Crate udmp_parser
§udmp-parser: A Rust crate for parsing Windows user minidumps
This is a cross-platform crate that parses Windows user minidump files, such as the ones you can generate with WinDbg or via right-click > Create memory dump file in the Windows Task Manager.
The library supports Intel 32-bit / 64-bit dumps and provides read access to things like:
- The thread list and their context records,
- The virtual memory,
- The loaded modules.
Compiled binaries are available in the releases section.
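Before any of the thread, module or memory data above can be read, a parser has to validate the minidump container itself: the fixed 32-byte MINIDUMP_HEADER, then the stream directory it points at, which locates every other structure in the file by type, size and file offset (RVA). The following is an added example written for this page, not code from udmp-parser: it reads the header and directory from an untrusted byte buffer with the layouts and stream numbers from the Windows SDK (minidumpapiset.h), bounds-checks every count and offset before using it, and runs against a sample dump that is constructed in memory (two empty list streams, not a real process dump).

```rust
// Added example, not udmp-parser's own code: validate a minidump's MINIDUMP_HEADER and
// walk its stream directory, treating every count and RVA as untrusted. Layouts follow
// the Windows SDK (minidumpapiset.h); the sample buffer is constructed, not a real dump.

pub const MINIDUMP_SIGNATURE: u32 = 0x504d_444d; // "MDMP" read as a little-endian u32
pub const MINIDUMP_VERSION: u16 = 0xa793; // low 16 bits of MINIDUMP_HEADER.Version
pub const DIRECTORY_ENTRY_SIZE: usize = 12; // sizeof(MINIDUMP_DIRECTORY)
// MINIDUMP_STREAM_TYPE values a user-dump parser looks up first.
pub const THREAD_LIST_STREAM: u32 = 3;
pub const MODULE_LIST_STREAM: u32 = 4;
pub const MEMORY_LIST_STREAM: u32 = 5;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Header {
    pub version: u16,
    pub number_of_streams: u32,
    pub stream_directory_rva: u32,
    pub time_date_stamp: u32,
    pub flags: u64,
}

/// One MINIDUMP_DIRECTORY entry: a stream type plus its location descriptor.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Directory { pub stream_type: u32, pub data_size: u32, pub rva: u32 }

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError { Truncated, BadSignature(u32), BadVersion(u16), DirectoryOutOfBounds }

fn u32_at(buf: &[u8], off: usize) -> Result<u32, ParseError> {
    let end = off.checked_add(4).ok_or(ParseError::Truncated)?;
    let b = buf.get(off..end).ok_or(ParseError::Truncated)?;
    Ok(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Reject anything that is not a minidump before trusting any offset in it.
pub fn parse_header(buf: &[u8]) -> Result<Header, ParseError> {
    let signature = u32_at(buf, 0)?;
    if signature != MINIDUMP_SIGNATURE { return Err(ParseError::BadSignature(signature)); }
    let version = (u32_at(buf, 4)? & 0xffff) as u16; // high 16 bits are vendor-defined
    if version != MINIDUMP_VERSION { return Err(ParseError::BadVersion(version)); }
    Ok(Header {
        version,
        number_of_streams: u32_at(buf, 8)?,
        stream_directory_rva: u32_at(buf, 12)?,
        time_date_stamp: u32_at(buf, 20)?, // offset 16 is CheckSum, skipped here
        flags: (u32_at(buf, 24)? as u64) | ((u32_at(buf, 28)? as u64) << 32),
    })
}

/// Walk the directory; count and every RVA/size pair are checked against the buffer.
pub fn parse_directory(buf: &[u8], hdr: &Header) -> Result<Vec<Directory>, ParseError> {
    let start = hdr.stream_directory_rva as usize;
    let count = hdr.number_of_streams as usize;
    let needed = count.checked_mul(DIRECTORY_ENTRY_SIZE).and_then(|n| n.checked_add(start));
    if needed.map_or(true, |n| n > buf.len()) { return Err(ParseError::DirectoryOutOfBounds); }
    let mut dirs = Vec::with_capacity(count);
    for i in 0..count {
        let off = start + i * DIRECTORY_ENTRY_SIZE;
        let dir = Directory {
            stream_type: u32_at(buf, off)?,
            data_size: u32_at(buf, off + 4)?,
            rva: u32_at(buf, off + 8)?,
        };
        // A crafted dump can point a stream anywhere; refuse ranges outside the file.
        let end = (dir.rva as usize).checked_add(dir.data_size as usize);
        if end.map_or(true, |e| e > buf.len()) { return Err(ParseError::DirectoryOutOfBounds); }
        dirs.push(dir);
    }
    Ok(dirs)
}

/// Bytes of the first stream of the given type, if the dump carries one.
pub fn find_stream<'a>(buf: &'a [u8], dirs: &[Directory], ty: u32) -> Option<&'a [u8]> {
    let d = dirs.iter().find(|d| d.stream_type == ty)?;
    let start = d.rva as usize;
    buf.get(start..start.checked_add(d.data_size as usize)?)
}

/// Constructed sample: 32-byte header, two directory entries, then two list streams
/// whose leading u32 count is zero (an empty module list and an empty memory list).
pub fn sample_dump() -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(&MINIDUMP_SIGNATURE.to_le_bytes());
    v.extend_from_slice(&0x0001_a793u32.to_le_bytes()); // Version, with vendor bits set
    v.extend_from_slice(&2u32.to_le_bytes()); // NumberOfStreams
    v.extend_from_slice(&32u32.to_le_bytes()); // StreamDirectoryRva: right after the header
    v.extend_from_slice(&[0u8; 4]); // CheckSum
    v.extend_from_slice(&0x6500_0000u32.to_le_bytes()); // TimeDateStamp
    v.extend_from_slice(&[0u8; 8]); // Flags (MiniDumpNormal)
    for (ty, rva) in [(MODULE_LIST_STREAM, 56u32), (MEMORY_LIST_STREAM, 60u32)] {
        v.extend_from_slice(&ty.to_le_bytes()); // StreamType
        v.extend_from_slice(&4u32.to_le_bytes()); // Location.DataSize
        v.extend_from_slice(&rva.to_le_bytes()); // Location.Rva
    }
    v.extend_from_slice(&[0u8; 8]); // NumberOfModules = 0, NumberOfMemoryRanges = 0
    v
}

fn main() {
    let dump = sample_dump();
    let hdr = parse_header(&dump).expect("not a minidump");
    for d in parse_directory(&dump, &hdr).expect("corrupt stream directory") {
        println!("stream type {:>2}  size {:>6}  rva {:#x}", d.stream_type, d.data_size, d.rva);
    }
}
```

The same pattern (read a count or offset, check it against the buffer, only then index) is what the thread list, module list and memory list streams need next; a dump produced by a crash-reporting pipeline or handed over by a third party should be treated as attacker-controlled input by any parser that runs on it.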
§Parser
The parser application is a small utility that showcases how to use the library and demonstrates its features. You can use it to dump memory, list the loaded modules, dump thread contexts, dump the memory map, etc.
Here are the options supported:
parser.exe [-a] [-mods] [-mem] [-t [<TID>|main]] [-dump <addr>] <dump path>
Examples:
Show all:
parser.exe -a user.dmp
Show loaded modules:
parser.exe -mods user.dmp
Show memory map:
parser.exe -mem user.dmp
Show all threads:
parser.exe -t user.dmp
Show thread w/ specific TID:
parser.exe -t 1337 user.dmp
Show foreground thread:
parser.exe -t main user.dmp
Show a memory page at a specific address:
parser.exe -dump 0x7ff00 user.dmp
§Authors
- Axel ‘@0vercl0k’ Souchet
§Contributors
§Structs
- A DLL loaded in the virtual address space.
- A thread that was running when the dump was generated.
- The context of an Intel X64 thread.
- The context of an Intel X86 thread.
- This stores useful information fished out of a Windows minidump file: thread contexts and memory blocks.
§Enums
- Architectures supported by the library.
- A ThreadContext stores the thread context for each of the architectures supported by the library.
§Constants
- Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation.
- Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation.
- Enables execute, read-only, or read/write access to the committed region of pages.
- Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_EXECUTE_READWRITE, and the change is written to the new page.
- Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception and turn off the guard page status. Guard pages thus act as a one-time access alarm.
- Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation.
- Sets all pages to be non-cachable. Applications should not use this attribute except when explicitly required for a device. Using the interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.
- Enables read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. If Data Execution Prevention is enabled, an attempt to execute code in the committed region results in an access violation.
- Enables read-only or read/write access to the committed region of pages. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.
- Sets all pages to be write-combined. Applications should not use this attribute except when explicitly required for a device. Using the interlocked functions with memory that is mapped as write-combined can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.
- Enables read-only or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_READWRITE, and the change is written to the new page. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.
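The constants above are the Windows PAGE_* memory-protection values; in a user dump they appear per region in the memory info list, and decoding them correctly matters: the low byte holds exactly one access class, the high bits are independent modifiers, and a region that is both writable and executable is the first thing to look at when hunting injected or unpacked code. The following is an added example, not code from udmp-parser: it decodes a raw protection value into its parts, rejects combinations Windows never produces, and flags W+X regions in a constructed memory map. The values are winnt.h's; that the crate exports them under the same names is an assumption this page does not confirm.

```rust
// Added example, not udmp-parser's own code: decode the Windows page-protection value
// a dump records per memory region, reject impossible combinations, and flag W+X regions.
// PAGE_* values are the documented winnt.h constants; the crate's own names are assumed.

pub const PAGE_NOACCESS: u32 = 0x01;
pub const PAGE_READONLY: u32 = 0x02;
pub const PAGE_READWRITE: u32 = 0x04;
pub const PAGE_WRITECOPY: u32 = 0x08;
pub const PAGE_EXECUTE: u32 = 0x10;
pub const PAGE_EXECUTE_READ: u32 = 0x20;
pub const PAGE_EXECUTE_READWRITE: u32 = 0x40;
pub const PAGE_EXECUTE_WRITECOPY: u32 = 0x80;
pub const PAGE_GUARD: u32 = 0x100;
pub const PAGE_NOCACHE: u32 = 0x200;
pub const PAGE_WRITECOMBINE: u32 = 0x400;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Protection {
    pub read: bool,
    pub write: bool,
    pub execute: bool,
    pub copy_on_write: bool,
    pub guard: bool,
    pub nocache: bool,
    pub writecombine: bool,
}

/// Split a protection value into its single access class (low byte) and modifier flags
/// (high bits). None means a value Windows never produces: 0 (free or reserved region),
/// several access bits at once, unknown bits, or modifier pairs VirtualProtect rejects.
pub fn decode_protection(value: u32) -> Option<Protection> {
    let access = value & 0xff;
    let (read, write, execute, copy_on_write) = match access {
        PAGE_NOACCESS => (false, false, false, false),
        PAGE_READONLY => (true, false, false, false),
        PAGE_READWRITE => (true, true, false, false),
        PAGE_WRITECOPY => (true, true, false, true),
        PAGE_EXECUTE => (false, false, true, false),
        PAGE_EXECUTE_READ => (true, false, true, false),
        PAGE_EXECUTE_READWRITE => (true, true, true, false),
        PAGE_EXECUTE_WRITECOPY => (true, true, true, true),
        _ => return None,
    };
    let modifiers = value & !0xff;
    if (modifiers & !(PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE)) != 0 {
        return None;
    }
    let guard = (modifiers & PAGE_GUARD) != 0;
    let nocache = (modifiers & PAGE_NOCACHE) != 0;
    let writecombine = (modifiers & PAGE_WRITECOMBINE) != 0;
    // NOCACHE and WRITECOMBINE exclude each other, and no modifier is valid on NOACCESS.
    if (nocache && writecombine) || (modifiers != 0 && access == PAGE_NOACCESS) {
        return None;
    }
    Some(Protection { read, write, execute, copy_on_write, guard, nocache, writecombine })
}

/// Compact "rwx" rendering with modifiers appended, e.g. "rw-+cow+guard".
pub fn protection_string(p: Protection) -> String {
    let mut s = String::with_capacity(16);
    s.push(if p.read { 'r' } else { '-' });
    s.push(if p.write { 'w' } else { '-' });
    s.push(if p.execute { 'x' } else { '-' });
    let tags = [(p.copy_on_write, "+cow"), (p.guard, "+guard"), (p.nocache, "+nocache"), (p.writecombine, "+wc")];
    for (on, tag) in tags {
        if on { s.push_str(tag); }
    }
    s
}

/// A region as a dump's memory info list describes it: base, size, raw protection.
#[derive(Debug, Clone, Copy)]
pub struct Region { pub base: u64, pub size: u64, pub protect: u32 }

/// Triage pass: report regions that are writable and executable at the same time
/// (where injected shellcode and unpacked payloads usually live) and any region whose
/// protection value does not decode, which points at a corrupt or hand-edited dump.
pub fn flag_regions(regions: &[Region]) -> Vec<(u64, String)> {
    let mut out = Vec::new();
    for r in regions {
        match decode_protection(r.protect) {
            Some(p) if p.write && p.execute => out.push((r.base, format!("W+X region ({})", protection_string(p)))),
            Some(_) => {}
            None => out.push((r.base, format!("undecodable protection {:#x}", r.protect))),
        }
    }
    out
}

/// Constructed sample memory map, not taken from a real dump.
pub fn sample_regions() -> Vec<Region> {
    vec![
        Region { base: 0x7ff6_1234_0000, size: 0x1000, protect: PAGE_READONLY }, // image headers
        Region { base: 0x7ff6_1234_1000, size: 0x8000, protect: PAGE_EXECUTE_READ }, // .text
        Region { base: 0x0000_0123_0000, size: 0x1000, protect: PAGE_READWRITE | PAGE_GUARD }, // stack guard page
        Region { base: 0x0000_0200_0000, size: 0x2000, protect: PAGE_EXECUTE_READWRITE }, // private RWX: suspicious
        Region { base: 0x0000_0300_0000, size: 0x1000, protect: 0x03 }, // two access classes at once: corrupt
    ]
}

fn main() {
    for r in sample_regions() {
        let desc = decode_protection(r.protect).map(protection_string).unwrap_or_else(|| "??".into());
        println!("{:#018x} {:#8x} {}", r.base, r.size, desc);
    }
    for (base, why) in flag_regions(&sample_regions()) {
        println!("FLAG {:#x}: {}", base, why);
    }
}
```

A real triage pass would combine the protection with the region's type and state (image-backed versus private, committed versus reserved) and with the module list, so that a JIT heap or a packer's unpacking buffer can be told apart from a legitimately executable image section.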