A Windows kernel dump C++ parser library with Python 3 bindings.
0vercl0k/kdmp-parser
This C++ library parses Windows kernel full dumps (`.dump /f` in WinDbg), BMP dumps (`.dump /ka` in WinDbg) as well as more recent dump types that were introduced in ~2022.
The library supports loading 64-bit dumps and provides read access to things like:
- The context record,
- The exception record,
- The bugcheck parameters,
- The physical memory.
Compiled binaries are available in the releases section.
Special thanks to:
- hugsy for numerous contributions: the new Python bindings, CI improvements, new dump types, etc.,
- masthoon for the initial version of the Python bindings,
- yrp604 for being knowledgeable about the format,
- the rekall project and their Python implementation (most of the structures in `kdmp-parser-structs.h` have been adapted from it).
The `parser.exe` application is able to dump various information about the dump file: exception record, context record, etc.

```text
>parser.exe -c -e -p 0x1000 full.dmp
--------------------------------------------------------------------------------
Context Record:
  rax=0000000000000003 rbx=fffff8050f4e9f70 rcx=0000000000000001
  rdx=fffff805135684d0 rsi=0000000000000100 rdi=fffff8050f4e9f80
  rip=fffff805108776a0 rsp=fffff805135684f8 rbp=fffff80513568600
   r8=0000000000000003  r9=fffff805135684b8 r10=0000000000000000
  r11=ffffa8848825e000 r12=fffff8050f4e9f80 r13=fffff80510c3c958
  r14=0000000000000000 r15=0000000000000052
  cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
  fpcw=0000 fpsw=0000 fptw=0001
  st0=fffff80510bbf000fffff80510c3c9c0 st1=0005e5a800ab2000fffff805106b3000
  st2=4000000000200000fffff80510beaea8 st3=000000000a0d656c69666f7250206465
  st4=0000000a0d656c69666f725000000010 st5=0000000000000000fffff80510b16900
  st6=0000000000000000fffff805133e9000 st7=fffff47c02899f480000000000000000
  xmm0=000000000a0d656c69666f7250206465 xmm1=0000000a0d656c69666f725000000010
  xmm2=0000000000000000fffff80510b16900 xmm3=0000000000000000fffff805133e9000
  xmm4=fffff47c02899f480000000000000000 xmm5=00000000000000000000000000000000
  xmm6=00000000000000000000000000000000 xmm7=00000000000000000000000000000000
  xmm8=00000000000000000000000000000000 xmm9=00000000000000000000000000000000
  xmm10=00000000000000000000000000000000 xmm11=00000000000000000000000000000000
  xmm12=00000000000000000000000000000000 xmm13=00000000000000000000000000000000
  xmm14=00000000000000000000000000000000 xmm15=00000000000000000000000000000000
--------------------------------------------------------------------------------
Exception Record:
KDMP_PARSER_EXCEPTION_RECORD64
  +0x0000: ExceptionCode : 0x80000003.
  +0x0004: ExceptionFlags : 0x00000000.
  +0x0008: ExceptionRecord : 0x0000000000000000.
  +0x0010: ExceptionAddress : 0xfffff805108776a0.
  +0x0018: NumberParameters : 0x00000001.
  +0x0020: ExceptionInformation[0] : 0x0000000000000000.
  +0x0028: ExceptionInformation[1] : 0x0000000000000000.
  +0x0030: ExceptionInformation[2] : 0xffffa8848825e000.
  +0x0038: ExceptionInformation[3] : 0x00000000000002c0.
  +0x0040: ExceptionInformation[4] : 0xfffff80511022203.
  +0x0048: ExceptionInformation[5] : 0x0000000000004280.
  +0x0050: ExceptionInformation[6] : 0xfffff80510880524.
  +0x0058: ExceptionInformation[7] : 0xffffa88488282360.
  +0x0060: ExceptionInformation[8] : 0x0000000000000280.
  +0x0068: ExceptionInformation[9] : 0xfffff805135683d8.
  +0x0070: ExceptionInformation[10] : 0xffffa8848d9d6fb0.
  +0x0078: ExceptionInformation[11] : 0x0000000000004280.
  +0x0080: ExceptionInformation[12] : 0x00001f8001004280.
  +0x0088: ExceptionInformation[13] : 0x0000000000000003.
  +0x0090: ExceptionInformation[14] : 0xfffff80513568578.
--------------------------------------------------------------------------------
Physical memory:
00001000: 00 00 00 00 00 00 00 00 00 00 f9 ff 00 00 00 00 |................|
00001010: 00 06 01 01 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000010a0: 00 00 00 00 00 00 00 00 00 a0 87 00 00 00 00 00 |................|
000010b0: ff ff ff ff ff ff ff ff 00 00 60 11 05 f8 ff ff |..........`.....|
000010c0: 00 90 2f 00 00 00 00 00 ff ff ff ff 03 80 ff ff |../.............|
000010d0: f8 00 00 c0 c1 f7 ff ff 00 00 00 00 03 00 00 00 |................|
000010e0: f8 00 00 c0 c1 f7 ff ff 00 00 00 00 03 00 00 00 |................|
000010f0: 00 00 00 00 00 00 00 00 70 37 01 c0 c1 f7 ff ff |........p7......|
...
```
You can build it yourself using CMake; it builds on Linux, Windows and OSX with the Microsoft, LLVM Clang and GNU compilers.

Here is an example on Windows:

```text
> mkdir build
> cd build
> cmake ..
-- Building for: Visual Studio 17 2022
...
> cmake --build . --config RelWithDebInfo
MSBuild version 17.8.3+195e7f5a3 for .NET Framework
...
> src\parser\RelWithDebInfo\parser.exe
You didn't provide the path to the dump file.

parser.exe [-p [<physical address>]] [-c] [-e] [-h] <kdump path>

Examples:
  Show every structures of the dump:
    parser.exe -a full.dmp
  Show the context record:
    parser.exe -c full.dmp
  Show the exception record:
    parser.exe -e full.dmp
  Show all the physical memory (first 16 bytes of every pages):
    parser.exe -p full.dmp
  Show the context record as well as the page at physical address 0x1000:
    parser.exe -c -p 0x1000 full.dmp
```
Here is another example on Linux (with the Python bindings):

```text
$ mkdir build
$ cd build
$ cmake .. -DBUILD_PYTHON_BINDING=ON
...
$ cmake --build . --config RelWithDebInfo
...
$ ./src/parser/parser
You didn't provide the path to the dump file.

parser.exe [-p [<physical address>]] [-c] [-e] [-h] <kdump path>

Examples:
  Show every structures of the dump:
    parser.exe -a full.dmp
  Show the context record:
    parser.exe -c full.dmp
  Show the exception record:
    parser.exe -e full.dmp
  Show all the physical memory (first 16 bytes of every pages):
    parser.exe -p full.dmp
  Show the context record as well as the page at physical address 0x1000:
    parser.exe -c -p 0x1000 full.dmp
```
The easiest way to get the Python bindings is simply to:

```text
pip install kdmp_parser
```
To build the bindings from source, run the following after installing CMake and Python 3.8+ / pip:

```text
cd src/python
pip install -r requirements.txt
pip install .
```
To create a wheel package:

```text
cd src/python
pip wheel .
```
Open a dump, check its type and read the saved RIP from the context record:

```python
import kdmp_parser

dmp = kdmp_parser.KernelDumpParser("full.dmp")
# Make sure this is a full dump before relying on the whole physical memory being present.
assert dmp.type == kdmp_parser.DumpType.FullDump
print(f"Dump RIP={dmp.context.Rip:#x}")
```

Read the virtual memory page that contains RIP:

```python
import kdmp_parser

dmp = kdmp_parser.KernelDumpParser("full.dmp")
# Returns the 4 KiB page backing the virtual address of RIP.
dmp.read_virtual_page(dmp.context.Rip)
```

Read a physical memory page, here the PML4 pointed to by the directory table base:

```python
import kdmp_parser

dmp = kdmp_parser.KernelDumpParser("full.dmp")
pml4 = dmp.directory_table_base
print(f"{pml4=:#x}")
# Physical read: no address translation happens here.
dmp.read_physical_page(pml4)
```

Translate a virtual address into its physical address:

```python
import kdmp_parser

dmp = kdmp_parser.KernelDumpParser("full.dmp")
VA = dmp.context.Rip
# Walks the page tables of the dump starting at the directory table base.
PA = dmp.translate_virtual(VA)
print(f"{VA=:#x} -> {PA=:#x}")
```
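The `translate_virtual`, `directory_table_base` and `read_physical_page` APIs above fit together as an x64 page-table walk; the following added example (my own code, not part of kdmp-parser) implements that walk on top of a page-read callback so you can cross-check the library's translation, and handles not-present entries and large pages. It runs against constructed in-memory tables; the optional `__main__` block assumes `read_physical_page` accepts a page-aligned physical address and returns the page bytes.

```python
import struct
from typing import Callable, Optional

PAGE = 0x1000
PRESENT, LARGE = 1 << 0, 1 << 7     # PxE bit 0 = present, bit 7 = large page (PDPTE/PDE)
ADDR_MASK = 0x000ffffffffff000      # bits 12..51 of an entry hold the next physical address

def walk_page_tables(read_page: Callable[[int], Optional[bytes]], cr3: int, va: int) -> Optional[int]:
    """4-level x64 walk VA -> PA, i.e. what dmp.translate_virtual(VA) does for you.
    read_page(pa) returns the 4 KiB page holding pa, or None if the dump lacks it.
    Returns None when any level is missing from the dump or not present."""
    table = cr3 & ~0xfff                               # low CR3 bits are flags (PCID/PWT/PCD)
    for shift in (39, 30, 21, 12):                     # PML4E, PDPTE, PDE, PTE
        page = read_page(table)
        if page is None:
            return None
        entry, = struct.unpack_from("<Q", page, ((va >> shift) & 0x1ff) * 8)
        if not entry & PRESENT:
            return None
        table = entry & ADDR_MASK
        if entry & LARGE and shift in (30, 21):        # 1 GiB or 2 MiB page: stop early
            return (table & ~((1 << shift) - 1)) | (va & ((1 << shift) - 1))
    return table | (va & 0xfff)

def build_demo_memory(cr3: int, va: int, pa: int) -> dict:
    """Constructed sample physical memory: four tables mapping one 4 KiB page va -> pa."""
    tables = [cr3 + i * PAGE for i in range(4)]
    mem = {t: bytearray(PAGE) for t in tables}
    for tbl, shift, target in zip(tables, (39, 30, 21, 12), tables[1:] + [pa]):
        struct.pack_into("<Q", mem[tbl], ((va >> shift) & 0x1ff) * 8, target | PRESENT)
    return mem

def demo_translate(va: int = 0xfffff805108776a0) -> Optional[int]:
    """Walk the RIP shown in the sample output above through constructed tables."""
    cr3 = 0x1ad000                                     # constructed directory table base
    mem = build_demo_memory(cr3, va, 0x2345000)
    return walk_page_tables(lambda pa: mem.get(pa & ~0xfff), cr3, va)

if __name__ == "__main__":
    import kdmp_parser                                 # cross-check against a real dump
    dmp = kdmp_parser.KernelDumpParser("full.dmp")
    rip = dmp.context.Rip
    # Assumption: read_physical_page takes a page-aligned PA and returns the page bytes.
    pa = walk_page_tables(lambda p: dmp.read_physical_page(p & ~0xfff), dmp.directory_table_base, rip)
    print(f"{rip=:#x} walk={pa:#x} library={dmp.translate_virtual(rip):#x}")
```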
- Axel '@0vercl0k' Souchet