Crate kdmp_parser

Source
Expand description

kdmp-parser

A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.

This is a cross-platform crate that parses Windows kernel crash-dumps that Windows / WinDbg generates. It exposes read-only access to the physical memory pages as well as the register / exception context. It can also read virtual memory addresses by walking the page tables.

Compiled binaries are available in the releases section.

§Parser

The parser application is a small utility to show-case how to use the library and demonstrate its features. You can use it to dump memory, etc.

parser-usage

Here are the options supported:

A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.

Usage: parser.exe [OPTIONS] <DUMP_PATH>

Arguments:
  <DUMP_PATH>
          The dump path

Options:
      --dump-headers
          Dump the dump headers

  -c, --context-record
          Dump the context record

  -e, --exception-record
          Dump the exception record

  -m, --mem[=<MEM>]
          Dump the first `len` bytes of every physical pages, unless an address is specified

      --virt
          The address specified is interpreted as a virtual address, not a physical address

      --len <LEN>
          The number of bytes to dump out

          [default: 16]

  -r, --reader <READER>
          Reader mode

          [default: mmap]

          Possible values:
          - mmap: The crash-dump is memory-mapped
          - file: The crash-dump is read as a file on disk

      --modules
          Dump the list of kernel & user modules

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

§Authors

§Contributors

contributors-img

Structs§

Context
Gpa
Strong type for Guest Physical Addresses.
Gva
Strong type for Guest Virtual Addresses.
Header64
Adjusted C struct for DUMP_HEADERS64 from MS Rust docs. Padding adjustment added from reversing nt!IoFillDumpHeader.
KernelDumpParser
A kernel dump parser that gives access to the physical memory space stored in the dump. It also offers virtual to physical memory translation as well as a virtual read facility.
MappedFileReader
A memory mapped file reader is basically a slice of bytes over the memory mapping and a cursor to be able to access the region.
Pfn
Strong type for a Page Frame Number.
Pxe
A Pxe is a set of flags (PxeFlags) and a Page Frame Number (PFN). This representation takes more space than a regular PXE but it is more convenient to split the flags / the pfn as bitflags! doesn’t seem to support bitfields.
PxeFlags
The various bits and flags that a Pxe has.

Enums§

AddrTranslationError
DumpType
Types of kernel crash dump.
KdmpParserError
PxeNotPresent

Traits§

Bits
Utility trait to make it easier to extract ranges of bits.
Gxa
A bunch of useful methods to manipulate 64-bit addresses of any kind.
Reader

Type Aliases§

Result