Crate udmp_parser


§udmp-parser: A Rust crate for parsing Windows user minidumps


This is a cross-platform crate that parses Windows user minidumps, which you can generate with WinDbg or by right-clicking a process in the Windows Task Manager and choosing Create memory dump file.


The library supports Intel 32-bit / 64-bit dumps and provides read access to things like:

  • The thread list and their context records,
  • The virtual memory,
  • The loaded modules.

Compiled binaries are available in the releases section.

§Parser

The parser application is a small utility that showcases how to use the library and demonstrates its features. You can use it to dump memory, list the loaded modules, dump thread contexts, dump the memory map, and so on.


Here are the options supported:

parser.exe [-a] [-mods] [-mem] [-t [<TID>|main]] [-dump <addr>] <dump path>

Examples:
  Show all:
    parser.exe -a user.dmp
  Show loaded modules:
    parser.exe -mods user.dmp
  Show memory map:
    parser.exe -mem user.dmp
  Show all threads:
    parser.exe -t user.dmp
  Show thread w/ specific TID:
    parser.exe -t 1337 user.dmp
  Show foreground thread:
    parser.exe -t main user.dmp
  Show a memory page at a specific address:
    parser.exe -dump 0x7ff00 user.dmp

§Authors

§Contributors


Structs§

FloatingSaveArea32
MemBlock
A block of memory in the address space that isn’t a Module. A MemBlock may have data associated with it, but that is not guaranteed (think of a memory region that is mapped as PAGE_NOACCESS).
Module
A DLL loaded in the virtual address space.
Thread
A thread that was running when the dump was generated.
ThreadContextX64
The context of an Intel X64 thread.
ThreadContextX86
The context of an Intel X86 thread.
UserDumpParser
This stores useful information fished out of a Windows minidump file: thread contexts and memory blocks.

Enums§

Arch
Architectures supported by the library.
ThreadContext
A ThreadContext stores a thread context for one of the architectures supported by the library.

Constants§

PAGE_EXECUTE
Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation.
PAGE_EXECUTE_READ
Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation.
PAGE_EXECUTE_READWRITE
Enables execute, read-only, or read/write access to the committed region of pages.
PAGE_EXECUTE_WRITECOPY
Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_EXECUTE_READWRITE, and the change is written to the new page.
PAGE_GUARD
Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception and turn off the guard page status. Guard pages thus act as a one-time access alarm.
PAGE_NOACCESS
Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation.
PAGE_NOCACHE
Sets all pages to be non-cachable. Applications should not use this attribute except when explicitly required for a device. Using the interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.
PAGE_READONLY
Enables read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. If Data Execution Prevention is enabled, an attempt to execute code in the committed region results in an access violation.
PAGE_READWRITE
Enables read-only or read/write access to the committed region of pages. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.
PAGE_WRITECOMBINE
Sets all pages to be write-combined. Applications should not use this attribute except when explicitly required for a device. Using the interlocked functions with memory that is mapped as write-combined can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.
PAGE_WRITECOPY
Enables read-only or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_READWRITE, and the change is written to the new page. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.

Type Aliases§

MemBlocks
Map a base address to a MemBlock.
Modules
Map a base address to a Module.
Threads
Map a thread id to a Thread.
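The protection constants above and the base-address-keyed maps (MemBlocks, Modules) are what a triage pass over a dump works with: decode each region's protection into something readable, locate the region that contains a given address, and list the regions that are both writable and executable. The following is an added example, not code from the udmp-parser crate; it uses a hypothetical Region type in place of the crate's MemBlock, a constructed sample memory map rather than a real dump, and PAGE_* values taken from winnt.h (assumed to match the crate's constants of the same names).

```rust
use std::collections::BTreeMap;
use std::ops::Range;

// Page-protection values as defined in winnt.h (assumption: the crate's
// PAGE_* constants carry these same values).
pub const PAGE_NOACCESS: u32 = 0x01;
pub const PAGE_READONLY: u32 = 0x02;
pub const PAGE_READWRITE: u32 = 0x04;
pub const PAGE_WRITECOPY: u32 = 0x08;
pub const PAGE_EXECUTE: u32 = 0x10;
pub const PAGE_EXECUTE_READ: u32 = 0x20;
pub const PAGE_EXECUTE_READWRITE: u32 = 0x40;
pub const PAGE_EXECUTE_WRITECOPY: u32 = 0x80;
pub const PAGE_GUARD: u32 = 0x100;
pub const PAGE_NOCACHE: u32 = 0x200;
pub const PAGE_WRITECOMBINE: u32 = 0x400;

/// Hypothetical stand-in for the crate's MemBlock: an address range plus the
/// raw Windows protection value of the region.
#[derive(Debug, Clone, PartialEq)]
pub struct Region {
    pub range: Range<u64>,
    pub protect: u32,
}

/// Map a base address to a Region, mirroring the shape of the MemBlocks alias.
pub type Regions = BTreeMap<u64, Region>;

/// Render a protection value as an "rwx"-style string ("c" = copy-on-write)
/// followed by any modifier flags set in the upper bits.
pub fn describe_protect(protect: u32) -> String {
    // The low byte holds exactly one access class; the upper bits are modifiers.
    let access = match protect & 0xff {
        PAGE_NOACCESS => "---",
        PAGE_READONLY => "r--",
        PAGE_READWRITE => "rw-",
        PAGE_WRITECOPY => "rc-",
        PAGE_EXECUTE => "--x",
        PAGE_EXECUTE_READ => "r-x",
        PAGE_EXECUTE_READWRITE => "rwx",
        PAGE_EXECUTE_WRITECOPY => "rcx",
        _ => "???",
    };
    let mut s = String::from(access);
    if protect & PAGE_GUARD != 0 {
        s.push_str(" guard");
    }
    if protect & PAGE_NOCACHE != 0 {
        s.push_str(" nocache");
    }
    if protect & PAGE_WRITECOMBINE != 0 {
        s.push_str(" writecombine");
    }
    s
}

/// True when the region is writable (including copy-on-write) and executable,
/// the combination a triage pass over a dump usually wants to review first.
pub fn is_writable_executable(protect: u32) -> bool {
    matches!(protect & 0xff, PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
}

/// Find the region containing `addr`: take the greatest base <= addr, then
/// confirm the address actually falls inside that region (maps have gaps).
pub fn find_region(regions: &Regions, addr: u64) -> Option<&Region> {
    regions
        .range(..=addr)
        .next_back()
        .map(|(_, r)| r)
        .filter(|r| r.range.contains(&addr))
}

/// Base addresses of every writable+executable region, in address order.
pub fn wx_regions(regions: &Regions) -> Vec<u64> {
    regions
        .values()
        .filter(|r| is_writable_executable(r.protect))
        .map(|r| r.range.start)
        .collect()
}

/// Constructed sample memory map (not taken from a real dump).
pub fn sample_regions() -> Regions {
    let mut m = Regions::new();
    for &(base, size, protect) in &[
        (0x7ff0_0000u64, 0x1000u64, PAGE_READONLY),
        (0x7ff0_1000, 0x3000, PAGE_EXECUTE_READ),
        (0x7ff0_4000, 0x1000, PAGE_READWRITE),
        (0x1_0000_0000, 0x2000, PAGE_EXECUTE_READWRITE),
        (0x1_0001_0000, 0x1000, PAGE_READWRITE | PAGE_GUARD),
        (0x2_0000_0000, 0x1000, PAGE_NOACCESS),
    ] {
        m.insert(base, Region { range: base..base + size, protect });
    }
    m
}

fn main() {
    let regions = sample_regions();
    for (base, r) in &regions {
        println!("{:#018x}-{:#018x} {}", base, r.range.end, describe_protect(r.protect));
    }
    match find_region(&regions, 0x7ff0_2345) {
        Some(r) => println!("0x7ff02345 lies in region at {:#x}", r.range.start),
        None => println!("0x7ff02345 is unmapped"),
    }
    println!("writable+executable regions: {:x?}", wx_regions(&regions));
}
```

The lookup in find_region is the same shape a parser needs for "which MemBlock or Module holds this address": a BTreeMap keyed by base address gives the predecessor in logarithmic time, and the explicit contains check is what keeps an address in a hole between two regions from being misattributed to the region below it.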