24 """An Address Space for processing crash dump files."""
25
26 from rekall import addrspace
27 from rekall.plugins.overlays.windows import crashdump
28
29
30
31
33 """ This Address Space supports windows Crash Dump format """
# presumably the stacking priority the AS registry uses when auto-selecting
# address spaces — confirm in rekall.addrspace
34 order = 30
35
# 4 KiB page size; the BMP space further down uses the same value as the unit
# for run offsets and lengths
36 PAGE_SIZE = 0x1000
37
38
# Name-mangled class marker (_<Class>__image); presumably tells the registry
# that this space reads an image file rather than live memory — confirm in
# rekall.addrspace
39 __image = True
63
65 """Checks the base file handle for sanity."""
66
# The dump is read through the space this one is stacked on.
67 self.as_assert(self.base,
68 "Must stack on another address space")
69
70
# The first 8 bytes of the file carry the 32-bit dump signature.
71 self.as_assert((self.base.read(0, 8) == 'PAGEDUMP'),
72 "Header signature invalid")
73
74 self.profile = crashdump.CrashDump32Profile(
75 session=self.session)
76
# The header is parsed straight out of the dump file at self.offset; every
# field read from it below is attacker-controllable input.
77 self.header = self.profile.Object(
78 "_DMP_HEADER", offset=self.offset, vm=self.base)
79
80 if self.header.DumpType != "Full Dump":
81
82
# A non-full dump is rejected outright here; the 64-bit check only warns.
83 raise IOError("This is not a full memory crash dump. "
84 "Kernel crash dumps are not supported.")
85
86
88 """This AS supports windows Crash Dump format."""
# Same priority as the 32-bit space; presumably the differing signature
# checks (PAGEDUMP vs PAGEDU64) decide which one stacks — confirm
89 order = 30
90
91
# Name-mangled class marker, see the 32-bit space above — presumably marks
# this as an image-file reader; confirm in rekall.addrspace
92 __image = True
95 """Check specifically for 64 bit crash dumps."""
96
97
# NOTE(review): no `self.base` stacking assert here, unlike the 32-bit check;
# presumably inherited from the caller — confirm.
# 64-bit dumps carry a different 8-byte signature than 32-bit ones.
98 self.as_assert((self.base.read(0, 8) == 'PAGEDU64'),
99 "Header signature invalid")
100
101 self.profile = crashdump.CrashDump64Profile(
102 session=self.session)
103
# Guard against a profile that lacks the 64-bit header layout.
104 self.as_assert(self.profile.has_type("_DMP_HEADER64"),
105 "_DMP_HEADER64 not available in profile")
# Header is parsed straight out of the dump file; its fields are untrusted.
106 self.header = self.profile.Object("_DMP_HEADER64",
107 offset=self.offset, vm=self.base)
108
109
110
111
112
113
114
# Unlike the 32-bit check, a non-full dump is only logged here, not rejected.
115 if self.header.DumpType != "Full Dump":
116 self.session.logging.warning(
117 "This is not a full memory crash dump. Kernel crash dumps are "
118 "not supported.")
119
120
121
122
# NumberOfRuns is read from the dump header. The cap rejects the Win8
# layout (per the message) and also bounds how many runs get parsed from
# an untrusted file.
123 if self.header.PhysicalMemoryBlockBuffer.NumberOfRuns > 100:
124 raise RuntimeError(
125 "This crashdump file format is not supported. Rekall does not "
126 "currently support crashdumps using the Win8 format.")
127
128
130 """This Address Space supports the new windows Crash Dump format.
131
132 This format first appeared in Windows 8 x64 versions. We reversed this
133 format by examining the Crash dump file from a Windows 8 system.
134
135 Alternative implementations:
136 Volatility 2.4: crashbmp.py (not working at the time of writing).
137 """
138
# Lower than the PAGEDUMP/PAGEDU64 spaces (30); presumably this means it is
# tried first — confirm ordering semantics in rekall.addrspace
139 order = 25
140
# 4 KiB page size; run offsets and lengths in the run builder are multiples
# of this value
141 PAGE_SIZE = 0x1000
142
143
# Name-mangled class marker, as on the other crash-dump spaces — presumably
# marks this as an image-file reader; confirm in rekall.addrspace
144 __image = True
145
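def __init__(self, **kwargs):
    """Validate the BMP crash-dump header and map every present page to a run.

    Args:
      **kwargs: forwarded unchanged to the base address space.

    Raises:
      Whatever as_assert raises when the stacking, signature or DumpType
      checks fail.
    """
    super(WindowsCrashBMP, self).__init__(**kwargs)

    self.as_assert(self.base, "Must stack on another address space")

    # The first 8 bytes of the file carry the 64-bit dump signature.
    self.as_assert((self.base.read(0, 8) == 'PAGEDU64'),
                   "Header signature invalid")

    self.profile = crashdump.CrashDump64Profile(
        session=self.session)

    # NOTE(review): unlike the 32/64-bit checks this reads the header at the
    # default offset rather than self.offset — confirm that is intended.
    # Every field read from the header below is untrusted file content.
    self.header = self.profile.Object("_DMP_HEADER64", vm=self.base)
    self.as_assert(
        self.header.DumpType == "BMP Dump", "Only BMP dumps supported.")

    self.bmp_header = self.header.BMPHeader
    # Use the class constant instead of a same-valued local that shadowed it.
    page_size = self.PAGE_SIZE

    # Coalesce consecutive present PFNs into runs of the form
    # [physical start, file offset, length]. Absent pages are not stored in
    # the file, so file offsets advance contiguously from FirstPage by the
    # length of each flushed run.
    # NOTE(review): FirstPage and the Bitmap length come straight from the
    # header and are not bounded here, so a malformed dump can make this
    # loop very long; the 64-bit space caps NumberOfRuns at 100 by contrast.
    first_page = self.bmp_header.FirstPage.v()
    last_run = [0, first_page, 0]

    for pfn, present in enumerate(self._generate_bitmap()):
        if not present:
            continue

        phys = pfn * page_size
        if phys == last_run[0] + last_run[2]:
            # Adjacent to the current run: extend it by one page.
            last_run[2] += page_size
        else:
            # Gap: flush the current run if it holds anything, then start a
            # new one whose file offset follows the flushed data.
            if last_run[2] > 0:
                self.add_run(*last_run)
            last_run = [phys, last_run[1] + last_run[2], page_size]

    # Flush the trailing run.
    if last_run[2] > 0:
        self.add_run(*last_run)

    # Make the DTB available to the session without scanning for it.
    self.session.SetCache("dtb", self.header.DirectoryTableBase.v(),
                          volatile=False)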
190
191
def _generate_bitmap(self):
    """Yield one present/absent flag per page, in ascending page order.

    Each 32-bit word of the header Bitmap is walked from its least
    significant bit upwards; the caller enumerates the flags as PFNs.
    """
    for word in self.bmp_header.Bitmap:
        # Zero-padded binary rendering, reversed so the LSB comes first.
        bit_string = format(word.v(), "032b")
        for flag in bit_string[::-1]:
            yield flag == "1"
201