Read an embedded resource

I have seen many dumps where the output of lm is like so:

0: kd> lmDvmMyDrv
Browse full module list
start end module name
fffff802f67e00000 fffff802f67fc000 MyDrv T (private pdb symbols) C:\ProgramData\Dbg\sym\MyDrv.pdb\1E8296A5E1ABCD66E9DC9C86CACDFE1\MyDrv.pdb
Loaded symbol image file: MyDrv.sys
Image path: ??\C:\TestBin\MyDrv.sys
Image name: MyDrv.sys
Browse all global symbols functions data
Timestamp: ***** Invalid (F7D8FE12)
CheckSum: 0001B845
ImageSize: 0001C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.

Is it possible to parse the embedded resource inside the binary of the crash dump to dig out the version_info?

Yes, possible and has been discussed in this list long ago. Stamped as “undocumented hack” and rejected :wink:

Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.
A good question. This part of the PE header should stay and remain untouched.

– pa

@Pavel_A said:
Yes, possible and has been discussed in this list long ago. Stamped as “undocumented hack” and rejected :wink:

If you still find that link, please share, desperate times need desperate measures

Albert,

I don’t remember that a ready code or recipe was posted.
You’ll need to find the PE header of the (driver) module and parse the resource directory.
Low level equivalent of https://docs.microsoft.com/en-us/windows/win32/menurc/enumerating-resources
Something like this …
https://doxygen.reactos.org/dd/df8/dll_2ntdll_2rtl_2libsupp_8c.html#acf86b1403421d035fc01e3dab69cee84

– pa
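As an added illustration of the approach Pavel describes (not code from this thread or from the ReactOS source it links), the Python below walks a module's PE header to its RT_VERSION resource and pulls out VS_FIXEDFILEINFO together with the COFF TimeDateStamp. It assumes the module is given as it is mapped in memory (RVA equals offset from the image base, as when you save the module's range out of a dump that actually contains the image bytes); `version_from_image` and `build_test_image` are names chosen here, and the test image is a constructed minimal PE32+ that only carries a version resource.

```python
import struct

RT_VERSION, VS_FFI_SIGNATURE = 16, 0xFEEF04BD
VS_KEY = "VS_VERSION_INFO".encode("utf-16-le") + b"\0\0"   # szKey of VS_VERSIONINFO

def rsrc_child(img, base, dir_off, want=None):
    """Offset (relative to the resource section) of the entry with id `want`, or of the first entry."""
    n_named, n_ids = struct.unpack_from("<HH", img, base + dir_off + 12)
    for i in range(n_named + n_ids):
        ident, off = struct.unpack_from("<II", img, base + dir_off + 16 + 8 * i)
        if want is None or ident == want:
            return off & 0x7FFFFFFF            # high bit marks a subdirectory; strip it
    raise ValueError("resource entry not found")

def version_from_image(img):
    """(COFF TimeDateStamp, file version) of a module given as mapped in memory (RVA == offset)."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    timestamp = struct.unpack_from("<I", img, e_lfanew + 8)[0]      # IMAGE_FILE_HEADER.TimeDateStamp
    opt = e_lfanew + 24                                              # IMAGE_OPTIONAL_HEADER
    is_pe32plus = struct.unpack_from("<H", img, opt)[0] == 0x20B
    rsrc = struct.unpack_from("<I", img, opt + (0x70 if is_pe32plus else 0x60) + 8 * 2)[0]  # DataDirectory[2]
    node = rsrc_child(img, rsrc, 0, RT_VERSION)                     # type -> name -> language -> data entry
    node = rsrc_child(img, rsrc, rsrc_child(img, rsrc, node))
    data_rva, size = struct.unpack_from("<II", img, rsrc + node)     # IMAGE_RESOURCE_DATA_ENTRY
    blob = img[data_rva:data_rva + size]
    # VS_VERSIONINFO: wLength, wValueLength, wType, szKey, DWORD padding, then VS_FIXEDFILEINFO
    sig, _, fv_ms, fv_ls = struct.unpack_from("<4I", blob, (6 + len(VS_KEY) + 3) & ~3)
    if sig != VS_FFI_SIGNATURE:
        raise ValueError("bad VS_FIXEDFILEINFO signature")
    return timestamp, (fv_ms >> 16, fv_ms & 0xFFFF, fv_ls >> 16, fv_ls & 0xFFFF)

def build_test_image(file_version=(1, 2, 3, 4), timestamp=0xF7D8FE12):
    """Constructed minimal PE32+ image (not a real driver) carrying only an RT_VERSION resource."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                          # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, timestamp, 0, 0, 0xF0, 0x22)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x58, 0x20B)                                         # PE32+ magic
    struct.pack_into("<II", img, 0x58 + 0x70 + 8 * 2, 0x200, 0x100)                  # resource DataDirectory
    ffi = struct.pack("<13I", VS_FFI_SIGNATURE, 0x10000, file_version[0] << 16 | file_version[1],
                      file_version[2] << 16 | file_version[3], *([0] * 9))
    blob = struct.pack("<HHH", 8 + len(VS_KEY) + len(ffi), len(ffi), 0) + VS_KEY + b"\0\0" + ffi
    # tree at RVA 0x200: RT_VERSION -> name 1 -> lang 0x409 -> IMAGE_RESOURCE_DATA_ENTRY at +0x48
    for d, ident, target in ((0x00, RT_VERSION, 0x80000018), (0x18, 1, 0x80000030), (0x30, 0x409, 0x48)):
        struct.pack_into("<HHII", img, 0x200 + d + 12, 0, 1, ident, target)
    struct.pack_into("<IIII", img, 0x248, 0x300, len(blob), 0, 0)
    img[0x300:0x300 + len(blob)] = blob
    return bytes(img)
```

For a driver read from disk rather than from memory, the RVAs would first have to be translated through the section table, which this example deliberately skips.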

@Albert said:
I have seen many dumps where the output of lm is like so:

0: kd> lmDvmMyDrv
Browse full module list
start end module name
fffff802f67e00000 fffff802f67fc000 MyDrv T (private pdb symbols) C:\ProgramData\Dbg\sym\MyDrv.pdb\1E8296A5E1ABCD66E9DC9C86CACDFE1\MyDrv.pdb
Loaded symbol image file: MyDrv.sys
Image path: ??\C:\TestBin\MyDrv.sys
Image name: MyDrv.sys
Browse all global symbols functions data
Timestamp: ***** Invalid (F7D8FE12)
CheckSum: 0001B845
ImageSize: 0001C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.

Is it possible to parse the embedded resource inside the binary of the crash dump to dig out the version_info?

Is this a minidump? If yes, you need to provide your own copy of the executable as it’s not stored in the dump. See Setting Executable Image Path:

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-symbol-and-source-paths-in-windbg#executable-image-path

@“Scott_Noone_(OSR)” said:

@Albert said:
I have seen many dumps where the output of lm is like so:

0: kd> lmDvmMyDrv
Browse full module list
start end module name
fffff802f67e00000 fffff802f67fc000 MyDrv T (private pdb symbols) C:\ProgramData\Dbg\sym\MyDrv.pdb\1E8296A5E1ABCD66E9DC9C86CACDFE1\MyDrv.pdb
Loaded symbol image file: MyDrv.sys
Image path: ??\C:\TestBin\MyDrv.sys
Image name: MyDrv.sys
Browse all global symbols functions data
Timestamp: ***** Invalid (F7D8FE12)
CheckSum: 0001B845
ImageSize: 0001C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

Why is the timestamp info incorrect? It makes it hard to figure out which version of the driver crashed.

Is it possible to parse the embedded resource inside the binary of the crash dump to dig out the version_info?

Is this a minidump? If yes, you need to provide your own copy of the executable as it’s not stored in the dump. See Setting Executable Image Path:

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-symbol-and-source-paths-in-windbg#executable-image-path

Yes, this is a minidump. @“Scott_Noone_(OSR)” if this is a frequently changing driver image, how do I determine the correct symbol and exe version?

Even in a minidump, why does windbg show some content from the PC header (partial pdb path, checksum) but the timestamp is invalid?
If it were valid, this would be almost perfect for the goal.

– pa

from the PC header
Correction: from PE header.

The obvious answer is that some of the header information is copied into system tables, and some is not.

Yes, this is a minidump. @“Scott_Noone_(OSR)” if this is a frequently changing driver image, how do I determine the correct symbol and exe version?

You can index executable files along with PDBs using SymStore.