mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
745 lines
22 KiB
745 lines
22 KiB
//-----------------------------------------------------------------------
|
|
// @doc
|
|
//
|
|
// @module convert crash dump to triage dump for crash dump utilities
|
|
//
|
|
// Copyright 1999 Microsoft Corporation. All Rights Reserved
|
|
//
|
|
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <time.h>
|
|
#include <tchar.h>
|
|
|
|
#include <nt.h>
|
|
#include <ntrtl.h>
|
|
#include <nturtl.h>
|
|
#include <windows.h>
|
|
|
|
#include <triage.h>
|
|
#include <crash.h>
|
|
#include <ntiodump.h>
|
|
#define NOEXTAPI
|
|
#include "wdbgexts.h"
|
|
#include "ntdbg.h"
|
|
|
|
|
|
inline ALIGN_8(unsigned offset)
|
|
{
|
|
return (offset + 7) & 0xfffffff8;
|
|
}
|
|
|
|
typedef struct _MI_TRIAGE_STORAGE
|
|
{
|
|
ULONG Version;
|
|
ULONG Size;
|
|
ULONG MmSpecialPoolTag;
|
|
ULONG MiTriageActionTaken;
|
|
|
|
ULONG MmVerifyDriverLevel;
|
|
ULONG KernelVerifier;
|
|
ULONG_PTR MmMaximumNonPagedPool;
|
|
ULONG_PTR MmAllocatedNonPagedPool;
|
|
|
|
ULONG_PTR PagedPoolMaximum;
|
|
ULONG_PTR PagedPoolAllocated;
|
|
|
|
ULONG_PTR CommittedPages;
|
|
ULONG_PTR CommittedPagesPeak;
|
|
ULONG_PTR CommitLimitMaximum;
|
|
} MI_TRIAGE_STORAGE, *PMI_TRIAGE_STORAGE;
|
|
|
|
KDDEBUGGER_DATA64 g_DebuggerData;
|
|
|
|
extern PKDDEBUGGER_DATA64 blocks[];
|
|
|
|
|
|
#define ExtractValue(NAME, val) { \
|
|
if (!g_DebuggerData.NAME) { \
|
|
val = 0; \
|
|
printf("g_DebuggerData.NAME is NULL"); \
|
|
} else { \
|
|
DmpReadMemory(g_DebuggerData.NAME, &(val), sizeof(val)); \
|
|
} \
|
|
}
|
|
|
|
|
|
//BUGBUG
|
|
#define PAGE_SHIFT 12
|
|
#define PAGE_SIZE 0x1000
|
|
|
|
|
|
#define ALIGN_DOWN_POINTER(address, type) \
|
|
((PVOID)((ULONG_PTR)(address) & ~((ULONG_PTR)sizeof(type) - 1)))
|
|
|
|
#define ALIGN_UP_POINTER(address, type) \
|
|
(ALIGN_DOWN_POINTER(((ULONG_PTR)(address) + sizeof(type) - 1), type))
|
|
|
|
|
|
const MAX_UNLOADED_NAME_LENGTH = 12;
|
|
|
|
typedef struct _DUMP_UNLOADED_DRIVERS
|
|
{
|
|
UNICODE_STRING Name;
|
|
WCHAR DriverName[MAX_UNLOADED_NAME_LENGTH];
|
|
PVOID StartAddress;
|
|
PVOID EndAddress;
|
|
} DUMP_UNLOADED_DRIVERS, *PDUMP_UNLOADED_DRIVERS;
|
|
|
|
class CCrashDumpWrapper
|
|
{
|
|
public:
|
|
// @cmember constructor
|
|
CCrashDumpWrapper() { }
|
|
|
|
~CCrashDumpWrapper() {}
|
|
|
|
unsigned GetCallStackSize();
|
|
|
|
unsigned GetDriverCount(PULONG cbNames);
|
|
|
|
void WriteDriverList(BYTE *pb, unsigned offset, unsigned stringOffset);
|
|
|
|
void WriteCurrentProcess(BYTE *pb, ULONG offset);
|
|
|
|
void WriteUnloadedDrivers(BYTE *pb, ULONG offset);
|
|
|
|
void WriteMmTriageInformation(BYTE *pb, ULONG offset);
|
|
|
|
};
|
|
|
|
|
|
BOOL g_fVerbose;
|
|
PDUMP_HEADER m_pHeader;
|
|
PX86_CONTEXT m_pcontext;
|
|
PEXCEPTION_RECORD m_pexception;
|
|
|
|
|
|
const unsigned MAX_TRIAGE_STACK_SIZE = 16 * 1024;
|
|
|
|
extern "C" {
|
|
// processor block. We fill this in and it is accessed by crashlib
|
|
PVOID KiProcessors[MAXIMUM_PROCESSORS];
|
|
|
|
// ignored but needed for linking
|
|
ULONG KiPcrBaseAddress = 0;
|
|
}
|
|
|
|
|
|
#define MI_UNLOADED_DRIVERS 50
|
|
|
|
typedef struct _UNLOADED_DRIVERS {
|
|
UNICODE_STRING Name;
|
|
PVOID StartAddress;
|
|
PVOID EndAddress;
|
|
LARGE_INTEGER CurrentTime;
|
|
} UNLOADED_DRIVERS, *PUNLOADED_DRIVERS;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
VOID
|
|
GetCurrentThread(LPBYTE pthread)
|
|
{
|
|
// get current processor
|
|
unsigned iProcessor = DmpGetCurrentProcessor();
|
|
|
|
// get KPCRB for current processor
|
|
PX86_PARTIAL_KPRCB pkprcb = (PX86_PARTIAL_KPRCB)(KiProcessors[iProcessor]);
|
|
ULONG64 threadAddr = 0;
|
|
|
|
// read current thread pointer from KPCRB
|
|
DmpReadMemory((ULONG64) &pkprcb->CurrentThread, &threadAddr, sizeof(ULONG));
|
|
|
|
// read current thread
|
|
DmpReadMemory(threadAddr, pthread, X86_ETHREAD_SIZE);
|
|
}
|
|
|
|
|
|
unsigned CCrashDumpWrapper::GetDriverCount(PULONG cbNames)
|
|
{
|
|
|
|
LIST_ENTRY le;
|
|
PLIST_ENTRY pleNext;
|
|
PLDR_DATA_TABLE_ENTRY pdte;
|
|
LDR_DATA_TABLE_ENTRY dte;
|
|
unsigned cModules = 0;
|
|
*cbNames = 0;
|
|
|
|
// first entry is pointed to by the the PsLoadedModuleList field in the dump header
|
|
LIST_ENTRY *pleHead = (PLIST_ENTRY) m_pHeader->PsLoadedModuleList;
|
|
|
|
// read list element
|
|
if (!DmpReadMemory((ULONG64) pleHead, (PVOID) &le, sizeof(LIST_ENTRY)))
|
|
{
|
|
printf("Could not read base of PsLoadedModuleList");
|
|
}
|
|
|
|
// obtain pointer to next list element
|
|
pleNext = le.Flink;
|
|
if (pleNext == NULL)
|
|
{
|
|
printf("PsLoadedModuleList is empty");
|
|
}
|
|
|
|
// while next list element is not pointer to headed
|
|
while(pleNext != pleHead)
|
|
{
|
|
// obtain pointerr to loader entry
|
|
pdte = CONTAINING_RECORD
|
|
(
|
|
pleNext,
|
|
LDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks
|
|
);
|
|
|
|
// read loader entry
|
|
if (!DmpReadMemory((ULONG64) pdte, (PVOID) &dte, sizeof(dte)))
|
|
{
|
|
printf("memory read failed addr=0x%08x", (ULONG)(ULONG_PTR) pdte);
|
|
}
|
|
|
|
// compute length of module name
|
|
*cbNames += ALIGN_8((dte.BaseDllName.Length + 1) * sizeof(WCHAR) + sizeof(DUMP_STRING));
|
|
|
|
// get pointer to next loader entry
|
|
pleNext = dte.InLoadOrderLinks.Flink;
|
|
|
|
|
|
// if name is not null then this is a valid entry
|
|
if (dte.BaseDllName.Length >= 0 && dte.BaseDllName.Buffer != NULL)
|
|
cModules++;
|
|
|
|
if (cModules > 10000)
|
|
{
|
|
printf("PsLoadedModuleList is empty");
|
|
exit(-1);
|
|
}
|
|
}
|
|
|
|
// return # of modules
|
|
return cModules;
|
|
}
|
|
|
|
|
|
unsigned CCrashDumpWrapper::GetCallStackSize()
|
|
{
|
|
BYTE thread[X86_ETHREAD_SIZE];
|
|
|
|
// get current thread
|
|
GetCurrentThread(thread);
|
|
|
|
// if kernel stack is not resident, then we can't do anything
|
|
//if (!thread.Tcb.KernelStackResident)
|
|
// return 0;
|
|
|
|
// obtain stack base from thread
|
|
ULONG StackBase = ((X86_THREAD *)(&thread[0]))->InitialStack;
|
|
|
|
// obtain top of stack from register ESP
|
|
ULONG_PTR StackPtr = m_pcontext->Esp;
|
|
|
|
// make sure pointers make sense
|
|
if (StackBase < StackPtr)
|
|
{
|
|
printf("Stack base pointer is invalid StackBase = %08x, esp=%08x", StackBase, StackPtr);
|
|
return MAX_TRIAGE_STACK_SIZE;
|
|
}
|
|
|
|
// return stack size limited by max triage stack size (16K)
|
|
return min((ULONG) StackBase - (ULONG) StackPtr, MAX_TRIAGE_STACK_SIZE);
|
|
}
|
|
|
|
void CCrashDumpWrapper::WriteDriverList(
|
|
BYTE *pb,
|
|
unsigned offset,
|
|
unsigned stringOffset
|
|
)
|
|
{
|
|
PLIST_ENTRY pleNext;
|
|
PLDR_DATA_TABLE_ENTRY pdte;
|
|
PDUMP_DRIVER_ENTRY pdde;
|
|
PDUMP_STRING pds;
|
|
PDUMP_STRING pdsInitial;
|
|
LIST_ENTRY le;
|
|
LDR_DATA_TABLE_ENTRY dte;
|
|
ULONG i = 0;
|
|
|
|
// pointer to first driver entry to write out
|
|
pdde = (PDUMP_DRIVER_ENTRY) (pb + offset);
|
|
|
|
// pointer to first module name to write out
|
|
pds = (PDUMP_STRING) (pb + stringOffset);
|
|
pdsInitial = pds;
|
|
|
|
// obtain pointer to list head from dump header
|
|
PLIST_ENTRY pleHead = (PLIST_ENTRY) m_pHeader->PsLoadedModuleList;
|
|
|
|
// read in list head
|
|
if (!DmpReadMemory((ULONG64) pleHead, &le, sizeof(le)))
|
|
{
|
|
printf("Could not read base of the PsModuleList");
|
|
}
|
|
|
|
// get pointer to first link
|
|
pleNext = le.Flink;
|
|
|
|
while (pleNext != pleHead)
|
|
{
|
|
// obtain pointer to loader entry
|
|
pdte = CONTAINING_RECORD(pleNext,
|
|
LDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks
|
|
);
|
|
|
|
// read in loader entry
|
|
if (!DmpReadMemory((ULONG64) pdte, (PVOID) &dte, sizeof(dte)))
|
|
{
|
|
printf("memory read failed addr=0x%08x", (DWORD)(ULONG_PTR) pdte);
|
|
}
|
|
|
|
// Build the entry in the string pool. We guarantee all strings are
|
|
// NULL terminated as well as length prefixed.
|
|
pds->Length = dte.BaseDllName.Length / 2;
|
|
|
|
if (!DmpReadMemory((ULONG64) dte.BaseDllName.Buffer,
|
|
pds->Buffer,
|
|
pds->Length * sizeof (WCHAR)))
|
|
{
|
|
printf("memory read failed addr=0x%08x", (DWORD)(ULONG_PTR) dte.BaseDllName.Buffer);
|
|
}
|
|
|
|
// null terminate string
|
|
pds->Buffer[pds->Length] = '\0';
|
|
|
|
// read in loader entry
|
|
memcpy(&pdde->LdrEntry, &dte, sizeof(pdde->LdrEntry));
|
|
|
|
// replace pointer to string
|
|
pdde->DriverNameOffset = (ULONG)((ULONG_PTR) pds - (ULONG_PTR) pb);
|
|
|
|
// get pointer to next string
|
|
pds = (PDUMP_STRING) ALIGN_UP_POINTER(((LPBYTE) pds) + sizeof(DUMP_STRING) +
|
|
sizeof(WCHAR) * (pds->Length + 1),
|
|
ULONGLONG);
|
|
|
|
// extract timestamp and image size
|
|
IMAGE_DOS_HEADER hdr;
|
|
IMAGE_NT_HEADERS nthdr;
|
|
unsigned cb;
|
|
cb = DmpReadMemory((ULONG64) dte.DllBase, &hdr, sizeof(hdr));
|
|
if (cb == sizeof(IMAGE_DOS_HEADER) &&
|
|
hdr.e_magic == IMAGE_DOS_SIGNATURE &&
|
|
(hdr.e_lfanew & 3) == 0)
|
|
{
|
|
cb = DmpReadMemory((ULONG64) dte.DllBase + hdr.e_lfanew, &nthdr, sizeof(nthdr));
|
|
if (cb == sizeof(IMAGE_NT_HEADERS) &&
|
|
nthdr.Signature == IMAGE_NT_SIGNATURE)
|
|
{
|
|
// repoace next link with link date timestap and image size
|
|
pdde->LdrEntry.TimeDateStamp = nthdr.FileHeader.TimeDateStamp;
|
|
pdde->LdrEntry.SizeOfImage = nthdr.OptionalHeader.SizeOfImage;
|
|
}
|
|
}
|
|
|
|
|
|
pleNext = dte.InLoadOrderLinks.Flink;
|
|
pdde = (PDUMP_DRIVER_ENTRY)(((PUCHAR) pdde) + sizeof(*pdde));
|
|
}
|
|
}
|
|
|
|
|
|
void CCrashDumpWrapper::WriteCurrentProcess(BYTE *pb, ULONG offset)
|
|
{
|
|
BYTE thread[X86_ETHREAD_SIZE];
|
|
|
|
// get current htread
|
|
GetCurrentThread(thread);
|
|
|
|
// read process from pointer from thread
|
|
DmpReadMemory((DWORD) ((X86_THREAD *)(&thread[0]))->ApcState.Process,
|
|
pb + offset,
|
|
X86_NT5_EPROCESS_SIZE);
|
|
|
|
// validate type of object
|
|
//if (process.Pcb.Header.Type != ProcessObject)
|
|
//{
|
|
// printf("Current process object type is incorrect. The symbols are probably wrong.");
|
|
//}
|
|
}
|
|
|
|
|
|
|
|
void CCrashDumpWrapper::WriteUnloadedDrivers(BYTE *pb, ULONG offset)
|
|
{
|
|
ULONG64 addr;
|
|
ULONG i;
|
|
ULONG Index;
|
|
UNLOADED_DRIVERS *pud;
|
|
UNLOADED_DRIVERS ud;
|
|
PDUMP_UNLOADED_DRIVERS pdud;
|
|
PVOID pvMiUnloadedDrivers;
|
|
ULONG ulMiLastUnloadedDriver;
|
|
|
|
// find location of unloaded drivers
|
|
if (!(addr = g_DebuggerData.MmUnloadedDrivers))
|
|
{
|
|
// if can't be found then no unloaded drivers
|
|
*(PULONG) (pb + offset) = 0;
|
|
return;
|
|
}
|
|
else
|
|
// read in pointer to start of unloaded drivers
|
|
DmpReadMemory(addr, &pvMiUnloadedDrivers, sizeof(PVOID));
|
|
|
|
// try finding symbol indicating offset of last unloaded driver
|
|
if (!(addr = g_DebuggerData.MmLastUnloadedDriver))
|
|
{
|
|
// if not found, then no unloaded drivers
|
|
*(PULONG) (pb + offset) = 0;
|
|
return;
|
|
}
|
|
else
|
|
// read in offset of last unloaded driver
|
|
DmpReadMemory(addr, &ulMiLastUnloadedDriver, sizeof(ULONG));
|
|
|
|
|
|
if (pvMiUnloadedDrivers == NULL)
|
|
{
|
|
// if unloaded driver pointer is null, then no unloaded drivers
|
|
*(PULONG)(pb + offset) = 0;
|
|
return;
|
|
}
|
|
|
|
// point to last unloaded drivers
|
|
pdud = (PDUMP_UNLOADED_DRIVERS)((PULONG)(pb + offset) + 1);
|
|
PUNLOADED_DRIVERS rgud = (PUNLOADED_DRIVERS) pvMiUnloadedDrivers;
|
|
|
|
//
|
|
// Write the list with the most recently unloaded driver first to the
|
|
// least recently unloaded driver last.
|
|
//
|
|
|
|
Index = ulMiLastUnloadedDriver - 1;
|
|
|
|
for (i = 0; i < MI_UNLOADED_DRIVERS; i += 1)
|
|
{
|
|
if (Index >= MI_UNLOADED_DRIVERS)
|
|
Index = MI_UNLOADED_DRIVERS - 1;
|
|
|
|
// read in unloaded driver
|
|
if (!DmpReadMemory((ULONG64) &rgud[Index], &ud, sizeof(ud)))
|
|
{
|
|
printf("can't read memory from %08x", (ULONG)(ULONG_PTR)(&rgud[Index]));
|
|
}
|
|
|
|
// copy name lengths
|
|
pdud->Name.MaximumLength = ud.Name.MaximumLength;
|
|
pdud->Name.Length = ud.Name.Length;
|
|
if (ud.Name.Buffer == NULL)
|
|
break;
|
|
|
|
// copy start and end address
|
|
pdud->StartAddress = ud.StartAddress;
|
|
pdud->EndAddress = ud.EndAddress;
|
|
|
|
// restrict name length and maximum name length to 12 characters
|
|
if (pdud->Name.Length > MAX_UNLOADED_NAME_LENGTH * 2)
|
|
pdud->Name.Length = MAX_UNLOADED_NAME_LENGTH * 2;
|
|
|
|
if (pdud->Name.MaximumLength > MAX_UNLOADED_NAME_LENGTH * 2)
|
|
pdud->Name.MaximumLength = MAX_UNLOADED_NAME_LENGTH * 2;
|
|
|
|
// setup pointer to driver name and read it in
|
|
pdud->Name.Buffer = pdud->DriverName;
|
|
if (!DmpReadMemory((ULONG64) ud.Name.Buffer,
|
|
pdud->Name.Buffer,
|
|
pdud->Name.MaximumLength))
|
|
{
|
|
printf("cannot read memory at address %08x", (ULONG)(ULONG64)(ud.Name.Buffer));
|
|
}
|
|
|
|
// move to previous driver
|
|
pdud += 1;
|
|
Index -= 1;
|
|
}
|
|
|
|
// number of drivers in the list
|
|
*(PULONG) (pb + offset) = i;
|
|
}
|
|
|
|
void CCrashDumpWrapper::WriteMmTriageInformation(BYTE *pb, ULONG offset)
|
|
{
|
|
MI_TRIAGE_STORAGE TriageInformation;
|
|
ULONG64 pMmVerifierData;
|
|
ULONG64 pvMmPagedPoolInfo;
|
|
ULONG_PTR cbNonPagedPool;
|
|
ULONG_PTR cbPagedPool;
|
|
|
|
|
|
// version information
|
|
TriageInformation.Version = 1;
|
|
|
|
// size information
|
|
TriageInformation.Size = sizeof(MI_TRIAGE_STORAGE);
|
|
|
|
// get special pool tag
|
|
ExtractValue(MmSpecialPoolTag, TriageInformation.MmSpecialPoolTag);
|
|
|
|
// get triage action taken
|
|
ExtractValue(MmTriageActionTaken, TriageInformation.MiTriageActionTaken);
|
|
pMmVerifierData = g_DebuggerData.MmVerifierData;
|
|
|
|
// read in verifier level
|
|
// BUGBUG - should not read internal data structures in MM
|
|
//if (pMmVerifierData)
|
|
// DmpReadMemory(
|
|
// (ULONG64) &((MM_DRIVER_VERIFIER_DATA *) pMmVerifierData)->Level,
|
|
// &TriageInformation.MmVerifyDriverLevel,
|
|
// sizeof(TriageInformation.MmVerifyDriverLevel));
|
|
//else
|
|
TriageInformation.MmVerifyDriverLevel = 0;
|
|
|
|
// read in verifier
|
|
ExtractValue(KernelVerifier, TriageInformation.KernelVerifier);
|
|
|
|
// read non paged pool info
|
|
ExtractValue(MmMaximumNonPagedPoolInBytes, cbNonPagedPool);
|
|
TriageInformation.MmMaximumNonPagedPool = cbNonPagedPool >> PAGE_SHIFT;
|
|
ExtractValue(MmAllocatedNonPagedPool, TriageInformation.MmAllocatedNonPagedPool);
|
|
|
|
// read paged pool info
|
|
ExtractValue(MmSizeOfPagedPoolInBytes, cbPagedPool);
|
|
TriageInformation.PagedPoolMaximum = cbPagedPool >> PAGE_SHIFT;
|
|
pvMmPagedPoolInfo = g_DebuggerData.MmPagedPoolInformation;
|
|
|
|
// BUGBUG - should not read internal data structures in MM
|
|
//if (pvMmPagedPoolInfo)
|
|
// DmpReadMemory(
|
|
// (ULONG64) &((MM_PAGED_POOL_INFO *) pvMmPagedPoolInfo)->AllocatedPagedPool,
|
|
// &TriageInformation.PagedPoolAllocated,
|
|
// sizeof(TriageInformation.PagedPoolAllocated));
|
|
//else
|
|
TriageInformation.PagedPoolAllocated = 0;
|
|
|
|
// read committed pages info
|
|
ExtractValue(MmTotalCommittedPages, TriageInformation.CommittedPages);
|
|
ExtractValue(MmPeakCommitment, TriageInformation.CommittedPagesPeak);
|
|
ExtractValue(MmTotalCommitLimitMaximum, TriageInformation.CommitLimitMaximum);
|
|
memcpy(pb + offset, &TriageInformation, sizeof(TriageInformation));
|
|
}
|
|
|
|
|
|
//-------------------------------------------------------------------
|
|
// @mfunc initialize the triage dump header from a full or kernel
|
|
// dump
|
|
//
|
|
void InitTriageDumpHeader(
|
|
TRIAGE_DUMP *ptdh, // out | triage dump header
|
|
CCrashDumpWrapper &wrapper // in | wrapper for dump extraction functions
|
|
)
|
|
{
|
|
ULONG cbNames;
|
|
|
|
// copy build number
|
|
ExtractValue(CmNtCSDVersion, ptdh->ServicePackBuild);
|
|
|
|
// set size of dump to 64K
|
|
ptdh->SizeOfDump = TRIAGE_DUMP_SIZE;
|
|
|
|
// valid offset is last DWORD in tiage dump
|
|
ptdh->ValidOffset = TRIAGE_DUMP_SIZE - sizeof(ULONG);
|
|
|
|
// context offset is fixed position on first page
|
|
ptdh->ContextOffset = FIELD_OFFSET (DUMP_HEADER, ContextRecord);
|
|
|
|
// exception offset is fixed position on first page
|
|
ptdh->ExceptionOffset = FIELD_OFFSET (DUMP_HEADER, Exception);
|
|
|
|
// starting offset in triage dump follows the triage dump header
|
|
unsigned offset = ALIGN_8(PAGE_SIZE + sizeof(TRIAGE_DUMP));
|
|
|
|
// mm information is first
|
|
ptdh->MmOffset = offset;
|
|
|
|
// mm information is fixed size structure
|
|
offset += ALIGN_8(sizeof(MI_TRIAGE_STORAGE));
|
|
|
|
// unloaded module list is next
|
|
ptdh->UnloadedDriversOffset = offset;
|
|
offset += sizeof(ULONG) + MI_UNLOADED_DRIVERS * sizeof(DUMP_UNLOADED_DRIVERS);
|
|
|
|
// processor control block is next
|
|
ptdh->PrcbOffset = offset;
|
|
offset += ALIGN_8(X86_NT5_KPRCB_SIZE);
|
|
|
|
// current process is next
|
|
ptdh->ProcessOffset = offset;
|
|
offset += ALIGN_8(X86_NT5_EPROCESS_SIZE);
|
|
|
|
// current thread is next
|
|
ptdh->ThreadOffset = offset;
|
|
offset += ALIGN_8(X86_ETHREAD_SIZE);
|
|
|
|
// call stack is next
|
|
ptdh->CallStackOffset = offset;
|
|
ptdh->SizeOfCallStack = wrapper.GetCallStackSize();
|
|
ptdh->TopOfStack = m_pcontext->Esp;
|
|
offset += ALIGN_8(ptdh->SizeOfCallStack); // Offset of Driver List
|
|
|
|
// loaded driver list is next
|
|
ptdh->DriverListOffset = offset;
|
|
ptdh->DriverCount = wrapper.GetDriverCount(&cbNames);
|
|
offset += ALIGN_8(ptdh->DriverCount * sizeof(DUMP_DRIVER_ENTRY));
|
|
ptdh->StringPoolOffset = offset;
|
|
ptdh->StringPoolSize = (ULONG) cbNames;
|
|
ptdh->BrokenDriverOffset = 0;
|
|
|
|
// all options are enabled
|
|
ptdh->TriageOptions = 0xffffffff;
|
|
}
|
|
|
|
//------------------------------------------------------------------------
|
|
// @func convert a full or kernel dump to a triage dump
|
|
//
|
|
extern "C"
|
|
BOOL
|
|
DoConversion(
|
|
LPSTR szInputDumpFile, // full or kernel dump
|
|
HANDLE OutputDumpFile // triage dump file
|
|
)
|
|
{
|
|
PDUMP_HEADER pNewHeader;
|
|
ULONG64 addr;
|
|
ULONG i;
|
|
|
|
//
|
|
// Open the full dump files
|
|
// crash dump wrapper has extraction functions for full dump
|
|
//
|
|
|
|
if (!DmpInitialize(szInputDumpFile, (PCONTEXT *)&m_pcontext, &m_pexception, (PVOID *)&m_pHeader))
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
//
|
|
// Lets determine what version of the dump file we are looking at.
|
|
// Read the appropriate data block based on that.
|
|
//
|
|
|
|
if (!m_pHeader) {
|
|
return FALSE;
|
|
}
|
|
|
|
if ((m_pHeader->KdDebuggerDataBlock) &&
|
|
(m_pHeader->KdDebuggerDataBlock != 'EGAP'))
|
|
{
|
|
DmpReadMemory((ULONG64)(m_pHeader->KdDebuggerDataBlock),
|
|
&g_DebuggerData,
|
|
sizeof(g_DebuggerData));
|
|
} else {
|
|
|
|
for (i=0; i<32; i++)
|
|
{
|
|
if (blocks[i]->PsLoadedModuleList == m_pHeader->PsLoadedModuleList)
|
|
{
|
|
g_DebuggerData = *(blocks[i]);
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (i == 32) {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
CCrashDumpWrapper wrapper;
|
|
|
|
if (addr = g_DebuggerData.KiProcessorBlock)
|
|
{
|
|
DmpReadMemory(addr, KiProcessors, sizeof(PVOID) * MAXIMUM_PROCESSORS);
|
|
|
|
// validate dump file and throw if invalid
|
|
DmpValidateDumpFile(1);
|
|
|
|
// allocate block to hold triage dump
|
|
pNewHeader = (PDUMP_HEADER) malloc(TRIAGE_DUMP_SIZE);
|
|
|
|
if (pNewHeader) {
|
|
|
|
// copy in first page (common between all dumps)
|
|
memcpy(pNewHeader, m_pHeader, PAGE_SIZE);
|
|
|
|
// set dump type to triage dump
|
|
pNewHeader->DumpType = DUMP_TYPE_TRIAGE;
|
|
|
|
// triage dump header begins on second page
|
|
TRIAGE_DUMP *ptdh = (TRIAGE_DUMP *) ((BYTE *) pNewHeader + PAGE_SIZE);
|
|
|
|
// setup triage dump header
|
|
InitTriageDumpHeader(ptdh, wrapper);
|
|
|
|
// write unloaded drivers
|
|
wrapper.WriteUnloadedDrivers((PBYTE)pNewHeader, ptdh->UnloadedDriversOffset);
|
|
|
|
// write mm information
|
|
wrapper.WriteMmTriageInformation((PBYTE)pNewHeader, ptdh->MmOffset);
|
|
|
|
// write stack
|
|
if (ptdh->SizeOfCallStack > 0)
|
|
DmpReadMemory(ptdh->TopOfStack,
|
|
((PBYTE)pNewHeader) + ptdh->CallStackOffset,
|
|
ptdh->SizeOfCallStack);
|
|
|
|
// write thread
|
|
GetCurrentThread((PBYTE)pNewHeader + ptdh->ThreadOffset);
|
|
|
|
// write process
|
|
wrapper.WriteCurrentProcess((PBYTE)pNewHeader, ptdh->ProcessOffset);
|
|
|
|
// write processor control block (KPRCB)
|
|
DmpReadMemory((ULONG64) KiProcessors[DmpGetCurrentProcessor()],
|
|
((PBYTE)pNewHeader) + ptdh->PrcbOffset,
|
|
X86_NT5_KPRCB_SIZE);
|
|
|
|
// write loaded driver list
|
|
wrapper.WriteDriverList((PBYTE)pNewHeader, ptdh->DriverListOffset, ptdh->StringPoolOffset);
|
|
|
|
// end of triage dump validated
|
|
((ULONG *) pNewHeader)[TRIAGE_DUMP_SIZE/sizeof(ULONG) - 1] = TRIAGE_DUMP_VALID;
|
|
ULONG cbWritten;
|
|
|
|
if (!WriteFile(OutputDumpFile,
|
|
pNewHeader,
|
|
TRIAGE_DUMP_SIZE,
|
|
&cbWritten,
|
|
NULL
|
|
))
|
|
{
|
|
printf("Write to minidump file failed for reason %08x.\n",
|
|
GetLastError());
|
|
return 0;
|
|
}
|
|
|
|
if (cbWritten != TRIAGE_DUMP_SIZE)
|
|
{
|
|
printf("Write to minidump failed because disk is full.\n");
|
|
return 0;
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// not much we can do without the processor block
|
|
printf("Cannot load KiProcessorBlock");
|
|
}
|
|
|
|
DmpUnInitialize();
|
|
|
|
return 1;
|
|
}
|