https://github.com/0vercl0k/kdmp-parser-rs

A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.
https://github.com/0vercl0k/kdmp-parser-rs

bitmap-dump crash-dump crate dmp dumps full-dump kernel-dump rust windbg

Last synced: 1 day ago
JSON representation

A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.

• Host: GitHub
• URL: https://github.com/0vercl0k/kdmp-parser-rs
• Owner: 0vercl0k
• License: mit
• Created: 2024-03-21T03:24:36.000Z (10 months ago)
• Default Branch: main
• Last Pushed: 2024-08-13T03:41:52.000Z (5 months ago)
• Last Synced: 2024-12-25T03:06:47.885Z (9 days ago)
• Topics: bitmap-dump, crash-dump, crate, dmp, dumps, full-dump, kernel-dump, rust, windbg
• Language: Rust
• Homepage:
• Size: 897 KB
• Stars: 31
• Watchers: 3
• Forks: 5
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Funding: .github/FUNDING.yml
  • License: LICENSE

Awesome Lists containing this project

README

        


  
kdmp-parser

  


    A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.

  

  


    

    

    

  

  


    

  



This is a cross-platform crate that parses Windows **kernel** crash-dumps that Windows / WinDbg generates. It exposes read-only access to the physical memory pages as well as the register / exception context. It can also read virtual memory addresses by walking the [page tables](https://en.wikipedia.org/wiki/Page_table).

Compiled binaries are available in the [releases](https://github.com/0vercl0k/kdmp-parser-rs/releases) section.

## Parser

The [parser](src/examples/parser.rs) application is a small utility to show-case how to use the library and demonstrate its features. You can use it to dump memory, etc.

![parser-usage](https://github.com/0vercl0k/kdmp-parser-rs/raw/main/pics/parser.gif)

Here are the options supported:

```text

A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.

Usage: parser.exe [OPTIONS] 

Arguments:

  

          The dump path

Options:

      --dump-headers

          Dump the dump headers

  -c, --context-record

          Dump the context record

  -e, --exception-record

          Dump the exception record

  -m, --mem[=]

          Dump the first `len` bytes of every physical pages, unless an address is specified

      --virt

          The address specified is interpreted as a virtual address, not a physical address

      --len 

          The number of bytes to dump out

          [default: 16]

  -r, --reader 

          Reader mode

          [default: mmap]

          Possible values:

          - mmap: The crash-dump is memory-mapped

          - file: The crash-dump is read as a file on disk

      --modules

          Dump the list of kernel & user modules

  -h, --help

          Print help (see a summary with '-h')

  -V, --version

          Print version

```

# Authors

* Axel '[@0vercl0k](https://twitter.com/0vercl0k)' Souchet

# Contributors

[ ![contributors-img](https://contrib.rocks/image?repo=0vercl0k/kdmp-parser-rs) ](https://github.com/0vercl0k/kdmp-parser-rs/graphs/contributors)