Open XVilka opened 3 years ago
@GustavoLCR could you please check it, especially in terms of Windows ARM?
@GustavoLCR please update this issue by removing (or ticking) what has been done. Or maybe close this one and open separate issues for things that are still missing or could be done, if there is anything valuable.
Missing pieces
There is more information that can be extracted from Windows kernel dumps:
- PsLoadedModuleList, which is a vaddr to an LDR_LOAD_TABLE_ENTRY struct.
- PfnDataBase (https://rayanfam.com/topics/inside-windows-page-frame-number-part1/), which is a vaddr.
- KdDebuggerDataBlock, which is a vaddr to a _KDDEBUGGER_DATA64 struct.
- PsActiveProcessHead, which is a vaddr to _EPROCESS.ActiveProcessLinks.
To extract that information, we need a way to translate those vaddrs to physical memory addresses based on memory paging. Currently, the physical memory pages from the dump are mapped. We should map the virtual memory space of the kernel instead of the physical memory pages. Here are a few examples that emulate the address space:
It should support different memory paging formats (amd64, x86). Most implementations can be found in rekall.
File Structure
- Header structure (note: there is padding between properties): https://github.com/volatilityfoundation/volatility/wiki/Crash-Address-Space and https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/overlays/windows/crashdump.py
- How Physical Memory Runs work: https://computer.forensikblog.de/en/2006/03/dmp-file-structure.html
- List of DumpType: https://crashdmp.wordpress.com/crash-mechanism/configuration/
- Address Space: https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/addrspaces/crash.py
- Header
- PsLoadedModuleList
  - LDR_LOAD_TABLE_ENTRY
- KdDebuggerDataBlock
  - _KDDEBUGGER_DATA64
- Kernel Base address = ntoskrnl base address, which is also the first entry in PsLoadedModuleList
See also https://github.com/0vercl0k/kdmp-parser
In Rizin the relevant files are:
librz/bin/p/bin_dmp*.c
librz/bin/format/dmp/*
test/db/formats/dmp/*
shlr/winkd/*
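The vaddr-to-physical translation the issue asks for, as an added example that is not Rizin's or rekall's code: an amd64 4-level page-table walk over a constructed in-memory image whose physical pages are laid out as DMP-style runs, so a physical address must first be mapped through the run table to a file offset. The run table, CR3, table entries and the kernel vaddr are all constructed here for illustration.

```python
import struct

PAGE = 0x1000
PRESENT, LARGE = 1 << 0, 1 << 7
ADDR_MASK = 0x000F_FFFF_FFFF_F000  # physical address bits 12..51 of a table entry

class PhysRuns:
    """DMP-header style runs: (base_pfn, page_count) pairs stored back to back after file_base."""
    def __init__(self, runs, file_base):
        self.runs, self.file_base = runs, file_base

    def to_offset(self, paddr):
        pfn, off = paddr // PAGE, self.file_base
        for base_pfn, count in self.runs:
            if base_pfn <= pfn < base_pfn + count:
                return off + (pfn - base_pfn) * PAGE + paddr % PAGE
            off += count * PAGE
        raise ValueError(f"paddr {paddr:#x} falls in a hole between runs")

def read_u64(image, runs, paddr):
    return struct.unpack_from("<Q", image, runs.to_offset(paddr))[0]

def translate(image, runs, cr3, vaddr):
    """amd64 4-level walk PML4 -> PDPT -> PD -> PT, honouring 1 GiB / 2 MiB pages.
    Returns the physical address, or None if some level is not present."""
    table = cr3 & ADDR_MASK
    for level, shift in enumerate((39, 30, 21, 12)):
        entry = read_u64(image, runs, table + ((vaddr >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            return None
        if level in (1, 2) and entry & LARGE:  # PS bit is only meaningful in PDPT/PD
            size = 1 << shift
            return (entry & ADDR_MASK & ~(size - 1)) | (vaddr & (size - 1))
        table = entry & ADDR_MASK
    return table | (vaddr & (PAGE - 1))

# Constructed image: 0x2000 header bytes, run 0 = PFNs 0-3, run 1 = PFNs 0x10-0x13.
RUNS = PhysRuns([(0x0, 4), (0x10, 4)], file_base=0x2000)
IMAGE = bytearray(0x2000 + 8 * PAGE)
CR3 = 0x1000
KERNEL_VA = 0xFFFFF80012345678  # indices: PML4 0x1F0, PDPT 0, PD 0x91, PT 0x145, off 0x678
for paddr, value in [
    (0x1000 + 0x1F0 * 8, 0x2000 | 3),            # PML4E -> PDPT at 0x2000
    (0x2000 + 0x000 * 8, 0x3000 | 3),            # PDPTE -> PD at 0x3000
    (0x3000 + 0x091 * 8, 0x10000 | 3),           # PDE -> PT at 0x10000 (lives in run 1)
    (0x3000 + 0x092 * 8, 0x400000 | LARGE | 3),  # neighbouring 2 MiB large page
    (0x10000 + 0x145 * 8, 0x11000 | 3),          # PTE -> data page at 0x11000
    (0x11678, 0x1122334455667788),               # value KERNEL_VA points at
]:
    struct.pack_into("<Q", IMAGE, RUNS.to_offset(paddr), value)
```

`translate(IMAGE, RUNS, CR3, KERNEL_VA)` yields 0x11678, which `RUNS.to_offset` maps to file offset 0x7678 because PFN 0x11 sits in the second run; an x86 (non-PAE or PAE) walk differs only in entry width and number of levels.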