
Plugins: Initial prototype crashdump writer #472

Open
wants to merge 1 commit into
base: develop

Conversation

ikelos
Member

@ikelos ikelos commented Mar 7, 2021

This is just a placeholder but has most of the code for creating a valid crashdump file. The things it's currently missing are:

  • Proper version numbers as extracted from the structure preceding the KD_DEBUGGER_DATA structure and also anything to do with the KPCR (setting dummy values, decoding it, etc).

@iMHLv2 This isn't done yet, but I figure this gives us visibility of the branch. I know that writing seems less simple than in volatility 2 (.write() rather than =), but it turns out there are times we want to change the programmatic structure without writing it back to the file (for example, some tricks we play generating structures in pdbconv). It's also not clear whether assignment should fail if the file is unwritable for some reason (whereas a write failing is to be expected). I think that's ok, but if you can think of something simpler that still allows us to differentiate between in-memory assignment and physical rewriting then I'm all for it... 5:)
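The two-step model discussed above (attribute assignment changes only the in-memory object, while .write() is the explicit step that serialises it back, and a failed write is the expected error) worked through on the start of the crashdump header the plugin produces. This is an added illustration, not code from this PR or from volatility3; the 16-byte header layout (Signature, ValidDump, MajorVersion, MinorVersion) is assumed from public documentation of _DUMP_HEADER, and the class and function names are hypothetical.

```python
import struct
# First 16 bytes shared by the Windows _DUMP_HEADER and _DUMP_HEADER64
# (layout assumed from public documentation, not taken from the PR's code):
#   0x00 Signature    4 bytes  b"PAGE"
#   0x04 ValidDump    4 bytes  b"DUMP" (32-bit) or b"DU64" (64-bit)
#   0x08 MajorVersion ULONG
#   0x0C MinorVersion ULONG
HEADER_FMT = "<4s4sII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)

class DumpHeader:
    """Parsed header prefix. Attribute assignment changes only this object;
    write() is the separate, explicit step that serialises it into a buffer."""

    def __init__(self, signature, valid_dump, major, minor):
        self.signature, self.valid_dump = signature, valid_dump
        self.major_version, self.minor_version = major, minor

    @classmethod
    def parse(cls, data):
        if len(data) < HEADER_SIZE:
            raise ValueError("buffer too short for a _DUMP_HEADER prefix")
        return cls(*struct.unpack_from(HEADER_FMT, data, 0))

    def is_valid(self):
        return self.signature == b"PAGE" and self.valid_dump in (b"DUMP", b"DU64")

    def is_64bit(self):
        return self.valid_dump == b"DU64"

    def write(self, buf, writable=True):
        # A failed write is an expected, visible error; the object keeps its state.
        if not writable:
            raise PermissionError("destination is not writable")
        if not self.is_valid():
            raise ValueError("refusing to serialise a header with a bad signature")
        struct.pack_into(HEADER_FMT, buf, 0, self.signature, self.valid_dump,
                         self.major_version, self.minor_version)

def build_header(bits, major, minor):
    """Constructed sample: a header prefix followed by 16 bytes of zero padding."""
    valid = b"DU64" if bits == 64 else b"DUMP"
    return bytearray(struct.pack(HEADER_FMT, b"PAGE", valid, major, minor) + bytes(16))

def assign_then_write(buf, new_minor):
    # Returns MinorVersion as read from buf after assignment and again after write().
    hdr = DumpHeader.parse(buf)
    hdr.minor_version = new_minor
    after_assign = DumpHeader.parse(buf).minor_version  # buffer unchanged so far
    hdr.write(buf)
    return after_assign, DumpHeader.parse(buf).minor_version
```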

@ikelos ikelos self-assigned this Mar 7, 2021
@ikelos ikelos changed the title Plugins: Initial protype crashdump writer Plugins: Initial prototype crashdump writer Mar 15, 2021
@ikelos ikelos requested review from iMHLv2 and awalters August 30, 2021 11:46
@ikelos
Member Author

ikelos commented Aug 30, 2021

I think this is very rudimentary/may not do everything it needs to, but it feels like it's starting to get stale. @iMHLv2 or @awalters could either of you take a look and make sure that it's doing what it's supposed to? If it is I'll get it merged so it gets updated if/when anything else does...

dump_header_name = '_DUMP_HEADER'
valid_dump_suffix = [ord('M'), ord('P')]

config_path = 'whatever'
Member Author


Bad past @ikelos, very, very bad. This sets a really bad example, and this needs changing before this gets committed.

@ikelos ikelos mentioned this pull request May 3, 2022