
synthesize a minidump from a full memory dump

James_Harper Member Posts: 1,615
I made a little program that takes a Xen core dump of a VM and synthesizes a Windows memory dump (full or kernel) from it. The VM doesn't even have to be crashed if my PV drivers are loaded, as they store the dump header, so I will always have at least one dump header available.

Can anyone guesstimate the amount of effort involved in creating a minidump from that data? I've had a quick look around at the various header definitions, and it looks like it would involve some deep scanning of the Xen core dump for (possibly) undocumented Windows structures, as opposed to the fairly simple pagetable walk that I do to create the full/kernel dump, so I'm thinking that the amount of effort involved is going to exceed its usefulness... but maybe I'm wrong?

Thanks

James

Comments

  • Steve_Prochniak-2 Member Posts: 26
    Hi James - I don't know the answer to this, but I'd probably go about it the same way that I initially did the xen->windbg crash debug synthesis...

    1) Cause the system to BSOD, generating a windows minidump
    2) do a xen core-dump and then create a full windows dump from that.
    3) put them in a binary editor (like in visual studio) and compare and contrast by hand. I'd probably use the minidump and search for like pages in the full dump. If you're lucky, the minidump will be some subset of the pages in the full dump, as opposed to some special formatted pages.

    It shouldn't take a lot of time to do the initial analysis. Though if you find that the pages in the minidump aren't wholesale pages that come from the full dump - it probably becomes a massive time sink to figure out.
  • Scott_Noone_(OSR) Administrator Posts: 3,135
    If you want to cheat, the .dump command in WinDBG can create a minidump
    while debugging a full or summary dump. It should be fairly straightforward
    to write a DbgEng application that opens your full/summary dump and then
    executes this command to generate the minidump.

    As an even lazier alternative, you can use kd and an initial command:

    kd.exe -z e:\Dumps\memory.dmp -c ".dump e:\dumps\mini.dmp ; q"
    ...
    Probably caused by : kbdhid.sys ( kbdhid!KbdHid_ReadComplete+d2 )

    Followup: MachineOwner
    ---------

    0: kd> kd: Reading initial command '.dump e:\mini.dmp ; q'
    Creating e:\mini.dmp - mini kernel dump
    Dump successfully written
    quit:

    -scott
    OSR

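The kd-driven route Scott describes, scripted in Python as an added example (not code from the thread or from OSR): it runs kd.exe with the same `-z` / `-c ".dump ... ; q"` form, checks for the "Dump successfully written" line, and then reads the resulting file's header to confirm it is a mini (triage) dump. It assumes kd.exe's install path and the DumpType offsets of the public DUMP_HEADER / DUMP_HEADER64 layout.

```python
"""Drive kd.exe to turn a full/kernel dump into a minidump, then sanity-check the result."""
import struct
import subprocess

# Kernel dump files start with "PAGE"+"DUMP" (32-bit) or "PAGE"+"DU64" (64-bit);
# DumpType lives at 0xf88 / 0xf98 respectively (public DUMP_HEADER layouts, assumed here).
DUMP_TYPE_OFFSET = {b"PAGEDUMP": 0xF88, b"PAGEDU64": 0xF98}
DUMP_TYPE_NAMES = {1: "full", 2: "kernel (summary)", 3: "header only",
                   4: "mini (triage)", 5: "bitmap full"}
KD_EXE = r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe"  # assumed path


def kd_argv(full_dump: str, mini_dump: str, kd_exe: str = KD_EXE) -> list:
    """Argument vector for: kd.exe -z <full> -c ".dump <mini> ; q" (as in the thread)."""
    return [kd_exe, "-z", full_dump, "-c", f".dump {mini_dump} ; q"]


def kd_succeeded(kd_output: str) -> bool:
    """kd prints 'Dump successfully written' once .dump has completed."""
    return "Dump successfully written" in kd_output


def describe_dump_header(header: bytes) -> tuple:
    """Return (signature, dump kind) from the first page of a kernel dump file."""
    sig = header[:8]
    off = DUMP_TYPE_OFFSET.get(sig)
    if off is None or len(header) < off + 4:
        raise ValueError("not a Windows kernel dump header")
    dump_type = struct.unpack_from("<I", header, off)[0]
    return sig.decode("ascii"), DUMP_TYPE_NAMES.get(dump_type, f"unknown ({dump_type})")


def synthesize_minidump(full_dump: str, mini_dump: str) -> tuple:
    """Run kd, then confirm the output really is a triage dump (raises on failure)."""
    proc = subprocess.run(kd_argv(full_dump, mini_dump),
                          capture_output=True, text=True, timeout=600)
    if not kd_succeeded(proc.stdout):
        raise RuntimeError("kd did not report success:\n" + proc.stdout[-2000:])
    with open(mini_dump, "rb") as f:
        return describe_dump_header(f.read(0x1000))


if __name__ == "__main__":
    print(synthesize_minidump(r"e:\Dumps\memory.dmp", r"e:\dumps\mini.dmp"))
```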
