
Commit 6049f79

authored
kdmp-parser v072 (#198)
1 parent 393bea0 commit 6049f79


2 files changed

+26
-1
lines changed


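--- a/src/libs/kdmp-parser/README.md
+++ b/src/libs/kdmp-parser/README.md
@@ -17,6 +17,8 @@ The library supports loading 64-bit dumps and provides read access to things lik
 Compiled binaries are available in the [releases](https://github.com/0vercl0k/kdmp-parser/releases) section.
 
 Special thanks to:
+- [hugsy](https://github.com/hugsy) for numerous contributions: the new Python bindings, CI improvements, new dump types, etc.,
+- [masthoon](https://github.com/masthoon) for the initial version of the Python bindings,
 - [yrp604](https://github.com/yrp604) for being knowledgeable about the format,
 - the [rekall](https://github.com/google/rekall) project and their [Python implementation](https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/overlays/windows/crashdump.py) (most of the structures in [kdmp-parser-structs.h](https://github.com/0vercl0k/kdmp-parser/blob/master/src/kdmp-parser/kdmp-parser-structs.h) have been adapted from it).
 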

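--- a/src/libs/kdmp-parser/src/lib/kdmp-parser.h
+++ b/src/libs/kdmp-parser/src/lib/kdmp-parser.h
@@ -585,6 +585,8 @@ class KernelDumpParser {
 uint8_t *Page = nullptr;
 uint64_t MetadataSize = 0;
 uint8_t *Bitmap = nullptr;
+uint64_t TotalNumberOfPages = 0;
+uint64_t CurrentPageCount = 0;
 
 switch (Type) {
 case DumpType_t::KernelMemoryDump:
@@ -597,10 +599,11 @@ class KernelDumpParser {
 }
 
 case DumpType_t::CompleteMemoryDump: {
-FirstPageOffset = DmpHdr_->u3.RdmpHeader.Hdr.FirstPageOffset;
+FirstPageOffset = DmpHdr_->u3.FullRdmpHeader.Hdr.FirstPageOffset;
 Page = (uint8_t *)DmpHdr_ + FirstPageOffset;
 MetadataSize = DmpHdr_->u3.FullRdmpHeader.Hdr.MetadataSize;
 Bitmap = DmpHdr_->u3.FullRdmpHeader.Bitmap.data();
+TotalNumberOfPages = DmpHdr_->u3.FullRdmpHeader.TotalNumberOfPages;
 break;
 }
 
@@ -626,13 +629,33 @@ class KernelDumpParser {
 uint64_t NumberOfPages;
 };
 
+// Sanity check
+if (MetadataSize % sizeof(PfnRange)) {
+return false;
+}
+
 for (uint64_t Offset = 0; Offset < MetadataSize;
 Offset += sizeof(PfnRange)) {
+
+if (Type == DumpType_t::CompleteMemoryDump) {
+// `CompleteMemoryDump` type seems to be bound by the
+// `TotalNumberOfPages` field, *not* by `MetadataSize`.
+if (CurrentPageCount == TotalNumberOfPages) {
+break;
+}
+
+if (CurrentPageCount > TotalNumberOfPages) {
+return false;
+}
+}
+
 const PfnRange &Entry = (PfnRange &)Bitmap[Offset];
 if (!FileMap_.InBounds(&Entry, sizeof(Entry))) {
 return false;
 }
 
+CurrentPageCount += Entry.NumberOfPages;
+
 const uint64_t Pfn = Entry.PageFileNumber;
 if (!Pfn) {
 break;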
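Review bot: `CurrentPageCount += Entry.NumberOfPages;` (new line 657) accumulates a count read straight from the dump file before it is validated, since the only bound test is the `CurrentPageCount > TotalNumberOfPages` comparison at the top of the next iteration. A single entry carrying a very large `NumberOfPages` is therefore consumed by the rest of this iteration before it is rejected, and a sum that wraps the `uint64_t` can land back below `TotalNumberOfPages` and pass the next check unnoticed. Rejecting the entry before the addition closes both gaps: `if (Type == DumpType_t::CompleteMemoryDump && Entry.NumberOfPages > TotalNumberOfPages - CurrentPageCount) { return false; }` placed right after the `InBounds` check, after which the later `>` test can never fire and could be dropped. The loop body past `if (!Pfn) { break; }` and the enclosing function both continue outside the hunk, so whether the entry's page count is used on the same iteration is inferred from the loop structure and should be confirmed against the remainder of the body.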
