0vercl0k / kdmp-parser

A Windows kernel dump C++ parser library with Python 3 bindings.
MIT License
193 stars 29 forks

Unknown Type 0x6 #26

Closed frendguo closed 4 months ago

frendguo commented 8 months ago

I crashed Windows via notmyfault.exe with the debugging file option [Automatic memory dump]. The generated dump file is passed through `.\parser.exe -c -e -p 0x1000 D:\vmware_share\MEMORY.DMP`. Execution hint:

```
Unknown Type 0x6.
The header looks wrong.
ParseDmpHeader failed.
Parsing of the dump failed, exiting.
```

So this dump format itself won't be supported? How is it different from other types?

frendguo commented 8 months ago

When I debug parser.exe to parse a dmp file with dumptype 6 via windbg, I found that it is able to parse it. Does that mean it's supported? [screenshot attached]

0vercl0k commented 8 months ago

Let me see..

0vercl0k commented 8 months ago

Indeed, the type '6' isn't supported; here are the ones currently supported:

```cpp
#include <cstdint>

enum class DumpType_t : uint32_t {
  // Old dump types from dbgeng.dll
  FullDump = 0x1,
  KernelDump = 0x2,
  BMPDump = 0x5,

  // New stuff
  MiniDump = 0x4,                // Produced by `.dump /m`
  KernelMemoryDump = 0x8,        // Produced by `.dump /k`
  KernelAndUserMemoryDump = 0x9, // Produced by `.dump /ka`
  CompleteMemoryDump = 0xa,      // Produced by `.dump /f`
};
```

I don't think I have ever run into a type 6 dump yet 😅

What you are seeing is the first header of the dump file, which is the same across dumps, but it is then followed by other headers / data that depend on the type of dump it is. Because kdmp-parser doesn't know about this type 6, it doesn't know how to handle what follows the main header.

I'll leave this issue open in case somebody feels like reverse-engineering / implementing it!

Thank you for your report :)

Cheers
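As an added illustration of the point in the comment above (this is not kdmp-parser's own code), the following Python reads the common 64-bit dump header and dispatches on its `DumpType` field using the values from the enum listed above, so a type the dispatcher has no handler for (such as `0x6`) is reported instead of being parsed as something else. The header size of `0x2000` bytes, the `PAGE` / `DU64` magic and the `0xf98` offset of `DumpType` are assumptions taken from the `DUMP_HEADER64` layout, not from this thread; the input blob is constructed in the script.

```python
"""Added example (not part of kdmp-parser): validate the common kernel dump
header and dispatch on its DumpType field.

Assumptions (from the DUMP_HEADER64 layout, not from this issue thread):
  - the header is 0x2000 bytes,
  - Signature 'PAGE' sits at +0x0 and ValidDump 'DU64' at +0x4,
  - the 32-bit DumpType field sits at offset 0xf98.
"""
import struct

HEADER64_SIZE = 0x2000
SIGNATURE = b"PAGE"
VALID_DUMP = b"DU64"
DUMPTYPE_OFFSET = 0xF98

# Values from the DumpType_t enum in the comment above; 0x6 is deliberately absent.
SUPPORTED_DUMP_TYPES = {
    0x1: "FullDump",
    0x2: "KernelDump",
    0x5: "BMPDump",
    0x4: "MiniDump",
    0x8: "KernelMemoryDump",
    0x9: "KernelAndUserMemoryDump",
    0xA: "CompleteMemoryDump",
}


def parse_header(blob: bytes) -> dict:
    """Check the common header and return the dump type.

    Raises ValueError with a message mirroring the parser's diagnostics when
    the magic is wrong or the type has no handler; the body that follows the
    common header is type-specific, so an unknown type cannot be parsed further.
    """
    if len(blob) < HEADER64_SIZE:
        raise ValueError(
            f"header truncated: {len(blob):#x} bytes, need {HEADER64_SIZE:#x}"
        )
    if blob[0:4] != SIGNATURE or blob[4:8] != VALID_DUMP:
        raise ValueError("The header looks wrong (bad Signature/ValidDump).")
    (dump_type,) = struct.unpack_from("<I", blob, DUMPTYPE_OFFSET)
    name = SUPPORTED_DUMP_TYPES.get(dump_type)
    if name is None:
        raise ValueError(f"Unknown Type {dump_type:#x}")
    return {"dump_type": dump_type, "name": name}


def make_header(dump_type: int) -> bytes:
    """Constructed input: a zeroed header with valid magic and the given type."""
    buf = bytearray(HEADER64_SIZE)
    buf[0:4] = SIGNATURE
    buf[4:8] = VALID_DUMP
    struct.pack_into("<I", buf, DUMPTYPE_OFFSET, dump_type)
    return bytes(buf)


def classify(blob: bytes) -> str:
    """One-line verdict for a header blob, suitable for a CLI message."""
    try:
        info = parse_header(blob)
    except ValueError as exc:
        return f"unsupported: {exc}"
    return f"supported: {info['name']} ({info['dump_type']:#x})"


if __name__ == "__main__":
    for dump_type in (0x5, 0x6, 0xA):
        print(classify(make_header(dump_type)))
```

Running it prints a "supported" line for types `0x5` and `0xa` and `unsupported: Unknown Type 0x6` for the live-kernel-dump type discussed later in this thread, which is the same failure point the reporter hit.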

frendguo commented 8 months ago

Thank you for your reply.

I've searched the web and haven't found a specific meaning for dumptype being BMPDump. What is the source of the various types of dumptype, please?

0vercl0k commented 8 months ago

Sorry, I am not sure I understood the question - I believe 'BMP' means 'Bitmap' and refers to the way the physical memory is stored in the dump, if I remember correctly.

Cheers

On Tue, Feb 20, 2024 at 10:29 PM frendguo wrote:

> Thank you for your reply.
>
> I've searched the web and haven't found a specific meaning for dumptype being BMPDump. What is the source of the various types of dumptype, please?

frendguo commented 8 months ago

Thanks for the reply.

Cheers

hugsy commented 8 months ago

@frendguo I don't think I've ever seen a type 6 dump. How did you generate it?

tandasat commented 4 months ago

I came across this error.

Type 6 is a live kernel dump. We can create this with the task manager. On the process list view, right click on the System process -> Create live kernel memory dump file. You see two options but both generate a type 6 dump file.

hugsy commented 4 months ago

> Type 6 is a live kernel dump. We can create this with the task manager. On the process list view, right click on the System process -> Create live kernel memory dump file. You see two options but both generate a type 6 dump file.

Thanks for that update @tandasat. I can reproduce on Win11 22H2 and up. I will look into it!

0vercl0k commented 4 months ago

@tandasat / @frendguo FYI this should be fixed in v0.7.4.

Cheers

tandasat commented 4 months ago

Excellent. Thank you for fixing the issue!

0vercl0k commented 4 months ago

Thank you for sharing the repro information @tandasat, and thank you @hugsy for implementing it 🫡

frendguo commented 2 months ago

@hugsy @0vercl0k wow, thank you for fixing this issue!