Struct KernelDumpParser

pub struct KernelDumpParser { /* private fields */ }

A kernel dump parser that gives access to the physical memory space stored in the dump. It also offers virtual to physical memory translation as well as a virtual read facility.

Implementations

impl KernelDumpParser

pub fn with_reader(reader: impl Reader + 'static) -> Result<Self>

Create an instance from a file path. This memory maps the file and parses it.

pub fn new(dump_path: impl AsRef<Path>) -> Result<Self>

pub fn physmem(&self) -> impl ExactSizeIterator<Item = (Gpa, u64)> + '_

Physical memory map that maps page aligned Gpa to offset where the content of the page can be found. The offset is relevant with the associated reader.

pub fn kernel_modules( &self, ) -> impl ExactSizeIterator<Item = (&Range<Gva>, &str)> + '_

Kernel modules loaded when the dump was taken.

pub fn user_modules( &self, ) -> impl ExactSizeIterator<Item = (&Range<Gva>, &str)> + '_

User modules loaded when the dump was taken.

pub fn dump_type(&self) -> DumpType

What kind of dump is it?

pub fn headers(&self) -> &Header64

Get the dump headers.

pub fn exception_record(&self) -> &ExceptionRecord64

Get the exception record.

pub fn context_record(&self) -> &Context

Get the context record.

pub fn phys_translate(&self, gpa: Gpa) -> Result<u64>

Translate a Gpa into a file offset of where the content of the page resides in.

pub fn phys_read(&self, gpa: Gpa, buf: &mut [u8]) -> Result<usize>

Read physical memory starting at gpa into a buffer.

pub fn phys_read_exact(&self, gpa: Gpa, buf: &mut [u8]) -> Result<()>

Read an exact amount of physical memory starting at gpa into a buffer.

pub fn phys_read_struct<T>(&self, gpa: Gpa) -> Result<T>

Read a T from physical memory.

pub fn virt_translate(&self, gva: Gva) -> Result<Gpa>

Translate a Gva into a Gpa.

pub fn virt_read(&self, gva: Gva, buf: &mut [u8]) -> Result<usize>

Read virtual memory starting at gva into a buffer.

pub fn try_virt_read(&self, gva: Gva, buf: &mut [u8]) -> Result<Option<usize>>

Try to read virtual memory starting at gva into a buffer. If a memory translation error occurs, it’ll return None instead of an error.

pub fn virt_read_exact(&self, gva: Gva, buf: &mut [u8]) -> Result<()>

Read an exact amount of virtual memory starting at gva.

pub fn try_virt_read_exact( &self, gva: Gva, buf: &mut [u8], ) -> Result<Option<()>>

Try to read an exact amount of virtual memory starting at gva. If a memory translation error occurs, it’ll return None instead of an error.

pub fn virt_read_struct<T>(&self, gva: Gva) -> Result<T>

Read a T from virtual memory.

pub fn try_virt_read_struct<T>(&self, gva: Gva) -> Result<Option<T>>

Try to read a T from virtual memory. If a memory translation error occurs, it’ll return None instead of an error.

pub fn seek(&self, pos: SeekFrom) -> Result<u64>

pub fn read(&self, buf: &mut [u8]) -> Result<usize>

Trait Implementations

impl Debug for KernelDumpParser

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.