
  1  # Rekall Memory Forensics 
  2  # Copyright 2014 Google Inc. All Rights Reserved. 
  3  # 
  4  # This program is free software; you can redistribute it and/or modify 
  5  # it under the terms of the GNU General Public License as published by 
  6  # the Free Software Foundation; either version 2 of the License, or (at 
  7  # your option) any later version. 
  8  # 
  9  # This program is distributed in the hope that it will be useful, but 
 10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 12  # General Public License for more details. 
 13  # 
 14  # You should have received a copy of the GNU General Public License 
 15  # along with this program; if not, write to the Free Software 
 16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 17  # 
 18   
 19  """This file adds support for windows debugging related data. 
 20   
 21  1) Support for Crash Dump files. 
 22  2) Support for Kernel Debugger Data Block and related structures. 
 23  """ 
 24   
 25  import copy 
 26   
 27  from rekall import obj 
 28  from rekall.plugins.overlays import basic 
 29  from rekall_lib import utils 
 30   
 31   
# Raw layouts for the 32-bit (I386) crash dump header and for the kernel
# debugger data block.  Each entry is ``name: [struct_size, {field:
# [offset, type]}]`` with offsets in bytes from the start of the struct.
# These are installed into every profile by InstallKDDebuggerProfile;
# on AMD64 some of them are replaced by the entries in ``vtypes64``.
vtypes = {
    ## These types are for crash dumps
    # The dump header occupies the first page (0x1000 bytes) of the file.
    '_DMP_HEADER' : [0x1000, {
        'Signature' : [0x0, ['array', 4, ['unsigned char']]],
        'ValidDump' : [0x4, ['array', 4, ['unsigned char']]],
        'MajorVersion' : [0x8, ['unsigned long']],
        'MinorVersion' : [0xc, ['unsigned long']],
        'DirectoryTableBase' : [0x10, ['unsigned long']],
        'PfnDataBase' : [0x14, ['unsigned long']],
        'PsLoadedModuleList' : [0x18, ['unsigned long']],
        'PsActiveProcessHead' : [0x1c, ['unsigned long']],
        'MachineImageType' : [0x20, ['unsigned long']],
        'NumberProcessors' : [0x24, ['unsigned long']],
        'BugCheckCode' : [0x28, ['unsigned long']],
        'BugCheckCodeParameter' : [0x2c, ['array', 4, ['unsigned long']]],
        'VersionUser' : [0x3c, ['array', 32, ['unsigned char']]],
        'PaeEnabled' : [0x5c, ['unsigned char']],
        'KdSecondaryVersion' : [0x5d, ['unsigned char']],
        'VersionUser2' : [0x5e, ['array', 2, ['unsigned char']]],
        'KdDebuggerDataBlock' : [0x60, ['unsigned long']],
        # Inline descriptor of the physical memory runs stored in the dump.
        'PhysicalMemoryBlockBuffer' : [0x64, ['_PHYSICAL_MEMORY_DESCRIPTOR']],
        'ContextRecord' : [0x320, ['array', 1200, ['unsigned char']]],
        'Exception' : [0x7d0, ['_EXCEPTION_RECORD32']],
        'Comment' : [0x820, ['array', 128, ['unsigned char']]],
        # Interpreted as an Enumeration by the overlay below.
        'DumpType' : [0xf88, ['unsigned long']],
        'MiniDumpFields' : [0xf8c, ['unsigned long']],
        'SecondaryDataState' : [0xf90, ['unsigned long']],
        'ProductType' : [0xf94, ['unsigned long']],
        'SuiteMask' : [0xf98, ['unsigned long']],
        'WriterStatus' : [0xf9c, ['unsigned long']],
        'RequiredDumpSpace' : [0xfa0, ['unsigned long long']],
        'SystemUpTime' : [0xfb8, ['unsigned long long']],
        'SystemTime' : [0xfc0, ['unsigned long long']],
        'reserved3' : [0xfc8, ['array', 56, ['unsigned char']]],
    }],

    # Header of the run table.  Declared with a single Run element; the
    # overlay below resizes the array from NumberOfRuns, which is read
    # straight from the dump file and so is untrusted input.
    '_PHYSICAL_MEMORY_DESCRIPTOR' : [0x10, {
        'NumberOfRuns' : [0x0, ['unsigned long']],
        'NumberOfPages' : [0x4, ['unsigned long']],
        'Run' : [0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]],
    }],
    # One contiguous range of physical pages present in the dump.
    '_PHYSICAL_MEMORY_RUN' : [0x8, {
        'BasePage' : [0x0, ['unsigned long']],
        'PageCount' : [0x4, ['unsigned long']],
    }],

    '_EXCEPTION_RECORD32' : [0x50, {
        'ExceptionCode' : [0x0, ['long']],
        'ExceptionFlags' : [0x4, ['unsigned long']],
        'ExceptionRecord' : [0x8, ['unsigned long']],
        'ExceptionAddress' : [0xc, ['unsigned long']],
        'NumberParameters' : [0x10, ['unsigned long']],
        'ExceptionInformation' : [0x14, ['array', 15, ['unsigned long']]],
    }],

    # Common header of the debugger data block.  OwnerTag is the 4-byte
    # tag checked by _KDDEBUGGER_DATA64.is_valid().
    '_DBGKD_DEBUG_DATA_HEADER64' : [0x18, {
        'List' : [0x0, ['LIST_ENTRY64']],
        'OwnerTag' : [0x10, ['String', dict(length=4)]],
        'Size' : [0x14, ['unsigned long']],
    }],

    # The kernel debugger data block (KDBG).  By name, the 64-bit fields
    # hold kernel addresses of the listed symbols and the 16-bit
    # ``Offset*``/``Size*`` fields hold structure offsets and sizes; the
    # same 64-bit layout is used regardless of the target architecture.
    '_KDDEBUGGER_DATA64' : [0x340, {
        'Header' : [0x0, ['_DBGKD_DEBUG_DATA_HEADER64']],
        'KernBase' : [0x18, ['unsigned long long']],
        'BreakpointWithStatus' : [0x20, ['unsigned long long']],
        'SavedContext' : [0x28, ['unsigned long long']],
        'ThCallbackStack' : [0x30, ['unsigned short']],
        'NextCallback' : [0x32, ['unsigned short']],
        'FramePointer' : [0x34, ['unsigned short']],
        'KiCallUserMode' : [0x38, ['unsigned long long']],
        'KeUserCallbackDispatcher' : [0x40, ['unsigned long long']],
        'PsLoadedModuleList' : [0x48, ['unsigned long long']],
        'PsActiveProcessHead' : [0x50, ['unsigned long long']],
        'PspCidTable' : [0x58, ['unsigned long long']],
        'ExpSystemResourcesList' : [0x60, ['unsigned long long']],
        'ExpPagedPoolDescriptor' : [0x68, ['unsigned long long']],
        'ExpNumberOfPagedPools' : [0x70, ['unsigned long long']],
        'KeTimeIncrement' : [0x78, ['unsigned long long']],
        'KeBugCheckCallbackListHead' : [0x80, ['unsigned long long']],
        'KiBugCheckData' : [0x88, ['unsigned long long']],
        'IopErrorLogListHead' : [0x90, ['unsigned long long']],
        'ObpRootDirectoryObject' : [0x98, ['unsigned long long']],
        'ObpTypeObjectType' : [0xa0, ['unsigned long long']],
        'MmSystemCacheStart' : [0xa8, ['unsigned long long']],
        'MmSystemCacheEnd' : [0xb0, ['unsigned long long']],
        'MmSystemCacheWs' : [0xb8, ['unsigned long long']],
        'MmPfnDatabase' : [0xc0, ['unsigned long long']],
        'MmSystemPtesStart' : [0xc8, ['unsigned long long']],
        'MmSystemPtesEnd' : [0xd0, ['unsigned long long']],
        'MmSubsectionBase' : [0xd8, ['unsigned long long']],
        'MmNumberOfPagingFiles' : [0xe0, ['unsigned long long']],
        'MmLowestPhysicalPage' : [0xe8, ['unsigned long long']],
        'MmHighestPhysicalPage' : [0xf0, ['unsigned long long']],
        'MmNumberOfPhysicalPages' : [0xf8, ['unsigned long long']],
        'MmMaximumNonPagedPoolInBytes' : [0x100, ['unsigned long long']],
        'MmNonPagedSystemStart' : [0x108, ['unsigned long long']],
        'MmNonPagedPoolStart' : [0x110, ['unsigned long long']],
        'MmNonPagedPoolEnd' : [0x118, ['unsigned long long']],
        'MmPagedPoolStart' : [0x120, ['unsigned long long']],
        'MmPagedPoolEnd' : [0x128, ['unsigned long long']],
        'MmPagedPoolInformation' : [0x130, ['unsigned long long']],
        'MmPageSize' : [0x138, ['unsigned long long']],
        'MmSizeOfPagedPoolInBytes' : [0x140, ['unsigned long long']],
        'MmTotalCommitLimit' : [0x148, ['unsigned long long']],
        'MmTotalCommittedPages' : [0x150, ['unsigned long long']],
        'MmSharedCommit' : [0x158, ['unsigned long long']],
        'MmDriverCommit' : [0x160, ['unsigned long long']],
        'MmProcessCommit' : [0x168, ['unsigned long long']],
        'MmPagedPoolCommit' : [0x170, ['unsigned long long']],
        'MmExtendedCommit' : [0x178, ['unsigned long long']],
        'MmZeroedPageListHead' : [0x180, ['unsigned long long']],
        'MmFreePageListHead' : [0x188, ['unsigned long long']],
        'MmStandbyPageListHead' : [0x190, ['unsigned long long']],
        'MmModifiedPageListHead' : [0x198, ['unsigned long long']],
        'MmModifiedNoWritePageListHead' : [0x1a0, ['unsigned long long']],
        'MmAvailablePages' : [0x1a8, ['unsigned long long']],
        'MmResidentAvailablePages' : [0x1b0, ['unsigned long long']],
        'PoolTrackTable' : [0x1b8, ['unsigned long long']],
        'NonPagedPoolDescriptor' : [0x1c0, ['unsigned long long']],
        'MmHighestUserAddress' : [0x1c8, ['unsigned long long']],
        'MmSystemRangeStart' : [0x1d0, ['unsigned long long']],
        'MmUserProbeAddress' : [0x1d8, ['unsigned long long']],
        'KdPrintCircularBuffer' : [0x1e0, ['unsigned long long']],
        'KdPrintCircularBufferEnd' : [0x1e8, ['unsigned long long']],
        'KdPrintWritePointer' : [0x1f0, ['unsigned long long']],
        'KdPrintRolloverCount' : [0x1f8, ['unsigned long long']],
        'MmLoadedUserImageList' : [0x200, ['unsigned long long']],
        # Overlaid below as a pointer to a 32-byte String.
        'NtBuildLab' : [0x208, ['unsigned long long']],
        'KiNormalSystemCall' : [0x210, ['unsigned long long']],
        # Overlaid below as a pointer to the per-CPU _KPRCB pointer array.
        'KiProcessorBlock' : [0x218, ['unsigned long long']],
        'MmUnloadedDrivers' : [0x220, ['unsigned long long']],
        'MmLastUnloadedDriver' : [0x228, ['unsigned long long']],
        'MmTriageActionTaken' : [0x230, ['unsigned long long']],
        'MmSpecialPoolTag' : [0x238, ['unsigned long long']],
        'KernelVerifier' : [0x240, ['unsigned long long']],
        'MmVerifierData' : [0x248, ['unsigned long long']],
        'MmAllocatedNonPagedPool' : [0x250, ['unsigned long long']],
        'MmPeakCommitment' : [0x258, ['unsigned long long']],
        'MmTotalCommitLimitMaximum' : [0x260, ['unsigned long long']],
        # Read by _KDDEBUGGER_DATA64.ServicePack.
        'CmNtCSDVersion' : [0x268, ['unsigned long long']],
        'MmPhysicalMemoryBlock' : [0x270, ['unsigned long long']],
        'MmSessionBase' : [0x278, ['unsigned long long']],
        'MmSessionSize' : [0x280, ['unsigned long long']],
        'MmSystemParentTablePage' : [0x288, ['unsigned long long']],
        'MmVirtualTranslationBase' : [0x290, ['unsigned long long']],
        'OffsetKThreadNextProcessor' : [0x298, ['unsigned short']],
        'OffsetKThreadTeb' : [0x29a, ['unsigned short']],
        'OffsetKThreadKernelStack' : [0x29c, ['unsigned short']],
        'OffsetKThreadInitialStack' : [0x29e, ['unsigned short']],
        'OffsetKThreadApcProcess' : [0x2a0, ['unsigned short']],
        'OffsetKThreadState' : [0x2a2, ['unsigned short']],
        'OffsetKThreadBStore' : [0x2a4, ['unsigned short']],
        'OffsetKThreadBStoreLimit' : [0x2a6, ['unsigned short']],
        'SizeEProcess' : [0x2a8, ['unsigned short']],
        'OffsetEprocessPeb' : [0x2aa, ['unsigned short']],
        'OffsetEprocessParentCID' : [0x2ac, ['unsigned short']],
        'OffsetEprocessDirectoryTableBase' : [0x2ae, ['unsigned short']],
        'SizePrcb' : [0x2b0, ['unsigned short']],
        'OffsetPrcbDpcRoutine' : [0x2b2, ['unsigned short']],
        'OffsetPrcbCurrentThread' : [0x2b4, ['unsigned short']],
        'OffsetPrcbMhz' : [0x2b6, ['unsigned short']],
        'OffsetPrcbCpuType' : [0x2b8, ['unsigned short']],
        'OffsetPrcbVendorString' : [0x2ba, ['unsigned short']],
        'OffsetPrcbProcStateContext' : [0x2bc, ['unsigned short']],
        'OffsetPrcbNumber' : [0x2be, ['unsigned short']],
        'SizeEThread' : [0x2c0, ['unsigned short']],
        'KdPrintCircularBufferPtr' : [0x2c8, ['unsigned long long']],
        'KdPrintBufferSize' : [0x2d0, ['unsigned long long']],
        'KeLoaderBlock' : [0x2d8, ['unsigned long long']],
        'SizePcr' : [0x2e0, ['unsigned short']],
        'OffsetPcrSelfPcr' : [0x2e2, ['unsigned short']],
        'OffsetPcrCurrentPrcb' : [0x2e4, ['unsigned short']],
        'OffsetPcrContainedPrcb' : [0x2e6, ['unsigned short']],
        'OffsetPcrInitialBStore' : [0x2e8, ['unsigned short']],
        'OffsetPcrBStoreLimit' : [0x2ea, ['unsigned short']],
        'OffsetPcrInitialStack' : [0x2ec, ['unsigned short']],
        'OffsetPcrStackLimit' : [0x2ee, ['unsigned short']],
        'OffsetPrcbPcrPage' : [0x2f0, ['unsigned short']],
        'OffsetPrcbProcStateSpecialReg' : [0x2f2, ['unsigned short']],
        'GdtR0Code' : [0x2f4, ['unsigned short']],
        'GdtR0Data' : [0x2f6, ['unsigned short']],
        'GdtR0Pcr' : [0x2f8, ['unsigned short']],
        'GdtR3Code' : [0x2fa, ['unsigned short']],
        'GdtR3Data' : [0x2fc, ['unsigned short']],
        'GdtR3Teb' : [0x2fe, ['unsigned short']],
        'GdtLdt' : [0x300, ['unsigned short']],
        'GdtTss' : [0x302, ['unsigned short']],
        'Gdt64R3CmCode' : [0x304, ['unsigned short']],
        'Gdt64R3CmTeb' : [0x306, ['unsigned short']],
        'IopNumTriageDumpDataBlocks' : [0x308, ['unsigned long long']],
        'IopTriageDumpDataBlocks' : [0x310, ['unsigned long long']],
        'VfCrashDataBlock' : [0x318, ['unsigned long long']],
        'MmBadPagesDetected' : [0x320, ['unsigned long long']],
        'MmZeroedPageSingleBitErrorsDetected' : [0x328, ['unsigned long long']],
        'EtwpDebuggerData' : [0x330, ['unsigned long long']],
        'OffsetPrcbContext' : [0x338, ['unsigned short']],
    }],
}
230   
231   
# Layouts that replace same-named entries of ``vtypes`` on AMD64 profiles
# (InstallKDDebuggerProfile adds them after ``vtypes``).  The 64-bit dump
# header spans two pages and the run, descriptor and exception record
# structures widen their address-sized fields to 64 bits.
vtypes64 = {
    '_DMP_HEADER64' : [0x2000, {
        'Signature' : [0x0, ['array', 4, ['unsigned char']]],
        'ValidDump' : [0x4, ['array', 4, ['unsigned char']]],
        'MajorVersion' : [0x8, ['unsigned long']],
        'MinorVersion' : [0xc, ['unsigned long']],
        'DirectoryTableBase' : [0x10, ['unsigned long long']],
        'PfnDataBase' : [0x18, ['unsigned long long']],
        'PsLoadedModuleList' : [0x20, ['unsigned long long']],
        'PsActiveProcessHead' : [0x28, ['unsigned long long']],
        'MachineImageType' : [0x30, ['unsigned long']],
        'NumberProcessors' : [0x34, ['unsigned long']],
        'BugCheckCode' : [0x38, ['unsigned long']],
        'BugCheckCodeParameter' : [0x40, ['array', 4, ['unsigned long long']]],
        'KdDebuggerDataBlock' : [0x80, ['unsigned long long']],
        # Inline run table; its Run array is sized by the overlay from
        # NumberOfRuns, a value read from the dump file.
        'PhysicalMemoryBlockBuffer' : [0x88, ['_PHYSICAL_MEMORY_DESCRIPTOR']],
        'ContextRecord' : [0x348, ['array', 3000, ['unsigned char']]],
        'Exception' : [0xf00, ['_EXCEPTION_RECORD64']],
        'DumpType' : [0xf98, ['unsigned long']],
        'RequiredDumpSpace' : [0xfa0, ['unsigned long long']],
        'SystemTime' : [0xfa8, ['unsigned long long']],
        'Comment' : [0xfb0, ['array', 128, ['unsigned char']]],
        'SystemUpTime' : [0x1030, ['unsigned long long']],
        'MiniDumpFields' : [0x1038, ['unsigned long']],
        'SecondaryDataState' : [0x103c, ['unsigned long']],
        'ProductType' : [0x1040, ['unsigned long']],
        'SuiteMask' : [0x1044, ['unsigned long']],
        'WriterStatus' : [0x1048, ['unsigned long']],
        'Unused1' : [0x104c, ['unsigned char']],
        'KdSecondaryVersion' : [0x104d, ['unsigned char']],
        'Unused' : [0x104e, ['array', 2, ['unsigned char']]],
        '_reserved0' : [0x1050, ['array', 4016, ['unsigned char']]],

        # If the dump is a BMP dump, this is the location of the
        # _BMP_DUMP_HEADER.  It starts at 0x2000, i.e. immediately after
        # this 0x2000-byte header.
        'BMPHeader': [0x2000, ["_BMP_DUMP_HEADER"]],
    }],

    '_PHYSICAL_MEMORY_DESCRIPTOR' : [0x20, {
        'NumberOfRuns' : [0x0, ['unsigned long']],
        'NumberOfPages' : [0x8, ['unsigned long long']],
        'Run' : [0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]],
    }],

    '_PHYSICAL_MEMORY_RUN' : [0x10, {
        'BasePage' : [0x0, ['unsigned long long']],
        'PageCount' : [0x8, ['unsigned long long']],
    }],

    '_EXCEPTION_RECORD64' : [0x98, {
        'ExceptionCode' : [0x0, ['long']],
        'ExceptionFlags' : [0x4, ['unsigned long']],
        'ExceptionRecord' : [0x8, ['unsigned long long']],
        'ExceptionAddress' : [0x10, ['unsigned long long']],
        'NumberParameters' : [0x18, ['unsigned long']],
        '__unusedAlignment' : [0x1c, ['unsigned long']],
        'ExceptionInformation' : [0x20, ['array', 15, ['unsigned long long']]],
    }],

    # NOTE: The following struct was reverse engineered by looking at a
    # crash dump file.  Therefore the names are probably not consistent
    # with the Windows source code.
    '_BMP_DUMP_HEADER': [0x38, {
        # Should be FDMP
        'Signature': [0x0, ['String', dict(
            length=4,
            term=None,
            )]],

        # Should be DUMP
        'ValidDump': [0x4, ['String', dict(
            length=4,
            term=None,
            )]],

        # The offset of the first page in the file.
        'FirstPage': [0x20, ['unsigned long long']],

        # Total number of pages present in the bitmap.
        'TotalPresentPages': [0x28, ['unsigned long long']],

        # Total number of pages in image. This dictates the total size of the
        # bitmap. This is not the same as the TotalPresentPages which is only
        # the sum of the bits set to 1.
        'Pages': [0x30, ['unsigned long long']],

        # One bit per page, stored as 32-bit words.  The word count comes
        # from a file-supplied field, so anything that materialises the
        # bitmap should bound it against the actual file size.
        # NOTE(review): ``/`` is integer division only on Python 2; under
        # Python 3 this yields a float count -- confirm the interpreter.
        'Bitmap': [0x38, ['Array', dict(
            count=lambda x: x.Pages/32 + 1,
            target="unsigned int",
            )]],
        }],
}
324   
325   
326  # Reference: 
327  # http://computer.forensikblog.de/en/2006/03/dmp-file-structure.html 
def _run_count(descriptor):
    """Size the Run array from the descriptor's own NumberOfRuns field."""
    return descriptor.NumberOfRuns


def _processor_block_slots(kdbg):
    """KiProcessorBlock has 64 slots on AMD64 profiles and 32 otherwise."""
    if kdbg.obj_profile.metadata("arch") == "AMD64":
        return 64
    return 32


# Overlays refine the raw vtypes above with richer types: the dump
# signature bytes become strings, SystemTime becomes a WinFileTime,
# DumpType an Enumeration, and the KDBG address fields get typed
# pointer targets.  (A None in the offset slot presumably keeps the
# offset of the underlying vtype -- Rekall overlay convention.)
overlays = {
    "_DMP_HEADER": [None, {
        'Signature': [None, ['String', {'length': 4}]],
        'ValidDump': [None, ['String', {'length': 4}]],
        'SystemTime': [None, ['WinFileTime']],
        'DumpType': [None, ['Enumeration', {
            'choices': {
                1: "Full Dump",
                2: "Kernel Dump",
                5: "BMP Dump",
            },
            'target': 'unsigned int'}]],
    }],

    # NumberOfRuns is read from the dump file, so the resulting array
    # length is untrusted input to whatever walks the runs.
    '_PHYSICAL_MEMORY_DESCRIPTOR': [None, {
        'Run': [None, ['Array', {
            'count': _run_count,
            'target': '_PHYSICAL_MEMORY_RUN'}]],
    }],

    '_KDDEBUGGER_DATA64': [None, {
        # Points at a fixed-width (32 byte) build lab string.
        'NtBuildLab': [None, ['pointer', ['String', {'length': 32}]]],

        # Pointer to the per-CPU array of _KPRCB pointers; walked by
        # _KDDEBUGGER_DATA64.kpcrs().
        'KiProcessorBlock': [None, ['Pointer', {
            'target': 'Array',
            'target_args': {
                'count': _processor_block_slots,
                'target': 'Pointer',
                'target_args': {'target': '_KPRCB'},
            },
        }]],

        # Double indirection: the field points at a pointer to the
        # descriptor.
        'MmPhysicalMemoryBlock': [None, ['Pointer', {
            'target': 'Pointer',
            'target_args': {'target': '_PHYSICAL_MEMORY_DESCRIPTOR'},
        }]],
        'PsActiveProcessHead': [None, ['Pointer', {'target': 'LIST_ENTRY64'}]],
    }],
}

# The 64-bit header uses the same overlay; it is copied rather than
# aliased so the two entries remain independent objects.
overlays['_DMP_HEADER64'] = copy.deepcopy(overlays['_DMP_HEADER'])
class _KDDEBUGGER_DATA64(obj.Struct):
    """The kernel debugger data block (KDBG).

    Adds the lookups that hang off the raw _KDDEBUGGER_DATA64 layout: the
    service pack number, the matching _DBGKD_GET_VERSION64 record and the
    per-processor _KPCR structures.
    """

    def is_valid(self):
        """Return whether the struct validates and carries the KDBG tag.

        NOTE(review): OwnerTag is declared as a 4-byte String in ``vtypes``
        while the constant compared here is "KDBG" packed as a little-endian
        integer; this relies on the String type's comparison semantics --
        confirm it evaluates true for a genuine block.
        """
        struct_ok = super(_KDDEBUGGER_DATA64, self).is_valid()
        # 0x4742444B is "KDBG" read as a little-endian 32-bit value.
        return struct_ok and self.Header.OwnerTag == 0x4742444B

    @utils.safe_property
    def ServicePack(self):
        """Return the service pack number encoded in CmNtCSDVersion.

        The value has the form 0x100 for SP1, 0x200 for SP2 and so on.
        """
        csd_version = self.obj_profile.Object(
            "unsigned long", offset=self.CmNtCSDVersion, vm=self.obj_vm)
        # The service pack number sits above the low byte of the CSD value.
        return (csd_version >> 8) & 0xffffffff

    def dbgkd_version64(self):
        """Locate the _DBGKD_GET_VERSION64 record belonging to this KDBG.

        The search is confined to the page that holds the KDBG and steps
        one byte at a time; a candidate is accepted when its KernBase and
        PsLoadedModuleList agree with this block's.  Returns a NoneObject
        when the page contains no match.
        """
        # Account for address masking differences between x86 and x64:
        # on I386 only the low 32 bits of the 64-bit fields are compared.
        arch = self.obj_profile.metadata('arch', 'I386')

        page_start = self.obj_offset & 0xFFFFFFFFFFFFF000
        page_end = page_start + 0x1000
        record_size = self.obj_profile.get_obj_size("_DBGKD_GET_VERSION64")
        # Last offset at which a whole record still fits inside the page.
        last_start = page_end - record_size

        candidate_off = page_start
        while candidate_off <= last_start:
            candidate = self.obj_profile.Object(
                "_DBGKD_GET_VERSION64", offset=candidate_off, vm=self.obj_vm)

            if arch == "I386":
                kern_base = candidate.KernBase & 0xFFFFFFFF
                module_list = candidate.PsLoadedModuleList & 0xFFFFFFFF
            else:
                kern_base = candidate.KernBase
                module_list = candidate.PsLoadedModuleList

            if (kern_base == self.KernBase and
                    module_list == self.PsLoadedModuleList):
                return candidate

            candidate_off += 1

        return obj.NoneObject("Cannot find _DBGKD_GET_VERSION64")

    def kpcrs(self):
        """Yield the _KPCR of every processor listed in KiProcessorBlock.

        Entries come out in the order the processors were registered.
        """
        # _KPCR embeds its _KPRCB under a different member name on x86.
        if self.obj_profile.metadata('arch') == 'I386':
            prcb_member = "PrcbData"
        else:
            prcb_member = "Prcb"

        for prcb_ptr in self.KiProcessorBlock.dereference():
            # A null pointer terminates the CPU list.  Page 0 is not
            # valid in the kernel address space, so this single test
            # covers both a NoneObject and a genuine null pointer.
            if not prcb_ptr:
                break

            kprcb = prcb_ptr.dereference_as("_KPRCB")
            # Walk back from the embedded _KPRCB to the enclosing _KPCR.
            prcb_delta = self.obj_profile.get_obj_offset("_KPCR", prcb_member)
            yield self.obj_profile.Object(
                "_KPCR",
                offset=kprcb.obj_offset - prcb_delta,
                vm=self.obj_vm)
463 464 -class CrashDump32Profile(basic.Profile32Bits, basic.BasicClasses):
465 """A profile for crash dumps.""" 466 467 @classmethod
468 - def Initialize(cls, profile):
473
474 475 -class CrashDump64Profile(basic.ProfileLLP64, basic.BasicClasses):
476 """A profile for crash dumps.""" 477 478 @classmethod
479 - def Initialize(cls, profile):
484
def InstallKDDebuggerProfile(profile):
    """Install the crash dump and kernel debugger types into *profile*.

    The debugger data block layout changes little across Windows releases
    (presumably to let a single WinDbg handle all of them), so the same
    ``vtypes`` go into every profile.  AMD64 profiles additionally get the
    widened ``vtypes64`` definitions, added afterwards so that they take
    precedence over the same-named 32-bit entries.
    """
    type_sets = [vtypes]
    # 64-bit builds widen the dump header, memory runs and exception record.
    if profile.metadata("arch") == "AMD64":
        type_sets.append(vtypes64)

    for type_set in type_sets:
        profile.add_types(type_set)

    profile.add_overlay(overlays)
    profile.add_classes(dict(_KDDEBUGGER_DATA64=_KDDEBUGGER_DATA64))