§udmp-parser: A Rust crate for parsing Windows user minidumps
This is a cross-platform crate that parses Windows user minidumps, which you can generate via WinDbg or via right-click > Create memory dump file in the Windows task manager.
The library supports Intel 32-bit / 64-bit dumps and provides read access to things like:
- The thread list and their context records,
- The virtual memory,
- The loaded modules.
Compiled binaries are available in the releases section.
§Parser
The parser application is a small utility to showcase how to use the library and demonstrate its features. You can use it to dump memory, list the loaded modules, dump thread contexts, dump the memory map, etc.
Here are the options supported:
parser.exe [-a] [-mods] [-mem] [-t [<TID>|main]] [-dump <addr>] <dump path>
Examples:
Show all:
parser.exe -a user.dmp
Show loaded modules:
parser.exe -mods user.dmp
Show memory map:
parser.exe -mem user.dmp
Show all threads:
parser.exe -t user.dmp
Show thread w/ specific TID:
parser.exe -t 1337 user.dmp
Show foreground thread:
parser.exe -t main user.dmp
Show a memory page at a specific address:
parser.exe -dump 0x7ff00 user.dmp
§Authors
- Axel ‘@0vercl0k’ Souchet
§Contributors
Structs§
- FloatingSaveArea32
- MemBlock - A block of memory in the address space that isn't a Module. A MemBlock can have data associated with it, but that isn't guaranteed (think about a memory region that is mapped as PAGE_NOACCESS).
- Module - A DLL loaded in the virtual address space.
- Thread - A thread that was running when the dump was generated.
- ThreadContextX64 - The context of an Intel X64 thread.
- ThreadContextX86 - The context of an Intel X86 thread.
- UserDumpParser - This stores useful information fished out of a Windows minidump file: thread contexts and memory blocks.
Enums§
- Arch - Architectures supported by the library.
- ThreadContext - A ThreadContext stores the thread contexts for the architectures that are supported by the library.
Constants§
- PAGE_EXECUTE - Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation.
- PAGE_EXECUTE_READ - Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation.
- PAGE_EXECUTE_READWRITE - Enables execute, read-only, or read/write access to the committed region of pages.
- PAGE_EXECUTE_WRITECOPY - Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_EXECUTE_READWRITE, and the change is written to the new page.
- PAGE_GUARD - Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception and turn off the guard page status. Guard pages thus act as a one-time access alarm.
- PAGE_NOACCESS - Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation.
- PAGE_NOCACHE - Sets all pages to be non-cachable. Applications should not use this attribute except when explicitly required for a device. Using the interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.
- PAGE_READONLY - Enables read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. If Data Execution Prevention is enabled, an attempt to execute code in the committed region results in an access violation.
- PAGE_READWRITE - Enables read-only or read/write access to the committed region of pages. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.
- PAGE_WRITECOMBINE - Sets all pages to be write-combined. Applications should not use this attribute except when explicitly required for a device. Using the interlocked functions with memory that is mapped as write-combined can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.
- PAGE_WRITECOPY - Enables read-only or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_READWRITE, and the change is written to the new page. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.
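As an added example (not code from udmp-parser or its author), here is a small Rust decoder for these PAGE_* protection values, the kind of translation a memory-map listing such as `parser.exe -mem` performs for every region. The numeric values are the winnt.h definitions (exactly one base value in the low byte, optionally combined with the PAGE_GUARD, PAGE_NOCACHE and PAGE_WRITECOMBINE modifier bits); the sample regions in `main` are constructed, and the writable-and-executable check is an assumption about what a dump triager wants flagged, not something the crate provides.

```rust
/// Base protection values from winnt.h; a well-formed value has exactly one.
pub const PAGE_NOACCESS: u32 = 0x01;
pub const PAGE_READONLY: u32 = 0x02;
pub const PAGE_READWRITE: u32 = 0x04;
pub const PAGE_WRITECOPY: u32 = 0x08;
pub const PAGE_EXECUTE: u32 = 0x10;
pub const PAGE_EXECUTE_READ: u32 = 0x20;
pub const PAGE_EXECUTE_READWRITE: u32 = 0x40;
pub const PAGE_EXECUTE_WRITECOPY: u32 = 0x80;
/// Modifier bits that combine with a base value.
pub const PAGE_GUARD: u32 = 0x100;
pub const PAGE_NOCACHE: u32 = 0x200;
pub const PAGE_WRITECOMBINE: u32 = 0x400;

const BASE_MASK: u32 = 0xff;
const MODIFIER_MASK: u32 = PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE;

/// Decoded view of a PAGE_* protection value.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
pub struct Perms {
    pub read: bool,
    pub write: bool,
    pub exec: bool,
    /// Writes land in a private copy (PAGE_WRITECOPY / PAGE_EXECUTE_WRITECOPY).
    pub copy_on_write: bool,
    pub guard: bool,
    pub nocache: bool,
    pub writecombine: bool,
}

/// Decode a protection value. Returns None when the value is malformed:
/// more than one base bit set, or bits outside the documented set.
pub fn decode_protect(protect: u32) -> Option<Perms> {
    if protect & !(BASE_MASK | MODIFIER_MASK) != 0 {
        return None;
    }
    let base = protect & BASE_MASK;
    if base.count_ones() > 1 {
        return None;
    }
    // (read, write, exec, copy_on_write) implied by the base value.
    let (read, write, exec, copy_on_write) = match base {
        // A zero base is what a reserved or free region carries: nothing is accessible.
        0 | PAGE_NOACCESS => (false, false, false, false),
        PAGE_READONLY => (true, false, false, false),
        PAGE_READWRITE => (true, true, false, false),
        PAGE_WRITECOPY => (true, true, false, true),
        // PAGE_EXECUTE grants execute only; reads are not part of the contract.
        PAGE_EXECUTE => (false, false, true, false),
        PAGE_EXECUTE_READ => (true, false, true, false),
        PAGE_EXECUTE_READWRITE => (true, true, true, false),
        PAGE_EXECUTE_WRITECOPY => (true, true, true, true),
        _ => return None,
    };
    Some(Perms {
        read,
        write,
        exec,
        copy_on_write,
        guard: protect & PAGE_GUARD != 0,
        nocache: protect & PAGE_NOCACHE != 0,
        writecombine: protect & PAGE_WRITECOMBINE != 0,
    })
}

/// Render as "rwx"-style flags followed by any modifiers, e.g. "rw- (guard)".
pub fn format_perms(p: &Perms) -> String {
    let mut s = String::with_capacity(32);
    s.push(if p.read { 'r' } else { '-' });
    s.push(if p.write { 'w' } else { '-' });
    s.push(if p.exec { 'x' } else { '-' });
    let mut mods = Vec::new();
    if p.copy_on_write { mods.push("copy-on-write"); }
    if p.guard { mods.push("guard"); }
    if p.nocache { mods.push("nocache"); }
    if p.writecombine { mods.push("writecombine"); }
    if !mods.is_empty() {
        s.push_str(" (");
        s.push_str(&mods.join(", "));
        s.push(')');
    }
    s
}

/// Convenience wrapper: decode and render, or name the malformed value.
pub fn describe_protect(protect: u32) -> String {
    match decode_protect(protect) {
        Some(p) => format_perms(&p),
        None => format!("invalid protection {:#x}", protect),
    }
}

/// Assumed triage heuristic: writable-and-executable regions deserve a look
/// (JIT heaps are legitimate, but so is this the shape of injected code).
pub fn is_writable_executable(p: &Perms) -> bool {
    p.write && p.exec
}

fn main() {
    // Constructed sample regions (base, size, protect); not from a real dump.
    let regions: &[(u64, u64, u32)] = &[
        (0x7ff6_1000_0000, 0x1000, PAGE_READONLY),
        (0x7ff6_1000_1000, 0x5000, PAGE_EXECUTE_READ),
        (0x0000_0000_1234_0000, 0x2000, PAGE_EXECUTE_READWRITE),
        (0x0000_0000_00a0_0000, 0x1000, PAGE_READWRITE | PAGE_GUARD),
        (0x0000_0000_00b0_0000, 0x1000, 0),
        (0x0000_0000_00c0_0000, 0x1000, PAGE_READONLY | PAGE_READWRITE),
    ];
    for (base, size, protect) in regions {
        let flag = decode_protect(*protect)
            .map_or("", |p| if is_writable_executable(&p) { "  <- W+X" } else { "" });
        println!("{:#018x} {:#08x} {}{}", base, size, describe_protect(*protect), flag);
    }
}
```

The decoder rejects a value with two base bits (which Windows never produces) instead of silently picking one, so a corrupted or hand-edited dump surfaces as "invalid protection" rather than as a plausible-looking permission string.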