Crate udmp_parser

udmp-parser: A Rust crate for parsing Windows user minidumps

This is a cross-platform crate that parses Windows user minidump dumps that you can generate via WinDbg or via right-click Create memory dump file in the Windows task manager.

The library supports Intel 32-bit / 64-bit dumps and provides read access to things like:

• The thread list and their context records,
• The virtual memory,
• The loaded modules.

Compiled binaries are available in the releases section.

Parser

The parser application is a small utility to show-case how to use the library and demonstrate its features. You can use it to dump memory, list the loaded modules, dump thread contexts, dump a memory map various, etc.

Here are the options supported:

parser.exe [-a] [-mods] [-mem] [-t [<TID>|main]] [-dump <addr>] <dump path>

Examples:
  Show all:
    parser.exe -a user.dmp
  Show loaded modules:
    parser.exe -mods user.dmp
  Show memory map:
    parser.exe -mem user.dmp
  Show all threads:
    parser.exe -t user.dmp
  Show thread w/ specific TID:
    parser.exe -t 1337 user.dmp
  Show foreground thread:
    parser.exe -t main user.dmp
  Show a memory page at a specific address:
    parser.exe -dump 0x7ff00 user.dmp

Authors

• Axel ‘@0vercl0k’ Souchet

Contributors

Structs

• FloatingSaveArea32
• MemBlock
  A block of memory in the address space that isn’t a Module. MemBlock can have data associated with it but isn’t a guarantee (think about a memory region that is mapped as PAGE_NOACCESS).
• Module
  A DLL loaded in the virtual address space.
• Thread
  A thread that was running when the dump was generated.
• ThreadContextX64
  The context of an Intel X64 thread.
• ThreadContextX86
  The context of an Intel X86 thread.
• UserDumpParser
  This stores useful information fished out of of Windows minidump file: thread contexts and memory blocks.

Enums

• Arch
  Architectures supported by the library.
• ThreadContext
  A ThreadContext stores the thread contexts for the architecture that are supported by the library.

Constants

• PAGE_EXECUTE
  Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation.
• PAGE_EXECUTE_READ
  Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation.
• PAGE_EXECUTE_READWRITE
  Enables execute, read-only, or read/write access to the committed region of pages.
• PAGE_EXECUTE_WRITECOPY
  Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_EXECUTE_READWRITE, and the change is written to the new page.
• PAGE_GUARD
  Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception and turn off the guard page status. Guard pages thus act as a one-time access alarm.
• PAGE_NOACCESS
  Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation.
• PAGE_NOCACHE
  Sets all pages to be non-cachable. Applications should not use this attribute except when explicitly required for a device. Using the interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.
• PAGE_READONLY
  Enables read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. If Data Execution Prevention is enabled, an attempt to execute code in the committed region results in an access violation.
• PAGE_READWRITE
  Enables read-only or read/write access to the committed region of pages. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.
• PAGE_WRITECOMBINE
  Sets all pages to be write-combined. Applications should not use this attribute except when explicitly required for a device. Using the interlocked functions with memory that is mapped as write-combined can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.
• PAGE_WRITECOPY
  Enables read-only or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_READWRITE, and the change is written to the new page. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.

Type Aliases

• MemBlocks
  Map a base address to a MemBlock.
• Modules
  Map a base address to a Module.
• Threads
  Map a thread id to a Thread.