Codebase list python-minidump / 4e518b6
New upstream version 0.0.21 Sophie Brun 2 years ago
12 changed file(s) with 549 addition(s) and 10 deletion(s). Raw diff Collapse all Expand all
+1
-1
PKG-INFO less more
00 Metadata-Version: 1.2
11 Name: minidump
2 Version: 0.0.17
2 Version: 0.0.21
33 Summary: Python library to parse Windows minidump file format
44 Home-page: https://github.com/skelsec/minidump
55 Author: Tamas Jos
+1
-1
minidump/_version.py less more
00
1 __version__ = "0.0.17"
1 __version__ = "0.0.21"
22 __banner__ = \
33 """
44 # minidump %s
+1
-1
minidump/aminidumpreader.py less more
307307
308308 def get_module_by_name(self, module_name):
309309 for mod in self.modules:
310 if ntpath.basename(mod.name).find(module_name) != -1:
310 if ntpath.basename(mod.name).lower().find(module_name.lower()) != -1:
311311 return mod
312312 return None
313313
+2
-2
minidump/common_structs.py less more
189189 return fl
190190 fl.append(marker + offset + self.start_virtual_address)
191191 data = data[marker+1:]
192 offset = marker + 1
192 offset += marker + 1
193193 if find_first is True:
194194 return fl
195195
231231 return fl
232232 fl.append(marker + offset + self.start_virtual_address)
233233 data = data[marker+1:]
234 offset = marker + 1
234 offset += marker + 1
235235 if find_first is True:
236236 return fl
237237
+17
-0
minidump/minidumpfile.py less more
1515 from minidump.common_structs import *
1616 from minidump.constants import MINIDUMP_STREAM_TYPE
1717 from minidump.directory import MINIDUMP_DIRECTORY
18 from minidump.streams.SystemInfoStream import PROCESSOR_ARCHITECTURE
1819
1920
2021 class MinidumpFile:
202203 elif dir.StreamType == MINIDUMP_STREAM_TYPE.LastReservedStream:
203204
204205 """
206 try:
207 self.__parse_thread_context()
208 except Exception as e:
209 logging.exception('Thread context parsing error!')
210
211 def __parse_thread_context(self):
212 if not self.sysinfo or not self.threads:
213 return
214 for thread in self.threads.threads:
215 rva = thread.ThreadContext.Rva
216 self.file_handle.seek(rva)
217 if self.sysinfo.ProcessorArchitecture == PROCESSOR_ARCHITECTURE.AMD64:
218 thread.ContextObject = CONTEXT.parse(self.file_handle)
219 elif self.sysinfo.ProcessorArchitecture == PROCESSOR_ARCHITECTURE.INTEL:
220 thread.ContextObject = WOW64_CONTEXT.parse(self.file_handle)
221
205222
206223 def __str__(self):
207224 t = '== Minidump File ==\n'
+10
-1
minidump/minidumpreader.py less more
101101 return
102102
103103 raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
104
105 def get_reader(self):
106 return self.reader
104107
105108 def seek(self, offset, whence = 0):
106109 """
304307 else:
305308 raise Exception('Unknown processor architecture %s! Please fix and submit PR!' % self.sysinfo.ProcessorArchitecture)
306309
310 def get_handler(self):
311 return self.file_handle
312
313 def get_memory(self):
314 return self.memory_segments
315
307316 def get_buffered_reader(self, segment_chunk_size = 10*1024):
308317 return MinidumpBufferedReader(self, segment_chunk_size = segment_chunk_size)
309318
310319 def get_module_by_name(self, module_name):
311320 for mod in self.modules:
312 if ntpath.basename(mod.name).find(module_name) != -1:
321 if ntpath.basename(mod.name).lower().find(module_name.lower()) != -1:
313322 return mod
314323 return None
315324
+508
-0
minidump/streams/ContextStream.py less more
0 #!/usr/bin/env python3
1
2 # https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1507%20Threshold%201/_M128A
3 class M128A:
4 def __init__(self):
5 self.Low = 0 # 0x0 ULONGLONG
6 self.High = 0 # 0x8 LONGLONG
7
8 @classmethod
9 def parse(cls, buff):
10 m128a = cls()
11
12 m128a.Low = int.from_bytes(buff.read(8), byteorder = 'little', signed = False)
13 m128a.High = int.from_bytes(buff.read(8), byteorder = 'little', signed = True)
14
15 return m128a
16
17 @classmethod
18 def parse_array(cls, buff, length):
19 arr = []
20 for i in range(length):
21 arr.append(cls.parse(buff))
22 return arr
23
24 def __str__(self):
25 s = ""
26 s += "Low: %x (%d)" % (self.Low, self.Low)
27 s += "High: %x (%d)\n" % (self.High, self.High)
28 return s
29
30
31 # https://doxygen.reactos.org/df/d06/sdk_2include_2xdk_2arm_2ke_8h_source.html#l00229
32 class NEON128(M128A):
33 # looks to be the same as M128A
34 pass
35
36
37 # https://www.vergiliusproject.com/kernels/x64/Windows%20Vista%20%7C%202008/SP2/_XMM_SAVE_AREA32
38 class XMM_SAVE_AREA32:
39 def __init__(self):
40 self.ControlWord = 0 # 0x0 USHORT
41 self.StatusWord = 0 # 0x2 USHORT
42 self.TagWord = 0 # 0x4 UCHAR
43 self.Reserved1 = 0 # 0x5 UCHAR
44 self.ErrorOpcode = 0 # 0x6 USHORT
45 self.ErrorOffset = 0 # 0x8 ULONG
46 self.ErrorSelector = 0 # 0xc USHORT
47 self.Reserved2 = 0 # 0xe USHORT
48 self.DataOffset = 0 # 0x10 ULONG
49 self.DataSelector = 0 # 0x14 USHORT
50 self.Reserved3 = 0 # 0x16 USHORT
51 self.MxCsr = 0 # 0x18 ULONG
52 self.MxCsr_Mask = 0 # 0x1c ULONG
53 self.FloatRegisters = [] # 0x20 struct M128A[8]
54 self.XmmRegisters = [] # 0xa0 struct M128A[16]
55 self.Reserved4 = [] # 0x1a0 UCHAR[96]
56
57 @classmethod
58 def parse(cls, buff):
59 xmm = cls()
60
61 xmm.ControlWord = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
62 xmm.StatusWord = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
63 xmm.TagWord = chr(int.from_bytes(buff.read(1), byteorder = 'little', signed = False))
64 xmm.Reserved1 = chr(int.from_bytes(buff.read(1), byteorder = 'little', signed = False))
65 xmm.ErrorOpcode = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
66 xmm.ErrorOffset = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
67 xmm.ErrorSelector = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
68 xmm.Reserved2 = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
69 xmm.DataOffset = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
70 xmm.DataSelector = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
71 xmm.Reserved3 = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
72 xmm.MxCsr = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
73 xmm.MxCsr_Mask = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
74 xmm.FloatRegisters = M128A.parse_array(buff, 8)
75 xmm.XmmRegisters = M128A.parse_array(buff, 16)
76 xmm.Reserved4 = [
77 chr(int.from_bytes(buff.read(1), byteorder = 'little', signed = False))
78 for i in range(96)
79 ]
80
81 return xmm
82
83 def __str__(self):
84 s = ""
85 s += "%s: %x (%d)\n" % ("ControlWord", self.ControlWord, self.ControlWord)
86 s += "%s: %x (%d)\n" % ("StatusWord", self.StatusWord, self.StatusWord)
87 s += "%s: %s\n" % ("TagWord", self.TagWord)
88 s += "%s: %s\n" % ("Reserved1", self.Reserved1)
89 s += "%s: %x (%d)\n" % ("ErrorOpcode", self.ErrorOpcode, self.ErrorOpcode)
90 s += "%s: %x (%d)\n" % ("ErrorOffset", self.ErrorOffset, self.ErrorOffset)
91 s += "%s: %x (%d)\n" % ("ErrorSelector", self.ErrorSelector, self.ErrorSelector)
92 s += "%s: %x (%d)\n" % ("Reserved2", self.Reserved2, self.Reserved2)
93 s += "%s: %x (%d)\n" % ("DataOffset", self.DataOffset, self.DataOffset)
94 s += "%s: %x (%d)\n" % ("DataSelector", self.DataSelector, self.DataSelector)
95 s += "%s: %x (%d)\n" % ("Reserved3", self.Reserved3, self.Reserved3)
96 s += "%s: %x (%d)\n" % ("MxCsr", self.MxCsr, self.MxCsr)
97 s += "%s: %x (%d)\n" % ("MxCsr_Mask", self.MxCsr_Mask, self.MxCsr_Mask)
98 s += "%s:\n" % ("FloatRegisters:")
99 for freg in self.FloatRegisters:
100 s += "\t%s" % (freg)
101 s += "%s:\n" % ("XmmRegisters")
102 for xreg in self.XmmRegisters:
103 s += "\t%s" % (xreg)
104 s += "%s: %s\n" % ("Reserved4", "".join(self.Reserved4))
105
106 return s
107
108
109 class CTX_DUMMYSTRUCTNAME:
110 def __init__(self):
111 # all are M128A
112 self.Header = [] # [2]
113 self.Legacy = [] # [8]
114 self.Xmm0 = 0
115 self.Xmm1 = 0
116 self.Xmm2 = 0
117 self.Xmm3 = 0
118 self.Xmm4 = 0
119 self.Xmm5 = 0
120 self.Xmm6 = 0
121 self.Xmm7 = 0
122 self.Xmm8 = 0
123 self.Xmm9 = 0
124 self.Xmm10 = 0
125 self.Xmm11 = 0
126 self.Xmm12 = 0
127 self.Xmm13 = 0
128 self.Xmm14 = 0
129 self.Xmm15 = 0
130
131 @classmethod
132 def parse(cls, buff):
133 dsn = cls()
134
135 dsn.Header = M128A.parse_array(buff, 2)
136 dsn.Legacy = M128A.parse_array(buff, 8)
137 dsn.Xmm0 = M128A.parse(buff)
138 dsn.Xmm1 = M128A.parse(buff)
139 dsn.Xmm2 = M128A.parse(buff)
140 dsn.Xmm3 = M128A.parse(buff)
141 dsn.Xmm4 = M128A.parse(buff)
142 dsn.Xmm5 = M128A.parse(buff)
143 dsn.Xmm6 = M128A.parse(buff)
144 dsn.Xmm7 = M128A.parse(buff)
145 dsn.Xmm8 = M128A.parse(buff)
146 dsn.Xmm9 = M128A.parse(buff)
147 dsn.Xmm10 = M128A.parse(buff)
148 dsn.Xmm11 = M128A.parse(buff)
149 dsn.Xmm12 = M128A.parse(buff)
150 dsn.Xmm13 = M128A.parse(buff)
151 dsn.Xmm14 = M128A.parse(buff)
152 dsn.Xmm15 = M128A.parse(buff)
153
154 return dsn
155
156 def __str__(self):
157 s = ""
158 s += "%s:\n" % ("Header")
159 for head in self.Header:
160 s += "\t%s" % (head)
161 s += "%s:\n" % ("Legacy")
162 for leg in self.Legacy:
163 s += "\t%s" % (leg)
164 s += "%s: %s" % ("Xmm0", self.Xmm0)
165 s += "%s: %s" % ("Xmm1", self.Xmm1)
166 s += "%s: %s" % ("Xmm2", self.Xmm2)
167 s += "%s: %s" % ("Xmm3", self.Xmm3)
168 s += "%s: %s" % ("Xmm4", self.Xmm4)
169 s += "%s: %s" % ("Xmm5", self.Xmm5)
170 s += "%s: %s" % ("Xmm6", self.Xmm6)
171 s += "%s: %s" % ("Xmm7", self.Xmm7)
172 s += "%s: %s" % ("Xmm8", self.Xmm8)
173 s += "%s: %s" % ("Xmm9", self.Xmm9)
174 s += "%s: %s" % ("Xmm10", self.Xmm10)
175 s += "%s: %s" % ("Xmm11", self.Xmm11)
176 s += "%s: %s" % ("Xmm12", self.Xmm12)
177 s += "%s: %s" % ("Xmm13", self.Xmm13)
178 s += "%s: %s" % ("Xmm14", self.Xmm14)
179 s += "%s: %s" % ("Xmm15", self.Xmm15)
180
181 return s
182
183
184 class CTX_DUMMYUNIONNAME:
185 def __init__(self):
186 self.FltSave = [] # XMM_SAVE_AREA32
187 self.Q = [] # NEON128 [16]
188 self.D = [] # ULONGLONG [32]
189 self.DUMMYSTRUCTNAME = []
190 self.S = [] # DWORD [32]
191
192 @classmethod
193 def parse(cls, buff):
194 dun = cls()
195
196 dun.FltSave = XMM_SAVE_AREA32.parse(buff)
197 dun.Q = NEON128.parse_array(buff, 16)
198 dun.D = [
199 int.from_bytes(buff.read(8), byteorder = 'little', signed = False)
200 for i in range(32)
201 ]
202 dun.DUMMYSTRUCTNAME = CTX_DUMMYSTRUCTNAME.parse(buff)
203 dun.S = [
204 int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
205 for i in range(32)
206 ]
207 return dun
208
209 def __str__(self):
210 s = ""
211 s += "%s: %s\n" % ("FltSave", self.FltSave)
212 s += "%s:\n" % ("Q")
213 for q in self.Q:
214 s += "\t%s" % (q.__str__())
215 for d in self.D:
216 s += "\t%d" % (d)
217 s += "%s: %s" % ("DUMMYSTRUCTNAME", self.DUMMYSTRUCTNAME)
218 s += "%s:\n" %("S")
219 for e in self.S:
220 s += "\t%d" % (e)
221
222 return s
223
224
225 # https:# docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-context
226 class CONTEXT:
227 def __init__(self):
228 self.P1Home = 0 # DWORD64
229 self.P2Home = 0 # DWORD64
230 self.P3Home = 0 # DWORD64
231 self.P4Home = 0 # DWORD64
232 self.P5Home = 0 # DWORD64
233 self.P6Home = 0 # DWORD64
234 self.ContextFlags = 0 # DWORD
235 self.MxCsr = 0 # DWORD
236 self.SegCs = 0 # WORD
237 self.SegDs = 0 # WORD
238 self.SegEs = 0 # WORD
239 self.SegFs = 0 # WORD
240 self.SegGs = 0 # WORD
241 self.SegSs = 0 # WORD
242 self.EFlags = 0 # DWORD
243 self.Dr0 = 0 # DWORD64
244 self.Dr1 = 0 # DWORD64
245 self.Dr2 = 0 # DWORD64
246 self.Dr3 = 0 # DWORD64
247 self.Dr6 = 0 # DWORD64
248 self.Dr7 = 0 # DWORD64
249 self.Rax = 0 # DWORD64
250 self.Rcx = 0 # DWORD64
251 self.Rdx = 0 # DWORD64
252 self.Rbx = 0 # DWORD64
253 self.Rsp = 0 # DWORD64
254 self.Rbp = 0 # DWORD64
255 self.Rsi = 0 # DWORD64
256 self.Rdi = 0 # DWORD64
257 self.R8 = 0 # DWORD64
258 self.R9 = 0 # DWORD64
259 self.R10 = 0 # DWORD64
260 self.R11 = 0 # DWORD64
261 self.R12 = 0 # DWORD64
262 self.R13 = 0 # DWORD64
263 self.R14 = 0 # DWORD64
264 self.R15 = 0 # DWORD64
265 self.Rip = 0 # DWORD64
266 self.DUMMYUNIONNAME = None
267
268 self.VectorRegister = [] # M128A [26]
269 self.VectorControl = 0 # DWORD64
270 self.DebugControl = 0 # DWORD64
271 self.LastBranchToRip = 0 # DWORD64
272 self.LastBranchFromRip = 0 # DWORD64
273 self.LastExceptionToRip = 0 # DWORD64
274 self.LastExceptionFromRip = 0 # DWORD64
275
276 @classmethod
277 def parse(cls, buff):
278 ctx = cls()
279
280 ctx.P1Home = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
281 ctx.P2Home = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
282 ctx.P3Home = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
283 ctx.P4Home = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
284 ctx.P5Home = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
285 ctx.P6Home = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
286 ctx.ContextFlags = int.from_bytes(buff.read(4), byteorder = 'little', signed = False) # DWORD
287 ctx.MxCsr = int.from_bytes(buff.read(4), byteorder = 'little', signed = False) # DWORD
288 ctx.SegCs = int.from_bytes(buff.read(2), byteorder = 'little', signed = False) # WORD
289 ctx.SegDs = int.from_bytes(buff.read(2), byteorder = 'little', signed = False) # WORD
290 ctx.SegEs = int.from_bytes(buff.read(2), byteorder = 'little', signed = False) # WORD
291 ctx.SegFs = int.from_bytes(buff.read(2), byteorder = 'little', signed = False) # WORD
292 ctx.SegGs = int.from_bytes(buff.read(2), byteorder = 'little', signed = False) # WORD
293 ctx.SegSs = int.from_bytes(buff.read(2), byteorder = 'little', signed = False) # WORD
294 ctx.EFlags = int.from_bytes(buff.read(4), byteorder = 'little', signed = False) # DWORD
295 ctx.Dr0 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
296 ctx.Dr1 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
297 ctx.Dr2 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
298 ctx.Dr3 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
299 ctx.Dr6 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
300 ctx.Dr7 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
301 ctx.Rax = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
302 ctx.Rcx = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
303 ctx.Rdx = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
304 ctx.Rbx = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
305 ctx.Rsp = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
306 ctx.Rbp = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
307 ctx.Rsi = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
308 ctx.Rdi = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
309 ctx.R8 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
310 ctx.R9 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
311 ctx.R10 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
312 ctx.R11 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
313 ctx.R12 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
314 ctx.R13 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
315 ctx.R14 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
316 ctx.R15 = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
317 ctx.Rip = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
318 ctx.DUMMYUNIONNAME = CTX_DUMMYUNIONNAME.parse(buff)
319
320 ctx.VectorRegister = M128A.parse_array(buff, 26) # M128A [26]
321 ctx.VectorControl = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
322 ctx.DebugControl = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
323 ctx.LastBranchToRip = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
324 ctx.LastBranchFromRip = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
325 ctx.LastExceptionToRip = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
326 ctx.LastExceptionFromRip = int.from_bytes(buff.read(8), byteorder = 'little', signed = False) # DWORD64
327
328 return ctx
329
330 def __str__(self):
331 s = ""
332 s += "%s: 0x%x (%d)\n" % ("P1Home",self.P1Home,self.P1Home)
333 s += "%s: 0x%x (%d)\n" % ("P2Home",self.P2Home,self.P2Home)
334 s += "%s: 0x%x (%d)\n" % ("P3Home",self.P3Home,self.P3Home)
335 s += "%s: 0x%x (%d)\n" % ("P4Home",self.P4Home,self.P4Home)
336 s += "%s: 0x%x (%d)\n" % ("P5Home",self.P5Home,self.P5Home)
337 s += "%s: 0x%x (%d)\n" % ("P6Home",self.P6Home,self.P6Home)
338 s += "%s: 0x%x (%d)\n" % ("ContextFlags",self.ContextFlags,self.ContextFlags)
339 s += "%s: 0x%x (%d)\n" % ("MxCsr",self.MxCsr,self.MxCsr)
340 s += "%s: 0x%x (%d)\n" % ("SegCs",self.SegCs,self.SegCs)
341 s += "%s: 0x%x (%d)\n" % ("SegDs",self.SegDs,self.SegDs)
342 s += "%s: 0x%x (%d)\n" % ("SegEs",self.SegEs,self.SegEs)
343 s += "%s: 0x%x (%d)\n" % ("SegFs",self.SegFs,self.SegFs)
344 s += "%s: 0x%x (%d)\n" % ("SegGs",self.SegGs,self.SegGs)
345 s += "%s: 0x%x (%d)\n" % ("SegSs",self.SegSs,self.SegSs)
346 s += "%s: 0x%x (%d)\n" % ("EFlags",self.EFlags,self.EFlags)
347 s += "%s: 0x%x (%d)\n" % ("Dr0",self.Dr0,self.Dr0)
348 s += "%s: 0x%x (%d)\n" % ("Dr1",self.Dr1,self.Dr1)
349 s += "%s: 0x%x (%d)\n" % ("Dr2",self.Dr2,self.Dr2)
350 s += "%s: 0x%x (%d)\n" % ("Dr3",self.Dr3,self.Dr3)
351 s += "%s: 0x%x (%d)\n" % ("Dr6",self.Dr6,self.Dr6)
352 s += "%s: 0x%x (%d)\n" % ("Dr7",self.Dr7,self.Dr7)
353 s += "%s: 0x%x (%d)\n" % ("Rax",self.Rax,self.Rax)
354 s += "%s: 0x%x (%d)\n" % ("Rcx",self.Rcx,self.Rcx)
355 s += "%s: 0x%x (%d)\n" % ("Rdx",self.Rdx,self.Rdx)
356 s += "%s: 0x%x (%d)\n" % ("Rbx",self.Rbx,self.Rbx)
357 s += "%s: 0x%x (%d)\n" % ("Rsp",self.Rsp,self.Rsp)
358 s += "%s: 0x%x (%d)\n" % ("Rbp",self.Rbp,self.Rbp)
359 s += "%s: 0x%x (%d)\n" % ("Rsi",self.Rsi,self.Rsi)
360 s += "%s: 0x%x (%d)\n" % ("Rdi",self.Rdi,self.Rdi)
361 s += "%s: 0x%x (%d)\n" % ("R8",self.R8,self.R8)
362 s += "%s: 0x%x (%d)\n" % ("R9",self.R9,self.R9)
363 s += "%s: 0x%x (%d)\n" % ("R10",self.R10,self.R10)
364 s += "%s: 0x%x (%d)\n" % ("R11",self.R11,self.R11)
365 s += "%s: 0x%x (%d)\n" % ("R12",self.R12,self.R12)
366 s += "%s: 0x%x (%d)\n" % ("R13",self.R13,self.R13)
367 s += "%s: 0x%x (%d)\n" % ("R14",self.R14,self.R14)
368 s += "%s: 0x%x (%d)\n" % ("R15",self.R15,self.R15)
369 s += "%s: 0x%x (%d)\n" % ("Rip",self.Rip,self.Rip)
370 s += "%s:" % ("DUMMYUNIONNAME")
371 s += self.DUMMYUNIONNAME.__str__()
372
373 return s
374
375
376 # https:# docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-wow64_floating_save_area
377 class WOW64_FLOATING_SAVE_AREA:
378 def __init__(self):
379 self.ControlWord = 0 # DWORD
380 self.StatusWord = 0 # DWORD
381 self.TagWord = 0 # DWORD
382 self.ErrorOffset = 0 # DWORD
383 self.ErrorSelector = 0 # DWORD
384 self.DataOffset = 0 # DWORD
385 self.DataSelector = 0 # DWORD
386 self.RegisterArea = [] # BYTE
387 self.Cr0NpxState = 0 # DWORD
388
389 @classmethod
390 def parse(cls, buff):
391 ctx = cls()
392 ctx.ControlWord = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
393 ctx.StatusWord = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
394 ctx.TagWord = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
395 ctx.ErrorOffset = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
396 ctx.ErrorSelector = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
397 ctx.DataOffset = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
398 ctx.DataSelector = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
399 ctx.RegisterArea = int.from_bytes(buff.read(80), byteorder = 'little', signed = False)
400 ctx.Cr0NpxState = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
401 return ctx
402
403 def __str__(self):
404 s = ''
405 s += "ControlWord: %x (%d)\n" % (self.ControlWord, self.ControlWord)
406 s += "StatusWord: %x (%d)\n" % (self.StatusWord, self.StatusWord)
407 s += "TagWord: %x (%d)\n" % (self.TagWord, self.TagWord)
408 s += "ErrorOffset: %x (%d)\n" % (self.ErrorOffset, self.ErrorOffset)
409 s += "ErrorSelector: %x (%d)\n" % (self.ErrorSelector, self.ErrorSelector)
410 s += "DataOffset: %x (%d)\n" % (self.DataOffset, self.DataOffset)
411 s += "DataSelector: %x (%d)\n" % (self.DataSelector, self.DataSelector)
412 s += "RegisterArea: %s\n" % str(self.RegisterArea)
413 s += "Cr0NpxState: %x (%d)" % (self.Cr0NpxState, self.Cr0NpxState)
414 return s
415
416 # https:# docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-wow64_context
417 class WOW64_CONTEXT:
418 def __init__(self):
419 self.ContextFlags = 0 # DWORD
420 self.Dr0 = 0 # DWORD
421 self.Dr1 = 0 # DWORD
422 self.Dr2 = 0 # DWORD
423 self.Dr3 = 0 # DWORD
424 self.Dr6 = 0 # DWORD
425 self.Dr7 = 0 # DWORD
426 self.FloatSave = 0 # WOW64_FLOATING_SAVE_AREA
427 self.SegGs = 0 # DWORD
428 self.SegFs = 0 # DWORD
429 self.SegEs = 0 # DWORD
430 self.SegDs = 0 # DWORD
431 self.Edi = 0 # DWORD
432 self.Esi = 0 # DWORD
433 self.Ebx = 0 # DWORD
434 self.Edx = 0 # DWORD
435 self.Ecx = 0 # DWORD
436 self.Eax = 0 # DWORD
437 self.Ebp = 0 # DWORD
438 self.Eip = 0 # DWORD
439 self.SegCs = 0 # DWORD
440 self.EFlags = 0 # DWORD
441 self.Esp = 0 # DWORD
442 self.SegSs = 0 # DWORD
443 self.ExtendedRegisters = [] # BYTE
444
445 @classmethod
446 def parse(cls, buff):
447 ctx = cls()
448
449 ctx.ContextFlags = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
450 ctx.Dr0 = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
451 ctx.Dr1 = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
452 ctx.Dr2 = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
453 ctx.Dr3 = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
454 ctx.Dr6 = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
455 ctx.Dr7 = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
456 ctx.FloatSave = WOW64_FLOATING_SAVE_AREA.parse(buff)
457 ctx.SegGs = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
458 ctx.SegFs = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
459 ctx.SegEs = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
460 ctx.SegDs = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
461 ctx.Edi = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
462 ctx.Esi = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
463 ctx.Ebx = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
464 ctx.Edx = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
465 ctx.Ecx = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
466 ctx.Eax = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
467 ctx.Ebp = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
468 ctx.Eip = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
469 ctx.SegCs = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
470 ctx.EFlags = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
471 ctx.Esp = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
472 ctx.SegSs = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
473 ctx.ExtendedRegisters = [
474 int.from_bytes(buff.read(1), byteorder = 'little', signed = False)
475 for i in range(512)
476 ]
477 return ctx
478
479 def __str__(self):
480 s = ''
481 s += "%s: %x (%d)\n" % ("ContextFlags", self.ContextFlags, self.ContextFlags)
482 s += "%s: %x (%d)\n" % ("Dr0", self.Dr0, self.Dr0)
483 s += "%s: %x (%d)\n" % ("Dr1", self.Dr1, self.Dr1)
484 s += "%s: %x (%d)\n" % ("Dr2", self.Dr2, self.Dr2)
485 s += "%s: %x (%d)\n" % ("Dr3", self.Dr3, self.Dr3)
486 s += "%s: %x (%d)\n" % ("Dr6", self.Dr6, self.Dr6)
487 s += "%s: %x (%d)\n" % ("Dr7", self.Dr7, self.Dr7)
488 s += "%s: %s\n" % ("FloatSave", self.FloatSave.__str__())
489 s += "%s: %x (%d)\n" % ("SegGs", self.SegGs, self.SegGs)
490 s += "%s: %x (%d)\n" % ("SegFs", self.SegFs, self.SegFs)
491 s += "%s: %x (%d)\n" % ("SegEs", self.SegEs, self.SegEs)
492 s += "%s: %x (%d)\n" % ("SegDs", self.SegDs, self.SegDs)
493 s += "%s: %x (%d)\n" % ("Edi", self.Edi, self.Edi)
494 s += "%s: %x (%d)\n" % ("Esi", self.Esi, self.Esi)
495 s += "%s: %x (%d)\n" % ("Ebx", self.Ebx, self.Ebx)
496 s += "%s: %x (%d)\n" % ("Edx", self.Edx, self.Edx)
497 s += "%s: %x (%d)\n" % ("Ecx", self.Ecx, self.Ecx)
498 s += "%s: %x (%d)\n" % ("Eax", self.Eax, self.Eax)
499 s += "%s: %x (%d)\n" % ("Ebp", self.Ebp, self.Ebp)
500 s += "%s: %x (%d)\n" % ("Eip", self.Eip, self.Eip)
501 s += "%s: %x (%d)\n" % ("SegCs", self.SegCs, self.SegCs)
502 s += "%s: %x (%d)\n" % ("EFlags", self.EFlags, self.EFlags)
503 s += "%s: %x (%d)\n" % ("Esp", self.Esp, self.Esp)
504 s += "%s: %x (%d)\n" % ("SegSs", self.SegSs, self.SegSs)
505 s += "%s: %s\n" % ("ExtendedRegisters", str(self.ExtendedRegisters))
506
507 return s
+2
-0
minidump/streams/ModuleListStream.py less more
5858 'BaseAddress',
5959 'Size',
6060 'Endaddress',
61 'Timestamp',
6162 ]
6263
6364 def to_row(self):
6667 '0x%08x' % self.baseaddress,
6768 hex(self.size),
6869 '0x%08x' % self.endaddress,
70 '0x%08x' % self.timestamp,
6971 ]
7072
7173
+4
-2
minidump/streams/__init__.py less more
00 from .CommentStreamA import *
11 from .CommentStreamW import *
2 from .ContextStream import *
23 from .ExceptionStream import *
34 from .FunctionTableStream import *
45 from .HandleDataStream import *
2324
2425 __CommentStreamA__ = ['CommentStreamA']
2526 __CommentStreamW__ = ['CommentStreamW']
27 __ContextStream__ = ['CONTEXT', 'CTX_DUMMYSTRUCTNAME', 'CTX_DUMMYUNIONNAME', 'M128A', 'NEON128', 'WOW64_CONTEXT', 'WOW64_FLOATING_SAVE_AREA', 'XMM_SAVE_AREA32']
2628 __ExceptionStream__ = ['ExceptionList']
2729 __FunctionTableStream__ = ['MINIDUMP_FUNCTION_TABLE_STREAM']
2830 __HandleDataStream__ = ['MinidumpHandleDataStream','MINIDUMP_HANDLE_DATA_STREAM']
3739 __ProcessVmCountersStream__ = []
3840 __SystemInfoStream__ = ['MinidumpSystemInfo','PROCESSOR_ARCHITECTURE','PROCESSOR_LEVEL', 'PRODUCT_TYPE', 'PLATFORM_ID','SUITE_MASK','MINIDUMP_SYSTEM_INFO']
3941 __SystemMemoryInfoStream__ = []
40 __ThreadExListStream__ = ['MINIDUMP_THREAD_EX', 'MINIDUMP_THREAD_EX_LIST']
42 __ThreadExListStream__ = ['MinidumpThreadExList', 'MINIDUMP_THREAD_EX', 'MINIDUMP_THREAD_EX_LIST']
4143 __ThreadInfoListStream__ = ['MinidumpThreadInfoList','MINIDUMP_THREAD_INFO_LIST', 'MINIDUMP_THREAD_INFO', 'DumpFlags']
4244 __ThreadListStream__ = ['MinidumpThreadList','MINIDUMP_THREAD', 'MINIDUMP_THREAD_LIST']
4345 __TokenStream__ = []
4446 __UnloadedModuleListStream__ = ['MinidumpUnloadedModuleList', 'MINIDUMP_UNLOADED_MODULE', 'MINIDUMP_UNLOADED_MODULE_LIST']
4547
46 __all__ = __CommentStreamA__ + __CommentStreamW__ + __ExceptionStream__ + __FunctionTableStream__ + __HandleDataStream__ + __HandleOperationListStream__ + __JavaScriptDataStream__ + __LastReservedStream__ + __Memory64ListStream__ + __MemoryInfoListStream__ + __MemoryListStream__ + __MiscInfoStream__ + __ModuleListStream__ + __ProcessVmCountersStream__ + __SystemInfoStream__ + __SystemMemoryInfoStream__ + __ThreadExListStream__ + __ThreadInfoListStream__ + __ThreadListStream__ + __TokenStream__ + __UnloadedModuleListStream__
48 __all__ = __CommentStreamA__ + __CommentStreamW__ + __ContextStream__ + __ExceptionStream__ + __FunctionTableStream__ + __HandleDataStream__ + __HandleOperationListStream__ + __JavaScriptDataStream__ + __LastReservedStream__ + __Memory64ListStream__ + __MemoryInfoListStream__ + __MemoryListStream__ + __MiscInfoStream__ + __ModuleListStream__ + __ProcessVmCountersStream__ + __SystemInfoStream__ + __SystemMemoryInfoStream__ + __ThreadExListStream__ + __ThreadInfoListStream__ + __ThreadListStream__ + __TokenStream__ + __UnloadedModuleListStream__
+1
-1
minidump/utils/createminidump.py less more
88 from ctypes.wintypes import HANDLE, BOOL, DWORD, HWND, HINSTANCE, HKEY, LPVOID, LPWSTR, PBOOL
99 from ctypes import c_ulong, c_char_p, c_int, c_void_p, WinError, get_last_error, windll
1010
11 from privileges import enable_debug_privilege
11 from minidump.utils.privileges import enable_debug_privilege
1212
1313 if platform.system() != 'Windows':
1414 raise Exception('This script will ovbiously only work on Windows')
+1
-1
minidump.egg-info/PKG-INFO less more
00 Metadata-Version: 1.2
11 Name: minidump
2 Version: 0.0.17
2 Version: 0.0.21
33 Summary: Python library to parse Windows minidump file format
44 Home-page: https://github.com/skelsec/minidump
55 Author: Tamas Jos
+1
-0
minidump.egg-info/SOURCES.txt less more
2525 minidump.egg-info/top_level.txt
2626 minidump/streams/CommentStreamA.py
2727 minidump/streams/CommentStreamW.py
28 minidump/streams/ContextStream.py
2829 minidump/streams/ExceptionStream.py
2930 minidump/streams/FunctionTableStream.py
3031 minidump/streams/HandleDataStream.py