
improve memory streams parsing #16

Open. Wants to merge 1 commit into base: main

Conversation

1ndahous3

  1. Add support for the MemoryList stream type.
  2. Add limited support for dumps without MemoryInfoList.

This implements parsing of some incomplete/synthetic dumps.

DRAKVUF minidump to check (added an extra .zip extension to satisfy dumb github):


0vercl0k commented Feb 26, 2024 via email


0vercl0k commented Mar 9, 2024

All right sorry for the lag on this - looking now.


0vercl0k commented Mar 9, 2024

Ok so does this add support for the MemoryList stream, but those dumps don't have a MemoryInfo? I am a bit confused about this added code:

      //
      // If we don't find an existing entry (no MemoryInfoList stream, or no
      // MemoryInfo matching this range), save the memory region here; the
      // meta information (State / Protect / Type) will be invalid.
      //

      auto It = Mem_.find(StartOfMemoryRange);
      if (It == Mem_.end()) {
        DbgPrintf("The memory region starting at %" PRIx64
                  " does not exist in the map, the meta information will be "
                  "invalid.\n",
                  StartOfMemoryRange);

        //
        // Zero-initialize so the fields we don't know (State, Protect, Type,
        // AllocationBase, ...) are not left indeterminate.
        //

        dmp::MemoryInfo_t MemInfo = {};
        MemInfo.BaseAddress = StartOfMemoryRange;
        MemInfo.RegionSize = DataSize;

        //
        // Cannot fail right after a failed find(); kept as a defensive check.
        // Report the region by its start address (the map key), not by the
        // data cursor.
        //

        auto Emplace = Mem_.try_emplace(StartOfMemoryRange, MemInfo);
        if (!Emplace.second) {
          DbgPrintf("The region %" PRIx64 " is already in the memory map.\n",
                    StartOfMemoryRange);
          return false;
        }

        It = Emplace.first;
      }

The issue with this is that the end user has no way to know programmatically what is 'valid' or 'invalid', which isn't great. Also, it seems like 'regular' (created by Windows tools) wouldn't create a dump with memory list entries and no matching info list?

Cheers


1ndahous3 commented Mar 9, 2024

> Ok so does this add support for the MemoryList stream but those dumps don't have a MemoryInfo?

Yes exactly. Technically, the streams containing the memory layer (raw data) are "MemoryList" and "Memory64List", so minidumps without the "MemoryInfoList" stream still contain all the necessary information to access the memory blocks.

I don't really know the correct set of streams in the "correct" minidumps, but I see projects that use the minimum set of streams to store data, and this patch adds the ability to work with such dumps.

I tried parsing minidumps of the DRAKVUF project (which I mentioned in the first post, see the linked code + minidump) and realized that this parser can parse the data, but only with this small patch.

> The issue with this, is that the end user has no way programmatically to know what is 'valid' or 'invalid' which isn't great

I'm sure that DRAKVUF is not the only project with a non-standard minidump, so I think it's better to support it (and print warnings) than not to support it. Also, truly bad/broken minidumps will be filtered out by other checks.
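The thread above argues over two things: whether a dump carrying only MemoryList / Memory64List is enough to build a memory map, and how a consumer can tell which entries had their MemoryInfo synthesized. The following example (added here, not udmp-parser code and not the code from this PR) shows both in a stand-alone Python minidump reader. It walks the stream directory, takes region metadata from MemoryInfoList when that stream exists, attaches raw bytes from MemoryList and Memory64List, and records on each region an explicit `info_from_dump` flag instead of a log message, so "valid" vs. "invalid" metadata is queryable. Stream and descriptor layouts follow minidumpapiset.h; the two dumps it parses are constructed in memory (one DRAKVUF-style with Memory64List only, one with MemoryInfoList plus MemoryList) and are samples, not real files from either project. A range whose declared DataSize runs past the end of the file is rejected, which is the kind of "other check" that filters a truly broken dump.

```python
"""Minimal minidump memory-map builder that tracks metadata provenance.

Added example; not the udmp-parser project's code. Layouts follow
minidumpapiset.h (MINIDUMP_HEADER, MINIDUMP_DIRECTORY, MINIDUMP_MEMORY_LIST,
MINIDUMP_MEMORY64_LIST, MINIDUMP_MEMORY_INFO_LIST). Sample dumps are constructed.
"""
import struct
from dataclasses import dataclass

MDMP_SIGNATURE = 0x504D444D  # 'MDMP'
MEMORY_LIST_STREAM = 5
MEMORY64_LIST_STREAM = 9
MEMORY_INFO_LIST_STREAM = 16


@dataclass
class Region:
    base: int
    size: int
    data: bytes
    # True when State/Protect/Type come from a MemoryInfoList entry;
    # False when the entry was synthesized from a memory descriptor only.
    info_from_dump: bool = False
    state: int = 0
    protect: int = 0
    type_: int = 0


def parse_memory_map(blob: bytes) -> dict[int, Region]:
    """Return {StartOfMemoryRange: Region} for every captured range."""
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<IIII", blob, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump")
    # Directory entries: StreamType u32, Location {DataSize u32, Rva u32}
    streams = {}
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from("<III", blob, dir_rva + 12 * i)
        streams[stype] = (size, rva)

    regions: dict[int, Region] = {}

    # MemoryInfoList: SizeOfHeader u32, SizeOfEntry u32, NumberOfEntries u64,
    # then MINIDUMP_MEMORY_INFO entries (48 bytes each on all known versions).
    if MEMORY_INFO_LIST_STREAM in streams:
        _, rva = streams[MEMORY_INFO_LIST_STREAM]
        hdr_size, entry_size, n = struct.unpack_from("<IIQ", blob, rva)
        for i in range(n):
            off = rva + hdr_size + i * entry_size
            (base, _alloc_base, _alloc_prot, _pad1, size,
             state, protect, type_, _pad2) = struct.unpack_from("<QQIIQIIII", blob, off)
            regions[base] = Region(base, size, b"", True, state, protect, type_)

    def attach(start: int, size: int, data: bytes) -> None:
        if len(data) != size:
            # Descriptor points past the end of the file: broken dump.
            raise ValueError(f"range {start:#x}: {size} bytes declared, {len(data)} present")
        reg = regions.get(start)
        if reg is None:
            # No matching MemoryInfo (or no MemoryInfoList at all): synthesize
            # the entry and leave the provenance flag False.
            reg = Region(start, size, b"", False)
            regions[start] = reg
        reg.data = data

    # MemoryList: NumberOfMemoryRanges u32, then {Start u64, DataSize u32, Rva u32}
    if MEMORY_LIST_STREAM in streams:
        _, rva = streams[MEMORY_LIST_STREAM]
        (n,) = struct.unpack_from("<I", blob, rva)
        for i in range(n):
            start, size, drva = struct.unpack_from("<QII", blob, rva + 4 + 16 * i)
            attach(start, size, blob[drva:drva + size])

    # Memory64List: NumberOfMemoryRanges u64, BaseRva u64, then {Start u64, DataSize u64};
    # the raw bytes of all ranges sit back-to-back starting at BaseRva.
    if MEMORY64_LIST_STREAM in streams:
        _, rva = streams[MEMORY64_LIST_STREAM]
        n, cur = struct.unpack_from("<QQ", blob, rva)
        for i in range(n):
            start, size = struct.unpack_from("<QQ", blob, rva + 16 + 16 * i)
            attach(start, size, blob[cur:cur + size])
            cur += size
    return regions


def build_minidump(streams) -> bytes:
    """Constructed-dump helper: header, directory, then stream bodies in order.
    A body may be a callable rva -> bytes for streams that embed absolute RVAs."""
    rva = 32 + 12 * len(streams)
    directory, bodies = b"", b""
    for stype, body in streams:
        data = body(rva) if callable(body) else body
        directory += struct.pack("<III", stype, len(data), rva)
        bodies += data
        rva += len(data)
    header = struct.pack("<IIIIIIQ", MDMP_SIGNATURE, 0xA793, len(streams), 32, 0, 0, 0)
    return header + directory + bodies


def drakvuf_style_dump() -> bytes:
    """Constructed sample: Memory64List only, no MemoryInfoList (not a real DRAKVUF file)."""
    pages = [(0x7FF600000000, b"MZ" + b"\x00" * 14), (0x10000, b"\xcc" * 8)]

    def mem64(rva):
        descs = b"".join(struct.pack("<QQ", s, len(d)) for s, d in pages)
        base_rva = rva + 16 + len(descs)
        return struct.pack("<QQ", len(pages), base_rva) + descs + b"".join(d for _, d in pages)

    return build_minidump([(MEMORY64_LIST_STREAM, mem64)])


def windows_style_dump() -> bytes:
    """Constructed sample: MemoryInfoList plus MemoryList, as Windows tooling emits."""
    start, data = 0x7FFE0000, b"\x90" * 16
    MEM_COMMIT, PAGE_READONLY, MEM_PRIVATE = 0x1000, 0x02, 0x20000
    info = struct.pack("<IIQ", 16, 48, 1) + struct.pack(
        "<QQIIQIIII", start, start, PAGE_READONLY, 0, 0x1000,
        MEM_COMMIT, PAGE_READONLY, MEM_PRIVATE, 0)

    def memlist(rva):
        return struct.pack("<I", 1) + struct.pack("<QII", start, len(data), rva + 20) + data

    return build_minidump([(MEMORY_INFO_LIST_STREAM, info), (MEMORY_LIST_STREAM, memlist)])


if __name__ == "__main__":
    for name, dump in (("drakvuf-style", drakvuf_style_dump()), ("windows-style", windows_style_dump())):
        for base, reg in sorted(parse_memory_map(dump).items()):
            print(f"{name}: {base:#x} size={reg.size:#x} protect={reg.protect:#x} "
                  f"info_from_dump={reg.info_from_dump}")
```

A consumer that needs trustworthy protection bits can filter on `info_from_dump` rather than scraping debug output, which is the programmatic signal the review comment asked for; everything else (raw bytes, start addresses, sizes) is equally usable from either kind of dump.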
