A Windows kernel dump C++ parser library with Python 3 bindings.

0vercl0k/kdmp-parser


This C++ library parses Windows kernel full dumps (.dump /f in WinDbg), BMP dumps (.dump /ka in WinDbg) as well as more recent dump types that were introduced in ~2022.


The library supports loading 64-bit dumps and provides read access to things like:

  • The context record,
  • The exception record,
  • The bugcheck parameters,
  • The physical memory.

Compiled binaries are available in the releases section.

Special thanks to:

Parser

The parser.exe application dumps various information about the dump file: exception record, context record, etc.

```
>parser.exe -c -e -p 0x1000 full.dmp
--------------------------------------------------------------------------------
Context Record:
  rax=0000000000000003 rbx=fffff8050f4e9f70 rcx=0000000000000001
  rdx=fffff805135684d0 rsi=0000000000000100 rdi=fffff8050f4e9f80
  rip=fffff805108776a0 rsp=fffff805135684f8 rbp=fffff80513568600
   r8=0000000000000003  r9=fffff805135684b8 r10=0000000000000000
  r11=ffffa8848825e000 r12=fffff8050f4e9f80 r13=fffff80510c3c958
  r14=0000000000000000 r15=0000000000000052
  cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b                 efl=00040202
  fpcw=0000    fpsw=0000    fptw=0001
    st0=fffff80510bbf000fffff80510c3c9c0       st1=0005e5a800ab2000fffff805106b3000
    st2=4000000000200000fffff80510beaea8       st3=000000000a0d656c69666f7250206465
    st4=0000000a0d656c69666f725000000010       st5=0000000000000000fffff80510b16900
    st6=0000000000000000fffff805133e9000       st7=fffff47c02899f480000000000000000
   xmm0=000000000a0d656c69666f7250206465      xmm1=0000000a0d656c69666f725000000010
   xmm2=0000000000000000fffff80510b16900      xmm3=0000000000000000fffff805133e9000
   xmm4=fffff47c02899f480000000000000000      xmm5=00000000000000000000000000000000
   xmm6=00000000000000000000000000000000      xmm7=00000000000000000000000000000000
   xmm8=00000000000000000000000000000000      xmm9=00000000000000000000000000000000
  xmm10=00000000000000000000000000000000     xmm11=00000000000000000000000000000000
  xmm12=00000000000000000000000000000000     xmm13=00000000000000000000000000000000
  xmm14=00000000000000000000000000000000     xmm15=00000000000000000000000000000000
--------------------------------------------------------------------------------
Exception Record:
  KDMP_PARSER_EXCEPTION_RECORD64
    +0x0000: ExceptionCode            : 0x80000003.
    +0x0004: ExceptionFlags           : 0x00000000.
    +0x0008: ExceptionRecord          : 0x0000000000000000.
    +0x0010: ExceptionAddress         : 0xfffff805108776a0.
    +0x0018: NumberParameters         : 0x00000001.
    +0x0020: ExceptionInformation[0]  : 0x0000000000000000.
    +0x0028: ExceptionInformation[1]  : 0x0000000000000000.
    +0x0030: ExceptionInformation[2]  : 0xffffa8848825e000.
    +0x0038: ExceptionInformation[3]  : 0x00000000000002c0.
    +0x0040: ExceptionInformation[4]  : 0xfffff80511022203.
    +0x0048: ExceptionInformation[5]  : 0x0000000000004280.
    +0x0050: ExceptionInformation[6]  : 0xfffff80510880524.
    +0x0058: ExceptionInformation[7]  : 0xffffa88488282360.
    +0x0060: ExceptionInformation[8]  : 0x0000000000000280.
    +0x0068: ExceptionInformation[9]  : 0xfffff805135683d8.
    +0x0070: ExceptionInformation[10] : 0xffffa8848d9d6fb0.
    +0x0078: ExceptionInformation[11] : 0x0000000000004280.
    +0x0080: ExceptionInformation[12] : 0x00001f8001004280.
    +0x0088: ExceptionInformation[13] : 0x0000000000000003.
    +0x0090: ExceptionInformation[14] : 0xfffff80513568578.
--------------------------------------------------------------------------------
Physical memory:
00001000: 00 00 00 00 00 00 00 00 00 00 f9 ff 00 00 00 00  |................|
00001010: 00 06 01 01 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00001020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00001030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00001040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00001050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00001060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00001070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00001080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00001090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
000010a0: 00 00 00 00 00 00 00 00 00 a0 87 00 00 00 00 00  |................|
000010b0: ff ff ff ff ff ff ff ff 00 00 60 11 05 f8 ff ff  |..........`.....|
000010c0: 00 90 2f 00 00 00 00 00 ff ff ff ff 03 80 ff ff  |../.............|
000010d0: f8 00 00 c0 c1 f7 ff ff 00 00 00 00 03 00 00 00  |................|
000010e0: f8 00 00 c0 c1 f7 ff ff 00 00 00 00 03 00 00 00  |................|
000010f0: 00 00 00 00 00 00 00 00 70 37 01 c0 c1 f7 ff ff  |........p7......|
...
```

Building

You can build it yourself using CMake; it builds on Linux, Windows and OSX with the Microsoft, LLVM Clang and GNU compilers.

Here is an example on Windows:

```
> mkdir build
> cd build
> cmake ..
-- Building for: Visual Studio 17 2022
...
> cmake --build . --config RelWithDebInfo
MSBuild version 17.8.3+195e7f5a3 for .NET Framework
...
> src\parser\RelWithDebInfo\parser.exe
You didn't provide the path to the dump file.

parser.exe [-p [<physical address>]] [-c] [-e] [-h] <kdump path>

Examples:
  Show every structures of the dump:
    parser.exe -a full.dmp
  Show the context record:
    parser.exe -c full.dmp
  Show the exception record:
    parser.exe -e full.dmp
  Show all the physical memory (first 16 bytes of every pages):
    parser.exe -p full.dmp
  Show the context record as well as the page at physical address 0x1000:
    parser.exe -c -p 0x1000 full.dmp
```

Here is another example on Linux (with the Python bindings):

```
$ mkdir build
$ cd build
$ cmake .. -DBUILD_PYTHON_BINDING=ON
...
$ cmake --build . --config RelWithDebInfo
...
$ ./src/parser/parser
You didn't provide the path to the dump file.

parser.exe [-p [<physical address>]] [-c] [-e] [-h] <kdump path>

Examples:
  Show every structures of the dump:
    parser.exe -a full.dmp
  Show the context record:
    parser.exe -c full.dmp
  Show the exception record:
    parser.exe -e full.dmp
  Show all the physical memory (first 16 bytes of every pages):
    parser.exe -p full.dmp
  Show the context record as well as the page at physical address 0x1000:
    parser.exe -c -p 0x1000 full.dmp
```

Python bindings

From PyPI

The easiest way is simply to:

```
pip install kdmp_parser
```

Using PIP

Run the following after installing CMake and Python 3.8+ / pip:

```
cd src/python
pip install -r requirements.txt
pip install .
```

To create a wheel package:

```
cd src/python
pip wheel .
```

Usage

Get the context record and print the program counter

```python
import kdmp_parser

dmp = kdmp_parser.KernelDumpParser("full.dmp")
assert dmp.type == kdmp_parser.DumpType.FullDump
print(f"Dump RIP={dmp.context.Rip:#x}")
```

Read the virtual memory page at the address pointed to by RIP

```python
import kdmp_parser

dmp = kdmp_parser.KernelDumpParser("full.dmp")
dmp.read_virtual_page(dmp.context.Rip)
```

Explore the physical memory

```python
import kdmp_parser

dmp = kdmp_parser.KernelDumpParser("full.dmp")
pml4 = dmp.directory_table_base
print(f"{pml4=:#x}")
dmp.read_physical_page(pml4)
```

Translate a virtual address into a physical address

```python
import kdmp_parser

dmp = kdmp_parser.KernelDumpParser("full.dmp")
VA = dmp.context.Rip
PA = dmp.translate_virtual(VA)
print(f"{VA=:#x} -> {PA=:#x}")
```

Authors

Contributors

