SQLBits: SQL Server Crash Dump Analysis
SQL Server Crash Dump Analysis: a brief tour with WinDbg and other ugly tools
Pablo Álvarez Doval, Debugging & Optimization Team Lead, pablod@plainconcepts.com

Who am I?

Session objectives: What is this session about? What isn't this session about?

Who are you?

Agenda:
Tools of the trade
Brief Windows architecture refresher
SQL Server post-mortem debugging: handling SQL Server dumps, analyzing SQL Server dumps
Debugging .NET applications with SOS

Debugging Tools for Windows
Free download: http://www.microsoft.com/whdc/devtools/debugging
Updated several times a year
Debuggers, extensions, tools and a great help file: windbg.exe, kd.exe, cdb.exe; gflags.exe, tlist.exe, etc.; debugger.chm
Can be installed via xcopy

Demo 0: … is it really so ugly?

Thesaurus. Just to keep with the forensics analogy:
Corpse → Dump file
Forensic Lab → WinDbg
Forensic Scientist → You!
Gray's Anatomy → Windows Internals, 5th Ed.
We are not going to get into details, but we will do a little refresher of some key concepts.
User mode vs. Kernel mode (architecture diagram). User mode: Windows on Windows (wowexec.exe), LSA Shell (lsass.exe), Client/Server (csrss.exe), Notepad (notepad.exe), Virtual DOS Machine (ntvdm.exe), the Win32 and Interix subsystems. Kernel mode: Executive services (I/O, IPC, memory, processes, security, window manager, PnP, graphics controller), Object Manager, file system and device drivers, microkernel, Hardware Abstraction Layer (HAL).
Applications, processes and threads:
An application is formed by one or more processes.
A process is an in-memory executable, made up of one or more threads and its resources.
A thread is the basic unit of execution and scheduling in the OS.

… is it really worth it?

Other good reasons…

Win32 Virtual Memory Addressing (I) (diagram): every process (sqlsrv.exe, Process 1, Process 2, … Process n), each with its own threads (Thread 1, Thread 2, … Thread n), sees a 4 GB virtual address space: 2 GB for the process and 2 GB for the kernel.

Win32 Virtual Memory Addressing (II)
Thread call stacks: a call stack shows part of the history of the function calls of the thread. Each thread has its own call stack, e.g.:
ntdll!KiFastSystemCallRet
USER32!NtUserGetMessage+0xc
notepad!WinMain+0xe5
notepad!WinMainCRTStartup+0x174
kernel32!BaseProcessStart+0x23

Call Stacks (I): each thread of the process has its own call stack.

Call Stacks (II): each frame has the following structure: parameters, return address, frame pointer, exception handler, local variables, registers.

Symbols make the call stack useful.
Without symbols: kernel32!+136aa
With symbols: kernel32!CreateFileW+0x35f
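The frames above are what a practitioner reads first in a dump, and the "module!+offset" form is the tell-tale sign that symbols for that module are missing. The following parser, added here as an example and not code from the presentation, splits WinDbg-style frames into module, function and offset and reports which modules still need symbols; the sample stack is constructed from the frames shown on the slides.

```python
import re
from typing import List, NamedTuple, Optional

# One frame as WinDbg's 'k' command prints it: module!function+0xoffset.
# A frame with no function name (e.g. "kernel32!+136aa") means no symbols
# were loaded for that module, so only module + raw offset is known.
FRAME_RE = re.compile(
    r"^(?P<module>[^!\s]+)!(?P<function>[^+\s]*)(?:\+(?:0x)?(?P<offset>[0-9a-fA-F]+))?$"
)


class Frame(NamedTuple):
    module: str
    function: Optional[str]  # None when symbols are missing for the module
    offset: int              # offset from the function start (or from the module, if unresolved)


def parse_frame(text: str) -> Frame:
    """Parse a single 'module!function+0xoffset' string."""
    m = FRAME_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a WinDbg frame: {text!r}")
    function = m.group("function") or None
    offset = int(m.group("offset"), 16) if m.group("offset") else 0
    return Frame(m.group("module"), function, offset)


def parse_stack(lines) -> List[Frame]:
    """Parse a call stack listing, top frame first, skipping blank lines."""
    return [parse_frame(line) for line in lines if line.strip()]


def unresolved_modules(frames) -> List[str]:
    """Modules that appear in the stack without symbols: the ones whose .pdb
    the symbol server still has to supply before the stack becomes useful."""
    return sorted({f.module for f in frames if f.function is None})


# Constructed sample: the notepad stack from the slide plus one frame without
# symbols, in the form the 'Symbols' slide shows.
SAMPLE_STACK = """
ntdll!KiFastSystemCallRet
USER32!NtUserGetMessage+0xc
notepad!WinMain+0xe5
notepad!WinMainCRTStartup+0x174
kernel32!+136aa
""".splitlines()


if __name__ == "__main__":
    frames = parse_stack(SAMPLE_STACK)
    for f in frames:
        print(f)
    print("modules without symbols:", unresolved_modules(frames))
```

The offset is parsed with or without the 0x prefix because the slide shows both spellings; a frame that resolves to a function name with no "+offset" part is treated as offset 0.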
Symbol formats:
Current format: .PDB
Old format: .DBG
Retail vs. Debug (Free vs. Checked) builds
Private symbols vs. public symbols

Symbol servers use the file system as a symbol database, organized by name and a unique identifier.
Folder structure: SymSrv\file_name.pdb\unique_number\...
e.g.: Symbols\ntdll.pdb\B5EDCA52\ntdll.pdb, Symbols\ntdll.pdb\80FCC4F2\ntdll.pdb
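The two ntdll.pdb entries on the slide illustrate why the unique identifier is part of the path: several builds of the same module can sit side by side and the debugger picks the one matching the dump. The helpers below, added as an example rather than taken from the presentation or from any Microsoft tool, build that path, index a store and look up one build. The sample store is constructed from the slide's two ntdll.pdb entries plus a made-up kernel32.pdb entry; the GUID+age and timestamp+SizeOfImage identifier functions are an assumption drawn from the standard symbol-server convention, since the slide only shows the older 8-hex-digit identifiers.

```python
import uuid
from typing import Dict, List, Optional

SEP = "\\"  # symbol stores are Windows directory trees


def symstore_path(file_name: str, unique_id: str, root: str = "Symbols") -> str:
    """Path of one symbol file inside a store: <root>\\<file_name>\\<unique_id>\\<file_name>."""
    return SEP.join((root, file_name, unique_id, file_name))


def pdb_unique_id(guid: str, age: int) -> str:
    """Unique id of a modern PDB: its GUID as 32 upper-case hex digits followed by the
    age in hex with no padding. (Assumed from the standard symbol-server convention;
    the slide only shows the older 8-hex-digit ids.)"""
    return uuid.UUID(guid).hex.upper() + format(age, "X")


def pe_unique_id(timestamp: int, size_of_image: int) -> str:
    """Unique id of a PE image (.exe/.dll) in a store: link timestamp as 8 hex digits
    followed by SizeOfImage in hex. (Same convention, same assumption.)"""
    return f"{timestamp:08X}{size_of_image:X}"


def index_store(paths) -> Dict[str, List[str]]:
    """Group the files found in a store by name -> list of unique ids present,
    i.e. which builds of each module you actually hold symbols for."""
    index: Dict[str, List[str]] = {}
    for p in paths:
        parts = p.split(SEP)
        if len(parts) != 4 or parts[1] != parts[3]:
            continue  # not a <root>\name\id\name entry
        index.setdefault(parts[1], []).append(parts[2])
    return index


def lookup(paths, file_name: str, unique_id: str, root: str = "Symbols") -> Optional[str]:
    """Return the one file matching both name and id, or None when the store lacks
    that build (the debugger then falls back to 'module!+offset' frames)."""
    wanted = symstore_path(file_name, unique_id, root)
    return wanted if wanted in set(paths) else None


# Constructed sample store: the two ntdll.pdb builds from the slide plus one
# made-up kernel32.pdb entry.
SAMPLE_STORE = [
    "Symbols\\ntdll.pdb\\B5EDCA52\\ntdll.pdb",
    "Symbols\\ntdll.pdb\\80FCC4F2\\ntdll.pdb",
    "Symbols\\kernel32.pdb\\0123ABCD\\kernel32.pdb",
]


if __name__ == "__main__":
    print(index_store(SAMPLE_STORE))
    print(lookup(SAMPLE_STORE, "ntdll.pdb", "80FCC4F2"))
```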
Demo 1: Scheduler Non-Yielding

Scenario: a customer's SQL Server 2000 is hanging, showing 17883 errors in SQL Server's ErrorLog. When these errors occur, SQL Server automatically triggers the creation of a dump.
…
2007-02-12 11:17:14.10 server    Error: 17883, Severity: 1, State: 0
2007-02-12 11:17:14.10 server    Process 59:0 (834) UMS Context 0x125ABD80 appears to be non-yielding on Scheduler 1.
…
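Before opening the dump it helps to know how many 17883 events the ErrorLog holds and which scheduler they hit, since the slide says each occurrence triggers a dump. The parser below is an added example, not code from the presentation: it pairs each "Error: 17883" line with the detail line that follows it and counts events per scheduler. The sample ErrorLog is constructed from the slide's two lines plus a second occurrence and an unrelated startup message.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed ERRORLOG excerpt in the format of the slide's two 17883 lines,
# padded with a second occurrence and an unrelated startup message.
SAMPLE_ERRORLOG = """\
2007-02-12 11:17:14.10 server    Error: 17883, Severity: 1, State: 0
2007-02-12 11:17:14.10 server    Process 59:0 (834) UMS Context 0x125ABD80 appears to be non-yielding on Scheduler 1.
2007-02-12 11:18:14.10 server    Error: 17883, Severity: 1, State: 0
2007-02-12 11:18:14.10 server    Process 59:0 (834) UMS Context 0x125ABD80 appears to be non-yielding on Scheduler 1.
2007-02-12 11:20:01.50 spid12    Starting up database 'tempdb'.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) (?P<source>\S+)\s+(?P<msg>.*)$")
ERROR_RE = re.compile(r"^Error: (?P<number>\d+), Severity: (?P<severity>\d+), State: (?P<state>\d+)$")
NONYIELD_RE = re.compile(
    r"^Process (?P<proc>\S+) \((?P<pid>\d+)\) UMS Context (?P<ctx>0x[0-9A-Fa-f]+) "
    r"appears to be non-yielding on Scheduler (?P<sched>\d+)\.$"
)

NON_YIELDING_SCHEDULER = 17883  # the error number shown on the slide


class NonYieldEvent(NamedTuple):
    when: datetime
    process: str
    pid: int
    ums_context: int
    scheduler: int


def parse_errorlog(text: str) -> List[NonYieldEvent]:
    """Pair each 'Error: 17883' line with the detail line that follows it from the
    same source and return one event per occurrence; other lines are ignored."""
    events: List[NonYieldEvent] = []
    pending = None  # (timestamp, source) of a 17883 error awaiting its detail line
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        err = ERROR_RE.match(m["msg"])
        if err and int(err["number"]) == NON_YIELDING_SCHEDULER:
            pending = (when, m["source"])
            continue
        detail = NONYIELD_RE.match(m["msg"])
        if pending and detail and m["source"] == pending[1]:
            events.append(NonYieldEvent(when, detail["proc"], int(detail["pid"]),
                                        int(detail["ctx"], 16), int(detail["sched"])))
        pending = None  # a detail line never pairs with anything but the error just before it
    return events


def events_per_scheduler(events) -> Dict[int, int]:
    """Occurrences per scheduler: repeated hits on one scheduler point at a stuck
    worker there, and each hit is one dump to look for on disk."""
    return dict(Counter(e.scheduler for e in events))


if __name__ == "__main__":
    evs = parse_errorlog(SAMPLE_ERRORLOG)
    for e in evs:
        print(e)
    print(events_per_scheduler(evs))
```

The pairing rule is deliberately strict: a detail line only counts when it directly follows a 17883 line from the same source, so interleaved messages from other spids do not produce phantom events.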
Demo 2: DBCC CHECKDB

Demo 3: Cluster Resources

Managed debugging with .NET: WinDbg is a native debugger. In order to debug .NET code we need to use debugger extensions: SOS.dll (until .NET Framework 3.5), CLR.dll (Framework 4.0). Why all this? Is it worth it?

Demo 4: Managed debugging with SOS

Some cool tips… Did we really get to this slide in time?! Well, enjoy some free tips: using SOS from VS.NET; memory dump analysis from inside VS2010.

Resources:
pablod@plainconcepts.com
@Plain Concepts: http://www.geeks.ms/blogs/palvarez, http://www.geeks.ms/blogs/rcorral, http://www.geeks.ms/blogs/luisguerrero
@MSDN: http://blogs.msdn.com/tess/
Books: Microsoft Windows Internals, 5th Ed. [Mark E. Russinovich and David A. Solomon], Microsoft Press. Debugging Applications for Microsoft .NET and Microsoft Windows [John Robbins], Microsoft Press.

Any questions? Thanks!