rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.
https://rizin.re
GNU Lesser General Public License v3.0

Improve Windows kernel dumps parsing and loading #189

Open XVilka opened 3 years ago

XVilka commented 3 years ago

Missing pieces

There is more information that can be extracted from Windows kernel dumps:

To extract that information, we need a way to translate those vaddrs to physical memory addresses based on memory paging. Currently, the physical memory pages from the dump are mapped. We should map the virtual memory space of the kernel instead of the physical memory pages. Here are a few examples that emulate the address space:

It should support different memory paging formats (amd64, x86). Most implementations can be found in rekall.

File Structure

Header structure (Note: there is padding between properties)
https://github.com/volatilityfoundation/volatility/wiki/Crash-Address-Space
https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/overlays/windows/crashdump.py

How Physical Memory Runs work

https://computer.forensikblog.de/en/2006/03/dmp-file-structure.html

List of DumpType

https://crashdmp.wordpress.com/crash-mechanism/configuration/

Address Space

https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/addrspaces/crash.py

Header

PsLoadedModuleList - LDR_LOAD_TABLE_ENTRY
KdDebuggerDataBlock - _KDDEBUGGER_DATA64
Kernel Base address = ntoskrnl base address, which is also the first entry in PsLoadedModuleList

See also https://github.com/0vercl0k/kdmp-parser

In Rizin the relevant files are:
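The translation this issue asks for, as an added example that is not part of the issue or of Rizin's code: a physical address is mapped to its file offset through the physical memory runs that follow the dump header, and an amd64 4-level page-table walk from the DirectoryTableBase then resolves a kernel virtual address to a physical one, so kernel structures can be read by vaddr. The run layout, the 0x2000 64-bit header size and the page-table contents are a constructed sample driven by sample_translate(), not values from a real dump.

```c
#include <stdint.h>
#include <string.h>
#define HDR64 0x2000u /* 64-bit DMP header size; the first memory run follows it */
struct run { uint64_t base_page, page_count; };
struct dump { const uint8_t *buf; size_t len; const struct run *runs; size_t nruns; };
/* Physical address -> file offset: runs are stored back to back after the header, so
   skip the pages of earlier runs. Returns -1 for a page that no run covers. */
static int64_t phys_to_file_off(const struct dump *d, uint64_t paddr) {
    uint64_t page = paddr >> 12, skipped = 0;
    for (size_t i = 0; i < d->nruns; i++) {
        const struct run *r = &d->runs[i];
        if (page >= r->base_page && page < r->base_page + r->page_count)
            return (int64_t)(HDR64 + ((skipped + page - r->base_page) << 12) + (paddr & 0xfff));
        skipped += r->page_count;
    }
    return -1;
}
/* amd64 4-level walk (PML4 -> PDPT -> PD -> PT) from the DirectoryTableBase; fails on a
   non-present entry or an unmapped table page, honours PS (bit 7) for 1G/2M large pages. */
static int virt_to_phys(const struct dump *d, uint64_t dtb, uint64_t vaddr, uint64_t *paddr) {
    static const int shifts[4] = { 39, 30, 21, 12 };
    uint64_t table = dtb & ~0xfffULL, entry;
    for (int level = 0; level < 4; level++) {
        int64_t off = phys_to_file_off(d, table + ((vaddr >> shifts[level]) & 0x1ff) * 8);
        if (off < 0 || (uint64_t)off + 8 > d->len) return 0;
        memcpy(&entry, d->buf + off, 8);
        if (!(entry & 1)) return 0; /* not present */
        uint64_t frame = entry & 0x000ffffffffff000ULL;
        if (level == 3 || (level >= 1 && (entry & 0x80))) { /* leaf entry */
            uint64_t mask = (1ULL << shifts[level]) - 1;
            *paddr = (frame & ~mask) | (vaddr & mask);
            return 1;
        }
        table = frame;
    }
    return 0;
}
/* Constructed sample, not a real dump: runs cover pages 0-1 and 0x10-0x11 (header + 4 pages);
   PML4 = DTB at phys 0x1000, PDPT at 0x10000, PD at 0x11000 with a 2M page at phys 0x40000000. */
static uint8_t sample_buf[HDR64 + 4 * 0x1000];
static const struct run sample_runs[2] = { { 0, 2 }, { 0x10, 2 } };
uint64_t sample_translate(uint64_t vaddr) { /* returns 0 when vaddr is not mapped */
    struct dump d = { sample_buf, sizeof sample_buf, sample_runs, 2 };
    uint64_t pml4e = 0x10000ULL | 3, pdpte = 0x11000ULL | 3, pde = 0x40000000ULL | 0x83, paddr;
    memcpy(sample_buf + phys_to_file_off(&d, 0x1000 + 0x1f0 * 8), &pml4e, 8); /* PML4[0x1f0] */
    memcpy(sample_buf + phys_to_file_off(&d, 0x10000), &pdpte, 8);           /* PDPT[0] */
    memcpy(sample_buf + phys_to_file_off(&d, 0x11000), &pde, 8);             /* PD[0] */
    return virt_to_phys(&d, 0x1000, vaddr, &paddr) ? paddr : 0;
}
```

A real loader would take the runs and the DirectoryTableBase from the parsed header, and the x86 (PAE and non-PAE) layouts need their own walkers with different index widths.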

XVilka commented 2 years ago

@GustavoLCR could you please check it, especially in terms of the Windows ARM?

XVilka commented 2 years ago

@GustavoLCR please update this issue by removing (or ticking) what has been done. Or maybe close this one and open separate issues for things that are still missing or could be done, if there is anything valuable.