Clean-ups from various static analysis engine. #9

Merged
merged 14 commits into from
Sep 27, 2020
2 changes: 1 addition & 1 deletion .github/workflows/kdmp-parser.yml
Expand Up @@ -5,7 +5,7 @@ on: [push, pull_request]

jobs:
Linux2004Gcc:
name: Ubuntu 20.04 / GCC10
name: Ubuntu 20.04
runs-on: ubuntu-20.04
steps:
- name: Checkout
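Review bot: the display name drops `GCC10` while the job key `Linux2004Gcc` still encodes the compiler; if the job no longer pins GCC 10 and simply uses whatever `ubuntu-20.04` ships, rename the key to match, otherwise keep the version in the name so the matrix stays self-describing.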
194 changes: 18 additions & 176 deletions README.md
Expand Up @@ -2,25 +2,26 @@

![Build status](https://github.com/0vercl0k/kdmp-parser/workflows/Builds/badge.svg)

This is a small C++ library able to parse Windows kernel full dump (`.dump /f` in WinDbg) as well as BMP dump (`.dump /ka` in WinDbg). The format has been introduced around Windows 8 timeframe according to the [rekall](https://github.com/google/rekall) project. Note that most of the structures used in [kdmp-parser-structs.h](https://github.com/0vercl0k/kdmp-parser/blob/master/src/kdmp-parser/kdmp-parser-structs.h) have been adapted / taken from the [rekall](https://github.com/google/rekall) project and their [Python implementation](https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/overlays/windows/crashdump.py).
This C++ library parses Windows kernel [full](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/complete-memory-dump) dumps (`.dump /f` in WinDbg) as well as [BMP](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/active-memory-dump) dumps (`.dump /ka` in WinDbg).

![parser](pics/parser.jpg)

The library supports only loading 64-bit dumps (but either x86 or x64 build can do that). It provides read access (no write access) to:
The library supports loading 64-bit dumps and provides read access to things like:

- The context record,
- The exception record,
- The bugcheck parameters,
- The physical memory.

Special cheers to [yrp604](https://github.com/yrp604) for being knowledgeable about it.
Compiled binaries are available in the [releases](https://github.com/0vercl0k/kdmp-parser/releases) section.

## Python 3 bindings

The project includes Python 3 bindings (courtesy of [@masthoon](https://github.com/masthoon)) that allows you to: read the context, read physical memory as well as to do virtual memory translations.
Special thanks to:
- [yrp604](https://github.com/yrp604) for being knowledgeable about the format,
- the [rekall](https://github.com/google/rekall) project and their [Python implementation](https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/overlays/windows/crashdump.py) (most of the structures in [kdmp-parser-structs.h](https://github.com/0vercl0k/kdmp-parser/blob/master/src/kdmp-parser/kdmp-parser-structs.h) have been adapted from it).

If you don't want to compile them yourself, you can grab binaries directly from the CI [artifacts](https://github.com/0vercl0k/kdmp-parser/actions).
## Python 3 bindings

Here is an example:
The bindings (contributed by [@masthoon](https://github.com/masthoon)) allow you to: read the context, read physical memory and to do virtual memory translations:

```py
from kdmp import Dump, FullDump, BMPDump
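Review bot: the rewritten capabilities sentence loses two facts the old text stated, that access is read-only (`no write access`) and that both x86 and x64 builds can load 64-bit dumps, and `read access to things like:` now reads as an open-ended list. Suggest `The library supports loading 64-bit dumps (from either an x86 or x64 build) and provides read-only access to:`. The bindings sentence also has a stray `to` before `do` and a colon after `to`; `allow you to read the context, read physical memory and do virtual memory translations:` reads cleanly.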
Expand Down Expand Up @@ -49,7 +50,7 @@ assert(dmp.get_virtual_page(v) == dmp.get_physical_page(dmp.virt_translate(v)))

## Parser

The `parser.exe` application is a small utility made to dump various information about the dump file: exception record, context record, etc.
The `parser.exe` application is able to dump various information about the dump file: exception record, context record, etc.

```text
kdmp-parser\src>x64\Debug\parser.exe -c -e -p 0x1000 full.dmp
Expand Down Expand Up @@ -121,9 +122,11 @@ Physical memory:

## Building

You can build it yourself using `builder.py` or [CMake](https://cmake.org/) on either [Windows](#Windows) or [Linux](#Linux). More detailed information are described in the below sections.

### Linux

You can build it via the command line using `builder.py` or invoking `cmake` yourself (also works in WSL):
You can build it via the command line using `builder.py` or by invoking `cmake` yourself:

```text
over@oof:/kdmp-parser$ python3 builder.py -h
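Review bot: the Linux sentence drops `(also works in WSL)`; with the cross-platform summary paragraph under `## Building` also removed, nothing tells Windows users they can follow the Linux instructions in WSL. Keep the remark, or fold it into a one-line intro under `## Building`.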
Expand All @@ -138,115 +141,30 @@ optional arguments:
--arch {x64,x86}

over@oof:/kdmp-parser$ python3 builder.py --configuration Debug
-- The C compiler identification is GNU 7.4.0
-- The CXX compiler identification is GNU 7.4.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: /kdmp-parser/build/linx64-Debug
...
[6/6] Linking CXX executable ../../bin/linx64-Debug/testapp
-- The C compiler identification is GNU 7.4.0
-- The CXX compiler identification is GNU 7.4.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: /kdmp-parser/build/linx86-Debug
[6/6] Linking CXX executable ../../bin/linx86-Debug/testapp

over@oof:/kdmp-parser/$ cd build/
over@oof:/kdmp-parser/build$ mkdir linx64-RelWithDebInfo/
over@oof:/kdmp-parser/build$ cd linx64-RelWithDebInfo/
over@oof:/kdmp-parser/build/linx64-RelWithDebInfo$ cmake --DCMAKE_RUNTIME_OUTPUT_DIRECTORY=/kdmp-parser/bin/linx64-RelWithDebInfo -DCMAKE_BUILD_TYPE=RelWithDebInfo ../../
-- The C compiler identification is GNU 7.4.0
-- The CXX compiler identification is GNU 7.4.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: /kdmp-parser/build/linx64-RelWithDebInfo

over@oof:/kdmp-parser/build/linx64-RelWithDebInfo$ cmake --build .
over@oof:/kdmp-parser/build/linx64-RelWithDebInfo$ cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo ../../ && cmake --build .
```

### Windows

You can build it using [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) by either using the "Open the folder" option or via command line using `builder.py` or `cmake` directly (from a Visual Studio shell):
You can build it using [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) by either using the *Open the folder* option or via the command line using `builder.py` / `cmake` directly:

```text
kdmp-parser>python builder.py --configuration Debug
-- The C compiler identification is MSVC 19.25.28614.0
-- The CXX compiler identification is MSVC 19.25.28614.0
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx64/x64/cl.exe
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx64/x64/cl.exe -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx64/x64/cl.exe
-- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx64/x64/cl.exe -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: kdmp-parser/build/x64-Debug
...
[6/6] Linking CXX executable ..\..\bin\x64-Debug\testapp.exe
-- The C compiler identification is MSVC 19.25.28614.0
-- The CXX compiler identification is MSVC 19.25.28614.0
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx86/x86/cl.exe
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx86/x86/cl.exe -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx86/x86/cl.exe
-- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx86/x86/cl.exe -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: kdmp-parser/build/x86-Debug
[6/6] Linking CXX executable ..\..\bin\x86-Debug\testapp.exe

kdmp-parser>cd build
kdmp-parser\build>mkdir x64-RelWithDebInfo
kdmp-parser\build>cd x64-RelWithDebInfo
kdmp-parser\build\x64-RelWithDebInfo>cmake -DCMAKE_RUNTIME_OUTPUT_DIRECTORY=c:\kdmp-parser\bin\x64-RelWithDebInfo -DCMAKE_BUILD_TYPE=RelWithDebInfo -GNinja ..\..\
kdmp-parser\build\x64-RelWithDebInfo>cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -GNinja ..\..\
-- The C compiler identification is MSVC 19.25.28614.0
-- The CXX compiler identification is MSVC 19.25.28614.0
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx64/x64/cl.exe
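Review bot: the simplified `cmake` invocations drop `-DCMAKE_RUNTIME_OUTPUT_DIRECTORY=...`, so unless `CMakeLists.txt` sets that directory itself the binaries land under the build directory and the retained example lines that run `..\..\bin\x64-RelWithDebInfo\parser.exe` will not match; please confirm the CMake side sets it. On the Windows sentence, `(from a Visual Studio shell)` was removed, but `cl.exe` and `-GNinja` still need the Developer Command Prompt environment, so that qualifier is worth keeping.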
Expand All @@ -267,80 +185,4 @@ kdmp-parser\build\x64-RelWithDebInfo>cmake -DCMAKE_RUNTIME_OUTPUT_DIRECTORY=c:\k

kdmp-parser\build\x64-RelWithDebInfo>cmake --build .
[6/6] Linking CXX executable ..\..\bin\x64-RelWithDebInfo\parser.exe

kdmp-parser\build\x64-RelWithDebInfo>..\..\bin\x64-RelWithDebInfo\parser.exe
You didn't provide the path to the dump file.

parser.exe [-p [<physical address>]] [-c] [-e] [-h] <kdump path>

Examples:
Show every structures of the dump:
parser.exe -a full.dmp

Show the context record:
parser.exe -c full.dmp

Show the exception record:
parser.exe -e full.dmp

Show all the physical memory (first 16 bytes of every pages):
parser.exe -p full.dmp

Show the context record as well as the page at physical address 0x1000:
parser.exe -c -p 0x1000 full.dmp
```

## Testing

You can run `builder.py` with the `--run-tests` flag to run basic tests. First, it builds the matrix, then it downloads two kernel dumps (one full dump and one bitmap dump) and runs every flavor of the `testapp` application against the dumps.

```text
kdmp-parser>python builder.py --configuration RelWithDebInfo --run-tests
-- The C compiler identification is MSVC 19.25.28614.0
-- The CXX compiler identification is MSVC 19.25.28614.0
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx64/x64/cl.exe
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx64/x64/cl.exe -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx64/x64/cl.exe
-- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx64/x64/cl.exe -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: kdmp-parser/build/x64-RelWithDebInfo
[6/6] Linking CXX executable ..\..\bin\x64-RelWithDebInfo\parser.exe
-- The C compiler identification is MSVC 19.25.28614.0
-- The CXX compiler identification is MSVC 19.25.28614.0
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx86/x86/cl.exe
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx86/x86/cl.exe -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx86/x86/cl.exe
-- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.25.28610/bin/Hostx86/x86/cl.exe -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: kdmp-parser/build/x86-RelWithDebInfo
[6/6] Linking CXX executable ..\..\bin\x86-RelWithDebInfo\testapp.exe
Downloading https://github.com/0vercl0k/kdmp-parser/releases/download/v0.1/testdatas.zip..
Successfully downloaded the test datas in C:\Users\over\AppData\Local\Temp\tmp5o25eqtd, extracting..
Launching "bin\x64-RelWithDebInfo\testapp C:\Users\over\AppData\Local\Temp\full.dmp"..
GPRs matches the testdatas.
Launching "bin\x86-RelWithDebInfo\testapp C:\Users\over\AppData\Local\Temp\full.dmp"..
GPRs matches the testdatas.
Launching "bin\x64-RelWithDebInfo\testapp C:\Users\over\AppData\Local\Temp\bmp.dmp"..
GPRs matches the testdatas.
Launching "bin\x86-RelWithDebInfo\testapp C:\Users\over\AppData\Local\Temp\bmp.dmp"..
GPRs matches the testdatas.
All good!
```
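Review bot: this removes the whole `## Testing` section, which was the only documentation of `builder.py --run-tests` and of where the test data comes from (`testdatas.zip` from the v0.1 release). If the flag still exists, keep a two-line paragraph instead of the console transcript. Also, in the retained usage text the synopsis `parser.exe [-p [<physical address>]] [-c] [-e] [-h] <kdump path>` does not list `-a`, yet the first example is `parser.exe -a full.dmp`; add `-a` to the synopsis.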
39 changes: 18 additions & 21 deletions src/lib/filemap.h
Expand Up @@ -3,29 +3,29 @@
#include <cstdio>

#if defined(WINDOWS)
class FileMap {
class FileMap_t {
//
// Handle to the input file.
//

HANDLE File_;
HANDLE File_ = nullptr;

//
// Handle to the file mapping.
//

HANDLE FileMap_;
HANDLE FileMap_ = nullptr;

//
// Base address of the file view.
//

PVOID ViewBase_;
PVOID ViewBase_ = nullptr;

public:
FileMap() : File_(nullptr), FileMap_(nullptr), ViewBase_(nullptr) {}
explicit FileMap_t() = default;

~FileMap() {
~FileMap_t() {
//
// Unmap the view of the mapping..
//
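Review bot: `explicit FileMap_t() = default;` is legal, but `explicit` on a zero-argument constructor only blocks copy-list-initialization such as `FileMap_t F = {};`, so either drop it or make sure that form is never used. Separately, `nullptr` is now the sentinel for `File_`, while `CreateFile` reports failure with `INVALID_HANDLE_VALUE`; `MapFile` must not leave `INVALID_HANDLE_VALUE` in `File_` before jumping to `clean`, otherwise the destructor's null check passes and `CloseHandle` is called on it.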
Expand Down Expand Up @@ -54,6 +54,9 @@ class FileMap {
}
}

FileMap_t(const FileMap_t &) = delete;
FileMap_t &operator=(const FileMap_t &) = delete;

void *ViewBase() { return ViewBase_; }

bool MapFile(const char *PathFile) {
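Review bot: deleting the copy operations is the right call since the destructor releases `File_`, `FileMap_` and `ViewBase_`, but declaring them also suppresses the implicit move operations, so `FileMap_t` is now neither copyable nor movable. If an instance is ever returned by value or kept in a container, add a move constructor and move assignment that transfer the handles and reset the source to the default values.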
Expand Down Expand Up @@ -139,15 +142,6 @@ class FileMap {

clean:

//
// Unmap the view of the mapping..
//

if (ViewBase != nullptr) {
UnmapViewOfFile(ViewBase);
ViewBase = nullptr;
}

//
// Close the handle to the file mapping..
//
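Review bot: dropping the `UnmapViewOfFile(ViewBase)` block from the `clean:` path is only correct if `MapViewOfFile` is the last fallible step and its result is stored into `ViewBase_` before anything else can fail; otherwise an error between the map and the assignment leaks the view. Since the static-analysis reason (the local was always null at this point) is not obvious from the code, a one-line comment above `clean:` saying the view is owned by the destructor once mapped would help the next reader.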
Expand Down Expand Up @@ -179,15 +173,15 @@ class FileMap {
#include <sys/types.h>
#include <unistd.h>

class FileMap {
void *ViewBase_;
off_t ViewSize_;
int Fd_;
class FileMap_t {
void *ViewBase_ = nullptr;
off_t ViewSize_ = 0;
int Fd_ = -1;

public:
FileMap() : ViewBase_(nullptr), ViewSize_(0), Fd_(-1) {}
explicit FileMap_t() = default;

~FileMap() {
~FileMap_t() {
if (ViewBase_) {
munmap(ViewBase_, ViewSize_);
ViewBase_ = nullptr;
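Review bot: `Fd_ = -1` matches the failure value of `open()`, so the destructor's close check stays consistent, but `ViewBase_ = nullptr` does not match the failure value of `mmap()`, which is `MAP_FAILED` (`(void *)-1`); the `if (ViewBase_)` in `~FileMap_t()` would treat a stored `MAP_FAILED` as a live mapping and call `munmap` on it, so `MapFile` must only assign a successful mapping to `ViewBase_`.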
Expand All @@ -200,6 +194,9 @@ class FileMap {
}
}

FileMap_t(const FileMap_t &) = delete;
FileMap_t &operator=(const FileMap_t &) = delete;

void *ViewBase() { return ViewBase_; }

bool MapFile(const char *PathFile) {