Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crashdump writer plugin #718

Open
wants to merge 17 commits into
base: develop
Choose a base branch
from
Open

Crashdump writer plugin #718

wants to merge 17 commits into from

Conversation

paulkermann
Copy link
Contributor

This is a PR is instead of #694 because the rebase on that PR was a bit weird.
This was tested against 32-bit and 64-bit memory dumps.

@paulkermann paulkermann mentioned this pull request Apr 27, 2022
Closed
digitalisx
digitalisx reviewed Apr 27, 2022
View reviewed changes
Copy link
Contributor

@digitalisx digitalisx left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks to the clean up of the PR, it's very easy to see the code! 🙂
I left a little comment.
I hope this plugin can be usefully.

volatility3/framework/plugins/windows/info.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/writecrashdump.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/info.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/info.py Show resolved Hide resolved
volatility3/framework/plugins/windows/writecrashdump.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/writecrashdump.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/writecrashdump.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/writecrashdump.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/writecrashdump.py Outdated Show resolved Hide resolved
@digitalisx
Copy link
Contributor

@paulkermann LGTM, some of the things you explained were understood. Thank you for checking my reviews. 🙂

@ikelos ikelos requested review from awalters and iMHLv2 April 27, 2022 21:54
@paulkermann paulkermann requested a review from ikelos May 2, 2022 14:20
ikelos
ikelos reviewed May 2, 2022
View reviewed changes
Copy link
Member

@ikelos ikelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly awesome, a couple of bits and pieces around hardcoded values but otherwise really good! Nice use of comments and sticking to the existing coding style, thanks! 5:)

volatility3/framework/plugins/windows/info.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/info.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/info.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/info.py Outdated Show resolved Hide resolved
volatility3/framework/symbols/windows/extensions/kdbg.py Show resolved Hide resolved
volatility3/framework/plugins/windows/writecrashdump.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/info.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/writecrashdump.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/writecrashdump.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/writecrashdump.py Outdated Show resolved Hide resolved
@paulkermann paulkermann requested a review from ikelos May 3, 2022 08:01
digitalisx
digitalisx reviewed May 3, 2022
View reviewed changes
Copy link
Contributor

@digitalisx digitalisx left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello, @paulkermann
I'm happy to see that the plugin is getting better through feedback, and I respect your work.
It's cool enough now, but I leave a NIT comment. 🙂

volatility3/framework/plugins/windows/info.py Outdated Show resolved Hide resolved
volatility3/framework/plugins/windows/info.py Outdated Show resolved Hide resolved
ikelos
ikelos reviewed May 3, 2022
View reviewed changes
Copy link
Member

@ikelos ikelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, rol looks good, but bswap seems to have taken a step backwards, I doesn't feel like it needs two separate methods, and it's not clear why it went from using struct to doing the maths manually, but I think that's the last bit to fix up (still pending a review from someone else from core, but otherwise looking good). 5:)

volatility3/framework/plugins/windows/info.py Outdated Show resolved Hide resolved
digitalisx
digitalisx approved these changes May 3, 2022
View reviewed changes
Copy link
Contributor

@digitalisx digitalisx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@paulkermann Thank you, I think the review I can advise is over.. 🙂
I hope the other things will be revised well and the maintainers will like it!

@paulkermann paulkermann requested a review from ikelos May 3, 2022 15:01
@paulkermann paulkermann mentioned this pull request Nov 13, 2022
Closed
@paulkermann
Merge remote-tracking branch 'origin/develop' into feature/crashdump-…
87926e6 
…writer

Conflicts:
	volatility3/framework/layers/physical.py
	volatility3/framework/plugins/windows/info.py
	volatility3/framework/symbols/windows/extensions/kdbg.py
@ikelos
Copy link
Member

ikelos commented Mar 27, 2023

@iMHLv2 could you please take a look over the KDBG decoding bits of this? I haven't done a full review yet, but the more eyes we can get on it the better please. 5:)

@ikelos
Copy link
Member

ikelos commented Jul 10, 2023

Any word on this one guys?

@ikelos
Copy link
Member

ikelos commented Apr 8, 2024

This is still waiting on review by @awalters I'm afraid.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 21, 2024
View reviewed changes
volatility3/framework/plugins/windows/info.py
from volatility3.framework.renderers import TreeGrid
from volatility3.framework.symbols import intermed
from volatility3.framework.symbols.windows.extensions import kdbg, pe
from volatility3.framework.symbols.windows import extensions

Check notice

Code scanning / CodeQL

Unused import Note

Import of 'extensions' is not used.
@paulkermann
Copy link
Contributor Author

hey @ikelos, can you merge this plugin?

@ikelos
Copy link
Member

ikelos commented Jul 28, 2024

The need for review hasn't changed I'm afraid. I don't know the crashdump format well enough to agree to bring this into core and support it long term.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@digitalisx digitalisx digitalisx approved these changes

@awalters awalters Awaiting requested review from awalters

@iMHLv2 iMHLv2 Awaiting requested review from iMHLv2

@ikelos ikelos Awaiting requested review from ikelos

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@paulkermann @digitalisx @ikelos