Friday, July 31, 2009

Grabs From The Gallery

Here are some grabs from HayWire. Clicking on an image will enlarge it for you to the full 640x480.

While Haywire has a lot of options for how to project memory contents onto the screen, they typically involve things like pixel format, columns per page, column width, starting address. The only post-production I do is to run them through JPEG compression so they are smaller and don't get me in trouble for software piracy or leak my darkest secrets.

This image comes from the WinLogon part of Windows, which is the program that asks for your name and password. I also found this image there. (I usually run a pretty bare system and don't use background screens, screen savers, etc. It keeps the debugging tractable.)





The program has an option that dumps arbitrary files on the hard drive as well as memory resident stuff. You can use that feature to view crashdumps, program and data files, and in the above case, a huge AVI file that was stored months earlier, uncompressed.




One of the most useful features is perspective rendering. It lets me quadruple the amount of info on the screen. I just call a warp subroutine and don't use DirectX-3D, which makes the program slower but less configuration-dependent.

This image came from Firefox. I think the graphic was on the FrameWave web page describing a high-performance multimedia processing library. The graphic didn't look anything like it does here when I saw it on the web at some earlier time.




What happens when you fly over the memory that the system uses to generate the video display? It makes video feedback! The system dumps video memory to the video memory, creating an infinite mirror effect. (This slows everything down by a factor of 4). The way-cool animated effects are worth it.




The perspective display mode lets you adjust the vanishing points and orientation much the way an elaborate view camera does. Here is the flyover screen turned into a video wall effect. Heck - it may even turn into a flight simulator program with video game enemies made out of the resident icons.



Another "stairway to heaven" type effect. There are many ways to work with video feedback; most of them really deserve to be presented as animations. I already have the code in there for that, I just need to fix a few things and voila! my hard disk is full again!





This last one comes from the Windows Explorer (not Internet Explorer, but the program that MacHeads call the Finder) which draws windows, icons, trash cans, etc. It has this rocket blastoff image in there too, and I have no idea why.

Thursday, July 30, 2009

Haywire Screen Dumps

Haywire has a dump button. Whatever is in the video screen window goes into a capture folder as a 640x480x32 bit BMP file. Whenever I see something strange, cool, or unusual, I push the button and eventually go through the directory and preserve the most interesting stuff.

This dump shows an example (from several months ago) of what the GUI looked like then. (It's been improved since.)


As a way of figuring out how Blogger feels about screen dumps, here are a few of them from my archive, which goes back 8 months or so.


This dump is from inside Firefox - which is home to lots of unusual imagery.

... and yes, you can see if somebody has visited a porn site - as long as they haven't powered the machine down or done something "anti-forensic".

Here is a shot of my development environment (VS-2005), taken on my birthday. It shows the 4 screen regions which are shown on the most complex interface screen. Left is the page map, Top is the main dump screen, Bottom is the exploratory dump screen, and between top and bottom is the spectrogram display.

The spectrogram display shows the autocorrelation spectra of 8192 pixels starting at the cross-hair point (or 8-12 video lines). Stated more simply, I compare the image with itself, offset by one pixel, two pixels, three pixels, and so on. The computer calculates how close the resemblance is, and shows a peak on the graph, with the best matches standing taller.

The next two images show this effect. I am sniffing around in memory, looking at a DLL that Windows provides and that has many icons in it.


The yellow tab at the top of the screen sets the horizontal size of the image decode for the bottom pane. I also have column-wrap turned on so you can see farther down in memory.
The position of the yellow tab is drawn as a dashed line in the spectrogram area.

By moving the yellow tab closer to the large peak slightly to the right, you can see why this is a useful tool:



Isn't comparing an image to itself 8192 times and scoring the results rather slow?

It can be, or you can do it much faster using the Fast Fourier Transform - which ranks high on my list of the most important inventions of the 20th Century. FFT Geeks should be able to follow this description: I convert 8192 32-bit pixels to 16384 complex numbers by padding with zeros. (This helps control distortion). I run a forward FFT, then square each value in the frequency domain, run an inverse FFT and then take the complex conjugate, scale and plot the result.
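An added sketch of this width-finding trick (not HayWire's code): a zero-padded FFT autocorrelation over a constructed 8192-sample buffer, taking the tallest peak as the row width. It uses the textbook power-spectrum form and a plain recursive FFT instead of a SPIRAL-generated one; the function names and the sample buffer are assumptions made for the example.

```python
import cmath
import random

def fft(x, inverse=False):
    """Recursive radix-2 FFT; len(x) must be a power of two (unscaled)."""
    n = len(x)
    if n == 1:
        return list(x)
    even = fft(x[0::2], inverse)
    odd = fft(x[1::2], inverse)
    sign = 1 if inverse else -1
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(sign * 2j * cmath.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out

def autocorrelation(samples):
    """Linear autocorrelation: zero-pad, FFT, power spectrum, inverse FFT."""
    n = len(samples)
    mean = sum(samples) / n
    # Padding to 2n keeps the far end from wrapping around onto the start.
    padded = [s - mean for s in samples] + [0.0] * n
    power = [abs(v) ** 2 for v in fft(padded)]
    corr = fft(power, inverse=True)
    # Normalise so that lag 0 (image compared with itself, no offset) is 1.0.
    return [c.real / corr[0].real for c in corr[:n]]

def guess_row_width(samples, min_lag=8, max_lag=1024):
    """Return the pixel offset with the tallest autocorrelation peak."""
    ac = autocorrelation(samples)
    return max(range(min_lag, max_lag), key=lambda lag: ac[lag])

def make_constructed_buffer(width=96, count=8192, seed=1):
    """Constructed sample: near-identical image rows flattened into 1-D memory."""
    rng = random.Random(seed)
    row = [rng.randrange(256) for _ in range(width)]
    return [min(255, max(0, row[i % width] + rng.randrange(-20, 21)))
            for i in range(count)]

if __name__ == "__main__":
    print("estimated row width:", guess_row_width(make_constructed_buffer()))
```
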

The FFT routine is very fast and very complicated. It was created by a system called SPIRAL, which is a genetic and heuristic algorithm for creating FFT programs (and related stuff like DCT, etc.). You go to their web page, describe the accuracy, number of samples, and so on, and it hands back a C program with lots of assignment statements which take values from various places in a large array and stuff results into another array. They take into consideration stuff like memory cache architecture on the target machine. The code is ugly but it's plenty fast.

Fast enough to be amazing to this old bird. Floating point used to be radically slower than integer math - that difference has disappeared.

HayWire, Haystack, and Barnburner

... are the names of 3 parts of my latest software release.

There is a lot more about them on the Seductive Logic home page, where one can download this stuff and play along at home.

For those who want to stay put, HayWire is a program for viewing your computer's memory contents on a video screen in real time. You dial in a hexadecimal address somewhere inside a program running on your machine and you see the bits mutate before your very eyes.

The program started out as a 4 hour hack to evaluate a plug-in framework for the Freeframe open-source video effects plug-in standard. Rather than just doing something simple like contrast and brightness, I thought I would copy memory into the buffer from a user-selected address. It worked, and then it got way out of hand...

One impetus for this was Dmitry Vostokov, whom I discovered while looking for debugging tools. He has a program that turns crash-dumps into fascinating pictures, among a wide variety of diverse excursions around the crash-dump analysis discipline that has to be seen to be believed.

I sent him a copy of the video plug-in and a host program, and he had a look at it, then he grabbed the SourceForge version and played with that too. He wrote back and suggested doing a book project - which will get underway in earnest soon. (I am finishing the program now).

Anyway, the plug-in is still in there, with much more capability. The host program bloomed from a property page into a full-blown rich-multimedia-application framework.

A few minutes before starting this blog I discovered something amazing playing with the program. I will write about it soon, after I get a better idea of what the limits of this blog program are.

http://www.dumpanalysis.org/blog/index.php/about/