kdmp-parser
A KISS, dependency-free Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.
This is a cross-platform crate that parses Windows kernel crash-dumps that Windows / WinDbg generates. It exposes read-only access to the physical memory pages as well as the register / exception context. It can also read virtual memory addresses by walking the page tables.
Compiled binaries are available in the releases section.
§How to use?
Start by creating a KernelDumpParser, which parses the crash-dump file. It gives you access to the lists of user / kernel mode modules, where they are loaded, and their names. It also gives you access to the physical memory pages found in the crash-dump.
To read the physical memory space, use phys::Reader; to read the virtual memory space, use virt::Reader.
Reading the physical or the virtual memory space from a crash-dump can fail because a page that was resident in memory when the crash happened might not have been captured in the dump file, so you're left with a hole. Reading the virtual memory space is even worse, because accessing one byte of virtual memory means reading multiple physical pages (as part of the virtual-to-physical translation), and any of those pages might be missing from the crash-dump.
If you prefer to read and ignore those memory errors, use virt::Reader::read. It won't tell you why it might have failed to read as much as you wanted, but it will tell you how many bytes it successfully read. Similarly, if you want it to read a fixed amount of bytes (and still ignore memory read errors), use virt::Reader::try_read_exact.
If you care to know why a virtual translation failed, or why it wasn't able to read a certain page, use virt::Reader::read_exact.
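As an added illustration (not code from the crate), the following self-contained Rust model shows the three read behaviours described above against a constructed, sparse set of physical pages with a simplified two-level page walk: `read` only reports a byte count, `try_read_exact` is all-or-nothing with the reason discarded, and `read_exact` surfaces whether the hole was in the data page, in a page-table page needed for the translation, or whether the page simply is not mapped. The `PhysMem`, `VirtReader` and `ReadError` types, the two-level layout, the `PRESENT` / `PFN_MASK` constants and the sample page contents are this example's own assumptions, not the crate's API or error type.

```rust
use std::collections::HashMap;

const PAGE_SIZE: u64 = 0x1000;
const PRESENT: u64 = 1; // assumed "present" bit in a page-table entry
const PFN_MASK: u64 = 0x000F_FFFF_FFFF_F000; // assumed physical-address bits of an entry

/// Page-align an address (the crate exposes the same idea as `Gxa::page_align`).
fn page_align(addr: u64) -> u64 { addr & !(PAGE_SIZE - 1) }
fn page_offset(addr: u64) -> u64 { addr & (PAGE_SIZE - 1) }

/// Why a read failed. These variants are this example's own, not the crate's error type.
#[derive(Debug, PartialEq)]
enum ReadError {
    /// The physical page holding the data was not captured in the dump (a hole).
    MissingPhysPage(u64),
    /// A page-table page needed at `level` of the walk is itself a hole.
    TranslationFailed { gva: u64, level: u8 },
    /// The walk succeeded but the entry says the page is not mapped.
    NotPresent(u64),
}

/// Stand-in for the physical pages found in a dump: a sparse map of page-aligned
/// GPA -> 4 KiB contents. Any page absent from the map is a hole.
struct PhysMem { pages: HashMap<u64, Vec<u8>> }

impl PhysMem {
    /// Copy bytes out of one physical page; callers never cross a page boundary.
    fn read_in_page(&self, gpa: u64, buf: &mut [u8]) -> Result<(), ReadError> {
        let base = page_align(gpa);
        let page = self.pages.get(&base).ok_or(ReadError::MissingPhysPage(base))?;
        let off = page_offset(gpa) as usize;
        buf.copy_from_slice(&page[off..off + buf.len()]);
        Ok(())
    }
    fn read_u64(&self, gpa: u64) -> Result<u64, ReadError> {
        let mut raw = [0u8; 8];
        self.read_in_page(gpa, &mut raw)?;
        Ok(u64::from_le_bytes(raw))
    }
}

/// Simplified two-level page-table walker (x64 dumps use four levels; two are enough
/// to show how a missing page-table page breaks a translation).
struct VirtReader<'a> { phys: &'a PhysMem, dtb: u64 }

impl<'a> VirtReader<'a> {
    fn translate(&self, gva: u64) -> Result<u64, ReadError> {
        let mut table = self.dtb;
        for &(level, shift) in &[(1u8, 21u32), (2u8, 12u32)] {
            let idx = (gva >> shift) & 0x1ff;
            // The entry itself lives in physical memory, so it can be a hole too.
            let entry = self.phys.read_u64(table + idx * 8)
                .map_err(|_| ReadError::TranslationFailed { gva, level })?;
            if entry & PRESENT == 0 { return Err(ReadError::NotPresent(gva)); }
            table = entry & PFN_MASK;
        }
        Ok(table + page_offset(gva))
    }

    /// Page-by-page loop shared by the three entry points. On failure it reports how
    /// many bytes landed in `buf` before the hole, together with the reason.
    fn read_inner(&self, gva: u64, buf: &mut [u8]) -> Result<usize, (usize, ReadError)> {
        let mut done = 0usize;
        while done < buf.len() {
            let cur = gva + done as u64;
            let chunk = ((PAGE_SIZE - page_offset(cur)) as usize).min(buf.len() - done);
            let gpa = self.translate(cur).map_err(|e| (done, e))?;
            self.phys.read_in_page(gpa, &mut buf[done..done + chunk]).map_err(|e| (done, e))?;
            done += chunk;
        }
        Ok(done)
    }

    /// Semantics the README gives for `virt::Reader::read`: ignore the error, report the count.
    fn read(&self, gva: u64, buf: &mut [u8]) -> usize {
        match self.read_inner(gva, buf) { Ok(n) | Err((n, _)) => n }
    }
    /// Semantics of `virt::Reader::try_read_exact`: all-or-nothing, reason discarded.
    fn try_read_exact(&self, gva: u64, buf: &mut [u8]) -> bool {
        self.read(gva, buf) == buf.len()
    }
    /// Semantics of `virt::Reader::read_exact`: all-or-nothing, reason reported.
    fn read_exact(&self, gva: u64, buf: &mut [u8]) -> Result<(), ReadError> {
        self.read_inner(gva, buf).map(|_| ()).map_err(|(_, e)| e)
    }
}

/// Build a page-table page with the given (index, entry) pairs, zero elsewhere.
fn table_page(entries: &[(usize, u64)]) -> Vec<u8> {
    let mut page = vec![0u8; PAGE_SIZE as usize];
    for &(idx, entry) in entries {
        page[idx * 8..idx * 8 + 8].copy_from_slice(&entry.to_le_bytes());
    }
    page
}

/// Constructed sample dump (not from a real crash-dump). DTB at 0x1000; GVA 0x0 maps to a
/// captured page, GVA 0x1000 maps to a page missing from the dump, GVA 0x2000 is not
/// present, and the page-table page needed for GVA 0x200000 is itself missing.
fn sample_dump() -> PhysMem {
    let mut pages = HashMap::new();
    pages.insert(0x1000, table_page(&[(0, 0x2000 | PRESENT), (1, 0x5000 | PRESENT)]));
    pages.insert(0x2000, table_page(&[(0, 0x3000 | PRESENT), (1, 0x4000 | PRESENT)]));
    pages.insert(0x3000, vec![0xAA; PAGE_SIZE as usize]);
    PhysMem { pages }
}

fn main() {
    let phys = sample_dump();
    let reader = VirtReader { phys: &phys, dtb: 0x1000 };
    let mut buf = [0u8; 16];
    println!("read @0xff8 -> {} bytes", reader.read(0xff8, &mut buf));
    println!("read_exact @0xff8 -> {:?}", reader.read_exact(0xff8, &mut buf));
    println!("read_exact @0x200000 -> {:?}", reader.read_exact(0x200000, &mut buf));
}
```

The 16-byte read at GVA 0xff8 straddles two pages: the first 8 bytes come from the captured page, then the walk lands on a page the dump never captured, so `read` reports 8, `try_read_exact` reports failure, and only `read_exact` says which physical page was the hole. This is the distinction the three crate methods draw.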
§Parser
The parser application is a small utility to showcase how to use the library and demonstrate its features. You can use it to dump memory, etc.

Here are the options supported:
    A KISS, dependency free, Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.

    Usage: parser.exe [OPTIONS] -- <DUMP_PATH>

    Arguments:
      <DUMP_PATH>
              The dump path

    Options:
          --dump-headers
              Dump the dump headers

      -c, --context-record
              Dump the context record

      -e, --exception-record
              Dump the exception record

      -m, --mem [<MEM>]
              Dump the first `len` bytes of every physical pages, unless an address is specified

          --virt
              The address specified is interpreted as a virtual address, not a physical address

          --len <LEN>
              The number of bytes to dump out

              [default: 128]

          --dtb <DTB>
              Directory table base address to use for virtual memory translations

      -r, --reader <READER>
              Reader mode

              Possible values:
              - mmap: The crash-dump is memory-mapped
              - file: The crash-dump is read as a file on disk

              [default: mmap]

          --modules
              Dump the list of kernel & user modules

      -h, --help
              Print help (see a summary with '-h')

      -V, --version
              Print version

§Authors
- Axel ‘@0vercl0k’ Souchet
§Contributors
§Modules
- bits: This defines and implements the `Bits` trait, which allows users to extract a bit or a range of bits from regular integers.
- error: This is the error type used across the codebase.
- gxa: This contains types that are useful to manipulate Guest Virtual Addresses (`Gva`) and Guest Physical Addresses (`Gpa`). Because ultimately they are both `u64` under the hood, a lot of operations apply to both `Gva` & `Gpa` (`Gxa::page_align`, etc.) and those are implemented in the parent trait `Gxa`.
- map: This implements the logic to memory-map a file on both Unix and Windows (cf `memory_map_file` / `unmap_memory_mapped_file`).
- parse: This has all the parsing logic for parsing kernel crash-dumps.
- phys: Everything related to physical memory.
- pxe: This defines the `Pxe` / `Pfn` types that make it easier to manipulate PFNs and PXEs.
- structs: This has all the raw structures that make up Windows kernel crash-dumps.
- virt: Everything related to virtual memory.