Awesome
kdmp-parser
This C++ library parses Windows kernel full dumps (.dump /f
in WinDbg), BMP dumps (.dump /ka
in WinDbg) as well as more recent dump types that were introduced in ~2022.
The library supports loading 64-bit dumps and provides read access to things like:
- The context record,
- The exception record,
- The bugcheck parameters,
- The physical memory.
Compiled binaries are available in the releases section.
Special thanks to:
- hugsy for numerous contributions: the new Python bindings, CI improvements, new dump types, etc.,
- masthoon for the initial version of the Python bindings,
- yrp604 for being knowledgeable about the format,
- the rekall project and their Python implementation (most of the structures in kdmp-parser-structs.h have been adapted from it).
Parser
The parser.exe
application is able to dump various information about the dump file: exception record, context record, etc.
>parser.exe -c -e -p 0x1000 full.dmp
--------------------------------------------------------------------------------
Context Record:
rax=0000000000000003 rbx=fffff8050f4e9f70 rcx=0000000000000001
rdx=fffff805135684d0 rsi=0000000000000100 rdi=fffff8050f4e9f80
rip=fffff805108776a0 rsp=fffff805135684f8 rbp=fffff80513568600
r8=0000000000000003 r9=fffff805135684b8 r10=0000000000000000
r11=ffffa8848825e000 r12=fffff8050f4e9f80 r13=fffff80510c3c958
r14=0000000000000000 r15=0000000000000052
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
fpcw=0000 fpsw=0000 fptw=0001
st0=fffff80510bbf000fffff80510c3c9c0 st1=0005e5a800ab2000fffff805106b3000
st2=4000000000200000fffff80510beaea8 st3=000000000a0d656c69666f7250206465
st4=0000000a0d656c69666f725000000010 st5=0000000000000000fffff80510b16900
st6=0000000000000000fffff805133e9000 st7=fffff47c02899f480000000000000000
xmm0=000000000a0d656c69666f7250206465 xmm1=0000000a0d656c69666f725000000010
xmm2=0000000000000000fffff80510b16900 xmm3=0000000000000000fffff805133e9000
xmm4=fffff47c02899f480000000000000000 xmm5=00000000000000000000000000000000
xmm6=00000000000000000000000000000000 xmm7=00000000000000000000000000000000
xmm8=00000000000000000000000000000000 xmm9=00000000000000000000000000000000
xmm10=00000000000000000000000000000000 xmm11=00000000000000000000000000000000
xmm12=00000000000000000000000000000000 xmm13=00000000000000000000000000000000
xmm14=00000000000000000000000000000000 xmm15=00000000000000000000000000000000
--------------------------------------------------------------------------------
Exception Record:
KDMP_PARSER_EXCEPTION_RECORD64
+0x0000: ExceptionCode : 0x80000003.
+0x0004: ExceptionFlags : 0x00000000.
+0x0008: ExceptionRecord : 0x0000000000000000.
+0x0010: ExceptionAddress : 0xfffff805108776a0.
+0x0018: NumberParameters : 0x00000001.
+0x0020: ExceptionInformation[0] : 0x0000000000000000.
+0x0028: ExceptionInformation[1] : 0x0000000000000000.
+0x0030: ExceptionInformation[2] : 0xffffa8848825e000.
+0x0038: ExceptionInformation[3] : 0x00000000000002c0.
+0x0040: ExceptionInformation[4] : 0xfffff80511022203.
+0x0048: ExceptionInformation[5] : 0x0000000000004280.
+0x0050: ExceptionInformation[6] : 0xfffff80510880524.
+0x0058: ExceptionInformation[7] : 0xffffa88488282360.
+0x0060: ExceptionInformation[8] : 0x0000000000000280.
+0x0068: ExceptionInformation[9] : 0xfffff805135683d8.
+0x0070: ExceptionInformation[10] : 0xffffa8848d9d6fb0.
+0x0078: ExceptionInformation[11] : 0x0000000000004280.
+0x0080: ExceptionInformation[12] : 0x00001f8001004280.
+0x0088: ExceptionInformation[13] : 0x0000000000000003.
+0x0090: ExceptionInformation[14] : 0xfffff80513568578.
--------------------------------------------------------------------------------
Physical memory:
00001000: 00 00 00 00 00 00 00 00 00 00 f9 ff 00 00 00 00 |................|
00001010: 00 06 01 01 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000010a0: 00 00 00 00 00 00 00 00 00 a0 87 00 00 00 00 00 |................|
000010b0: ff ff ff ff ff ff ff ff 00 00 60 11 05 f8 ff ff |..........`.....|
000010c0: 00 90 2f 00 00 00 00 00 ff ff ff ff 03 80 ff ff |../.............|
000010d0: f8 00 00 c0 c1 f7 ff ff 00 00 00 00 03 00 00 00 |................|
000010e0: f8 00 00 c0 c1 f7 ff ff 00 00 00 00 03 00 00 00 |................|
000010f0: 00 00 00 00 00 00 00 00 70 37 01 c0 c1 f7 ff ff |........p7......|
...
Building
You can build it yourself using CMake and it builds on Linux, Windows, OSX with the Microsoft, the LLVM Clang and GNU compilers.
Here is an example on Windows:
> mkdir build
> cd build
> cmake ..
-- Building for: Visual Studio 17 2022
...
> cmake --build . --config RelWithDebInfo
MSBuild version 17.8.3+195e7f5a3 for .NET Framework
...
> src\parser\RelWithDebInfo\parser.exe
You didn't provide the path to the dump file.
parser.exe [-p [<physical address>]] [-c] [-e] [-h] <kdump path>
Examples:
Show every structures of the dump:
parser.exe -a full.dmp
Show the context record:
parser.exe -c full.dmp
Show the exception record:
parser.exe -e full.dmp
Show all the physical memory (first 16 bytes of every pages):
parser.exe -p full.dmp
Show the context record as well as the page at physical address 0x1000:
parser.exe -c -p 0x1000 full.dmp
Here is another example on Linux (with the Python bindings):
$ mkdir build
$ cd build
$ cmake .. -DBUILD_PYTHON_BINDING=ON
...
$ cmake --build . --config RelWithDebInfo
...
$ ./src/parser/parser
You didn't provide the path to the dump file.
parser.exe [-p [<physical address>]] [-c] [-e] [-h] <kdump path>
Examples:
Show every structures of the dump:
parser.exe -a full.dmp
Show the context record:
parser.exe -c full.dmp
Show the exception record:
parser.exe -e full.dmp
Show all the physical memory (first 16 bytes of every pages):
parser.exe -p full.dmp
Show the context record as well as the page at physical address 0x1000:
parser.exe -c -p 0x1000 full.dmp
Python bindings
From PyPI
The easiest way is simply to:
pip install kdmp_parser
Using PIP
Run the following after installing CMake and Python 3.8+ / pip
:
cd src/python
pip install requirements.txt
pip install .
To create a wheel pacakge:
cd src/python
pip wheel .
Usage
Get context, print the program counter
import kdmp_parser
dmp = kdmp_parser.KernelDumpParser("full.dmp")
assert dmp.type == kdmp_parser.DumpType.FullDump
print(f"Dump RIP={dmp.context.Rip:#x}")
Read a virtual memory page at address pointed by RIP
import kdmp_parser
dmp = kdmp_parser.KernelDumpParser("full.dmp")
dmp.read_virtual_page(dmp.context.Rip)
Explore the physical memory
import kdmp_parser
dmp = kdmp_parser.KernelDumpParser("full.dmp")
pml4 = dmp.directory_table_base
print(f"{pml4=:#x}")
dmp.read_physical_page(pml4)
Translate a virtual address into a physical address
import kdmp_parser
dmp = kdmp_parser.KernelDumpParser("full.dmp")
VA = dmp.context.Rip
PA = dmp.translate_virtual(VA)
print(f"{VA=:#x} -> {PA=:#x}")
Authors
- Axel '@0vercl0k' Souchet