https://github.com/0vercl0k/snapshot

WinDbg extension written in Rust to dump the CPU / memory state of a running VM
https://github.com/0vercl0k/snapshot

rust rust-lang snapshot-fuzzer windbg

Last synced: about 2 months ago
JSON representation

WinDbg extension written in Rust to dump the CPU / memory state of a running VM

• Host: GitHub
• URL: https://github.com/0vercl0k/snapshot
• Owner: 0vercl0k
• License: mit
• Created: 2024-02-05T04:45:06.000Z (8 months ago)
• Default Branch: main
• Last Pushed: 2024-07-26T15:07:25.000Z (about 2 months ago)
• Last Synced: 2024-07-27T16:42:28.761Z (about 2 months ago)
• Topics: rust, rust-lang, snapshot-fuzzer, windbg
• Language: Rust
• Homepage:
• Size: 124 KB
• Stars: 104
• Watchers: 4
• Forks: 4
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        


  
snapshot

  


    A Rust WinDbg extension that takes a snapshot of a running VM.

  

  


    

  

  


    

  



`snapshot` is a WinDbg extension written in Rust that dumps both the state of a CPU (GPRs, relevant MSRs, FPU state, segments, etc.) and the physical memory of a running VM (via a crash-dump). This snapshot is meant to be used by snapshot-based fuzzers and more particularly by [wtf](https://github.com/0vercl0k/wtf).

This code base is also meant to show case how to write a WinDbg extension in Rust 🦀.

## Building

You can build the extension with the below:

```text

c:\>git clone https://github.com/0vercl0k/snapshot.git

c:\>cd snapshot

c:\snapshot>cargo build --release

```

If you would rather grab a pre-built extension, grab one on the [releases](https://github.com/0vercl0k/snapshot/releases) page.

## Grabbing a snapshot

Once you have the extension downloaded / compiled, you can load it in WinDbg with the below:

```text

kd> .load \path\to\snapshot\target\release\snapshot.dll

kd> !snapshot -h

[snapshot] Usage: snapshot [OPTIONS] [STATE_PATH]

Arguments:

  [STATE_PATH]  The path to save the snapshot to

Options:

  -k, --kind   The kind of snapshot to take [default: full] [possible values: active-kernel, full]

  -h, --help         Print help

```

Generate a full-kernel snapshot in the `c:\foo` directory with the below:

```text

kd> !snapshot c:\foo

[snapshot] Dumping the CPU state into c:\foo\state.19041.1.amd64fre.vb_release.191206-1406.20240205_173527\regs.json..

[snapshot] Dumping the memory state into c:\foo\state.19041.1.amd64fre.vb_release.191206-1406.20240205_173527\mem.dmp..

Creating c:\\foo\\state.19041.1.amd64fre.vb_release.191206-1406.20240205_173527\\mem.dmp - Full memory range dump

0% written.

5% written. 1 min 12 sec remaining.

10% written. 1 min 4 sec remaining.

[...]

90% written. 6 sec remaining.

95% written. 3 sec remaining.

Wrote 4.0 GB in 1 min 11 sec.

The average transfer rate was 57.7 MB/s.

Dump successfully written

[snapshot] Done!

```

There is also `!snapshot_active_kernel` if you would prefer to grab an active kernel crash-dump.