KeRegisterBugCheckReasonCallback

How does the data show up in the dump?
Assuming I have two structs that I dump one after the other, S1 and S2, will I be able to distinguish between them in the debugger with dt!Module!S1 and dt!Module!S2? Will symbols be generated for these memory locations? As far as I can tell, it is dumped into a large void pointer buffer pointing to a page of memory; is type info preserved? Otherwise, how do I know where in the page to look for S1 and S2? Do I need to do the math in the debugger myself and then typecast the pointer?

The OS at runtime has no idea about type information, just buffers and lengths. Your callback writes the raw data and your debugger extension knows how to find it via the GUID you used when writing it out. From the docs https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/writing-a-bug-check-callback-routine:

Each block of data to be written to the crash dump file is tagged with the value of the Guid member of the KBUGCHECK_SECONDARY_DUMP_DATA structure. The GUID used must be unique to the driver. To display the secondary dump data corresponding to this GUID, you can use the .enumtag command or the IDebugDataSpaces3::ReadTagged method in a debugger extension. For information about debuggers and debugger extensions, see Windows Debugging.

A driver can write multiple blocks with the same GUID to the crash dump file, but this is very poor practice, because only the first block will be accessible to the debugger. Drivers that register multiple KbCallbackSecondaryDumpData routines should allocate a unique GUID for each callback.
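An added example, not part of the thread or of Microsoft's documentation: because the tagged block is only raw bytes, one way to locate two structs inside it is a small header of offsets and lengths that the driver writes and the debugger extension validates before casting anything. The struct layouts, the magic value and the function names are hypothetical, and the code is plain user-mode C standing in for both the callback side and the extension side.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical driver state, standing in for S1 and S2 from the question. */
typedef struct { uint32_t state; uint32_t pending_irps; } S1;
typedef struct { uint64_t last_lba; uint32_t error; uint32_t retries; } S2;

#define BLOB_MAGIC   0x44435331u  /* constructed value, not a real tag */
#define BLOB_VERSION 1u

/* Header at offset 0 of the tagged block; offsets count from the block start. */
typedef struct { uint32_t magic, version, s1_off, s1_len, s2_off, s2_len; } BLOB_HDR;

/* Writer side: what the bug check callback would place in its output buffer.
   Returns the number of bytes used, or 0 if the buffer is too small. */
size_t blob_pack(void *buf, size_t cap, const S1 *a, const S2 *b)
{
    BLOB_HDR h = { BLOB_MAGIC, BLOB_VERSION,
                   (uint32_t)sizeof h, (uint32_t)sizeof *a,
                   (uint32_t)(sizeof h + sizeof *a), (uint32_t)sizeof *b };
    size_t need = sizeof h + sizeof *a + sizeof *b;
    if (cap < need) return 0;
    memcpy(buf, &h, sizeof h);
    memcpy((uint8_t *)buf + h.s1_off, a, sizeof *a);
    memcpy((uint8_t *)buf + h.s2_off, b, sizeof *b);
    return need;
}

/* A dump is untrusted and may be truncated: check every offset and length. */
static int in_range(uint32_t off, uint32_t len, size_t want, size_t total)
{
    return len == want && off <= total && want <= total - off;
}

/* Reader side: what a debugger extension would do with the bytes read back
   for the driver's GUID. Returns 0 on success, a negative code otherwise. */
int blob_unpack(const void *buf, size_t len, S1 *a, S2 *b)
{
    BLOB_HDR h;
    if (len < sizeof h) return -1;                       /* no room for header */
    memcpy(&h, buf, sizeof h);
    if (h.magic != BLOB_MAGIC || h.version != BLOB_VERSION) return -2;
    if (!in_range(h.s1_off, h.s1_len, sizeof *a, len)) return -3;
    if (!in_range(h.s2_off, h.s2_len, sizeof *b, len)) return -3;
    memcpy(a, (const uint8_t *)buf + h.s1_off, sizeof *a);
    memcpy(b, (const uint8_t *)buf + h.s2_off, sizeof *b);
    return 0;
}
```

The version field lets an extension refuse a block written by a driver build whose struct layout it does not know, instead of misreading it.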

@Doron_Holan

Thanks Doron! If I am interested only in KbCallbackTriageDumpData, then the example in MSDN doesn’t mention anything about the adding of pages. How does this work in that scenario? I should have mentioned this before, but the current goal is to enhance the minidump because that is where we lack any context at all.

It appears that one cannot just register for triage dump callbacks; one has to register for all types of dumps in order to avail of the facility to get their data carved into the minidumps. This is kind of a bummer: the entire reason one wants to enroll in dumps is because minidumps are devoid of data, while full dumps are in general capable of much more context.

If anyone has successfully been able to have a dump callback working just for minidumps without having to register for other dump types, please do let me know.