
kdmp-parser's Introduction

Hello, world 👋

If you made it all the way here, you might as well check out some of my projects and where I blog 😊. Oh, and if you want to say hi, come hang out on the Diary of a reverse-engineer's Discord: invite!

Windows related

Exploitation

  • Paracosme: Zero-click remote memory corruption exploit that compromises ICONICS Genesis64 (Pwn2Own Miami 2022),
  • Longue vue: Over-the-web remote compromise exploit chain for NETGEAR DGND3700v2 devices,
  • Zenith: Remote kernel exploit for the TP-Link AC1750 Smart Wi-Fi Router (Pwn2Own Austin 2021),
  • Pwn2Own Miami 2023: Writeups/PoCs for bugs I found while preparing for Pwn2Own Miami 2023 targeting UaGateway in the OPC UA Server category,
  • CVE-2019-11708: Full chain for CVE-2019-11708 & CVE-2019-9810,
  • CVE-2019-9810: RCE exploit for Firefox on Windows.

Misc

kdmp-parser's People

Contributors

0vercl0k, hugsy, masthoon


kdmp-parser's Issues

pip / setup.py

Explore the possibility to use a setup.py and to have kdmp available on pip

Unknown Type 0x6

I crashed Windows via notmyfault.exe with debugging file option [Automatic memory dump].
The generated dump file is passed through the parser:

.\parser.exe -c -e -p 0x1000 D:\vmware_share\MEMORY.DMP

Executing it prints:

Unknown Type 0x6. The header looks wrong. ParseDmpHeader failed. Parsing of the dump failed, exiting.
So this dump format itself won't be supported? How is it different from other types?

DumpTypeToString duplicated symbol if multiple includes

While updating kdmp-parser for wtf, I ran into the DumpTypeToString symbol being duplicated:

1>whv_backend.obj : error LNK2005: "class std::basic_string_view<char,struct std::char_traits<char> > const __cdecl kdmpparser::DumpTypeToString(enum kdmpparser::DumpType_t)" (?DumpTypeToString@kdmpparser@@YA?BV?$basic_string_view@DU?$char_traits@D@std@@@std@@W4DumpType_t@1@@Z) already defined in bochscpu_backend.obj
1>cmake_pch.cxx.obj : error LNK2005: "class std::basic_string_view<char,struct std::char_traits<char> > const __cdecl kdmpparser::DumpTypeToString(enum kdmpparser::DumpType_t)" (?DumpTypeToString@kdmpparser@@YA?BV?$basic_string_view@DU?$char_traits@D@std@@@std@@W4DumpType_t@1@@Z) already defined in bochscpu_backend.obj

Fix a bunch of nits

  • Image link in the README.md for Python is busted
  • Global README needs a refresh to point at pip, new build instructions, etc

cast that performs the conversions of a reinterpret_cast is not allowed in a constant expression

I've come across this error on clang-11:

../libs/kdmp-parser/src/lib/kdmp-parser-structs.h:39:20: error: constexpr function never produces a constant expression [-Winvalid-constexpr]
constexpr uint64_t OffsetFromThis(const void *This, const void *Field) {
                   ^
../libs/kdmp-parser/src/lib/kdmp-parser-structs.h:40:10: note: cast that performs the conversions of a reinterpret_cast is not allowed in a constant expression
  return uint64_t(Field) - uint64_t(This);
         ^
1 error generated.
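The three issues above (the "Unknown Type 0x6" rejection, the LNK2005 duplicate DumpTypeToString symbol, and the clang refusal to make OffsetFromThis constexpr) all live in the same corner of a dump-header parser, so here is one added example that addresses all three. It is not kdmp-parser's code: the enum names and values follow the usual dbgeng numbering but are assumptions, the DUMP_HEADER64 skeleton keeps only the fields it reads, and the DumpType offset (0xf98) comes from the public header layout rather than from this page. The sample header bytes are constructed in MakeSampleHeader, not taken from a real dump.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string_view>
#include <vector>

// Dump types as this example names them (assumed names/values, not necessarily
// the project's enum). 0x6 is what the notmyfault "Automatic memory dump" above
// produced; 0x9 and 0xa are the newer WinDbgX formats mentioned further down.
enum class DumpType_t : uint32_t {
  FullDump = 0x1,
  KernelDump = 0x2,
  MiniDump = 0x4,
  BMPDump = 0x5,
  LiveKernelMemoryDump = 0x6,
  KernelMemoryDump = 0x8,
  KernelAndUserMemoryDump = 0x9,
  CompleteMemoryDump = 0xa,
};

// `inline` is the fix for LNK2005: a non-inline function defined in a header is
// emitted once per translation unit that includes it and the linker refuses the
// duplicates; an inline function may be defined identically in every TU.
inline std::string_view DumpTypeToString(const DumpType_t Type) {
  switch (Type) {
  case DumpType_t::FullDump: return "FullDump";
  case DumpType_t::KernelDump: return "KernelDump";
  case DumpType_t::MiniDump: return "MiniDump";
  case DumpType_t::BMPDump: return "BMPDump";
  case DumpType_t::LiveKernelMemoryDump: return "LiveKernelMemoryDump";
  case DumpType_t::KernelMemoryDump: return "KernelMemoryDump";
  case DumpType_t::KernelAndUserMemoryDump: return "KernelAndUserMemoryDump";
  case DumpType_t::CompleteMemoryDump: return "CompleteMemoryDump";
  }
  return "Unknown";
}

// Pointer-to-integer conversion is a reinterpret_cast, which is never allowed
// in a constant expression, so this cannot be constexpr (clang's
// -Winvalid-constexpr). Keep it inline and runtime-only; for compile-time
// layout checks use offsetof + static_assert as done on the struct below.
inline uint64_t OffsetFromThis(const void *This, const void *Field) {
  return reinterpret_cast<uintptr_t>(Field) - reinterpret_cast<uintptr_t>(This);
}

// Skeleton of the 0x2000-byte DUMP_HEADER64 with only the fields read here.
// The 0xf98 offset of DumpType is an assumption from the public layout.
struct DumpHeader64_t {
  char Signature[4];  // "PAGE"
  char ValidDump[4];  // "DU64"
  uint8_t Unused0[0xf98 - 8];
  uint32_t DumpType;
  uint8_t Unused1[0x2000 - 0xf98 - sizeof(uint32_t)];
};
static_assert(sizeof(DumpHeader64_t) == 0x2000, "DUMP_HEADER64 is 0x2000 bytes");
static_assert(offsetof(DumpHeader64_t, DumpType) == 0xf98, "DumpType is at 0xf98");

struct HeaderInfo_t {
  bool ValidMagic = false;
  uint32_t RawType = 0;
  bool KnownType = false;
  std::string_view Name = "Unknown";
};

// Classify a header. Instead of bailing out with "Unknown Type", report the raw
// DumpType so a new format can be recognised and triaged rather than refused.
inline HeaderInfo_t SniffHeader(const uint8_t *Buf, const size_t Len) {
  HeaderInfo_t Info;
  if (Buf == nullptr || Len < sizeof(DumpHeader64_t)) {
    return Info;
  }
  DumpHeader64_t Hdr;
  std::memcpy(&Hdr, Buf, sizeof(Hdr));  // copy out: the buffer may be unaligned
  Info.ValidMagic = std::memcmp(Hdr.Signature, "PAGE", 4) == 0 &&
                    std::memcmp(Hdr.ValidDump, "DU64", 4) == 0;
  if (!Info.ValidMagic) {
    return Info;
  }
  Info.RawType = Hdr.DumpType;
  Info.Name = DumpTypeToString(static_cast<DumpType_t>(Hdr.DumpType));
  Info.KnownType = Info.Name != "Unknown";
  return Info;
}

// Constructed sample header (not a real dump): only the magic and DumpType.
inline std::vector<uint8_t> MakeSampleHeader(const uint32_t Type, const bool GoodMagic = true) {
  std::vector<uint8_t> Buf(sizeof(DumpHeader64_t), 0);
  std::memcpy(Buf.data(), GoodMagic ? "PAGE" : "XXXX", 4);
  std::memcpy(Buf.data() + 4, GoodMagic ? "DU64" : "XXXX", 4);
  std::memcpy(Buf.data() + offsetof(DumpHeader64_t, DumpType), &Type, sizeof(Type));
  return Buf;
}
```

With this shape, a header of type 0x6 is reported as a valid dump of a known type, a type the table does not list (0x7, say) is still reported as a valid header with its raw number, and only a bad magic or a short buffer is rejected outright, which is the information a user needs to file a useful issue.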

Bug when building physmap for `CompleteMemoryDump` dump

Hmm something wrong is going on:

0:000> lsa .
   639:       }
   640: 
   641:       for (uint64_t PageIdx = 0; PageIdx < Entry.NumberOfPages; PageIdx++) {
   642:         if (!IsPageInBounds(Page)) {
>  643:           return false;
   644:         }
   645: 
   646:         const uint64_t Pa = (Pfn * Page::Size) + (PageIdx * Page::Size);
   647:         Physmem_.try_emplace(Pa, Page);
   648:         Page += Page::Size;
0:000> ?? Entry
struct kdmpparser::KernelDumpParser::BuildPhysicalMemoryFromDump::__l2::PfnRange * 0x0000028f`bba72090
   +0x000 PageFileNumber   : 0x00000001`00064de9
   +0x008 NumberOfPages    : 0x1018003f`00000000
Entry: 1 / 9f
Entry: 100 / 91e
Entry: ae3 / 940d
Entry: a001 / 1ff
Entry: a20d / ad0ed
Entry: bcffe / 1002
Entry: 100064de9 / 1018003f00000000

MetadataSize is 0x70 so this is the last entry 🤔

@hugsy do you still have your reverse-engineering notes 😅?
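The walk above fails only when the per-page bounds check trips on the last entry, whose NumberOfPages of 0x1018003f00000000 cannot be a real page count. Here is an added example (not kdmp-parser's code) of building the physical map from such PFN ranges with the whole range validated up front: every multiplication and addition is overflow-checked, a range that does not fit in the remaining file stops the walk, and accepted ranges are stored as runs rather than one map node per page. The seven entries are the ones printed in the issue; the data offset (0x3000) and the dump size are constructed for the example, the size being exactly what the first six ranges need.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <optional>
#include <vector>

constexpr uint64_t PageSize = 0x1000;
constexpr uint64_t MaxPages = UINT64_MAX / PageSize;  // largest count that still fits in bytes

// One metadata entry as the debugger shows it: starting PFN and page count.
struct PfnRange_t {
  uint64_t PageFileNumber;
  uint64_t NumberOfPages;
};

// A run of physically contiguous pages stored back to back in the dump file.
struct Run_t {
  uint64_t NumberOfPages;
  uint64_t FileOffset;  // file offset of the run's first page
};

struct Physmap_t {
  std::map<uint64_t, Run_t> Runs;  // PA of the run's first page -> run
  size_t RangesAccepted = 0;
  bool Truncated = false;          // a range did not fit and the walk stopped there
  uint64_t NextOffset = 0;         // file offset just past the last accepted run

  // Physical address -> file offset of that byte, or nullopt if no run covers it.
  std::optional<uint64_t> Lookup(const uint64_t Pa) const {
    auto It = Runs.upper_bound(Pa);
    if (It == Runs.begin()) {
      return std::nullopt;
    }
    --It;
    const uint64_t Span = It->second.NumberOfPages * PageSize;  // checked at insert time
    if (Pa - It->first >= Span) {
      return std::nullopt;
    }
    return It->second.FileOffset + (Pa - It->first);
  }
};

// Validate a whole range before walking it. A bogus entry such as the last one
// in the issue is rejected because its byte length does not fit in 64 bits, not
// because some page inside it eventually fell off the end of the file.
inline bool RangeFits(const PfnRange_t &E, const uint64_t Offset, const uint64_t DumpSize,
                      uint64_t &Bytes) {
  if (E.PageFileNumber > MaxPages || E.NumberOfPages > MaxPages) {
    return false;  // PA start or byte length would overflow
  }
  const uint64_t PaStart = E.PageFileNumber * PageSize;
  Bytes = E.NumberOfPages * PageSize;
  if (PaStart > UINT64_MAX - Bytes) {
    return false;  // PA end would wrap
  }
  if (Offset > DumpSize || Bytes > DumpSize - Offset) {
    return false;  // run would extend past the end of the file
  }
  return true;
}

inline Physmap_t BuildPhysmap(const std::vector<PfnRange_t> &Entries, const uint64_t DataOffset,
                              const uint64_t DumpSize) {
  Physmap_t Map;
  uint64_t Offset = DataOffset;
  for (const auto &E : Entries) {
    uint64_t Bytes = 0;
    if (!RangeFits(E, Offset, DumpSize, Bytes)) {
      Map.Truncated = true;
      break;
    }
    Map.Runs.try_emplace(E.PageFileNumber * PageSize, Run_t{E.NumberOfPages, Offset});
    Offset += Bytes;
    Map.RangesAccepted++;
  }
  Map.NextOffset = Offset;
  return Map;
}

// The seven entries from the issue; offset and size below are constructed.
inline const std::vector<PfnRange_t> SampleEntries = {
    {0x1, 0x9f},       {0x100, 0x91e},   {0xae3, 0x940d},
    {0xa001, 0x1ff},   {0xa20d, 0xad0ed}, {0xbcffe, 0x1002},
    {0x100064de9, 0x1018003f00000000},
};
constexpr uint64_t SampleDataOffset = 0x3000;

// Dump size that holds exactly the first six ranges (the last one is the bogus entry).
inline uint64_t SampleDumpSize() {
  uint64_t Size = SampleDataOffset;
  for (size_t i = 0; i + 1 < SampleEntries.size(); i++) {
    Size += SampleEntries[i].NumberOfPages * PageSize;
  }
  return Size;
}
```

Run on the issue's entries, the first six ranges are accepted, the walk stops at the seventh with the map marked as truncated, and NextOffset lands exactly on the constructed end of file; the seventh entry is rejected even against an unbounded file size, which is the signal that the metadata was misread rather than that the dump is short.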

DumpType = 9

In 0vercl0k/wtf#101, there is a dump file with a DumpType = 9 which isn't supported by kdmp-parser. Based on the investigation, this seems to be newish and only available in latest (?) WinDbgX.

DumpType = 0xA, Kernel range dump

Based on 0vercl0k/wtf#139 this looks like yet another new dump format:

kd> dx @$cursession
@$cursession                 : 64-bit Kernel range dump: testapps\state\mem.dmp

It doesn't seem to be supported by the dbgeng.dll shipped w/ the regular windbg that I got in the SDK:

0:000> lmvm dbgeng
Browse full module list
start             end                 module name
00000001`80000000 00000001`8087a000   dbgeng     (pdb symbols)          c:\work\dbg\sym\dbgeng.pdb\DA8D57515A772495F39B6FECD19C2C8D1\dbgeng.pdb
    Loaded symbol image file: dbgeng.dll
    Mapped memory image file: c:\program Files (x86)\windows kits\10\debuggers\x64\dbgeng.dll
    Image path: c:\program Files (x86)\windows kits\10\debuggers\x64\dbgeng.dll
    Image name: dbgeng.dll
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        2249EE61 (This is a reproducible build file hash, not a timestamp)
    CheckSum:         0084EADC
    ImageSize:        0087A000
    File version:     10.0.22621.1
    Product version:  10.0.22621.1
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     DbgEng.Dll
        OriginalFilename: DbgEng.Dll
        ProductVersion:   10.0.22621.1
        FileVersion:      10.0.22621.1 (WinBuild.160101.0800)
        FileDescription:  Windows Symbolic Debugger Engine
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
