{"id":17263388,"url":"https://github.com/0vercl0k/kdmp-parser","last_synced_at":"2025-04-05T06:08:46.408Z","repository":{"id":44457658,"uuid":"240737075","full_name":"0vercl0k/kdmp-parser","owner":"0vercl0k","description":"A Windows kernel dump C++ parser library with Python 3 bindings.","archived":false,"fork":false,"pushed_at":"2024-07-14T02:26:53.000Z","size":623,"stargazers_count":199,"open_issues_count":2,"forks_count":29,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-03-29T05:06:54.905Z","etag":null,"topics":["bitmap-dump","dmp","dumps","full-dump","kernel-dump","python3","windbg"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0vercl0k.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-02-15T15:27:14.000Z","updated_at":"2025-03-22T00:57:32.000Z","dependencies_parsed_at":"2023-12-25T21:01:54.357Z","dependency_job_id":"cc0d4c27-9f5a-4ab5-8c9d-dd7e22891889","html_url":"https://github.com/0vercl0k/kdmp-parser","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0vercl0k%2Fkdmp-parser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0vercl0k%2Fkdmp-parser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0vercl0k%2Fkdmp-parser/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0vercl0k%2Fkdmp-parser/manifests","owner_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/owners/0vercl0k","download_url":"https://codeload.github.com/0vercl0k/kdmp-parser/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247294539,"owners_count":20915340,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bitmap-dump","dmp","dumps","full-dump","kernel-dump","python3","windbg"],"created_at":"2024-10-15T07:56:23.779Z","updated_at":"2025-04-05T06:08:46.389Z","avatar_url":"https://github.com/0vercl0k.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kdmp-parser\n\n![Build status](https://github.com/0vercl0k/kdmp-parser/workflows/Builds/badge.svg)\n[![Downloads](https://static.pepy.tech/badge/kdmp-parser/month)](https://pepy.tech/project/kdmp-parser)\n\nThis C++ library parses Windows kernel [full](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/complete-memory-dump) dumps (`.dump /f` in WinDbg), [BMP](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/active-memory-dump) dumps (`.dump /ka` in WinDbg) as well as more recent dump types that were introduced in ~2022.\n\n![parser](pics/parser.jpg)\n\nThe library supports loading 64-bit dumps and provides read access to things like:\n\n- The context record,\n- The exception record,\n- The bugcheck parameters,\n- The physical memory.\n\nCompiled binaries are available in the [releases](https://github.com/0vercl0k/kdmp-parser/releases) section.\n\nSpecial thanks to:\n- [hugsy](https://github.com/hugsy) for numerous contributions: the new Python bindings, CI 
improvements, new dump types, etc.,\n- [masthoon](https://github.com/masthoon) for the initial version of the Python bindings,\n- [yrp604](https://github.com/yrp604) for being knowledgeable about the format,\n- the [rekall](https://github.com/google/rekall) project and their [Python implementation](https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/overlays/windows/crashdump.py) (most of the structures in [kdmp-parser-structs.h](https://github.com/0vercl0k/kdmp-parser/blob/master/src/kdmp-parser/kdmp-parser-structs.h) have been adapted from it).\n\n## Parser\n\nThe `parser.exe` application is able to dump various information about the dump file: exception record, context record, etc.\n\n```text\n\u003eparser.exe -c -e -p 0x1000 full.dmp\n--------------------------------------------------------------------------------\nContext Record:\n  rax=0000000000000003 rbx=fffff8050f4e9f70 rcx=0000000000000001\n  rdx=fffff805135684d0 rsi=0000000000000100 rdi=fffff8050f4e9f80\n  rip=fffff805108776a0 rsp=fffff805135684f8 rbp=fffff80513568600\n   r8=0000000000000003  r9=fffff805135684b8 r10=0000000000000000\n  r11=ffffa8848825e000 r12=fffff8050f4e9f80 r13=fffff80510c3c958\n  r14=0000000000000000 r15=0000000000000052\n  cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b                 efl=00040202\n  fpcw=0000    fpsw=0000    fptw=0001\n    st0=fffff80510bbf000fffff80510c3c9c0       st1=0005e5a800ab2000fffff805106b3000\n    st2=4000000000200000fffff80510beaea8       st3=000000000a0d656c69666f7250206465\n    st4=0000000a0d656c69666f725000000010       st5=0000000000000000fffff80510b16900\n    st6=0000000000000000fffff805133e9000       st7=fffff47c02899f480000000000000000\n   xmm0=000000000a0d656c69666f7250206465      xmm1=0000000a0d656c69666f725000000010\n   xmm2=0000000000000000fffff80510b16900      xmm3=0000000000000000fffff805133e9000\n   xmm4=fffff47c02899f480000000000000000      xmm5=00000000000000000000000000000000\n   xmm6=00000000000000000000000000000000   
   xmm7=00000000000000000000000000000000\n   xmm8=00000000000000000000000000000000      xmm9=00000000000000000000000000000000\n  xmm10=00000000000000000000000000000000     xmm11=00000000000000000000000000000000\n  xmm12=00000000000000000000000000000000     xmm13=00000000000000000000000000000000\n  xmm14=00000000000000000000000000000000     xmm15=00000000000000000000000000000000\n--------------------------------------------------------------------------------\nException Record:\n  KDMP_PARSER_EXCEPTION_RECORD64\n    +0x0000: ExceptionCode            : 0x80000003.\n    +0x0004: ExceptionFlags           : 0x00000000.\n    +0x0008: ExceptionRecord          : 0x0000000000000000.\n    +0x0010: ExceptionAddress         : 0xfffff805108776a0.\n    +0x0018: NumberParameters         : 0x00000001.\n    +0x0020: ExceptionInformation[0]  : 0x0000000000000000.\n    +0x0028: ExceptionInformation[1]  : 0x0000000000000000.\n    +0x0030: ExceptionInformation[2]  : 0xffffa8848825e000.\n    +0x0038: ExceptionInformation[3]  : 0x00000000000002c0.\n    +0x0040: ExceptionInformation[4]  : 0xfffff80511022203.\n    +0x0048: ExceptionInformation[5]  : 0x0000000000004280.\n    +0x0050: ExceptionInformation[6]  : 0xfffff80510880524.\n    +0x0058: ExceptionInformation[7]  : 0xffffa88488282360.\n    +0x0060: ExceptionInformation[8]  : 0x0000000000000280.\n    +0x0068: ExceptionInformation[9]  : 0xfffff805135683d8.\n    +0x0070: ExceptionInformation[10] : 0xffffa8848d9d6fb0.\n    +0x0078: ExceptionInformation[11] : 0x0000000000004280.\n    +0x0080: ExceptionInformation[12] : 0x00001f8001004280.\n    +0x0088: ExceptionInformation[13] : 0x0000000000000003.\n    +0x0090: ExceptionInformation[14] : 0xfffff80513568578.\n--------------------------------------------------------------------------------\nPhysical memory:\n00001000: 00 00 00 00 00 00 00 00 00 00 f9 ff 00 00 00 00  |................|\n00001010: 00 06 01 01 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n00001020: 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00  |................|\n00001030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n00001040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n00001050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n00001060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n00001070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n00001080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n00001090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n000010a0: 00 00 00 00 00 00 00 00 00 a0 87 00 00 00 00 00  |................|\n000010b0: ff ff ff ff ff ff ff ff 00 00 60 11 05 f8 ff ff  |..........`.....|\n000010c0: 00 90 2f 00 00 00 00 00 ff ff ff ff 03 80 ff ff  |../.............|\n000010d0: f8 00 00 c0 c1 f7 ff ff 00 00 00 00 03 00 00 00  |................|\n000010e0: f8 00 00 c0 c1 f7 ff ff 00 00 00 00 03 00 00 00  |................|\n000010f0: 00 00 00 00 00 00 00 00 70 37 01 c0 c1 f7 ff ff  |........p7......|\n...\n```\n\n## Building\n\nYou can build it yourself using CMake and it builds on Linux, Windows, OSX with the Microsoft, the LLVM Clang and GNU compilers.\n\nHere is an example on Windows:\n```\n\u003e mkdir build\n\u003e cd build\n\u003e cmake ..\n-- Building for: Visual Studio 17 2022\n...\n\n\u003e cmake --build . 
--config RelWithDebInfo\nMSBuild version 17.8.3+195e7f5a3 for .NET Framework\n...\n\n\u003e src\\parser\\RelWithDebInfo\\parser.exe\nYou didn't provide the path to the dump file.\n\nparser.exe [-p [\u003cphysical address\u003e]] [-c] [-e] [-h] \u003ckdump path\u003e\n\nExamples:\n  Show every structures of the dump:\n    parser.exe -a full.dmp\n\n  Show the context record:\n    parser.exe -c full.dmp\n\n  Show the exception record:\n    parser.exe -e full.dmp\n\n  Show all the physical memory (first 16 bytes of every pages):\n    parser.exe -p full.dmp\n\n  Show the context record as well as the page at physical address 0x1000:\n    parser.exe -c -p 0x1000 full.dmp\n```\n\nHere is another example on Linux (with the Python bindings):\n```\n$ mkdir build\n$ cd build\n$ cmake .. -DBUILD_PYTHON_BINDING=ON\n...\n\n$ cmake --build . --config RelWithDebInfo\n...\n\n$ ./src/parser/parser\nYou didn't provide the path to the dump file.\n\nparser.exe [-p [\u003cphysical address\u003e]] [-c] [-e] [-h] \u003ckdump path\u003e\n\nExamples:\n  Show every structures of the dump:\n    parser.exe -a full.dmp\n\n  Show the context record:\n    parser.exe -c full.dmp\n\n  Show the exception record:\n    parser.exe -e full.dmp\n\n  Show all the physical memory (first 16 bytes of every pages):\n    parser.exe -p full.dmp\n\n  Show the context record as well as the page at physical address 0x1000:\n    parser.exe -c -p 0x1000 full.dmp\n```\n\n## Python bindings\n\n### From PyPI\n\nThe easiest way is simply to:\n```\npip install kdmp_parser\n```\n\n### Using PIP\n\nRun the following after installing [CMake](https://cmake.org/) and [Python](https://python.org/) 3.8+ / `pip`:\n```\ncd src/python\npip install -r requirements.txt\npip install .\n```\n\nTo create a wheel package:\n```\ncd src/python\npip wheel .\n```\n\n### Usage\n\n#### Get context, print the program counter\n\n```python\nimport kdmp_parser\ndmp = kdmp_parser.KernelDumpParser(\"full.dmp\")\nassert dmp.type == 
kdmp_parser.DumpType.FullDump\nprint(f\"Dump RIP={dmp.context.Rip:#x}\")\n```\n\n#### Read a virtual memory page at address pointed by RIP\n\n```python\nimport kdmp_parser\ndmp = kdmp_parser.KernelDumpParser(\"full.dmp\")\ndmp.read_virtual_page(dmp.context.Rip)\n```\n\n#### Explore the physical memory\n\n```python\nimport kdmp_parser\ndmp = kdmp_parser.KernelDumpParser(\"full.dmp\")\npml4 = dmp.directory_table_base\nprint(f\"{pml4=:#x}\")\ndmp.read_physical_page(pml4)\n```\n\n#### Translate a virtual address into a physical address\n\n```python\nimport kdmp_parser\ndmp = kdmp_parser.KernelDumpParser(\"full.dmp\")\nVA = dmp.context.Rip\nPA = dmp.translate_virtual(VA)\nprint(f\"{VA=:#x} -\u003e {PA=:#x}\")\n```\n\n# Authors\n\n* Axel '[@0vercl0k](https://twitter.com/0vercl0k)' Souchet\n\n# Contributors\n\n[ ![contributors-img](https://contrib.rocks/image?repo=0vercl0k/kdmp-parser) ](https://github.com/0vercl0k/kdmp-parser/graphs/contributors)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0vercl0k%2Fkdmp-parser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0vercl0k%2Fkdmp-parser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0vercl0k%2Fkdmp-parser/lists"}