamically.) Make sure that both stay within the size you expect for the application.

!eeheap
  • Run the following command to list every object type on the heap with its method table, instance count and total size, sorted by total size.
!dumpheap -stat
  • If a type looks suspicious (too many instances or too many bytes), list its instances. -type matches the type name as a substring, so include the namespace to narrow the match.
!dumpheap -type [type name]
  • Pick an instance that is larger than the others and look at its fields.
!do [address]
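The environment setup and the general heap check above, run end to end without an interactive session. This is an added example, not code from the cheat sheet: it drives cdb.exe (the console debugger installed alongside WinDbg) with -z to open the dump and -c to run the commands, then parses the !dumpheap -stat table to rank types by total size and print the follow-up commands. It assumes cdb.exe is on PATH, a .NET Framework dump (so .loadby sos clr applies; for .NET Core, SOS is loaded via dotnet-sos instead), and a local symbol cache folder of your choosing.

```powershell
# Added example (not part of the original cheat sheet).
function Invoke-DumpCommands {
    param(
        [Parameter(Mandatory)] [string]   $DumpFile,
        [Parameter(Mandatory)] [string[]] $Commands,
        [string] $SymbolPath = 'srv*D:\dumps\symbols*https://msdl.microsoft.com/download/symbols'  # example cache
    )
    # -z opens a dump, -y sets the symbol path, -c runs the command string.
    # The trailing 'q' quits instead of dropping into an interactive prompt.
    $cmdline = '.loadby sos clr; ' + ($Commands -join '; ') + '; q'
    & cdb.exe -z $DumpFile -y $SymbolPath -c $cmdline 2>&1 | ForEach-Object { "$_" }
}

# Parse the table printed by !dumpheap -stat. Each row is
#   <MethodTable> <Count> <TotalSize> <Class Name>
# (8 hex digits on x86, 16 on x64). The "Free" row is free space, not a type.
function Get-TopHeapTypes {
    param(
        [Parameter(Mandatory)] [string[]] $DumpHeapStatOutput,
        [int] $Top = 10
    )
    $rows = foreach ($line in $DumpHeapStatOutput) {
        if ($line -match '^\s*([0-9a-fA-F]{8,16})\s+(\d+)\s+(\d+)\s+(\S.*)$' -and $Matches[4].Trim() -ne 'Free') {
            [pscustomobject]@{
                MethodTable = $Matches[1]
                Count       = [long]$Matches[2]
                TotalSize   = [long]$Matches[3]
                TypeName    = $Matches[4].Trim()
            }
        }
    }
    $rows | Sort-Object TotalSize -Descending | Select-Object -First $Top
}

# Heap integrity, process-wide memory, GC heap sizes, then the biggest types
# together with the commands to run next in an interactive session.
function Start-HeapTriage {
    param([Parameter(Mandatory)] [string] $DumpFile, [int] $Top = 10)
    $out = Invoke-DumpCommands -DumpFile $DumpFile -Commands @(
        '!verifyheap', '!address -summary', '!eeheap -gc', '!dumpheap -stat'
    )
    $out | Out-File -FilePath "$DumpFile.triage.log"      # keep the raw output next to the dump

    foreach ($t in Get-TopHeapTypes -DumpHeapStatOutput $out -Top $Top) {
        '{0,14:N0} bytes {1,10:N0} objects  {2}' -f $t.TotalSize, $t.Count, $t.TypeName
        "    next: !dumpheap -mt $($t.MethodTable)   then !gcroot on a few of those addresses"
    }
}

# Usage:  Start-HeapTriage -DumpFile D:\dumps\w3wp_230101_120000.dmp
```

Running it on two dumps taken some minutes apart and comparing the top rows is more telling than a single snapshot: a leak is a type whose count keeps growing, not simply the type that happens to be largest.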

2. Check Finalizer Queue and Finalizer Thread

  • List all object types on the heap.
!dumpheap -stat
  • Take the suspicious one. The following command prints only the addresses of the objects of that type, which makes the output usable inside .foreach.
!dumpheap -type [type name] -short
  • To see what keeps those objects alive, run !gcroot over each address. The example below is for byte arrays; look for the instances whose only root is the finalizer queue. !gcroot walks the whole heap for every object, so cap the list on large heaps.
.foreach(bytearr {!dumpheap -type System.Byte[] -short}){!gcroot bytearr; .echo - - - - - }
  • Check the finalizer queue with the following command. It shows how many objects are waiting per generation and which object the finalizer thread is currently processing.
!finalizequeue
  • If many objects are waiting to be finalized, the finalizer thread is probably blocked. Find it in !threads (it is marked as the Finalizer thread), switch to it with ~[id]s and look at its stack.
!clrstack

High CPU Usage


  • Check the thread pool. It reports the CPU utilization the CLR last measured; above 80% the pool stops injecting new worker threads, so queued work items pile up while the existing threads stay busy.
!threadpool
  • Check the cumulative user-mode CPU time of each thread, highest first. The numbers are totals since each thread started, so when a long-lived thread is suspected, take two dumps a few seconds apart and compare.
!runaway
  • Take the first few threads from the top of the !runaway list.

  • Switch to each of them in turn with ~[id]s.

  • Look at the managed stack of each with !clrstack.

  • If they all sit in the same method, analyze that method.
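The high-CPU procedure above as a script. This is an added example and not part of the cheat sheet: it runs !runaway through cdb.exe, parses the per-thread user time, and then, in a second debugger session, switches to each of the hottest threads and prints its managed stack so the common method is visible at a glance. It assumes cdb.exe on PATH and a full dump of a .NET Framework process; the number of threads to inspect is a parameter.

```powershell
# Added example (not part of the original cheat sheet).
function Get-RunawayThreads {
    param([Parameter(Mandatory)] [string[]] $RunawayOutput, [int] $Top = 5)
    # !runaway rows look like:   "   3:1f2c      0 days 0:00:12.406"
    # i.e. <debugger thread id>:<OS thread id>, then days h:mm:ss.ms of user-mode time.
    $rows = foreach ($line in $RunawayOutput) {
        if ($line -match '^\s*(\d+):([0-9a-fA-F]+)\s+(\d+) days (\d+):(\d+):(\d+)\.(\d+)') {
            $ms = ((([int]$Matches[3] * 24 + [int]$Matches[4]) * 60 + [int]$Matches[5]) * 60 + [int]$Matches[6]) * 1000 + [int]$Matches[7]
            [pscustomobject]@{
                DebuggerId = [int]$Matches[1]
                OsThreadId = $Matches[2]
                UserMs     = $ms
            }
        }
    }
    $rows | Sort-Object UserMs -Descending | Select-Object -First $Top
}

function Start-CpuTriage {
    param([Parameter(Mandatory)] [string] $DumpFile, [int] $Top = 5)

    # Session 1: who burned the CPU.
    $runaway = & cdb.exe -z $DumpFile -c '!runaway; q' 2>&1 | ForEach-Object { "$_" }
    $hot = @(Get-RunawayThreads -RunawayOutput $runaway -Top $Top)
    if ($hot.Count -eq 0) { throw 'No per-thread CPU times in the dump; was it a full dump?' }

    # Session 2: switch to each hot thread (~Ns) and print its managed stack.
    $cmds = foreach ($t in $hot) {
        "~$($t.DebuggerId)s; .echo === thread $($t.DebuggerId) (os $($t.OsThreadId), $($t.UserMs) ms user) ===; !clrstack"
    }
    $cmdline = '.loadby sos clr; ' + ($cmds -join '; ') + '; q'
    & cdb.exe -z $DumpFile -c $cmdline 2>&1 | ForEach-Object { "$_" }
}

# Usage:  Start-CpuTriage -DumpFile D:\dumps\MyService_230101_120000.dmp -Top 5
```

If the stacks show the hot threads in different methods, or the top thread is the GC or finalizer thread, the problem is allocation pressure rather than one hot loop, and the memory-leak section is the better starting point.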

Deadlock


Static Field Access


  • List the application domains and the assemblies loaded into each.
!dumpdomain
  • Delve into the selected module; -mt lists the method tables of the types it defines.
!dumpmodule -mt [module address]
  • Dump the class. !dumpclass takes the EEClass address (printed by !dumpmt for the method table) and lists the fields; static fields are marked "static" and show their current value.
!dumpclass [EEClass address]
  • For a static reference field, dump the object the field points to using the value shown for it.
!do [field value]

Command List


  • Evaluates the given expression; handy for hex/decimal conversion and pointer arithmetic.
?
Example usage: `? e186fa28`
  • Lists managed threads; the finalizer thread is marked as such.
!threads
  • Switches the thread context to the thread with the given debugger id.
~[id]s
~5s
  • Gives detailed information about the CLR thread pool, including the CPU utilization it last measured.
!threadpool
  • Check this when looking for high CPU usage: cumulative user-mode time per thread, highest first.
!runaway
  • Dumps the call stacks of all threads, with managed frames resolved.
!eestack
  • Prints the exception on the current thread (or the exception object at a given address).
!printexception
  • Shows usage statistics of the GC heaps per generation. Server GC creates one heap per logical core; workstation GC uses a single heap.
!heapstat
  • Lists objects waiting for finalization. An object with a finalizer survives at least one extra GC: it is promoted when its finalizer is queued and is freed only after the finalizer thread has run it. Calling Dispose (which should call GC.SuppressFinalize) skips the finalizer, so the object is freed by the first GC that finds it unreachable.
!fq (alias for !finalizequeue)
  • Shows session time, process uptime, and the process's kernel and user CPU time. Kernel time is spent in system calls, interrupts and I/O (for example TCP); user time is spent in application code.
.time
  • First command to run for memory questions: summarizes the virtual address space by usage and protection.
!address -summary
  • Dumps the Process Environment Block: command line, environment variables (including computer name), loaded modules.
!peb
  • Shows managed (GC) heap usage per heap and generation. With server GC the heaps should be of roughly equal size; one much larger heap points to a skewed allocation pattern.
!eeheap -gc
  • Lists all object types on the heap with instance count and total size.
!dumpheap -stat
  • Lists the addresses of all objects with the given method table (the MT column of !dumpheap -stat).
!dumpheap -mt [method table address]
  • Shows what keeps the object at the given address alive. If no roots are found, the object is unreachable and will be collected in the next GC of its generation.
!gcroot [address]
  • Gives details of a method (its MethodDesc), including JIT status and code address.
!dumpmd [MethodDesc address]
  • Gives the managed call stack of the current thread.
!clrstack
  • Shows the sync blocks: which thread owns which Monitor lock and how many threads are waiting on it. This is the starting point for deadlocks.
!syncblk
  • Lists the modules loaded by the application.
lm
  • Makes the debugger verbose about source file loading (not symbol loading), so you can see why sources are not found.
.srcnoisy 3

Articles

