
Common troubleshooting tools and analysis artifacts are worth collecting

2022-06-12 18:40:00 Yangyongzhen

As a software developer, how can we improve our development efficiency and quickly solve the problems we run into during development? From my years of development experience, we need to master a set of common software analysis tools; with these tools, problems can be analyzed and solved quickly and efficiently.

1 Process analysis tools

1.1 ProcessHacker

Function: ProcessHacker is a good process analysis tool. It shows information for every process, including the DLLs a process has loaded, the files it has opened, the registry keys it reads and writes, and so on. It can also dump the memory space of a specific process to a local file and show network connections.

A screenshot of the tool follows:

Note: to view the details of a specific process, double-click the process name in the Processes list.

1.2 ProcessExplorer

Function: ProcessExplorer is a good process analysis tool, officially recommended by Microsoft, with relatively good stability and compatibility. It shows information for all processes, including loaded DLLs, created threads, network connections and so on, and it can also dump a process's memory space to a local file.

1.3 ProcessMonitor

Function: ProcessMonitor is a real-time process activity monitoring tool, officially recommended by Microsoft, also with excellent stability and compatibility. The information it presents is comprehensive, and every opened handle, registry access, network connection and so on is associated with the specific process that performed it.

1.4 XueTr

Function: XueTr (official website www.xuetr.com, abbreviated XT) is a Windows system information viewing tool. It assists in troubleshooting Trojans, backdoors and other malware and can serve as an auxiliary tool for manual virus removal. It is a powerful system information viewer and at the same time a powerful manual anti-virus tool that makes it easy to find viruses and Trojans on a computer; it is well known in the reverse engineering and security communities. Its main functions include:

Viewing of processes, threads, process modules, process windows, process memory, timers and hotkey information; killing processes, killing threads, unloading modules and similar functions.

Registry editor.

Port information view.

Message hook view.

Kernel driver module view, with support for copying a kernel driver module's memory.

SSDT, Shadow SSDT, FSD, Keyboard, TCPIP, Classpnp, Atapi, Acpi, SCSI, Mouse, IDT and GDT information view, with detection and recovery of SSDT hooks and inline hooks.

CreateProcess, CreateThread, LoadImage, CmpCallback, BugCheckCallback, Shutdown, Lego and other notify routine information view, with support for deleting these notify routines.

Detection of disk, volume, keyboard, network-layer and other filter drivers, with support for deleting them.

Detection and recovery of process IAT, EAT, inline hooks and patches.

File system view, supporting basic file operations.

Viewing (and editing) of IE plug-ins, SPI, startup items, services, the Hosts file, image hijacking (IFEO), file associations, system firewall rules and IMEs.

ObjectType hook detection and recovery.

DPC timer detection and deletion.

MBR rootkit detection and repair.

Kernel object hijacking detection.

Other functions needed for manual virus removal, such as repairing LSP and fixing safe mode.

1.5 PCHunter

Function: an enhanced edition of XueTr with almost the same functions; refer to the picture above. PCHunter is the recommended choice, since it fails less often.

1.6 ProcessDump

Function: for a specified process, dumps every module in its address space as a separate file, and can even dump hidden modules (DLLs loaded by the process that are usually injected).

Note: this is a command-line tool.

1.7 PsTools

Function: PsTools is a command-line tool set, officially recommended by Microsoft, with many functions. The sub-tools (commands) it covers are as follows:

2 Traffic analysis tools

2.1 Wireshark

Function: Wireshark is the commonly used network packet capture tool; it can also be used for traffic analysis.

2.2 Colasoft (科来) Network Analysis

Function: a traffic analysis tool from Colasoft. Compared with Wireshark it is relatively easy to use (especially for beginners in traffic analysis); in addition, the tool automatically classifies and counts traffic, which in a sense makes it more convenient.

2.3 TCPView

Function: shows the details of the system's network connections: the process behind each connection, the protocol, source address, source port, connection state and so on. In short, it displays every detail of the currently active connections.

3 Startup item analysis tools

3.1 AutoRuns

Function: a good startup item analysis tool, officially recommended by Microsoft. Anything related to startup items, large or small, can be queried with it, which makes it very convenient to find the startup entry of a virus.

4 Information collection tools

4.1 FastIR

Function: collects the operating system's critical logs and key information to facilitate subsequent evidence collection, troubleshooting and analysis.

4.2 BrowsingHistoryView

Function: collects browser history, making it easy to trace whether access to a domain name or URL originated from user behavior.

5 Auxiliary tools

5.1 Hash

Function: a file hash calculation tool that computes a file's MD5, SHA1 and CRC values. It helps judge whether a file has been tampered with, and the hash can be looked up on a threat intelligence site to check whether the file is known malware.

5.2 ntfsdir

Function: a virus may also keep itself running long-term by creating a service startup entry. Click the Services tab in Autoruns, as shown in the picture, and check for any abnormal service startup entries.

5.3 Unlocker

Function: can forcibly delete files that are hard to delete (including locked files). It must be installed; after installation, choosing "Unlocker" from the right-click menu pops up the following interface:

6 Webshell scanning tools

6.1 wscan

Function: a webshell scanning tool developed in-house by Sangfor (深信服).

6.2 D Shield

Function: D Shield (D盾) is a webshell scanning tool from Di Yuansu Technology (迪元素科技).

7 Dedicated removal tools

7.1 Conficker worm removal

Function: tools for detecting and removing the Conficker (飞客) worm.

Conficker removal tools include KidoKiller (Kaspersky) and TMCleanTool (Trend Micro).

A screenshot of KidoKiller running follows. If all the values in the red boxes are 0, there is no Conficker infection; a non-zero value means the Conficker worm is present.

A screenshot of TMCleanTool running follows; if a threat item is listed, the machine has been hit by the Conficker worm.

7.2 Ramnit removal

Function: a tool for detecting and removing viruses of the Ramnit family.

FxRamnit is Symantec's Ramnit removal tool. Its interface is as follows; click the "Start" button:

Note: because Ramnit is a file-infecting virus, the removal tool runs for a long time; wait patiently (FxRamnit often gives the impression of having hung).

8. Performance testing tool: gperftools

gperftools is a performance analysis tool released by Google. It mainly consists of four components:

1. TCMalloc, a memory allocator

2. Heap-profiler

Heap-profiler is a memory monitor that lets you see memory usage at any time.

3. Heap-checker

Heap-checker is a tool dedicated to detecting memory leaks.

4. Cpu-profiler

Cpu-profiler works mainly by sampling, giving statistics and analysis of the CPU time the program actually uses over a period of time.

For an introduction see: Home · gperftools/gperftools Wiki · GitHub

9. Memory checking tools: Sanitizers

GitHub :https://github.com/google/Sanitizers

Documentation: https://github.com/google/sanitizers/wiki

C++ programs are prone to out-of-bounds access, memory leaks, double frees, dangling pointers and the like. These problems are a novice's nightmare, yet ordinary C++ tutorials never teach how to solve them, so many self-taught learners get burned and are left with a lasting fear of them. In fact there are many tools for locating these problems in C++; the most readily available are the sanitizers, because they are integrated into the compilers (gcc/clang/msvc) and can be used simply by adding the relevant compile options. They catch most of the notoriously terrible memory problems with ease.

Sanitizers is an open-source tool set started by Google that includes AddressSanitizer, MemorySanitizer, ThreadSanitizer and LeakSanitizer. The Sanitizers project is part of the LLVM project, but GNU has also added this family of tools to its own GCC compiler: GCC supports AddressSanitizer and ThreadSanitizer from version 4.8, and LeakSanitizer and UndefinedBehaviorSanitizer from version 4.9. All of them are sharp weapons for finding hidden bugs.

Using sanitizers with gcc/g++:

When compiling with gcc/g++, you only need to set the sanitizer as a compile flag, as follows:

gcc/g++ -fsanitize=address -g -fno-omit-frame-pointer test.cpp

Using sanitizers from CMakeLists:

Set CMAKE_CXX_FLAGS or use add_compile_options, as follows:

set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fno-omit-frame-pointer")

Or use the following :

add_compile_options(-fsanitize=address -fno-omit-frame-pointer)
link_libraries(-fsanitize=address)
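As an added example (not from the original post), the following shell script applies the exact compile options above to a small, deliberately broken C++ program constructed here, then extracts the defect class from the AddressSanitizer report. It assumes g++ with libasan is installed; the file and function names are made up for the example.

```shell
#!/bin/sh
# Added example: build a constructed buggy program with AddressSanitizer
# using the flags from the post and pull the defect class out of the report.
# Assumes g++ with libasan is installed.
set -e
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed test program with two classic defects: a heap buffer overflow
# and a use-after-free. A plain build usually runs this "successfully".
cat > "$WORKDIR/test.cpp" <<'EOF'
#include <cstring>
#include <cstdio>
int main() {
    char *buf = new char[8];
    std::strcpy(buf, "0123456789");   // writes 11 bytes into an 8-byte block
    std::printf("%s\n", buf);
    delete[] buf;
    return buf[0] == '0';             // use-after-free
}
EOF

# Compile with ASan; -g and -fno-omit-frame-pointer keep symbols and frame
# pointers so the report shows readable stack traces with file:line.
build_with_asan() {
    g++ -fsanitize=address -g -fno-omit-frame-pointer \
        -o "$WORKDIR/test" "$WORKDIR/test.cpp"
}

# Run the binary and print the class of the first defect ASan names.
# ASan halts on the first error with a non-zero exit status and writes the
# full report to stderr, so the use-after-free only shows up once the
# overflow is fixed.
first_asan_error() {
    "$WORKDIR/test" 2> "$WORKDIR/asan.log" >/dev/null || true
    grep -o 'ERROR: AddressSanitizer: [a-z-]*' "$WORKDIR/asan.log" \
        | head -n 1 | sed 's/ERROR: AddressSanitizer: //'
}

if command -v g++ >/dev/null 2>&1; then
    build_with_asan
    first_asan_error        # prints: heap-buffer-overflow
else
    echo "g++ not found; install gcc/g++ with libasan to run this example" >&2
fi
```

Read the full report in asan.log: the WRITE line gives the faulting source location and the "allocated by" trace shows where the 8-byte block came from.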

10. Performance profiling tool: perf

Wiki:https://perf.wiki.kernel.org/index.php/Main_Page

perf is a performance analysis (profiling) tool built into the Linux kernel source tree. It is based on event sampling and built on Performance Events, and it is commonly used to find performance bottlenecks and locate hot code.

Performance tuning tools such as perf and OProfile all work by sampling the monitored object. The simplest case is sampling driven by the tick interrupt: a sampling point is triggered inside the tick interrupt, and the program's current context is recorded at that point. Suppose a program spends 90% of its time in the function foo(); then 90% of the sampling points should fall within foo's context. As long as the sampling frequency is high enough and the sampling period long enough, this inference is reliable. So by sampling on the tick, we can find out which parts of the program take the most time and focus on them.

11. Debugger: WinDbg

WinDbg is a powerful debugger for Windows. It is very useful for resolving abnormal software crashes and is one of the tools we use most.

We can statically analyze the dump file captured when an exception occurs, or attach WinDbg dynamically to the target process for debugging. For example, when encountering an infinite loop, dynamic debugging can be used: set code breakpoints in WinDbg to determine in which function the infinite loop occurs.

When troubleshooting exceptions, WinDbg is far more efficient than reading the code directly. Getting started with WinDbg is also relatively simple: you only need to master the common commands, understand the stack layout of function calls and know the principle of stack backtracing. In-depth analysis, however, requires deep software development experience and a foundation in assembly language.

12. API Monitor

This tool can be used to explore which system APIs other software calls when implementing certain functions:

13. Library dependency viewing tool: Dependency Walker

Dependency Walker is a library dependency viewing tool. It shows the exported interfaces of a DLL and the libraries an EXE or DLL depends on. The tool used to ship with Visual Studio; current Visual Studio no longer bundles it, so it must be downloaded from the Dependency Walker website.

This tool is mainly used to troubleshoot "missing library" errors and "entry point (interface) not found" errors when a program starts.


Original site

Copyright notice
This article was written by [Yangyongzhen]; when reposting, please include the original link. Thanks.
https://yzsam.com/2022/163/202206121826198664.html