Error when reading user stream from dump file

raj_r wrote:

so i still have to copy paste and hand modify the entries inside
MAKE_LOOKUP(x) ok i will grep sed script it so that if there is a
mistake there will be a pattern at least

Yep, I use vim for that. Yes, it should have been “char *” instead of
“unsigned char *”.

now with /w4 wx i get 4510 and 4512 (def constructor & assignment
operator cannot be generated)
with /W3 /WX i get 4715 not all control paths return a value
if compiled without wx it gets compiled and seems to work ok
so are these warnings ignorable or is there an alternative ?

You should really be able to figure this out. Add
return "Not found";
as the very last line of the function, to handle the case of a value not
in the list. The default constructor warning is silly. /W4, in my
experience, generates a lot of silly warnings. The WDK uses /W3.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

ok i added a pstr and return a string when there are no known
STREAMTYPE in the enum this takes care of not all control paths are
returning a value warning

the below code compiles and runs with /W4 /WX

Thanks Once Again Tim ill remove the ugly copy paste double quoted
array and add this to the project

also i sedded the enum with this one liner

C:\preproc>sed -e 1,/^_MINIDUMP_STREAM_TYPE/d -e
/^MINIDUMP_STREAM_TYPE/,$d dbghelp.h | sed /./!d | sed s/=.*/\x20),/g
| sed s/^^/MAKE_LOOKUP(\x20/g >result.txt
&type result.txt
MAKE_LOOKUP( UnusedStream ),
MAKE_LOOKUP( ReservedStream0 ),
MAKE_LOOKUP( ReservedStream1 ),
MAKE_LOOKUP( ThreadListStream ),
MAKE_LOOKUP( ModuleListStream ),
MAKE_LOOKUP( MemoryListStream ),
MAKE_LOOKUP( ExceptionStream ),
MAKE_LOOKUP( SystemInfoStream ),
MAKE_LOOKUP( ThreadExListStream ),
MAKE_LOOKUP( Memory64ListStream ),
MAKE_LOOKUP( CommentStreamA ),
MAKE_LOOKUP( CommentStreamW ),
MAKE_LOOKUP( HandleDataStream ),
MAKE_LOOKUP( FunctionTableStream ),
MAKE_LOOKUP( UnloadedModuleListStream ),
MAKE_LOOKUP( MiscInfoStream ),
MAKE_LOOKUP( MemoryInfoListStream ),
MAKE_LOOKUP( ThreadInfoListStream ),
MAKE_LOOKUP( HandleOperationListStream ),
MAKE_LOOKUP( TokenStream ),
MAKE_LOOKUP( ceStreamNull ),
MAKE_LOOKUP( ceStreamSystemInfo ),
MAKE_LOOKUP( ceStreamException ),
MAKE_LOOKUP( ceStreamModuleList ),
MAKE_LOOKUP( ceStreamProcessList ),
MAKE_LOOKUP( ceStreamThreadList ),
MAKE_LOOKUP( ceStreamThreadContextList ),
MAKE_LOOKUP( ceStreamThreadCallStackList ),
MAKE_LOOKUP( ceStreamMemoryVirtualList ),
MAKE_LOOKUP( ceStreamMemoryPhysicalList ),
MAKE_LOOKUP( ceStreamBucketParameters ),
MAKE_LOOKUP( ceStreamProcessModuleMap ),
MAKE_LOOKUP( ceStreamDiagnosisList ),
MAKE_LOOKUP( LastReservedStream ),

C:\preproc>cl /W4 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.

/out:preproc.exe
preproc.obj

C:\preproc>cl /W4 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.

/out:preproc.exe
preproc.obj

C:\preproc>preproc.exe
enum #define macro test
UnusedStream
ReservedStream0
ReservedStream1
ThreadListStream
UNKNOWN_STREM_TYPE
ceStreamProcessList
UNKNOWN_STREM_TYPE
LastReservedStream

C:\preproc>type preproc.cpp
#include <stdio.h>

#include <windows.h>

#include "dbghelp.h"

#define MAKE_LOOKUP(x) { x, #x }

struct Lookup {

int Value;

PSTR Str;

} MyLookupTable[] = {
MAKE_LOOKUP( UnusedStream ),
MAKE_LOOKUP( ReservedStream0 ),
MAKE_LOOKUP( ReservedStream1 ),
MAKE_LOOKUP( ThreadListStream ),
MAKE_LOOKUP( ModuleListStream ),
MAKE_LOOKUP( MemoryListStream ),
MAKE_LOOKUP( ExceptionStream ),
MAKE_LOOKUP( SystemInfoStream ),
MAKE_LOOKUP( ThreadExListStream ),
MAKE_LOOKUP( Memory64ListStream ),
MAKE_LOOKUP( CommentStreamA ),
MAKE_LOOKUP( CommentStreamW ),
MAKE_LOOKUP( HandleDataStream ),
MAKE_LOOKUP( FunctionTableStream ),
MAKE_LOOKUP( UnloadedModuleListStream ),
MAKE_LOOKUP( MiscInfoStream ),
MAKE_LOOKUP( MemoryInfoListStream ),
MAKE_LOOKUP( ThreadInfoListStream ),
MAKE_LOOKUP( HandleOperationListStream ),
MAKE_LOOKUP( TokenStream ),
MAKE_LOOKUP( ceStreamNull ),
MAKE_LOOKUP( ceStreamSystemInfo ),
MAKE_LOOKUP( ceStreamException ),
MAKE_LOOKUP( ceStreamModuleList ),
MAKE_LOOKUP( ceStreamProcessList ),
MAKE_LOOKUP( ceStreamThreadList ),
MAKE_LOOKUP( ceStreamThreadContextList ),
MAKE_LOOKUP( ceStreamThreadCallStackList ),
MAKE_LOOKUP( ceStreamMemoryVirtualList ),
MAKE_LOOKUP( ceStreamMemoryPhysicalList ),
MAKE_LOOKUP( ceStreamBucketParameters ),
MAKE_LOOKUP( ceStreamProcessModuleMap ),
MAKE_LOOKUP( ceStreamDiagnosisList ),
MAKE_LOOKUP( LastReservedStream ),

{ 0, NULL }

};

PSTR MiniStreamTypeName( int StreamType )

{
PSTR Unknown = "UNKNOWN_STREM_TYPE";

for( struct Lookup * lk = MyLookupTable; lk->Str; lk++ )

{

if( lk->Value == StreamType )

return lk->Str;

}

return Unknown;

}

int main (void)

{

printf("enum #define macro test\n");

printf("%s\n",MiniStreamTypeName(0));
printf("%s\n",MiniStreamTypeName(1));
printf("%s\n",MiniStreamTypeName(2));
printf("%s\n",MiniStreamTypeName(3));
printf("%s\n",MiniStreamTypeName(0xff));
printf("%s\n",MiniStreamTypeName(0x8004));
printf("%s\n",MiniStreamTypeName(0xffe));
printf("%s\n",MiniStreamTypeName(0xffff));

return 1;

}
C:\preproc>

On 5/4/12, Phil Barila wrote:
> Change the Str member from const unsigned char * to const char *.
> Explicitly test (0 != lk->Value), rather than treating lk->Str as a
> boolean.
>
> That will cover most of it.
>
> Phil
> Not speaking for LogRhythm (but here’s the obligatory .sig, anyway)
> Philip D Barila | Senior Software Engineer
> 720.881.5364 (w)
> WINNER of SC Magazine’s Readers Trust Award Best SIEM Solution
> Innovator of the Year & 2012 SIEM Best Buy
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
> Sent: Thursday, May 03, 2012 4:27 PM
> To: Kernel Debugging Interest List
> Subject: Re: [windbg] Error when reading user stream from dump file
>
> Thanks Tim
>
> so i still have to copy paste and hand modify the entries inside
> MAKE_LOOKUP(x) ok i will grep sed script it so that if there is a
> mistake there will be a pattern at least
>
> i removed the comma wrapped your #define into main and compiled with /W4
> /WX
>
> i got a few warnings
>
> for 2440 i changed the unsigned char * to PSTR
>
> for 4389 i changed the unsigned int to int
>
> now with /w4 wx i get 4510 and 4512 (def constructor & assignment
> operator cannot be generated)
> with /W3 /WX i get 4715 not all control paths return a value
>
> if compiled without wx it gets compiled and seems to work ok
> so are these warnings ignorable or is there an alternative ?
>
>
>
> paste of compiling follows
>
>
> C:\preproc>dir /b
> dbghelp.h
> preproc.cpp
>
> C:\preproc>type preproc.cpp
> #include <stdio.h>
>
> #include <windows.h>
>
> #include "dbghelp.h"
>
> #define MAKE_LOOKUP(x) { x, #x }
>
> struct Lookup {
>
> unsigned int Value;
>
> const unsigned char * Str;
>
> } MyLookupTable[] = {
>
> MAKE_LOOKUP(UnusedStream),
>
> MAKE_LOOKUP(ReservedStream0),
>
> MAKE_LOOKUP(ReservedStream1),
>
> { 0, NULL }
>
> };
>
> PSTR MiniStreamTypeName( int StreamType )
>
> {
>
> for( struct Lookup * lk = MyLookupTable; lk->Str; lk++ )
>
> {
>
> if( lk->Value == StreamType )
>
> return lk->Str;
>
> }
>
> }
>
> int main (void)
>
> {
>
> printf("enum #define macro test\n");
>
> printf("%s\n",MiniStreamTypeName(2));
>
> return 1;
>
> }
> C:\preproc>cl /W4 /WX preproc.cpp
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for
> 80x86
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> preproc.cpp
> preproc.cpp(17) : error C2440: ‘initializing’ : cannot convert from ‘const
> char
> [13]’ to ‘const unsigned char *’
> Types pointed to are unrelated; conversion requires
> reinterpret_cast, C-
> style cast or function-style cast
> preproc.cpp(19) : error C2440: ‘initializing’ : cannot convert from ‘const
> char
> [16]’ to ‘const unsigned char *’
> Types pointed to are unrelated; conversion requires
> reinterpret_cast, C-
> style cast or function-style cast
> preproc.cpp(21) : error C2440: ‘initializing’ : cannot convert from ‘const
> char
> [16]’ to ‘const unsigned char *’
> Types pointed to are unrelated; conversion requires
> reinterpret_cast, C-
> style cast or function-style cast
> preproc.cpp(35) : warning C4389: ‘==’ : signed/unsigned mismatch
> preproc.cpp(37) : error C2440: ‘return’ : cannot convert from ‘const
> unsigned ch
> ar *’ to ‘PSTR’
> Types pointed to are unrelated; conversion requires
> reinterpret_cast, C-
> style cast or function-style cast
>
> C:\preproc>
>
> change the struct as follows
>
> struct Lookup {
>
> int Value;
>
> const PSTR Str;
>
> } MyLookupTable[] = {
>
> now the warnings as follows
>
>
> C:\preproc>cl /W4 /WX preproc.cpp
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for
> 80x86
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> preproc.cpp
> preproc.cpp(15) : error C2220: warning treated as error - no ‘object’ file
> gener
> ated
> preproc.cpp(15) : warning C4510: ‘Lookup’ : default constructor could not be
> gen
> erated
> preproc.cpp(9) : see declaration of ‘Lookup’
> preproc.cpp(15) : warning C4512: ‘Lookup’ : assignment operator could not be
> gen
> erated
> preproc.cpp(9) : see declaration of ‘Lookup’
> preproc.cpp(15) : warning C4610: struct ‘Lookup’ can never be instantiated -
> use
> r defined constructor required
>
> C:\preproc>cl /W3 /WX preproc.cpp
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for
> 80x86
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> preproc.cpp
> c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no
> ‘object’
> file generated
> c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all
> contr
> ol paths return a value
>
> C:\preproc>cl /W2 /WX preproc.cpp
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for
> 80x86
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> preproc.cpp
> c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no
> ‘object’
> file generated
> c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all
> contr
> ol paths return a value
>
> C:\preproc>cl /W1 /WX preproc.cpp
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for
> 80x86
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> preproc.cpp
> c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no
> ‘object’
> file generated
> c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all
> contr
> ol paths return a value
>
> C:\preproc>cl /WX preproc.cpp
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for
> 80x86
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> preproc.cpp
> c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no
> ‘object’
> file generated
> c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all
> contr
> ol paths return a value
>
> C:\preproc>cl preproc.cpp
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for
> 80x86
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> preproc.cpp
> c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all
> contr
> ol paths return a value
> Microsoft (R) Incremental Linker Version 9.00.30729.01
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> /out:preproc.exe
> preproc.obj
>
> C:\preproc>preproc.exe
> enum #define macro test
> ReservedStream1
>
> C:\preproc>
>
>
> On 5/3/12, Tim Roberts wrote:
>> Tim Roberts wrote:
>>>
>>> Here’s how I would do it, if I wanted it to be robust.
>>>
>>> #define MAKE_LOOKUP(x) { x, #x },
>>
>> I should not have added that final comma. That’s what I get for sending
>> sample code without compiling first.
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

raj_r wrote:

ok i added a pstr and return a string when there are no known
STREAMTYPE in the enum this takes care of not all control paths are
returning a value warning

Actually, you changed what I wrote in a subtle way:

PSTR MiniStreamTypeName( int StreamType )
{
PSTR Unknown = "UNKNOWN_STREM_TYPE";
for( struct Lookup * lk = MyLookupTable; lk->Str; lk++ )
{
if( lk->Value == StreamType )
return lk->Str;
}
return Unknown;
}

“Unknown” is a stack variable. When the function ends, that variable
goes away. Now, the VALUE of Unknown should be the address of a string
constant, and that value should survive the end of the function, but I
don’t really see the point in changing it from

return "UNKNOWN_STREAM_TYPE";

which makes the constancy more explicit.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

i didn’t read your post when i answered i posted the results of my
tweaking i read your answer later
ill change the
return unknown; to
return "UNKNOWN_STREAM_TYPE";

Thanks again

On 5/4/12, Tim Roberts wrote:
> raj_r wrote:
>> ok i added a pstr and return a string when there are no known
>> STREAMTYPE in the enum this takes care of not all control paths are
>> returning a value warning
>
> Actually, you changed what I wrote in a subtle way:
>
>> PSTR MiniStreamTypeName( int StreamType )
>> {
>> PSTR Unknown = "UNKNOWN_STREM_TYPE";
>> for( struct Lookup * lk = MyLookupTable; lk->Str; lk++ )
>> {
>> if( lk->Value == StreamType )
>> return lk->Str;
>> }
>> return Unknown;
>> }
>
> “Unknown” is a stack variable. When the function ends, that variable
> goes away. Now, the VALUE of Unknown should be the address of a string
> constant, and that value should survive the end of the function, but I
> don’t really see the point in changing it from
>
> return "UNKNOWN_STREAM_TYPE";
>
> which makes the constancy more explicit.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>

No, the question isn’t stupid, it just reflects one of the major defects
of the C language: the lack of reflection.

The correct way to handle this is definitely NOT

if(something == 3) printf("ThreadListStream");

it would be correct, but tedious, to handle every case correctly, by typing

if(something == ThreadListStream) printf("ThreadListStream");

I fail to see any purpose in using the constant “3” when there is a
perfectly good name!

However, I have used a couple techniques

#define PMDST(something, x) if((something) == (x)) printf(#x)

then you can write

PMDST(something, UnusedStream);
else
PMDST(something, ThreadListStream);
else

else
printf("Unknown stream type %d", something);

or, I’ll sometimes do

switch(something)
{
#define MDSTcase(x) case x: printf(#x); break
MDSTcase(UnusedStream);
MDSTcase(ThreadListStream);

default:
printf("Unknown stream type %d", something);
break;
#undef MDSTcase
}

It depends on my mood which one I might use.
joe

THIS must be a STUPID c 101 QUESTION
still i will ask it

dbghelp.h has this declared

typedef enum _MINIDUMP_STREAM_TYPE {

UnusedStream = 0,
ReservedStream0 = 1,
ReservedStream1 = 2,
ThreadListStream = 3,
ModuleListStream = 4, … s ON }

now if i want to printf

MiniDir = (PMINIDUMP_DIRECTORY) Buff; MiniDir->StreamType,

say if 3 printf ("ThreadListStream");

should i be doing it like this ?? error prone copy paste modify by
hand of the enum from dbghelp.h ?? like below

PSTR

__cdecl

MiniStreamTypeName (
int StreamType
)
{
PSTR Ministr[] = {

"UnusedStream",
"ReservedStream0",
"ReservedStream1",
"ThreadListStream",
"ModuleListStream",


};
return Ministr[StreamType];
}

and call it with say

printf(
"%7d %08x\x20\x20\x20\x20 %-30s %08x %08x\n",
i,
MiniDir->StreamType,
MiniStreamTypeName(MiniDir->StreamType),
MiniDir->Location.DataSize,
MiniDir->Location.Rva
);

this seems to work though i feel this must really not be the way to go
about

-====Dumping DumpHeader From Memory Dump====-

Minidump Header Signature = 504d444d
MINIDUMP_VERSION = 0000a793
MINIDUMP_VERSION(Internal) = 00006003
MINIDUMP_HEADER NumberofStreams = 00000008
MINIDUMP_HEADER StreamDirectoryRVA = 00000020
MINIDUMP_HEADER CheckSum = 00000000
MINIDUMP_HEADER reserved = 4f70c8f0
MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
MINIDUMP_HEADER Flags = 00000021
Stream# StreamType StreamName Size RVA
0 00000003 ThreadListStream 000000c4 00000160
1 00000004 ModuleListStream 00001a2c 00000224
2 0000000e UnloadedModuleListStream 00000114 00001c50
3 00000005 MemoryListStream 00000094 000048c4
4 00000006 ExceptionStream 000000a8 000000b8
5 00000007 SystemInfoStream 00000038 00000080
6 00000000 UnusedStream 00000000 00000000
7 00000000 UnusedStream 00000000 00000000
Dump Header Dumped

On 5/3/12, raj_r wrote:
>> thanks jen for answering fast
>> it seems i am able to get the directories and rvas with code below
>>
>> ftell(fp);
>>
>> ULONG NumberOfStreams = MiniHeader->NumberOfStreams;
>>
>> for (ULONG i = 0; i < NumberOfStreams; i++)
>> {
>> fread(
>> Buff,
>> 1,
>> sizeof(MINIDUMP_DIRECTORY),
>> fp
>> );
>> MiniDir = (PMINIDUMP_DIRECTORY) Buff;
>> printf(
>> "StreamType\t%08x\tSize\t%08x\tRva\t%08x\n",
>> MiniDir->StreamType,
>> MiniDir->Location.DataSize,
>> MiniDir->Location.Rva
>> );
>> ftell(fp);
>> }
>>
>> StreamType 00000003 Size 000000c4 Rva 00000160
>> StreamType 00000004 Size 00001a2c Rva 00000224
>> StreamType 0000000e Size 00000114 Rva 00001c50
>> StreamType 00000005 Size 00000094 Rva 000048c4
>> StreamType 00000006 Size 000000a8 Rva 000000b8
>> StreamType 00000007 Size 00000038 Rva 00000080
>> StreamType 00000000 Size 00000000 Rva 00000000
>> StreamType 00000000 Size 00000000 Rva 00000000
>> Dump Header Dumped
>>
>>
>> t>Dumpchk test.dmp | grep -i stream
>> Loading dump file test.dmp
>> NumberOfStreams 8
>> Streams:
>> Stream 0: type ThreadListStream (3), size 000000C4, RVA 00000160
>> Stream 1: type ModuleListStream (4), size 00001A2C, RVA 00000224
>> Stream 2: type UnloadedModuleListStream (14), size 00000114, RVA
>> 00001C50
>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>> Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000B8
>> Stream 5: type SystemInfoStream (7), size 00000038, RVA 00000080
>> Stream 6: type UnusedStream (0), size 00000000, RVA 00000000
>> Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
>>
>>
>> so all left is to parse and the remaining bytes
>>
>>
>> On 5/3/12, Jen-Lung Chiu wrote:
>>> Yes no API support to get those data from dump headers.
>>>
>>> -----Original Message-----
>>> From: xxxxx@lists.osr.com
>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>> Sent: Wednesday, May 2, 2012 01:37 PM
>>> To: Kernel Debugging Interest List
>>> Subject: Re: [windbg] Error when reading user stream from dump file
>>>
>>> Thanks jen
>>>
>>> So I Need To do Something Like below Myself no request or interface
>>> exist
>>> ??
>>>
>>>
>>> int __cdecl DumpDumpHeader(void) {
>>>
>>> HRESULT status = S_OK;
>>>
>>> PMINIDUMP_HEADER MiniHeader;
>>>
>>> FILE * fp;
>>>
>>> size_t result;
>>>
>>> if (( fp = fopen(
>>>
>>> "test.dmp",
>>>
>>> "rb"
>>>
>>> ) ) == 0 ) {
>>>
>>> Exit (
>>>
>>> FALSE,
>>>
>>> "fopen ( %s ) Failed",
>>>
>>> "test.dmp"
>>>
>>> );
>>>
>>> }
>>>
>>> if (( result = fread(
>>>
>>> Buff,
>>>
>>> 1,
>>>
>>> sizeof(MINIDUMP_HEADER),
>>>
>>> fp
>>>
>>> ) ) != sizeof(MINIDUMP_HEADER)) {
>>>
>>> Exit(
>>>
>>> FALSE,
>>>
>>> "fread(fp) failed\n"
>>>
>>> );
>>>
>>> }
>>>
>>> MiniHeader = (PMINIDUMP_HEADER)Buff;
>>>
>>> printf(
>>>
>>> "Minidump Header Signature = %08x\n"
>>>
>>> "MINIDUMP_VERSION = %08x\n"
>>>
>>> "MINIDUMP_VERSION(Internal) = %08x\n"
>>>
>>> "MINIDUMP_HEADER NumberofStreams = %08x\n"
>>>
>>> "MINIDUMP_HEADER StreamDirectoryRVA = %08x\n"
>>>
>>> "MINIDUMP_HEADER CheckSum = %08x\n"
>>>
>>> "MINIDUMP_HEADER reserved = %08x\n"
>>>
>>> "MINIDUMP_HEADER TimeDateStamp = %08x\n"
>>>
>>> "MINIDUMP_HEADER Flags = %08x\n",
>>>
>>> MiniHeader->Signature,
>>>
>>> LOWORD(MiniHeader->Version),
>>>
>>> HIWORD(MiniHeader->Version),
>>>
>>> MiniHeader->NumberOfStreams,
>>>
>>> MiniHeader->StreamDirectoryRva,
>>>
>>> MiniHeader->CheckSum,
>>>
>>> MiniHeader->Reserved,
>>>
>>> MiniHeader->TimeDateStamp,
>>>
>>> MiniHeader->Flags
>>>
>>> );
>>>
>>> fclose(fp);
>>>
>>> return status;
>>>
>>> }
>>>
>>> -====Dumping DumpHeader From Memory Dump====-
>>>
>>> Minidump Header Signature = 504d444d
>>> MINIDUMP_VERSION = 0000a793
>>> MINIDUMP_VERSION(Internal) = 00006003
>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>> MINIDUMP_HEADER CheckSum = 00000000
>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>> MINIDUMP_HEADER Flags = 00000021
>>> Dump Header Dumped
>>>
>>>
>>> ----- User Mini Dump Analysis
>>>
>>> MINIDUMP_HEADER:
>>> Version A793 (6003)
>>> NumberOfStreams 8
>>> Flags 21
>>> 0001 MiniDumpWithDataSegs
>>> 0020 MiniDumpWithUnloadedModules
>>>
>>>
>>>
>>>
>>> On 5/2/12, Jen-Lung Chiu wrote:
>>>> You could check MSDN or dbghelp.h for user-mode minidump format, then
>>>> use binary editor to browse the dump file.
>>>>
>>>> The user-mode minidump starts with a MINIDUMP_HEADER structure, then
>>>> follows a list of MINIDUMP_DIRECTORY structure (the number of
>>>> MINIDUMP_DIRECTORY structures is MINIDUMP_HEADER::NumberOfStreams).
>>>> The MINIDUMP_DIRECTORY block defines the type of the stream (in your
>>>> case, MemoryListStream) as well as the RVA/size of the stream.
>>>>
>>>> -----Original Message-----
>>>> From: xxxxx@lists.osr.com
>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>> Sent: Wednesday, May 2, 2012 02:42 AM
>>>> To: Kernel Debugging Interest List
>>>> Subject: Re: [windbg] Error when reading user stream from dump file
>>>>
>>>> ok changing the ULONG64 of Debughelp.chm to DWORD of Debughelp.h it
>>>> seems now i can dump the MemoryListStream below is code and output
>>>> Dissections are Welcome
>>>>
>>>> #include <stdio.h>
>>>>
>>>> #include <engextcpp.hpp>
>>>>
>>>> #include <dbghelp.h>
>>>>
>>>> const ULONG MBUFFSIZE = 0x1000;
>>>>
>>>> IDebugClient* g_Client;
>>>>
>>>> IDebugControl* g_Control;
>>>>
>>>> IDebugAdvanced2* g_Advanced2;
>>>>
>>>> PVOID Buff;
>>>>
>>>> void
>>>>
>>>> Exit(__in int Code,
>>>>
>>>> __in PCSTR Format,
>>>>
>>>> ...)
>>>>
>>>> {
>>>>
>>>> if (g_Client != NULL) {
>>>>
>>>> g_Client->EndSession(DEBUG_END_DISCONNECT);
>>>>
>>>> g_Client->Release();
>>>>
>>>> g_Client = NULL;
>>>>
>>>> }
>>>>
>>>> if (g_Control != NULL) {
>>>>
>>>> g_Control->Release();
>>>>
>>>> g_Control = NULL;
>>>>
>>>> }
>>>>
>>>> if (g_Advanced2 !=NULL) {
>>>>
>>>> g_Advanced2->Release();
>>>>
>>>> g_Advanced2 = NULL;
>>>>
>>>> }
>>>>
>>>> if( Buff != NULL) {
>>>>
>>>> free(Buff);
>>>>
>>>> }
>>>>
>>>> if (Format != NULL) {
>>>>
>>>> va_list Args;
>>>>
>>>> va_start(Args, Format);
>>>>
>>>> vfprintf(stderr, Format, Args);
>>>>
>>>> va_end(Args);
>>>>
>>>> }
>>>>
>>>> exit(Code);
>>>>
>>>> }
>>>>
>>>> int __cdecl DumpMemoryListStream(void){
>>>>
>>>> HRESULT status;
>>>>
>>>> if ( ( status = DebugCreate(
>>>>
>>>> __uuidof(IDebugClient),
>>>>
>>>> (void**)&g_Client
>>>>
>>>> ) ) !=S_OK) {
>>>>
>>>> Exit(
>>>>
>>>> FALSE,
>>>>
>>>> "%s ( %s ) Failed %08x\n",
>>>>
>>>> "DebugCreate",
>>>>
>>>> "IDebugClient",
>>>>
>>>> status);
>>>>
>>>> }
>>>>
>>>> if ( ( status = g_Client->QueryInterface(
>>>>
>>>> __uuidof(IDebugControl),
>>>>
>>>> (void**)&g_Control
>>>>
>>>> ) ) != S_OK ) {
>>>>
>>>> Exit(
>>>>
>>>> FALSE,
>>>>
>>>> "%s ( %s ) Failed %08x\n",
>>>>
>>>> "QueryInterface",
>>>>
>>>> "IDebugControl",
>>>>
>>>> status);
>>>>
>>>> }
>>>>
>>>> if ( ( status = g_Client->QueryInterface(
>>>>
>>>> __uuidof(IDebugAdvanced2),
>>>>
>>>> (void**)&g_Advanced2
>>>>
>>>> )) != S_OK ) {
>>>>
>>>> Exit(
>>>>
>>>> FALSE,
>>>>
>>>> "%s ( %s ) Failed %08x\n",
>>>>
>>>> "QueryInterface",
>>>>
>>>> "IDebugAdvanced2",
>>>>
>>>> status);
>>>>
>>>> }
>>>>
>>>> if (( status = g_Client->OpenDumpFile(
>>>>
>>>> "test.dmp"
>>>>
>>>> )) != S_OK ) {
>>>>
>>>> Exit(
>>>>
>>>> FALSE,
>>>>
>>>> "%s ( %s ) Failed %08x\n",
>>>>
>>>> "g_Client",
>>>>
>>>> "OpenDumpFile",
>>>>
>>>> status);
>>>>
>>>> }
>>>>
>>>> if (( status = g_Control->WaitForEvent(
>>>>
>>>> 0,
>>>>
>>>> INFINITE
>>>>
>>>> ) ) != S_OK ) {
>>>>
>>>> Exit(
>>>>
>>>> FALSE,
>>>>
>>>> "%s ( %s ) Failed %08x\n",
>>>>
>>>> "g_Control",
>>>>
>>>> "WaitForEvent",
>>>>
>>>> status);
>>>>
>>>> }
>>>>
>>>> PVOID OutBuffer;
>>>>
>>>> ULONG OutBufferSize;
>>>>
>>>> ULONG OutSize;
>>>>
>>>> PMINIDUMP_MEMORY_LIST mml;
>>>>
>>>> DEBUG_READ_USER_MINIDUMP_STREAM InBuffer;
>>>>
>>>> InBuffer.StreamType = MemoryListStream;
>>>>
>>>> InBuffer.Flags = 0;
>>>>
>>>> InBuffer.Offset = 0;
>>>>
>>>> InBuffer.Buffer = Buff;
>>>>
>>>> InBuffer.BufferSize = MBUFFSIZE;
>>>>
>>>> InBuffer.BufferUsed = 0;
>>>>
>>>> OutBuffer = NULL;
>>>>
>>>> OutBufferSize = NULL;
>>>>
>>>> if (( status = g_Advanced2->Request(
>>>>
>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>
>>>> &InBuffer,
>>>>
>>>> sizeof(InBuffer),
>>>>
>>>> OutBuffer,
>>>>
>>>> OutBufferSize,
>>>>
>>>> &OutSize
>>>>
>>>> ) ) != S_OK ) {
>>>>
>>>> Exit(
>>>>
>>>> FALSE,
>>>>
>>>> "%s (\n"
>>>>
>>>> "\t%s,\n"
>>>>
>>>> "\t%s\n\t) Failed %08x\n",
>>>>
>>>> "g_Advanced2->Request",
>>>>
>>>> "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
>>>>
>>>> "MemoryListStream",
>>>>
>>>> status);
>>>>
>>>> }
>>>>
>>>> mml = (PMINIDUMP_MEMORY_LIST)Buff;
>>>>
>>>> printf (
>>>>
>>>> " Number Of Memory ranges = %x\n\n"
>>>>
>>>> " range# RVA Address Size\n",
>>>>
>>>> mml->NumberOfMemoryRanges
>>>>
>>>> );
>>>>
>>>> for (ULONG i = 0; i < mml->NumberOfMemoryRanges; i++) {
>>>>
>>>> printf(
>>>>
>>>> " %d %08x %08I64x %08x\n",
>>>>
>>>> i,
>>>>
>>>> mml->MemoryRanges[i].Memory.Rva,
>>>>
>>>> mml->MemoryRanges[i].StartOfMemoryRange,
>>>>
>>>> mml->MemoryRanges[i].Memory.DataSize
>>>>
>>>> );
>>>>
>>>> }
>>>>
>>>> Exit(
>>>>
>>>> TRUE,
>>>>
>>>> "%s (\n"
>>>>
>>>> "\t%s,\n"
>>>>
>>>> "\t%s\n\t) Succeeded %08x\n",
>>>>
>>>> "g_Advanced2->Request",
>>>>
>>>> "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
>>>>
>>>> "MemoryListStream",
>>>>
>>>> status);
>>>>
>>>> }
>>>>
>>>> int __cdecl main (void){
>>>>
>>>> Buff = (PVOID) malloc( MBUFFSIZE );
>>>>
>>>> if(Buff == 0) {
>>>>
>>>> printf(
>>>>
>>>> "malloc failed\n"
>>>>
>>>> );
>>>>
>>>> Exit ( FALSE,"malloc Failed \n");
>>>>
>>>> }
>>>>
>>>> printf("\n\n -====Dumping MemoryListStream From Memory Dump====-\n\n");
>>>>
>>>> DumpMemoryListStream();
>>>>
>>>> }
>>>>
>>>> t>OpenDumpStream.exe
>>>>
>>>>
>>>> -====Dumping MemoryListStream From Memory Dump====-
>>>>
>>>> Number Of Memory ranges = 9
>>>>
>>>> range# RVA Address Size
>>>> 0 00004958 0007df4c 000020b4
>>>> 1 00006a0c 7c90e494 00000100
>>>> 2 00006b0c 00ccff98 00000068
>>>> 3 00006b74 7c90e494 00000100
>>>> 4 00006c74 00f1bcac 00004354
>>>> 5 0000afc8 7c90e494 00000100
>>>> 6 0000b0c8 009cfe14 000001ec
>>>> 7 0000b2b4 7c90e494 00000100
>>>> 8 0000b3b4 00447000 000165a8
>>>> g_Advanced2->Request (
>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>> MemoryListStream
>>>> ) Succeeded 00000000
>>>>
>>>> same dmp checked via dumpchk util
>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>> 9 memory ranges
>>>> range# RVA Address Size
>>>> 0 00004958 0007df4c 000020b4
>>>> 1 00006A0C 7c90e494 00000100
>>>> 2 00006B0C 00ccff98 00000068
>>>> 3 00006B74 7c90e494 00000100
>>>> 4 00006C74 00f1bcac 00004354
>>>> 5 0000AFC8 7c90e494 00000100
>>>> 6 0000B0C8 009cfe14 000001ec
>>>> 7 0000B2B4 7c90e494 00000100
>>>> 8 0000B3B4 00447000 000165a8
>>>> Total memory: 1d004
>>>>
>>>> one question remains
>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4 i can
>>>> get the 94 from outsize 1d004 from adding up all sizes what should i
>>>> use to get the rva 48c4 ?
>>>>
>>>> On 5/2/12, raj_r wrote:
>>>>> note to self
>>>>> when in doubt refer header file do not refer chm or web or random
>>>>> tidbits in obscure corners of internet
>>>>>
>>>>> this seem to be a documentation glitch in debugger.chm
>>>>>
>>>>> in debughelp.h it is dword
>>>>>
>>>>> typedef DWORD RVA;
>>>>> typedef ULONG64 RVA64;
>>>>>
>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>> ULONG32 DataSize;
>>>>> RVA Rva;
>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>
>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
>>>>> ULONG64 DataSize;
>>>>> RVA64 Rva;
>>>>> } MINIDUMP_LOCATION_DESCRIPTOR64;
>>>>>
>>>>> On 5/2/12, raj_r wrote:
>>>>>> Thanks Tim
>>>>>>
>>>>>> you wrote
>>>>>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR has
>>>>>> 32-bit size and 32-bit RVA,
>>>>>>
>>>>>> the debughelp.chm has this
>>>>>>
>>>>>>
>>>>>>
>>>>>> MINIDUMP_LOCATION_DESCRIPTOR Structure
>>>>>>
>>>>>> Contains information describing the location of a data stream within
>>>>>> a minidump file.
>>>>>>
>>>>>>
>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR { ULONG64 DataSize;
>>>>>> RVA64 Rva; } MINIDUMP_LOCATION_DESCRIPTOR; Members DataSize The size
>>>>>> of the data stream, in bytes.
>>>>>>
>>>>>> Rva
>>>>>> The relative virtual address (RVA) of the data. This is the byte
>>>>>> offset of the data stream from the beginning of the minidump file.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/2/12, Tim Roberts wrote:
>>>>>>> raj_r wrote:
>>>>>>>> not exactly related to ops question but it is regarding request of
>>>>>>>> streamtype MemoryListStream …
>>>>>>>> 00681438 00000009 0007df4c 00000000 000020b4
>>>>>>>> 00681448 00004958 7c90e494 00000000 00000100
>>>>>>>> 00681458 baadf00d baadf00d baadf00d baadf00d
>>>>>>>>
>>>>>>>> i understand the first dword 9 is NumberofMemoryRanges
>>>>>>>>
>>>>>>>> does the second QWORD7df4c point to
>>>>>>>> MemoryRanges[0].StartofMemoryRange
>>>>>>>> ??
>>>>>>>> and subsequent dwords point to …Datasize and … RVA ??
>>>>>>>
>>>>>>> They don’t POINT to those things. They CONTAIN those things. The
>>>>>>> MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges,
>>>>>>> followed by an array of MINIDUMP_MEMORY_DESCRIPTOR. The
>>>>>>> MINIDUMP_MEMORY_DESCRIPTOR has a 64-bit start of range, followed by
>>>>>>> a MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>> has 32-bit size and 32-bit RVA,
>>>>>>>
>>>>>>>> these seem to described as ULONG 64 in dbghelp.chm but windbg
>>>>>>>> doesnt seem to honor it
>>>>>>>>
>>>>>>>> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
>>>>>>>> +0x000 NumberOfMemoryRanges : 9
>>>>>>>> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
>>>>>>>> +0x000 StartOfMemoryRange : 0x7df4c
>>>>>>>> +0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>> +0x000 DataSize : 0x20b4
>>>>>>>> +0x004 Rva : 0x4958
>>>>>>>>
>>>>>>>> see the +4
>>>>>>>
>>>>>>> Those are correct. StartOfMemoryRange is 64-bit.
>>>>>>> NumberOfMemoryRanges,
>>>>>>> DataSize, and Rva are all 32-bit.
>>>>>>>
>>>>>>>> if i print it to scree with
>>>>>>>>
>>>>>>>> printf(
>>>>>>>> "Number of memory range = %08x\t\n"
>>>>>>>> "Start of Memory Range Is %I64x\t\n"
>>>>>>>> "Data Size is %I64x\t\n"
>>>>>>>> "Rva is %I64x\t\n",
>>>>>>>> mml->NumberOfMemoryRanges,
>>>>>>>> mml->MemoryRanges[0].StartOfMemoryRange,
>>>>>>>> mml->MemoryRanges[0].Memory.DataSize,
>>>>>>>> mml->MemoryRanges[0].Memory.Rva
>>>>>>>>
>>>>>>>> );
>>>>>>>
>>>>>>> “Data Size” and “Rva” should both be %08x.
>>>>>>>
>>>>>>> –
>>>>>>> Tim Roberts, xxxxx@probo.com
>>>>>>> Providenza & Boekelheide, Inc.
>>>>>>>
>>>>>>>
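Added example, not code from the thread: a bounds-checked reader for the MINIDUMP_MEMORY_LIST layout Tim Roberts describes above (a 32-bit count, then 16-byte descriptors holding a 64-bit start address, a 32-bit size and a 32-bit RVA). It rejects a count larger than the bytes actually present and any range that falls outside the file. The function and type names, the two-entry sample stream (built from the first two ranges quoted in the thread) and the file size are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum mml_status { MML_OK = 0, MML_TRUNCATED, MML_BAD_COUNT, MML_BAD_RANGE };

struct mem_range {
    uint64_t start;  /* StartOfMemoryRange, 64-bit */
    uint32_t size;   /* Memory.DataSize, 32-bit */
    uint32_t rva;    /* Memory.Rva, 32-bit offset from the start of the file */
};

#define DESC_SIZE 16u  /* 8 + 4 + 4 bytes per MINIDUMP_MEMORY_DESCRIPTOR */

/* Minidump fields are little-endian; read them byte by byte so the parser
 * does not depend on host alignment or structure packing. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}

/* Parse a MemoryListStream of stream_len bytes taken from a dump file of
 * file_size bytes. Stores up to out_cap ranges in out and the declared count
 * in *count_out. Nothing in the stream is trusted until it has been checked. */
enum mml_status parse_memory_list(const uint8_t *stream, size_t stream_len,
                                  uint64_t file_size,
                                  struct mem_range *out, size_t out_cap,
                                  uint32_t *count_out)
{
    uint32_t count, i;

    if (stream_len < 4)
        return MML_TRUNCATED;
    count = rd32(stream);

    /* The descriptors start at offset 4, directly after the count.
     * Dividing instead of multiplying keeps the check free of overflow. */
    if (count > (stream_len - 4) / DESC_SIZE)
        return MML_BAD_COUNT;

    for (i = 0; i < count; i++) {
        const uint8_t *d = stream + 4 + (size_t)i * DESC_SIZE;
        struct mem_range r;

        r.start = rd64(d);
        r.size = rd32(d + 8);
        r.rva = rd32(d + 12);

        /* The captured bytes must lie entirely inside the dump file. */
        if (r.size > file_size || r.rva > file_size - r.size)
            return MML_BAD_RANGE;
        if (i < out_cap)
            out[i] = r;
    }
    *count_out = count;
    return MML_OK;
}

/* Constructed sample: count = 2, then the first two ranges from the thread. */
static const uint8_t sample_stream[36] = {
    0x02, 0x00, 0x00, 0x00,                          /* NumberOfMemoryRanges */
    0x4c, 0xdf, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00,  /* start 0x0007df4c */
    0xb4, 0x20, 0x00, 0x00,                          /* size  0x000020b4 */
    0x58, 0x49, 0x00, 0x00,                          /* rva   0x00004958 */
    0x94, 0xe4, 0x90, 0x7c, 0x00, 0x00, 0x00, 0x00,  /* start 0x7c90e494 */
    0x00, 0x01, 0x00, 0x00,                          /* size  0x00000100 */
    0x0c, 0x6a, 0x00, 0x00                           /* rva   0x00006a0c */
};

#define SAMPLE_FILE_SIZE 0x10000u  /* constructed; the thread gives no file size */

int main(void)
{
    struct mem_range r[4];
    uint32_t n = 0, i;

    if (parse_memory_list(sample_stream, sizeof sample_stream,
                          SAMPLE_FILE_SIZE, r, 4, &n) != MML_OK)
        return 1;
    printf("range# RVA      Address  Size\n");
    for (i = 0; i < n && i < 4; i++)
        printf("%6u %08x %08llx %08x\n", (unsigned)i, (unsigned)r[i].rva,
               (unsigned long long)r[i].start, (unsigned)r[i].size);
    return 0;
}
```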

Thanks Dr Newcomer,

for posting the #defines
PMDST(something, x) if((something) == (x)) printf(#x)

switch(something)
{
#define MDSTcase(x) case x: printf(#x); break
MDSTcase(UnusedStream);

#undef MDSTcase
}

i at the moment used what tim posted in one of the earlier posts

now on to next question

typedef enum _MINIDUMP_TYPE {
MiniDumpNormal = 0x00000000,
MiniDumpWithDataSegs = 0x00000001,


MiniDumpWithUnloadedModules = 0x00000020,

}MINIDUMP_TYPE;

now if i have a flag of 21

i should be printing all the three strings isnt it ??

int mask = 0
if ( (Flags & mask) == mask)
{

dont know why Dumpchk omits the flag 0 MiniDumpNormal i can start with

int mask = 1; to get the same behavior but i dont think that would
print the MiniDumpNormal String ever

here is a sample snippet i glued together to parse the Flags and print
out the MiniDumptypes

struct MiniDumpTypeLookup {
    int Value;
    PSTR Str;
} MiniDumpTypeLookupTable[] = {
    MAKE_LOOKUP( MiniDumpNormal ),
    MAKE_LOOKUP( MiniDumpWithDataSegs ),

    MAKE_LOOKUP( MiniDumpValidTypeFlags ),
    { 0 , NULL }
};

char MiniDumpTypeNameBuff[0x1000] = {0};

PCHAR MiniDumpTypeName (ULONG64 Flags)
{
    struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;
    int i = 0;
    int mask = 0;

    while ( mask < 0x7ffff )
    {
        if( (Flags & mask ) == mask )
        {
            if(mlk->Value == mask)
            {
                strncat_s(
                    MiniDumpTypeNameBuff,
                    sizeof(MiniDumpTypeNameBuff),
                    "\n ",
                    _TRUNCATE
                );
                strncat_s(
                    MiniDumpTypeNameBuff,
                    sizeof(MiniDumpTypeNameBuff),
                    mlk->Str,
                    _TRUNCATE
                );
            }
        }
        mask = 1 << i;
        i++;
        mlk++;
    }
    return MiniDumpTypeNameBuff;
}

i get an output like this

MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC + 5:30)
MINIDUMP_HEADER Flags = 21
MiniDumpNormal
MiniDumpWithDataSegs
MiniDumpWithUnloadedModules

whereas dumpchk prints out

Debug session time: Tue Mar 27 01:22:16.000 2012 (UTC + 5:30)
System Uptime: not available
Process Uptime: not available

Loading unloaded module list

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(f0f0f0f0.9e8): Access violation - code c0000005 (first/second chance not available)
----- User Mini Dump Analysis

MINIDUMP_HEADER:
Version A793 (6003)
NumberOfStreams 8
Flags 21
0001 MiniDumpWithDataSegs
0020 MiniDumpWithUnloadedModules

On 5/6/12, xxxxx@flounder.com wrote:
> No, the question isn’t stupid, it just reflects one of the major defects
> of the C language: the lack of reflection.
>
> The correct way to handle this is definitely NOT
>
> if(something == 3) printf(“ThreadListStream”);
>
> it would be correct, but tedious, to handle every case correctly, by typing
>
> if(something == ThreadListStream) printf(“ThreadListStream”)
>
> I fail to see any purpose in using the constant “3” when there is a
> perfectly good name!
>
> However, I have used a couple techniques
>
> #define PMDST(something, x) if((something) == (x)) printf(#x)
>
> then you can write
>
> PMDST(something, UnusedStream);
> else
> PMDST(something, ThreadListStream);
> else
> …
> else
> printf(“Unknown stream type %d”, something);
>
> or, I’ll sometimes do
>
> switch(something)
> {
> #define MDSTcase(x) case x: printf(#x); break
> MDSTcase(UnusedStream);
> MDSTcase(ThreadlistStream);
> …
> default:
> printf(“Unknown stream type %d”, something);
> break;
> #undef MDSTcase
> }
>
> It depends on my mood which one I might use.
> joe
>> THIS must be a STUPID c 101 QUESTION
>> still i will ask it
>>
>> dbghelp.h has this declared
>>
>> typedef enum _MINIDUMP_STREAM_TYPE {
>>
>> UnusedStream = 0,
>> ReservedStream0 = 1,
>> ReservedStream1 = 2,
>> ThreadListStream = 3,
>> ModuleListStream = 4, … s ON }
>>
>> now if i want to printf
>>
>> MiniDir = (PMINIDUMP_DIRECTORY) Buff; MiniDir->StreamType,
>>
>> say if 3 printf (“ThreadListStream”);
>>
>> should i be doing it like this ?? error prone copy paste modify by
>> hand of the enum from dbghelp.h ?? like below
>>
>>
>> PSTR
>>
>> __cdecl
>>
>> MiniStreamTypeName (
>> int StreamType
>> )
>> {
>> PSTR Ministr[] = {
>>
>> “UnusedStream”,
>> “ReservedStream0”,
>> “ReservedStream1”,
>> “ThreadListStream”,
>> “ModuleListStream”,
>> …
>> …
>> …
>>
>> };
>> return Ministr[StreamType];
>> }
>>
>>
>> and call it with say
>>
>> printf(
>> “%7d %08x\x20\x20\x20\x20 %-30s %08x %08x\n”,
>> i,
>> MiniDir->StreamType,
>> MiniStreamTypeName(MiniDir->StreamType),
>> MiniDir->Location.DataSize,
>> MiniDir->Location.Rva
>> );
>>
>> this seems to work though i feel this must really not be the way to go
>> about
>>
>> -====Dumping DumpHeader From Memory Dump====-
>>
>> Minidump Header Signature = 504d444d
>> MINIDUMP_VERSION = 0000a793
>> MINIDUMP_VERSION(Internal) = 00006003
>> MINIDUMP_HEADER NumberofStreams = 00000008
>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>> MINIDUMP_HEADER CheckSum = 00000000
>> MINIDUMP_HEADER reserved = 4f70c8f0
>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>> MINIDUMP_HEADER Flags = 00000021
>> Stream# StreamType StreamName Size RVA
>> 0 00000003 ThreadListStream 000000c4 00000160
>> 1 00000004 ModuleListStream 00001a2c 00000224
>> 2 0000000e UnloadedModuleListStream 00000114 00001c50
>> 3 00000005 MemoryListStream 00000094 000048c4
>> 4 00000006 ExceptionStream 000000a8 000000b8
>> 5 00000007 SystemInfoStream 00000038 00000080
>> 6 00000000 UnusedStream 00000000 00000000
>> 7 00000000 UnusedStream 00000000 00000000
>> Dump Header Dumped
>>
>>
>>
>>
>>
>>
>> On 5/3/12, raj_r wrote:
>>> thanks jen for answering fast
>>> it seems i am able to get the directories and rvas with code below
>>>
>>> ftell(fp);
>>>
>>> ULONG NumberOfStreams = MiniHeader->NumberOfStreams;
>>>
>>> for (ULONG i = 0; i < NumberOfStreams; i++)
>>> {
>>> fread(
>>> Buff,
>>> 1,
>>> sizeof(MINIDUMP_DIRECTORY),
>>> fp
>>> );
>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff;
>>> printf(
>>> “StreamType\t%08x\tSize\t%08x\tRva\t%08x\n”,
>>> MiniDir->StreamType,
>>> MiniDir->Location.DataSize,
>>> MiniDir->Location.Rva
>>> );
>>> ftell(fp);
>>> }
>>>
>>> StreamType 00000003 Size 000000c4 Rva 00000160
>>> StreamType 00000004 Size 00001a2c Rva 00000224
>>> StreamType 0000000e Size 00000114 Rva 00001c50
>>> StreamType 00000005 Size 00000094 Rva 000048c4
>>> StreamType 00000006 Size 000000a8 Rva 000000b8
>>> StreamType 00000007 Size 00000038 Rva 00000080
>>> StreamType 00000000 Size 00000000 Rva 00000000
>>> StreamType 00000000 Size 00000000 Rva 00000000
>>> Dump Header Dumped
>>>
>>>
>>> t>Dumpchk test.dmp | grep -i stream
>>> Loading dump file test.dmp
>>> NumberOfStreams 8
>>> Streams:
>>> Stream 0: type ThreadListStream (3), size 000000C4, RVA 00000160
>>> Stream 1: type ModuleListStream (4), size 00001A2C, RVA 00000224
>>> Stream 2: type UnloadedModuleListStream (14), size 00000114, RVA 00001C50
>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>> Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000B8
>>> Stream 5: type SystemInfoStream (7), size 00000038, RVA 00000080
>>> Stream 6: type UnusedStream (0), size 00000000, RVA 00000000
>>> Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
>>>
>>>
>>> so all left is to parse and the remaining bytes
>>>
>>>
>>> On 5/3/12, Jen-Lung Chiu wrote:
>>>> Yes no API support to get those data from dump headers.
>>>>
>>>> -----Original Message-----
>>>> From: xxxxx@lists.osr.com
>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>> Sent: Wednesday, May 2, 2012 01:37 PM
>>>> To: Kernel Debugging Interest List
>>>> Subject: Re: [windbg] Error when reading user stream from dump file
>>>>
>>>> Thanks jen
>>>>
>>>> So I Need To do Something Like below Myself no request or interface
>>>> exist
>>>> ??
>>>>
>>>>
>>>> int __cdecl DumpDumpHeader(void) {
>>>>
>>>> HRESULT status = S_OK;
>>>>
>>>> PMINIDUMP_HEADER MiniHeader;
>>>>
>>>> FILE * fp;
>>>>
>>>> size_t result;
>>>>
>>>> if (( fp = fopen(
>>>>
>>>> “test.dmp”,
>>>>
>>>> “rb”
>>>>
>>>> ) ) == 0 ) {
>>>>
>>>> Exit (
>>>>
>>>> FALSE,
>>>>
>>>> “fopen ( %s ) Failed”,
>>>>
>>>> “test.dmp”
>>>>
>>>> );
>>>>
>>>> }
>>>>
>>>> if (( result = fread(
>>>>
>>>> Buff,
>>>>
>>>> 1,
>>>>
>>>> sizeof(MINIDUMP_HEADER),
>>>>
>>>> fp
>>>>
>>>> ) ) != sizeof(MINIDUMP_HEADER)) {
>>>>
>>>> Exit(
>>>>
>>>> FALSE,
>>>>
>>>> “fread(fp) failed\n”
>>>>
>>>> );
>>>>
>>>> }
>>>>
>>>> MiniHeader = (PMINIDUMP_HEADER)Buff;
>>>>
>>>> printf(
>>>>
>>>> “Minidump Header Signature = %08x\n”
>>>>
>>>> “MINIDUMP_VERSION = %08x\n”
>>>>
>>>> “MINIDUMP_VERSION(Internal) = %08x\n”
>>>>
>>>> “MINIDUMP_HEADER NumberofStreams = %08x\n”
>>>>
>>>> “MINIDUMP_HEADER StreamDirectoryRVA = %08x\n”
>>>>
>>>> “MINIDUMP_HEADER CheckSum = %08x\n”
>>>>
>>>> “MINIDUMP_HEADER reserved = %08x\n”
>>>>
>>>> “MINIDUMP_HEADER TimeDateStamp = %08x\n”
>>>>
>>>> “MINIDUMP_HEADER Flags = %08x\n”,
>>>>
>>>> MiniHeader->Signature,
>>>>
>>>> LOWORD(MiniHeader->Version),
>>>>
>>>> HIWORD(MiniHeader->Version),
>>>>
>>>> MiniHeader->NumberOfStreams,
>>>>
>>>> MiniHeader->StreamDirectoryRva,
>>>>
>>>> MiniHeader->CheckSum,
>>>>
>>>> MiniHeader->Reserved,
>>>>
>>>> MiniHeader->TimeDateStamp,
>>>>
>>>> MiniHeader->Flags
>>>>
>>>> );
>>>>
>>>> fclose(fp);
>>>>
>>>> return status;
>>>>
>>>> }
>>>>
>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>
>>>> Minidump Header Signature = 504d444d
>>>> MINIDUMP_VERSION = 0000a793
>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>> MINIDUMP_HEADER Flags = 00000021
>>>> Dump Header Dumped
>>>>
>>>>
>>>> ----- User Mini Dump Analysis
>>>>
>>>> MINIDUMP_HEADER:
>>>> Version A793 (6003)
>>>> NumberOfStreams 8
>>>> Flags 21
>>>> 0001 MiniDumpWithDataSegs
>>>> 0020 MiniDumpWithUnloadedModules
>>>>
>>>>
>>>>
>>>>
>>>> On 5/2/12, Jen-Lung Chiu wrote:
>>>>> You could check MSDN or dbghelp.h for user-mode minidump format, then
>>>>> use binary editor to browse the dump file.
>>>>>
>>>>> The user-mode minidump starts with a MINIDUMP_HEADER structure, then
>>>>> follows a list of MINIDUMP_DIRECTORY structure (the number of
>>>>> MINIDUMP_DIRECTORY structures is MINIDUMP_HEADER::NumberOfStreams).
>>>>> The MINIDUMP_DIRECTORY block defines the type of the stream (in your
>>>>> case, MemoryListStream) as well as the RVA/size of the stream.
>>>>>
>>>>> -----Original Message-----
>>>>> From: xxxxx@lists.osr.com
>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>> Sent: Wednesday, May 2, 2012 02:42 AM
>>>>> To: Kernel Debugging Interest List
>>>>> Subject: Re: [windbg] Error when reading user stream from dump file
>>>>>
>>>>> ok changing the ULONG64 of Debughelp.chm to DWORD of Debughelp.h it
>>>>> seems now i can dump the MemoryListStream below is code and output
>>>>> Dissections are Welcome
>>>>>
>>>>> #include <stdio.h>
>>>>>
>>>>> #include <engextcpp.hpp>
>>>>>
>>>>> #include <dbghelp.h>
>>>>>
>>>>> const ULONG MBUFFSIZE = 0x1000;
>>>>>
>>>>> IDebugClient* g_Client;
>>>>>
>>>>> IDebugControl* g_Control;
>>>>>
>>>>> IDebugAdvanced2* g_Advanced2;
>>>>>
>>>>> PVOID Buff;
>>>>>
>>>>> void
>>>>>
>>>>> Exit( __in int Code,
>>>>>
>>>>> __in PCSTR Format,
>>>>>
>>>>> ...)
>>>>>
>>>>> {
>>>>>
>>>>> if (g_Client != NULL) {
>>>>>
>>>>> g_Client->EndSession(DEBUG_END_DISCONNECT);
>>>>>
>>>>> g_Client->Release();
>>>>>
>>>>> g_Client = NULL;
>>>>>
>>>>> }
>>>>>
>>>>> if (g_Control != NULL) {
>>>>>
>>>>> g_Control->Release();
>>>>>
>>>>> g_Control = NULL;
>>>>>
>>>>> }
>>>>>
>>>>> if (g_Advanced2 !=NULL) {
>>>>>
>>>>> g_Advanced2->Release();
>>>>>
>>>>> g_Advanced2 = NULL;
>>>>>
>>>>> }
>>>>>
>>>>> if( Buff != NULL) {
>>>>>
>>>>> free(Buff);
>>>>>
>>>>> }
>>>>>
>>>>> if (Format != NULL) {
>>>>>
>>>>> va_list Args;
>>>>>
>>>>> va_start(Args, Format);
>>>>>
>>>>> vfprintf(stderr, Format, Args);
>>>>>
>>>>> va_end(Args);
>>>>>
>>>>> }
>>>>>
>>>>> exit(Code);
>>>>>
>>>>> }
>>>>>
>>>>> int __cdecl DumpMemoryListStream(void){
>>>>>
>>>>> HRESULT status;
>>>>>
>>>>> if ( ( status = DebugCreate(
>>>>>
>>>>> __uuidof(IDebugClient),
>>>>>
>>>>> (void**)&g_Client
>>>>>
>>>>> ) ) !=S_OK) {
>>>>>
>>>>> Exit(
>>>>>
>>>>> FALSE,
>>>>>
>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>
>>>>> “DebugCreate”,
>>>>>
>>>>> “IDebugClient”,
>>>>>
>>>>> status);
>>>>>
>>>>> }
>>>>>
>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>
>>>>> __uuidof(IDebugControl),
>>>>>
>>>>> (void**)&g_Control
>>>>>
>>>>> ) ) != S_OK ) {
>>>>>
>>>>> Exit(
>>>>>
>>>>> FALSE,
>>>>>
>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>
>>>>> “QueryInterface”,
>>>>>
>>>>> “IDebugControl”,
>>>>>
>>>>> status);
>>>>>
>>>>> }
>>>>>
>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>
>>>>> __uuidof(IDebugAdvanced2),
>>>>>
>>>>> (void**)&g_Advanced2
>>>>>
>>>>> )) != S_OK ) {
>>>>>
>>>>> Exit(
>>>>>
>>>>> FALSE,
>>>>>
>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>
>>>>> “QueryInterface”,
>>>>>
>>>>> “IDebugAdvanced2”,
>>>>>
>>>>> status);
>>>>>
>>>>> }
>>>>>
>>>>> if (( status = g_Client->OpenDumpFile(
>>>>>
>>>>> “test.dmp”
>>>>>
>>>>> )) != S_OK ) {
>>>>>
>>>>> Exit(
>>>>>
>>>>> FALSE,
>>>>>
>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>
>>>>> “g_Client”,
>>>>>
>>>>> “OpenDumpFile”,
>>>>>
>>>>> status);
>>>>>
>>>>> }
>>>>>
>>>>> if (( status = g_Control->WaitForEvent(
>>>>>
>>>>> 0,
>>>>>
>>>>> INFINITE
>>>>>
>>>>> ) ) != S_OK ) {
>>>>>
>>>>> Exit(
>>>>>
>>>>> FALSE,
>>>>>
>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>
>>>>> “g_Control”,
>>>>>
>>>>> “WaitForEvent”,
>>>>>
>>>>> status);
>>>>>
>>>>> }
>>>>>
>>>>> PVOID OutBuffer;
>>>>>
>>>>> ULONG OutBufferSize;
>>>>>
>>>>> ULONG OutSize;
>>>>>
>>>>> PMINIDUMP_MEMORY_LIST mml;
>>>>>
>>>>> DEBUG_READ_USER_MINIDUMP_STREAM InBuffer;
>>>>>
>>>>> InBuffer.StreamType = MemoryListStream;
>>>>>
>>>>> InBuffer.Flags = 0;
>>>>>
>>>>> InBuffer.Offset = 0;
>>>>>
>>>>> InBuffer.Buffer = Buff;
>>>>>
>>>>> InBuffer.BufferSize = MBUFFSIZE;
>>>>>
>>>>> InBuffer.BufferUsed = 0;
>>>>>
>>>>> OutBuffer = NULL;
>>>>>
>>>>> OutBufferSize = NULL;
>>>>>
>>>>> if (( status = g_Advanced2->Request(
>>>>>
>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>
>>>>> &InBuffer,
>>>>>
>>>>> sizeof(InBuffer),
>>>>>
>>>>> OutBuffer,
>>>>>
>>>>> OutBufferSize,
>>>>>
>>>>> &OutSize
>>>>>
>>>>> ) ) != S_OK ) {
>>>>>
>>>>> Exit(
>>>>>
>>>>> FALSE,
>>>>>
>>>>> “%s (\n”
>>>>>
>>>>> “\t%s,\n”
>>>>>
>>>>> “\t%s\n\t) Failed %08x\n”,
>>>>>
>>>>> “g_Advanced2->Request”,
>>>>>
>>>>> “DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM”,
>>>>>
>>>>> “MemoryListStream”,
>>>>>
>>>>> status);
>>>>>
>>>>> }
>>>>>
>>>>> mml = (PMINIDUMP_MEMORY_LIST)Buff;
>>>>>
>>>>> printf (
>>>>>
>>>>> " Number Of Memory ranges = %x\n\n"
>>>>>
>>>>> " range# RVA Address Size\n",
>>>>>
>>>>> mml->NumberOfMemoryRanges
>>>>>
>>>>> );
>>>>>
>>>>> for (ULONG i = 0; i < mml->NumberOfMemoryRanges; i++) {
>>>>>
>>>>> printf(
>>>>>
>>>>> " %d %08x %08I64x %08x\n",
>>>>>
>>>>> i,
>>>>>
>>>>> mml->MemoryRanges[i].Memory.Rva,
>>>>>
>>>>> mml->MemoryRanges[i].StartOfMemoryRange,
>>>>>
>>>>> mml->MemoryRanges[i].Memory.DataSize
>>>>>
>>>>> );
>>>>>
>>>>> }
>>>>>
>>>>> Exit(
>>>>>
>>>>> TRUE,
>>>>>
>>>>> “%s (\n”
>>>>>
>>>>> “\t%s,\n”
>>>>>
>>>>> “\t%s\n\t) Succeeded %08x\n”,
>>>>>
>>>>> “g_Advanced2->Request”,
>>>>>
>>>>> “DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM”,
>>>>>
>>>>> “MemoryListStream”,
>>>>>
>>>>> status);
>>>>>
>>>>> }
>>>>>
>>>>> int __cdecl main (void){
>>>>>
>>>>> Buff = (PVOID) malloc( MBUFFSIZE );
>>>>>
>>>>> if(Buff == 0) {
>>>>>
>>>>> printf(
>>>>>
>>>>> “malloc failed\n”
>>>>>
>>>>> );
>>>>>
>>>>> Exit ( FALSE,“malloc Failed \n”);
>>>>>
>>>>> }
>>>>>
>>>>> printf("\n\n -====Dumping MemoryListStream From Memory Dump====-\n\n");
>>>>>
>>>>> DumpMemoryListStream();
>>>>>
>>>>> }
>>>>>
>>>>> t>OpenDumpStream.exe
>>>>>
>>>>>
>>>>> -====Dumping MemoryListStream From Memory Dump====-
>>>>>
>>>>> Number Of Memory ranges = 9
>>>>>
>>>>> range# RVA Address Size
>>>>> 0 00004958 0007df4c 000020b4
>>>>> 1 00006a0c 7c90e494 00000100
>>>>> 2 00006b0c 00ccff98 00000068
>>>>> 3 00006b74 7c90e494 00000100
>>>>> 4 00006c74 00f1bcac 00004354
>>>>> 5 0000afc8 7c90e494 00000100
>>>>> 6 0000b0c8 009cfe14 000001ec
>>>>> 7 0000b2b4 7c90e494 00000100
>>>>> 8 0000b3b4 00447000 000165a8
>>>>> g_Advanced2->Request (
>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>> MemoryListStream
>>>>> ) Succeeded 00000000
>>>>>
>>>>> same dmp checked via dumpchk util
>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>> 9 memory ranges
>>>>> range# RVA Address Size
>>>>> 0 00004958 0007df4c 000020b4
>>>>> 1 00006A0C 7c90e494 00000100
>>>>> 2 00006B0C 00ccff98 00000068
>>>>> 3 00006B74 7c90e494 00000100
>>>>> 4 00006C74 00f1bcac 00004354
>>>>> 5 0000AFC8 7c90e494 00000100
>>>>> 6 0000B0C8 009cfe14 000001ec
>>>>> 7 0000B2B4 7c90e494 00000100
>>>>> 8 0000B3B4 00447000 000165a8
>>>>> Total memory: 1d004
>>>>>
>>>>> one question remains
>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4 i can
>>>>> get the 94 from outsize 1d004 from adding up all sizes what should i
>>>>> use to get the rva 48c4 ?
>>>>>
>>>>> On 5/2/12, raj_r wrote:
>>>>>> note to self
>>>>>> when in doubt refer header file do not refer chm or web or random
>>>>>> tidbits in obscure corners of internet
>>>>>>
>>>>>> this seem to be a documentation glitch in debugger.chm
>>>>>>
>>>>>> in debughelp.h it is dword
>>>>>>
>>>>>> typedef DWORD RVA;
>>>>>> typedef ULONG64 RVA64;
>>>>>>
>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>>> ULONG32 DataSize;
>>>>>> RVA Rva;
>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>>
>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
>>>>>> ULONG64 DataSize;
>>>>>> RVA64 Rva;
>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR64;
>>>>>>
>>>>>> On 5/2/12, raj_r wrote:
>>>>>>> Thanks Tim
>>>>>>>
>>>>>>> you wrote
>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR has
>>>>>>> 32-bit size and 32-bit RVA,
>>>>>>>
>>>>>>> the debughelp.chm has this
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR Structure
>>>>>>>
>>>>>>> Contains information describing the location of a data stream within
>>>>>>> a minidump file.
>>>>>>>
>>>>>>>
>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR { ULONG64 DataSize;
>>>>>>> RVA64 Rva; } MINIDUMP_LOCATION_DESCRIPTOR; Members DataSize The size
>>>>>>> of the data stream, in bytes.
>>>>>>>
>>>>>>> Rva
>>>>>>> The relative virtual address (RVA) of the data. This is the byte
>>>>>>> offset of the data stream from the beginning of the minidump file.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 5/2/12, Tim Roberts wrote:
>>>>>>>> raj_r wrote:
>>>>>>>>> not exactly related to ops question but it is regarding request of
>>>>>>>>> streamtype MemoryListStream …
>>>>>>>>> 00681438 00000009 0007df4c 00000000 000020b4
>>>>>>>>> 00681448 00004958 7c90e494 00000000 00000100
>>>>>>>>> 00681458 baadf00d baadf00d baadf00d baadf00d
>>>>>>>>>
>>>>>>>>> i understand the first dword 9 is NumberofMemoryRanges
>>>>>>>>>
>>>>>>>>> does the second QWORD7df4c point to
>>>>>>>>> MemoryRanges[0].StartofMemoryRange
>>>>>>>>> ??
>>>>>>>>> and subsequent dwords point to …Datasize and … RVA ??
>>>>>>>>
>>>>>>>> They don’t POINT to those things. They CONTAIN those things. The
>>>>>>>> MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges,
>>>>>>>> followed by an array of MINIDUMP_MEMORY_DESCRIPTOR. The
>>>>>>>> MINIDUMP_MEMORY_DESCRIPTOR has a 64-bit start of range, followed by
>>>>>>>> a MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>> has 32-bit size and 32-bit RVA,
>>>>>>>>
>>>>>>>>> these seem to described as ULONG 64 in dbghelp.chm but windbg
>>>>>>>>> doesnt seem to honor it
>>>>>>>>>
>>>>>>>>> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
>>>>>>>>> +0x000 NumberOfMemoryRanges : 9
>>>>>>>>> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
>>>>>>>>> +0x000 StartOfMemoryRange : 0x7df4c
>>>>>>>>> +0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>> +0x000 DataSize : 0x20b4
>>>>>>>>> +0x004 Rva : 0x4958
>>>>>>>>>
>>>>>>>>> see the +4
>>>>>>>>
>>>>>>>> Those are correct. StartOfMemoryRange is 64-bit.
>>>>>>>> NumberOfMemoryRanges,
>>>>>>>> DataSize, and Rva are all 32-bit.
>>>>>>>>
>>>>>>>>> if i print it to screen with
>>>>>>>>>
>>>>>>>>> printf(
>>>>>>>>> “Number of memory range = %08x\t\n”
>>>>>>>>> “Start of Memory Range Is %I64x\t\n”
>>>>>>>>> “Data Size is %I64x\t\n”
>>>>>>>>> “Rva is %I64x\t\n”,
>>>>>>>>> mml->NumberOfMemoryRanges,
>>>>>>>>> mml->MemoryRanges[0].StartOfMemoryRange,
>>>>>>>>> mml->MemoryRanges[0].Memory.DataSize,
>>>>>>>>> mml->MemoryRanges[0].Memory.Rva
>>>>>>>>>
>>>>>>>>> );
>>>>>>>>
>>>>>>>> “Data Size” and “Rva” should both be %08x.
>>>>>>>>
>>>>>>>> –
>>>>>>>> Tim Roberts, xxxxx@probo.com
>>>>>>>> Providenza & Boekelheide, Inc.
>>>>>>>>
>>>>>>>>

const char * sep = "";

#define ShowBit(something, x) if ((something) & (x)) { printf("%s", sep); \
printf(#x); sep = " | "; }

if(value == MiniDumpNormal)
printf("MiniDumpNormal");
else
{
ShowBit(value, MiniDumpWithSegs);
ShowBit(value, MiniDumpSomeOtherKind);
ShowBit(value, MiniDumpYetOnOtherType);
}

Note this does require you special-case the “0” type.
joe
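Added example, not code from the thread: one way to decode the Flags value with the 0 case handled separately, as described above, writing into a caller-supplied buffer and reporting bits the table does not list. The function names are assumptions; the table is a partial copy of MINIDUMP_TYPE values from dbghelp.h.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Name/value pairs mirroring part of MINIDUMP_TYPE in dbghelp.h. The table is
 * deliberately partial: bits it does not list are reported in hex, not dropped.
 * MiniDumpNormal (0) is not in the table because it is the absence of bits. */
struct flag_name { uint64_t value; const char *name; };

static const struct flag_name minidump_type_names[] = {
    { 0x00000001, "MiniDumpWithDataSegs" },
    { 0x00000002, "MiniDumpWithFullMemory" },
    { 0x00000004, "MiniDumpWithHandleData" },
    { 0x00000008, "MiniDumpFilterMemory" },
    { 0x00000010, "MiniDumpScanMemory" },
    { 0x00000020, "MiniDumpWithUnloadedModules" },
};

/* Append s at offset used; never writes past out_size, always terminates.
 * Returns the length the text would have without truncation. */
static size_t append(char *out, size_t out_size, size_t used, const char *s)
{
    size_t n = strlen(s);

    if (used < out_size) {
        size_t room = out_size - used - 1;
        size_t copy = n < room ? n : room;
        memcpy(out + used, s, copy);
        out[used + copy] = '\0';
    }
    return used + n;
}

/* Decode flags into the caller's buffer as "A | B | 0x... (unknown)".
 * Returns the untruncated length, snprintf-style, so the caller can detect
 * truncation by comparing the result against out_size. */
size_t minidump_type_to_string(uint64_t flags, char *out, size_t out_size)
{
    const char *sep = "";
    size_t used = 0, i;

    if (out_size > 0)
        out[0] = '\0';
    if (flags == 0)  /* the special case: 0 is a value, not a bit */
        return append(out, out_size, used, "MiniDumpNormal");

    for (i = 0; i < sizeof minidump_type_names / sizeof minidump_type_names[0]; i++) {
        if (flags & minidump_type_names[i].value) {
            used = append(out, out_size, used, sep);
            used = append(out, out_size, used, minidump_type_names[i].name);
            sep = " | ";
            flags &= ~minidump_type_names[i].value;  /* mark the bit as named */
        }
    }
    if (flags != 0) {  /* bits left over are ones the table does not know */
        char hex[40];
        snprintf(hex, sizeof hex, "0x%" PRIx64 " (unknown)", flags);
        used = append(out, out_size, used, sep);
        used = append(out, out_size, used, hex);
    }
    return used;
}

int main(void)
{
    char buf[256];

    minidump_type_to_string(0x21, buf, sizeof buf);  /* Flags value from the thread */
    printf("Flags 21: %s\n", buf);
    return 0;
}
```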

Thanks Dr Newcomer,

for posting the #defines
PMDST(something, x) if((something) == (x)) printf(#x)

switch(something)
{
#define MDSTcase(x) case x: printf(#x); break
MDSTcase(UnusedStream);

#undef MDSTcase
}

i at the moment used what tim posted in one of the earlier posts

now on to next question

typedef enum _MINIDUMP_TYPE {
MiniDumpNormal = 0x00000000,
MiniDumpWithDataSegs = 0x00000001,


MiniDumpWithUnloadedModules = 0x00000020,

}MINIDUMP_TYPE;

now if i have a flag of 21

i should be printing all the three strings isnt it ??

int mask = 0
if ( (Flags & mask) == mask)
{

dont know why Dumpchk omits the flag 0 MiniDumpNormal i can start with

int mask = 1; to get the same behavior but i dont think that would
print the MiniDumpNormal String ever

here is a sample snippet i glued together to parse the Flags and print
out the MiniDumptypes

struct MiniDumpTypeLookup {

int Value;

PSTR Str;

} MiniDumpTypeLookupTable[] = {

MAKE_LOOKUP( MiniDumpNormal ),

MAKE_LOOKUP( MiniDumpWithDataSegs ),


MAKE_LOOKUP( MiniDumpValidTypeFlags ),

{ 0 , NULL }

};

char MiniDumpTypeNameBuff[0x1000] = {0};
****
As soon as you declare a character array of a fixed size, you have already
lost. This should never be written, anywhere. It is dead, obsolete, C
code. Use std::string or CString data types instead. I would no more do
this than write in assembly code.

And why is this declared as a static variable global to the function
instead of as a stack local? It isn’t thread-safe, and it represents an
antiquated programming pattern that is best dead and buried
*****

PCHAR MiniDumpTypeName (ULONG64 Flags)

{

struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;

int i = 0;

int mask = 0;

while ( mask < 0x7ffff )
****
Wrong test. I have no idea what this is testing, but it would never occur
to me to write this code
****

{

if( (Flags & mask ) == mask )

{

if(mlk->Value == mask)

{

strncat_s(

MiniDumpTypeNameBuff,

sizeof(MiniDumpTypeNameBuff),
****
Note that you have made a consistent error in all the programs, which I
did not attempt to correct: that the program always and forever uses 8-bit
character strings. You should either assume Unicode or code
Unicode-aware, using T-data types, _T() for literals, etc. Note that I
prefer, when doing bit masks, to use the vertical bar (with spaces around
it) as the separator, which is more in keeping with how a programmer
thinks of the bit fields.
*****

"\n ",

_TRUNCATE

);

strncat_s(

MiniDumpTypeNameBuff,

sizeof(MiniDumpTypeNameBuff),

mlk->Str,

_TRUNCATE

);

}

}

mask = 1 << i;

i++;

mlk++;

}

return MiniDumpTypeNameBuff;
***
This makes no sense; you are returning a pointer to a buffer which is
statically allocated. Bad practice, not thread-safe, potentially a
disaster.

Again, avoid C data types and use std::string or CString types.
Programming applications in C is about as antiquated as programming
applications in assembly code.
*****

}

i get an output like this

MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC + 5:30)
MINIDUMP_HEADER Flags = 21
MiniDumpNormal
MiniDumpWithDataSegs
MiniDumpWithUnloadedModules
****
No surprise, because you have to special-case the 0 flag value. Look at
your code:

if((Flags & 0) == 0)

which is going to be always true. If you want to make a fully-general
subroutine, you can impose rules like “the first entry in the table might
be a zero value, special-case the first entry” or even more general, if
the value Flags is 0, scan the table for the 0 value, print it and return,
else iterate the bit mask as you have done.
****

whereas dumpchk prints out

Debug session time: Tue Mar 27 01:22:16.000 2012 (UTC + 5:30)
System Uptime: not available
Process Uptime: not available

Loading unloaded module list

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(f0f0f0f0.9e8): Access violation - code c0000005 (first/second chance not available)
----- User Mini Dump Analysis

MINIDUMP_HEADER:
Version A793 (6003)
NumberOfStreams 8
Flags 21
0001 MiniDumpWithDataSegs
0020 MiniDumpWithUnloadedModules

****
That’s because they properly handle the 0 case.
joe
****

On 5/6/12, xxxxx@flounder.com wrote:
>> No, the question isn’t stupid, it just reflects one of the major defects
>> of the C language: the lack of reflection.
>>
>> The correct way to handle this is definitely NOT
>>
>> if(something == 3) printf(“ThreadListStream”);
>>
>> it would be correct, but tedious, to handle every case correctly, by
>> typing
>>
>> if(something == ThreadListStream) printf(“ThreadListStream”)
>>
>> I fail to see any purpose in using the constant “3” when there is a
>> perfectly good name!
>>
>> However, I have used a couple techniques
>>
>> #define PMDST(something, x) if((something) == (x)) printf(#x)
>>
>> then you can write
>>
>> PMDST(something, UnusedStream);
>> else
>> PMDST(something, ThreadListStream);
>> else
>> …
>> else
>> printf(“Unknown stream type %d”, something);
>>
>> or, I’ll sometimes do
>>
>> switch(something)
>> {
>> #define MDSTcase(x) case x: printf(#x); break
>> MDSTcase(UnusedStream);
>> MDSTcase(ThreadlistStream);
>> …
>> default:
>> printf(“Unknown stream type %d”, something);
>> break;
>> #undef MDSTcase
>> }
>>
>> It depends on my mood which one I might use.
>> joe
>>> THIS must be a STUPID c 101 QUESTION
>>> still i will ask it
>>>
>>> dbghelp.h has this declared
>>>
>>> typedef enum _MINIDUMP_STREAM_TYPE {
>>>
>>> UnusedStream = 0,
>>> ReservedStream0 = 1,
>>> ReservedStream1 = 2,
>>> ThreadListStream = 3,
>>> ModuleListStream = 4, … s ON }
>>>
>>> now if i want to printf
>>>
>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff; MiniDir->StreamType,
>>>
>>> say if 3 printf (“ThreadListStream”);
>>>
>>> should i be doing it like this ?? error prone copy paste modify by
>>> hand of the enum from dbghelp.h ?? like below
>>>
>>>
>>> PSTR
>>>
>>> __cdecl
>>>
>>> MiniStreamTypeName (
>>> int StreamType
>>> )
>>> {
>>> PSTR Ministr[] = {
>>>
>>> “UnusedStream”,
>>> “ReservedStream0”,
>>> “ReservedStream1”,
>>> “ThreadListStream”,
>>> “ModuleListStream”,
>>> …
>>> …
>>> …
>>>
>>> };
>>> return Ministr[StreamType];
>>> }
>>>
>>>
>>> and call it with say
>>>
>>> printf(
>>> “%7d %08x\x20\x20\x20\x20 %-30s %08x %08x\n”,
>>> i,
>>> MiniDir->StreamType,
>>> MiniStreamTypeName(MiniDir->StreamType),
>>> MiniDir->Location.DataSize,
>>> MiniDir->Location.Rva
>>> );
>>>
>>> this seems to work though i feel this must really not be the way to go
>>> about
>>>
>>> -====Dumping DumpHeader From Memory Dump====-
>>>
>>> Minidump Header Signature = 504d444d
>>> MINIDUMP_VERSION = 0000a793
>>> MINIDUMP_VERSION(Internal) = 00006003
>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>> MINIDUMP_HEADER CheckSum = 00000000
>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>> MINIDUMP_HEADER Flags = 00000021
>>> Stream# StreamType StreamName Size RVA
>>> 0 00000003 ThreadListStream 000000c4 00000160
>>> 1 00000004 ModuleListStream 00001a2c 00000224
>>> 2 0000000e UnloadedModuleListStream 00000114 00001c50
>>> 3 00000005 MemoryListStream 00000094 000048c4
>>> 4 00000006 ExceptionStream 000000a8 000000b8
>>> 5 00000007 SystemInfoStream 00000038 00000080
>>> 6 00000000 UnusedStream 00000000 00000000
>>> 7 00000000 UnusedStream 00000000 00000000
>>> Dump Header Dumped
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 5/3/12, raj_r wrote:
>>>> thanks jen for answering fast
>>>> it seems i am able to get the directories and rvas with code below
>>>>
>>>> ftell(fp);
>>>>
>>>> ULONG NumberOfStreams = MiniHeader->NumberOfStreams;
>>>>
>>>> for (ULONG i = 0; i < NumberOfStreams; i++)
>>>> {
>>>> fread(
>>>> Buff,
>>>> 1,
>>>> sizeof(MINIDUMP_DIRECTORY),
>>>> fp
>>>> );
>>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff;
>>>> printf(
>>>> “StreamType\t%08x\tSize\t%08x\tRva\t%08x\n”,
>>>> MiniDir->StreamType,
>>>> MiniDir->Location.DataSize,
>>>> MiniDir->Location.Rva
>>>> );
>>>> ftell(fp);
>>>> }
>>>>
>>>> StreamType 00000003 Size 000000c4 Rva
>>>> 00000160
>>>> StreamType 00000004 Size 00001a2c Rva
>>>> 00000224
>>>> StreamType 0000000e Size 00000114 Rva
>>>> 00001c50
>>>> StreamType 00000005 Size 00000094 Rva
>>>> 000048c4
>>>> StreamType 00000006 Size 000000a8 Rva
>>>> 000000b8
>>>> StreamType 00000007 Size 00000038 Rva
>>>> 00000080
>>>> StreamType 00000000 Size 00000000 Rva
>>>> 00000000
>>>> StreamType 00000000 Size 00000000 Rva
>>>> 00000000
>>>> Dump Header Dumped
>>>>
>>>>
>>>> t>Dumpchk test.dmp | grep -i stream
>>>> Loading dump file test.dmp
>>>> NumberOfStreams 8
>>>> Streams:
>>>> Stream 0: type ThreadListStream (3), size 000000C4, RVA 00000160
>>>> Stream 1: type ModuleListStream (4), size 00001A2C, RVA 00000224
>>>> Stream 2: type UnloadedModuleListStream (14), size 00000114, RVA
>>>> 00001C50
>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>> Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000B8
>>>> Stream 5: type SystemInfoStream (7), size 00000038, RVA 00000080
>>>> Stream 6: type UnusedStream (0), size 00000000, RVA 00000000
>>>> Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
>>>>
>>>>
>>>> so all left is to parse and the remaining bytes
>>>>
>>>>
>>>> On 5/3/12, Jen-Lung Chiu wrote:
>>>>> Yes no API support to get those data from dump headers.
>>>>>
>>>>> -----Original Message-----
>>>>> From: xxxxx@lists.osr.com
>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>> Sent: Wednesday, May 2, 2012 01:37 PM
>>>>> To: Kernel Debugging Interest List
>>>>> Subject: Re: [windbg] Error when reading user stream from dump file
>>>>>
>>>>> Thanks jen
>>>>>
>>>>> So I Need To do Something Like below Myself no request or interface
>>>>> exist
>>>>> ??
>>>>>
>>>>>
>>>>> int __cdecl DumpDumpHeader(void) {
>>>>>
>>>>> HRESULT status = S_OK;
>>>>>
>>>>> PMINIDUMP_HEADER MiniHeader;
>>>>>
>>>>> FILE * fp;
>>>>>
>>>>> size_t result;
>>>>>
>>>>> if (( fp = fopen(
>>>>>
>>>>> “test.dmp”,
>>>>>
>>>>> “rb”
>>>>>
>>>>> ) ) == 0 ) {
>>>>>
>>>>> Exit (
>>>>>
>>>>> FALSE,
>>>>>
>>>>> “fopen ( %s ) Failed”,
>>>>>
>>>>> “test.dmp”
>>>>>
>>>>> );
>>>>>
>>>>> }
>>>>>
>>>>> if (( result = fread(
>>>>>
>>>>> Buff,
>>>>>
>>>>> 1,
>>>>>
>>>>> sizeof(MINIDUMP_HEADER),
>>>>>
>>>>> fp
>>>>>
>>>>> ) ) != sizeof(MINIDUMP_HEADER)) {
>>>>>
>>>>> Exit(
>>>>>
>>>>> FALSE,
>>>>>
>>>>> “fread(fp) failed\n”
>>>>>
>>>>> );
>>>>>
>>>>> }
>>>>>
>>>>> MiniHeader = (PMINIDUMP_HEADER)Buff;
>>>>>
>>>>> printf(
>>>>>
>>>>> “Minidump Header Signature = %08x\n”
>>>>>
>>>>> “MINIDUMP_VERSION = %08x\n”
>>>>>
>>>>> “MINIDUMP_VERSION(Internal) = %08x\n”
>>>>>
>>>>> “MINIDUMP_HEADER NumberofStreams = %08x\n”
>>>>>
>>>>> “MINIDUMP_HEADER StreamDirectoryRVA = %08x\n”
>>>>>
>>>>> “MINIDUMP_HEADER CheckSum = %08x\n”
>>>>>
>>>>> “MINIDUMP_HEADER reserved = %08x\n”
>>>>>
>>>>> “MINIDUMP_HEADER TimeDateStamp = %08x\n”
>>>>>
>>>>> “MINIDUMP_HEADER Flags = %08x\n”,
>>>>>
>>>>> MiniHeader->Signature,
>>>>>
>>>>> LOWORD(MiniHeader->Version),
>>>>>
>>>>> HIWORD(MiniHeader->Version),
>>>>>
>>>>> MiniHeader->NumberOfStreams,
>>>>>
>>>>> MiniHeader->StreamDirectoryRva,
>>>>>
>>>>> MiniHeader->CheckSum,
>>>>>
>>>>> MiniHeader->Reserved,
>>>>>
>>>>> MiniHeader->TimeDateStamp,
>>>>>
>>>>> MiniHeader->Flags
>>>>>
>>>>> );
>>>>>
>>>>> fclose(fp);
>>>>>
>>>>> return status;
>>>>>
>>>>> }
>>>>>
>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>
>>>>> Minidump Header Signature = 504d444d
>>>>> MINIDUMP_VERSION = 0000a793
>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>> Dump Header Dumped
>>>>>
>>>>>
>>>>> ----- User Mini Dump Analysis
>>>>>
>>>>> MINIDUMP_HEADER:
>>>>> Version A793 (6003)
>>>>> NumberOfStreams 8
>>>>> Flags 21
>>>>> 0001 MiniDumpWithDataSegs
>>>>> 0020 MiniDumpWithUnloadedModules
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 5/2/12, Jen-Lung Chiu wrote:
>>>>>> You could check MSDN or dbghelp.h for user-mode minidump format,
>>>>>> then
>>>>>> use binary editor to browse the dump file.
>>>>>>
>>>>>> The user-mode minidump starts with a MINIDUMP_HEADER structure, then
>>>>>> follows a list of MINIDUMP_DIRECTORY structure (the number of
>>>>>> MINIDUMP_DIRECTORY structures is MINIDUMP_HEADER::NumberOfStreams).
>>>>>> The MINIDUMP_DIRECTORY block defines the type of the stream (in your
>>>>>> case, MemoryListStream) as well as the RVA/size of the stream.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: xxxxx@lists.osr.com
>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>> Sent: Wednesday, May 2, 2012 02:42 AM
>>>>>> To: Kernel Debugging Interest List
>>>>>> Subject: Re: [windbg] Error when reading user stream from dump file
>>>>>>
>>>>>> ok changing the ULONG64 of Debughelp.chm to DWORD of Debughelp.h it
>>>>>> seems now i can dump the MemoryListStream below is code and output
>>>>>> Dissections are Welcome
>>>>>>
>>>>>> #include <stdio.h>
>>>>>>
>>>>>> #include <engextcpp.hpp>
>>>>>>
>>>>>> #include <dbghelp.h>
>>>>>>
>>>>>> const ULONG MBUFFSIZE = 0x1000;
>>>>>>
>>>>>> IDebugClient* g_Client;
>>>>>>
>>>>>> IDebugControl* g_Control;
>>>>>>
>>>>>> IDebugAdvanced2* g_Advanced2;
>>>>>>
>>>>>> PVOID Buff;
>>>>>>
>>>>>> void
>>>>>>
>>>>>> Exit( __in int Code,
>>>>>>
>>>>>> __in PCSTR Format,
>>>>>>
>>>>>> ...)
>>>>>>
>>>>>> {
>>>>>>
>>>>>> if (g_Client != NULL) {
>>>>>>
>>>>>> g_Client->EndSession(DEBUG_END_DISCONNECT);
>>>>>>
>>>>>> g_Client->Release();
>>>>>>
>>>>>> g_Client = NULL;
>>>>>>
>>>>>> }
>>>>>>
>>>>>> if (g_Control != NULL) {
>>>>>>
>>>>>> g_Control->Release();
>>>>>>
>>>>>> g_Control = NULL;
>>>>>>
>>>>>> }
>>>>>>
>>>>>> if (g_Advanced2 !=NULL) {
>>>>>>
>>>>>> g_Advanced2->Release();
>>>>>>
>>>>>> g_Advanced2 = NULL;
>>>>>>
>>>>>> }
>>>>>>
>>>>>> if( Buff != NULL) {
>>>>>>
>>>>>> free(Buff);
>>>>>>
>>>>>> }
>>>>>>
>>>>>> if (Format != NULL) {
>>>>>>
>>>>>> va_list Args;
>>>>>>
>>>>>> va_start(Args, Format);
>>>>>>
>>>>>> vfprintf(stderr, Format, Args);
>>>>>>
>>>>>> va_end(Args);
>>>>>>
>>>>>> }
>>>>>>
>>>>>> exit(Code);
>>>>>>
>>>>>> }
>>>>>>
>>>>>> int __cdecl DumpMemoryListStream(void){
>>>>>>
>>>>>> HRESULT status;
>>>>>>
>>>>>> if ( ( status = DebugCreate(
>>>>>>
>>>>>> __uuidof(IDebugClient),
>>>>>>
>>>>>> (void**)&g_Client
>>>>>>
>>>>>> ) ) !=S_OK) {
>>>>>>
>>>>>> Exit(
>>>>>>
>>>>>> FALSE,
>>>>>>
>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>
>>>>>> “DebugCreate”,
>>>>>>
>>>>>> “IDebugClient”,
>>>>>>
>>>>>> status);
>>>>>>
>>>>>> }
>>>>>>
>>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>>
>>>>>> __uuidof(IDebugControl),
>>>>>>
>>>>>> (void**)&g_Control
>>>>>>
>>>>>> ) ) != S_OK ) {
>>>>>>
>>>>>> Exit(
>>>>>>
>>>>>> FALSE,
>>>>>>
>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>
>>>>>> “QueryInterface”,
>>>>>>
>>>>>> “IDebugControl”,
>>>>>>
>>>>>> status);
>>>>>>
>>>>>> }
>>>>>>
>>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>>
>>>>>> __uuidof(IDebugAdvanced2),
>>>>>>
>>>>>> (void**)&g_Advanced2
>>>>>>
>>>>>> )) != S_OK ) {
>>>>>>
>>>>>> Exit(
>>>>>>
>>>>>> FALSE,
>>>>>>
>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>
>>>>>> “QueryInterface”,
>>>>>>
>>>>>> “IDebugAdvanced2”,
>>>>>>
>>>>>> status);
>>>>>>
>>>>>> }
>>>>>>
>>>>>> if (( status = g_Client->OpenDumpFile(
>>>>>>
>>>>>> “test.dmp”
>>>>>>
>>>>>> )) != S_OK ) {
>>>>>>
>>>>>> Exit(
>>>>>>
>>>>>> FALSE,
>>>>>>
>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>
>>>>>> “g_Client”,
>>>>>>
>>>>>> “OpenDumpFile”,
>>>>>>
>>>>>> status);
>>>>>>
>>>>>> }
>>>>>>
>>>>>> if (( status = g_Control->WaitForEvent(
>>>>>>
>>>>>> 0,
>>>>>>
>>>>>> INFINITE
>>>>>>
>>>>>> ) ) != S_OK ) {
>>>>>>
>>>>>> Exit(
>>>>>>
>>>>>> FALSE,
>>>>>>
>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>
>>>>>> “g_Control”,
>>>>>>
>>>>>> “WaitForEvent”,
>>>>>>
>>>>>> status);
>>>>>>
>>>>>> }
>>>>>>
>>>>>> PVOID OutBuffer;
>>>>>>
>>>>>> ULONG OutBufferSize;
>>>>>>
>>>>>> ULONG OutSize;
>>>>>>
>>>>>> PMINIDUMP_MEMORY_LIST mml;
>>>>>>
>>>>>> DEBUG_READ_USER_MINIDUMP_STREAM InBuffer;
>>>>>>
>>>>>> InBuffer.StreamType = MemoryListStream;
>>>>>>
>>>>>> InBuffer.Flags = 0;
>>>>>>
>>>>>> InBuffer.Offset = 0;
>>>>>>
>>>>>> InBuffer.Buffer = Buff;
>>>>>>
>>>>>> InBuffer.BufferSize = MBUFFSIZE;
>>>>>>
>>>>>> InBuffer.BufferUsed = 0;
>>>>>>
>>>>>> OutBuffer = NULL;
>>>>>>
>>>>>> OutBufferSize = NULL;
>>>>>>
>>>>>> if (( status = g_Advanced2->Request(
>>>>>>
>>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>>
>>>>>> &InBuffer,
>>>>>>
>>>>>> sizeof(InBuffer),
>>>>>>
>>>>>> OutBuffer,
>>>>>>
>>>>>> OutBufferSize,
>>>>>>
>>>>>> &OutSize
>>>>>>
>>>>>> ) ) != S_OK ) {
>>>>>>
>>>>>> Exit(
>>>>>>
>>>>>> FALSE,
>>>>>>
>>>>>> “%s (\n”
>>>>>>
>>>>>> “\t%s,\n”
>>>>>>
>>>>>> “\t%s\n\t) Failed %08x\n”,
>>>>>>
>>>>>> “g_Advanced2->Request”,
>>>>>>
>>>>>> “DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM”,
>>>>>>
>>>>>> “MemoryListStream”,
>>>>>>
>>>>>> status);
>>>>>>
>>>>>> }
>>>>>>
>>>>>> mml = (PMINIDUMP_MEMORY_LIST)Buff;
>>>>>>
>>>>>> printf (
>>>>>>
>>>>>> " Number Of Memory ranges = %x\n\n"
>>>>>>
>>>>>> " range# RVA Address Size\n",
>>>>>>
>>>>>> mml->NumberOfMemoryRanges
>>>>>>
>>>>>> );
>>>>>>
>>>>>> for (ULONG i = 0; i < mml->NumberOfMemoryRanges; i++) {
>>>>>>
>>>>>> printf(
>>>>>>
>>>>>> " %d %08x %08I64x %08x\n",
>>>>>>
>>>>>> i,
>>>>>>
>>>>>> mml->MemoryRanges[i].Memory.Rva,
>>>>>>
>>>>>> mml->MemoryRanges[i].StartOfMemoryRange,
>>>>>>
>>>>>> mml->MemoryRanges[i].Memory.DataSize
>>>>>>
>>>>>> );
>>>>>>
>>>>>> }
>>>>>>
>>>>>> Exit(
>>>>>>
>>>>>> TRUE,
>>>>>>
>>>>>> “%s (\n”
>>>>>>
>>>>>> “\t%s,\n”
>>>>>>
>>>>>> “\t%s\n\t) Succeeded %08x\n”,
>>>>>>
>>>>>> “g_Advanced2->Request”,
>>>>>>
>>>>>> “DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM”,
>>>>>>
>>>>>> “MemoryListStream”,
>>>>>>
>>>>>> status);
>>>>>>
>>>>>> }
>>>>>>
>>>>>> int __cdecl main (void){
>>>>>>
>>>>>> Buff = (PVOID) malloc( MBUFFSIZE );
>>>>>>
>>>>>> if(Buff == 0) {
>>>>>>
>>>>>> printf(
>>>>>>
>>>>>> “malloc failed\n”
>>>>>>
>>>>>> );
>>>>>>
>>>>>> Exit ( FALSE,“malloc Failed \n”);
>>>>>>
>>>>>> }
>>>>>>
>>>>>> printf(“\n\n -====Dumping MemoryListStream From Memory
>>>>>> Dump====-\n\n”);
>>>>>>
>>>>>> DumpMemoryListStream();
>>>>>>
>>>>>> }
>>>>>>
>>>>>> t>OpenDumpStream.exe
>>>>>>
>>>>>>
>>>>>> -====Dumping MemoryListStream From Memory Dump====-
>>>>>>
>>>>>> Number Of Memory ranges = 9
>>>>>>
>>>>>> range# RVA Address Size
>>>>>> 0 00004958 0007df4c 000020b4
>>>>>> 1 00006a0c 7c90e494 00000100
>>>>>> 2 00006b0c 00ccff98 00000068
>>>>>> 3 00006b74 7c90e494 00000100
>>>>>> 4 00006c74 00f1bcac 00004354
>>>>>> 5 0000afc8 7c90e494 00000100
>>>>>> 6 0000b0c8 009cfe14 000001ec
>>>>>> 7 0000b2b4 7c90e494 00000100
>>>>>> 8 0000b3b4 00447000 000165a8
>>>>>> g_Advanced2->Request (
>>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>> MemoryListStream
>>>>>> ) Succeeded 00000000
>>>>>>
>>>>>> same dmp checked via dumpchk util
>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>> 9 memory ranges
>>>>>> range# RVA Address Size
>>>>>> 0 00004958 0007df4c 000020b4
>>>>>> 1 00006A0C 7c90e494 00000100
>>>>>> 2 00006B0C 00ccff98 00000068
>>>>>> 3 00006B74 7c90e494 00000100
>>>>>> 4 00006C74 00f1bcac 00004354
>>>>>> 5 0000AFC8 7c90e494 00000100
>>>>>> 6 0000B0C8 009cfe14 000001ec
>>>>>> 7 0000B2B4 7c90e494 00000100
>>>>>> 8 0000B3B4 00447000 000165a8
>>>>>> Total memory: 1d004
>>>>>>
>>>>>> one question remains
>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4 i
>>>>>> can
>>>>>> get the 94 from outsize 1d004 from adding up all sizes what should
>>>>>> i
>>>>>> use to get the rva 48c4 ?
>>>>>>
>>>>>> On 5/2/12, raj_r wrote:
>>>>>>> note to self
>>>>>>> when in doubt refer header file do not refer chm or web or random
>>>>>>> tidbits in obscure corners of internet
>>>>>>>
>>>>>>> this seem to be a documentation glitch in debugger.chm
>>>>>>>
>>>>>>> in debughelp.h it is dword
>>>>>>>
>>>>>>> typedef DWORD RVA;
>>>>>>> typedef ULONG64 RVA64;
>>>>>>>
>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>>>> ULONG32 DataSize;
>>>>>>> RVA Rva;
>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>>>
>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
>>>>>>> ULONG64 DataSize;
>>>>>>> RVA64 Rva;
>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR64;
>>>>>>>
>>>>>>> On 5/2/12, raj_r wrote:
>>>>>>>> Thanks Tim
>>>>>>>>
>>>>>>>> you wrote
>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>> has
>>>>>>>> 32-bit size and 32-bit RVA,
>>>>>>>>
>>>>>>>> the debughelp.chm has this
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR Structure
>>>>>>>>
>>>>>>>> Contains information describing the location of a data stream
>>>>>>>> within
>>>>>>>> a minidump file.
>>>>>>>>
>>>>>>>>
>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR { ULONG64 DataSize;
>>>>>>>> RVA64 Rva; } MINIDUMP_LOCATION_DESCRIPTOR; Members DataSize The
>>>>>>>> size
>>>>>>>> of the data stream, in bytes.
>>>>>>>>
>>>>>>>> Rva
>>>>>>>> The relative virtual address (RVA) of the data. This is the byte
>>>>>>>> offset of the data stream from the beginning of the minidump file.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 5/2/12, Tim Roberts wrote:
>>>>>>>>> raj_r wrote:
>>>>>>>>>> not exactly related to ops question but it is regarding request
>>>>>>>>>> of
>>>>>>>>>> streamtype MemoryListStream …
>>>>>>>>>> 00681438 00000009 0007df4c 00000000 000020b4
>>>>>>>>>> 00681448 00004958 7c90e494 00000000 00000100
>>>>>>>>>> 00681458 baadf00d baadf00d baadf00d baadf00d
>>>>>>>>>>
>>>>>>>>>> i understand the first dword 9 is NumberofMemoryRanges
>>>>>>>>>>
>>>>>>>>>> does the second QWORD7df4c point to
>>>>>>>>>> MemoryRanges[0].StartofMemoryRange
>>>>>>>>>> ??
>>>>>>>>>> and subsequent dwords point to …Datasize and … RVA ??
>>>>>>>>>
>>>>>>>>> They don’t POINT to those things. They CONTAIN those things.
>>>>>>>>> The
>>>>>>>>> MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges,
>>>>>>>>> followed by an array of MINIDUMP_MEMORY_DESCRIPTOR. The
>>>>>>>>> MINIDUMP_MEMORY_DESCRIPTOR has a 64-bit start of range, followed
>>>>>>>>> by
>>>>>>>>> a MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>> has 32-bit size and 32-bit RVA,
>>>>>>>>>
>>>>>>>>>> these seem to described as ULONG 64 in dbghelp.chm but windbg
>>>>>>>>>> doesnt seem to honor it
>>>>>>>>>>
>>>>>>>>>> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
>>>>>>>>>> +0x000 NumberOfMemoryRanges : 9
>>>>>>>>>> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
>>>>>>>>>> +0x000 StartOfMemoryRange : 0x7df4c
>>>>>>>>>> +0x008 Memory : MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>> +0x000 DataSize : 0x20b4
>>>>>>>>>> +0x004 Rva : 0x4958
>>>>>>>>>>
>>>>>>>>>> see the +4
>>>>>>>>>
>>>>>>>>> Those are correct. StartOfMemoryRange is 64-bit.
>>>>>>>>> NumberOfMemoryRanges,
>>>>>>>>> DataSize, and Rva are all 32-bit.
>>>>>>>>>
>>>>>>>>>> if i print it to scree with
>>>>>>>>>>
>>>>>>>>>> printf(
>>>>>>>>>> “Number of memory range = %08x\t\n”
>>>>>>>>>> “Start of Memory Range Is %I64x\t\n”
>>>>>>>>>> “Data Size is %I64x\t\n”
>>>>>>>>>> “Rva is %I64x\t\n”,
>>>>>>>>>> mml->NumberOfMemoryRanges,
>>>>>>>>>> mml->MemoryRanges[0].StartOfMemoryRange,
>>>>>>>>>> mml->MemoryRanges[0].Memory.DataSize,
>>>>>>>>>> mml->MemoryRanges[0].Memory.Rva
>>>>>>>>>>
>>>>>>>>>> );
>>>>>>>>>
>>>>>>>>> “Data Size” and “Rva” should both be %08x.
>>>>>>>>>
>>>>>>>>> –
>>>>>>>>> Tim Roberts, xxxxx@probo.com
>>>>>>>>> Providenza & Boekelheide, Inc.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> —
>>>>>>>>> WINDBG is sponsored by OSR
>>>>>>>>>
>>>>>>>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>>>>>>>> http://www.osr.com/seminars
>>>>>>>>>
>>>>>>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>>>>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
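The posts above read MINIDUMP_HEADER and MINIDUMP_DIRECTORY straight from the file and index a name table with StreamType. As an added example (not code from any poster in this thread or from dbghelp), the same walk over an in-memory copy of the file, with every offset bounds-checked and the name looked up by value. The function names, status codes and the constructed two-stream sample are assumptions of this example; the offsets follow the 32-byte header and 12-byte directory entry implied by the output quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stream types listed once; names and values as quoted in the thread. */
#define STREAM_TYPES(X) \
    X(UnusedStream, 0) X(ReservedStream0, 1) X(ReservedStream1, 2) \
    X(ThreadListStream, 3) X(ModuleListStream, 4) X(MemoryListStream, 5) \
    X(ExceptionStream, 6) X(SystemInfoStream, 7) X(UnloadedModuleListStream, 14)

/* Look the name up by value; never index an array with a field from the file. */
const char *stream_type_name(uint32_t type)
{
#define AS_CASE(name, value) case value: return #name;
    switch (type) {
        STREAM_TYPES(AS_CASE)
        default: return "Unknown";
    }
#undef AS_CASE
}

#define MD_SIGNATURE   0x504d444du  /* "MDMP", the signature printed in the thread */
#define MD_HEADER_SIZE 32u          /* sizeof(MINIDUMP_HEADER) */
#define MD_DIR_SIZE    12u          /* sizeof(MINIDUMP_DIRECTORY) */

/* Hypothetical status codes for this example. */
enum md_status { MD_TRUNCATED = -1, MD_BAD_SIGNATURE = -2,
                 MD_BAD_DIRECTORY = -3, MD_BAD_STREAM = -4 };

struct md_stream { uint32_t type, size, rva; };

/* Little-endian 32-bit read and write, independent of host byte order. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* True when [off, off + size) lies inside a file of len bytes; cannot overflow. */
static int in_file(size_t len, uint32_t off, uint64_t size)
{
    return off <= len && size <= len - off;
}

/* Returns the number of streams written to out, or a negative md_status.
   A stream count larger than max_out is rejected as a bad directory. */
int md_parse_directory(const uint8_t *buf, size_t len,
                       struct md_stream *out, size_t max_out)
{
    if (len < MD_HEADER_SIZE) return MD_TRUNCATED;
    if (rd32(buf) != MD_SIGNATURE) return MD_BAD_SIGNATURE;
    uint32_t count = rd32(buf + 8);   /* NumberOfStreams */
    uint32_t dir   = rd32(buf + 12);  /* StreamDirectoryRva */
    if (count > max_out || !in_file(len, dir, (uint64_t)count * MD_DIR_SIZE))
        return MD_BAD_DIRECTORY;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + dir + (size_t)i * MD_DIR_SIZE;
        out[i].type = rd32(e);        /* StreamType */
        out[i].size = rd32(e + 4);    /* Location.DataSize */
        out[i].rva  = rd32(e + 8);    /* Location.Rva */
        if (!in_file(len, out[i].rva, out[i].size)) return MD_BAD_STREAM;
    }
    return (int)count;
}

/* Constructed sample: header, two directory entries, 0xc4 bytes of stream data. */
size_t md_build_sample(uint8_t *buf, size_t cap)
{
    const size_t total = MD_HEADER_SIZE + 2 * MD_DIR_SIZE + 0xc4;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr32(buf, MD_SIGNATURE);
    wr32(buf + 4, 0x6003a793u);  /* Version: LOWORD a793, HIWORD 6003 */
    wr32(buf + 8, 2);            /* NumberOfStreams */
    wr32(buf + 12, 0x20);        /* StreamDirectoryRva */
    wr32(buf + 32, 3); wr32(buf + 36, 0xc4); wr32(buf + 40, 56); /* ThreadListStream */
    wr32(buf + 44, 0); wr32(buf + 48, 0);    wr32(buf + 52, 0);  /* UnusedStream */
    return total;
}

int main(void)
{
    uint8_t file[256];
    struct md_stream s[8];
    size_t len = md_build_sample(file, sizeof file);
    int n = md_parse_directory(file, len, s, 8);
    for (int i = 0; i < n; i++)
        printf("%7d %08x    %-30s %08x %08x\n", i, (unsigned)s[i].type,
               stream_type_name(s[i].type), (unsigned)s[i].size, (unsigned)s[i].rva);
    return n < 0;
}
```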

thanks Dr Newcomer,

for the comments i am not aware if i can use those
Cstring and std::string constructs in wdk build environment

i tried using them some time back and all i got was lots and lots of
compile errors

starting with cannot find note not <string.h> plain

On 5/6/12, xxxxx@flounder.com wrote:
> char * sep = "";
>
> #define ShowBit(something, x) if ((something) & (x)) { printf("%s", sep); \
> printf(#x); sep = " | "; }
>
> if(value == MiniDumpNormal)
> printf(“MiniDumpNormal”);
> else
> {
> ShowBit(value, MiniDumpWithSegs);
> ShowBit(value, MiniDumpSomeOtherKind);
> ShowBit(value, MiniDumpYetOnOtherType);
> }
>
> Note this does require you special-case the “0” type.
> joe
>
>> Thanks Dr Newcomer,
>>
>> for posting the #defines
>> PMDST(something, x) if((something) == (x)) printf(#x)
>>
>> switch(something)
>> {
>> #define MDSTcase(x) case x: printf(#x); break
>> MDSTcase(UnusedStream);
>> ----
>> #undef MDSTcase
>> }
>>
>> i at the moment used what tim posted in one of the earlier posts
>>
>> now on to next question
>>
>> typedef enum _MINIDUMP_TYPE {
>> MiniDumpNormal = 0x00000000,
>> MiniDumpWithDataSegs = 0x00000001,
>>
>> -------
>> MiniDumpWithUnloadedModules = 0x00000020,
>> ----
>> }MINIDUMP_TYPE;
>>
>>
>> now if i have a flag of 21
>>
>> i should be printing all the three strings isnt it ??
>>
>> int mask = 0
>> if ( (Flags & mask) == mask)
>> {
>>
>> dont know why Dumpchk omits the flag 0 MiniDumpNormal i can start with
>>
>> int mask = 1; to get the same behavior but i dont think that would
>> print the MiniDumpNormal String ever
>>
>> here is a sample snippet i glued together to parse the Flags and print
>> out the MiniDumptypes
>>
>>
>>
>> struct MiniDumpTypeLookup {
>>
>> int Value;
>>
>> PSTR Str;
>>
>> } MiniDumpTypeLookupTable[] = {
>>
>> MAKE_LOOKUP( MiniDumpNormal ),
>>
>> MAKE_LOOKUP( MiniDumpWithDataSegs ),
>>
>> -------
>>
>> MAKE_LOOKUP( MiniDumpValidTypeFlags ),
>>
>> { 0 , NULL }
>>
>> };
>>
>> char MiniDumpTypeNameBuff[0x1000] = {0};
>
> As soon as you declare a character array of a fixed size, you have already
> lost. This should never be written, anywhere. It is dead, obsolete, C
> code. Use std::string or CString data types instead. I would no more do
> this than write in assembly code.
>
> And why is this declared as a static variable global to the function
> instead of as a stack local? It isn’t thread-safe, and it represents an
> antiquated programming pattern that is best dead and buried
>
*
>>
>> PCHAR MiniDumpTypeName (ULONG64 Flags)
>>
>> {
>>
>> struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;
>>
>> int i = 0;
>>
>> int mask = 0;
>>
>> while ( mask < 0x7ffff )
>
> Wrong test. I have no idea what this is testing, but it would never occur
> to me to write this code
>

>>
>> {
>>
>> if( (Flags & mask ) == mask )
>>
>> {
>>
>> if(mlk->Value == mask)
>>
>> {
>>
>> strncat_s(
>>
>> MiniDumpTypeNameBuff,
>>
>> sizeof(MiniDumpTypeNameBuff),
>
> Note that you have made a consistent error in all the programs, which I
> did not attempt to correct: that the program always and forever uses 8-bit
> character strings. You should either assume Unicode or code
> Unicode-aware, using T-data types, _T() for literals, etc. Note that I
> prefer, when doing bit masks, to use the vertical bar (with spaces around
> it) as the separator, which is more in keeping with how a programmer
> thinks of the bit fields.
>***
>>
>> "\n ",
>>
>> _TRUNCATE
>>
>> );
>>
>> strncat_s(
>>
>> MiniDumpTypeNameBuff,
>>
>> sizeof(MiniDumpTypeNameBuff),
>>
>> mlk->Str,
>>
>> _TRUNCATE
>>
>> );
>>
>> }
>>
>> }
>>
>> mask = 1 << i;
>>
>> i++;
>>
>> mlk++;
>>
>> }
>>
>> return MiniDumpTypeNameBuff;
>
> This makes no sense; you are returning a pointer to a buffer which is
> statically allocated. Bad practice, not thread-safe, potentially a
> disaster.
>
> Again, avoid C data types and use std::string or CString types.
> Programming applications in C is about as antiquated as programming
> applications in assembly code.
>

>>
>> }
>>
>> i get an output like this
>>
>> MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC +
>> 5:30)
>> MINIDUMP_HEADER Flags = 21
>> MiniDumpNormal
>> MiniDumpWithDataSegs
>> MiniDumpWithUnloadedModules
>
> No surprise, because you have to special-case the 0 flag value. Look at
> your code:
>
> if((Flags & 0) == 0)
>
> which is going to be always true. If you want to make a fully-general
> subroutine, you can impose rules like “the first entry in the table might
> be a zero value, special-case the first entry” or even more general, if
> the value Flags is 0, scan the table for the 0 value, print it and return,
> else iterate the bit mask as you have done.
>

>>
>> whereas dumpchk prints out
>>
>> Debug session time: Tue Mar 27 01:22:16.000 2012 (UTC + 5:30)
>> System Uptime: not available
>> Process Uptime: not available
>> …
>> Loading unloaded module list
>> …
>> This dump file has an exception of interest stored in it.
>> The stored exception information can be accessed via .ecxr.
>> (f0f0f0f0.9e8): Access violation - code c0000005 (first/second chance not
>> availa
>> ble)
>> ----- User Mini Dump Analysis
>>
>> MINIDUMP_HEADER:
>> Version A793 (6003)
>> NumberOfStreams 8
>> Flags 21
>> 0001 MiniDumpWithDataSegs
>> 0020 MiniDumpWithUnloadedModules
>>
>>
>
> That’s because they properly handle the 0 case.
> joe
>

>>
>>
>>
>> On 5/6/12, xxxxx@flounder.com wrote:
>>> No, the question isn’t stupid, it just reflects one of the major defects
>>> of the C language: the lack of reflection.
>>>
>>> The correct way to handle this is definitely NOT
>>>
>>> if(something == 3) printf(“ThreadListStream”);
>>>
>>> it would be correct, but tedious, to handle every case correctly, by
>>> typing
>>>
>>> if(something == ThreadListStream) printf(“ThreadListStream”)
>>>
>>> I fail to see any purpose in using the constant “3” when there is a
>>> perfectly good name!
>>>
>>> However, I have used a couple techniques
>>>
>>> #define PMDST(something, x) if((something) == (x)) printf(#x)
>>>
>>> then you can write
>>>
>>> PMDST(something, UnusedStream);
>>> else
>>> PMDST(something, ThreadListStream);
>>> else
>>> …
>>> else
>>> printf(“Unknown stream type %d”, something);
>>>
>>> or, I’ll sometimes do
>>>
>>> switch(something)
>>> {
>>> #define MDSTcase(x) case x: printf(#x); break
>>> MDSTcase(UnusedStream);
>>> MDSTcase(ThreadListStream);
>>> …
>>> default:
>>> printf(“Unknown stream type %d”, something);
>>> break;
>>> #undef MDSTcase
>>> }
>>>
>>> It depends on my mood which one I might use.
>>> joe
>>>> THIS must be a STUPID c 101 QUESTION
>>>> still i will ask it
>>>>
>>>> dbghelp.h has this declared
>>>>
>>>> typedef enum _MINIDUMP_STREAM_TYPE {
>>>>
>>>> UnusedStream = 0,
>>>> ReservedStream0 = 1,
>>>> ReservedStream1 = 2,
>>>> ThreadListStream = 3,
>>>> ModuleListStream = 4, … s ON }
>>>>
>>>> now if i want to printf
>>>>
>>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff; MiniDir->StreamType,
>>>>
>>>> say if 3 printf (“ThreadListStream”);
>>>>
>>>> should i be doing it like this ?? error prone copy paste modify by
>>>> hand of the enum from dbghelp.h ?? like below
>>>>
>>>>
>>>> PSTR
>>>>
>>>> __cdecl
>>>>
>>>> MiniStreamTypeName (
>>>> int StreamType
>>>> )
>>>> {
>>>> PSTR Ministr[] = {
>>>>
>>>> “UnusedStream”,
>>>> “ReservedStream0”,
>>>> “ReservedStream1”,
>>>> “ThreadListStream”,
>>>> “ModuleListStream”,
>>>> …
>>>> …
>>>> …
>>>>
>>>> };
>>>> return Ministr[StreamType];
>>>> }
>>>>
>>>>
>>>> and call it with say
>>>>
>>>> printf(
>>>> “%7d %08x\x20\x20\x20\x20 %-30s %08x %08x\n”,
>>>> i,
>>>> MiniDir->StreamType,
>>>> MiniStreamTypeName(MiniDir->StreamType),
>>>> MiniDir->Location.DataSize,
>>>> MiniDir->Location.Rva
>>>> );
>>>>
>>>> this seems to work though i feel this must really not be the way to go
>>>> about
>>>>
>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>
>>>> Minidump Header Signature = 504d444d
>>>> MINIDUMP_VERSION = 0000a793
>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>> MINIDUMP_HEADER Flags = 00000021
>>>> Stream# StreamType StreamName Size RVA
>>>> 0 00000003 ThreadListStream 000000c4 00000160
>>>> 1 00000004 ModuleListStream 00001a2c 00000224
>>>> 2 0000000e UnloadedModuleListStream 00000114 00001c50
>>>> 3 00000005 MemoryListStream 00000094 000048c4
>>>> 4 00000006 ExceptionStream 000000a8 000000b8
>>>> 5 00000007 SystemInfoStream 00000038 00000080
>>>> 6 00000000 UnusedStream 00000000 00000000
>>>> 7 00000000 UnusedStream 00000000 00000000
>>>> Dump Header Dumped
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 5/3/12, raj_r wrote:
>>>>> thanks jen for answering fast
>>>>> it seems i am able to get the directories and rvas with code below
>>>>>
>>>>> ftell(fp);
>>>>>
>>>>> ULONG NumberOfStreams = MiniHeader->NumberOfStreams;
>>>>>
>>>>> for (ULONG i = 0; i < NumberOfStreams; i++)
>>>>> {
>>>>> fread(
>>>>> Buff,
>>>>> 1,
>>>>> sizeof(MINIDUMP_DIRECTORY),
>>>>> fp
>>>>> );
>>>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff;
>>>>> printf(
>>>>> “StreamType\t%08x\tSize\t%08x\tRva\t%08x\n”,
>>>>> MiniDir->StreamType,
>>>>> MiniDir->Location.DataSize,
>>>>> MiniDir->Location.Rva
>>>>> );
>>>>> ftell(fp);
>>>>> }
>>>>>
>>>>> StreamType 00000003 Size 000000c4 Rva
>>>>> 00000160
>>>>> StreamType 00000004 Size 00001a2c Rva
>>>>> 00000224
>>>>> StreamType 0000000e Size 00000114 Rva
>>>>> 00001c50
>>>>> StreamType 00000005 Size 00000094 Rva
>>>>> 000048c4
>>>>> StreamType 00000006 Size 000000a8 Rva
>>>>> 000000b8
>>>>> StreamType 00000007 Size 00000038 Rva
>>>>> 00000080
>>>>> StreamType 00000000 Size 00000000 Rva
>>>>> 00000000
>>>>> StreamType 00000000 Size 00000000 Rva
>>>>> 00000000
>>>>> Dump Header Dumped
>>>>>
>>>>>
>>>>> t>Dumpchk test.dmp | grep -i stream
>>>>> Loading dump file test.dmp
>>>>> NumberOfStreams 8
>>>>> Streams:
>>>>> Stream 0: type ThreadListStream (3), size 000000C4, RVA 00000160
>>>>> Stream 1: type ModuleListStream (4), size 00001A2C, RVA 00000224
>>>>> Stream 2: type UnloadedModuleListStream (14), size 00000114, RVA
>>>>> 00001C50
>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>> Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000B8
>>>>> Stream 5: type SystemInfoStream (7), size 00000038, RVA 00000080
>>>>> Stream 6: type UnusedStream (0), size 00000000, RVA 00000000
>>>>> Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
>>>>>
>>>>>
>>>>> so all left is to parse and the remaining bytes
>>>>>
>>>>>
>>>>> On 5/3/12, Jen-Lung Chiu wrote:
>>>>>> Yes no API support to get those data from dump headers.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: xxxxx@lists.osr.com
>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>> Sent: Wednesday, May 2, 2012 01:37 PM
>>>>>> To: Kernel Debugging Interest List
>>>>>> Subject: Re: [windbg] Error when reading user stream from dump file
>>>>>>
>>>>>> Thanks jen
>>>>>>
>>>>>> So I Need To do Something Like below Myself no request or interface
>>>>>> exist
>>>>>> ??
>>>>>>
>>>>>>
>>>>>> int __cdecl DumpDumpHeader(void) {
>>>>>>
>>>>>> HRESULT status = S_OK;
>>>>>>
>>>>>> PMINIDUMP_HEADER MiniHeader;
>>>>>>
>>>>>> FILE * fp;
>>>>>>
>>>>>> size_t result;
>>>>>>
>>>>>> if (( fp = fopen(
>>>>>>
>>>>>> “test.dmp”,
>>>>>>
>>>>>> “rb”
>>>>>>
>>>>>> ) ) == 0 ) {
>>>>>>
>>>>>> Exit (
>>>>>>
>>>>>> FALSE,
>>>>>>
>>>>>> “fopen ( %s ) Failed”,
>>>>>>
>>>>>> “test.dmp”
>>>>>>
>>>>>> );
>>>>>>
>>>>>> }
>>>>>>
>>>>>> if (( result = fread(
>>>>>>
>>>>>> Buff,
>>>>>>
>>>>>> 1,
>>>>>>
>>>>>> sizeof(MINIDUMP_HEADER),
>>>>>>
>>>>>> fp
>>>>>>
>>>>>> ) ) != sizeof(MINIDUMP_HEADER)) {
>>>>>>
>>>>>> Exit(
>>>>>>
>>>>>> FALSE,
>>>>>>
>>>>>> “fread(fp) failed\n”
>>>>>>
>>>>>> );
>>>>>>
>>>>>> }
>>>>>>
>>>>>> MiniHeader = (PMINIDUMP_HEADER)Buff;
>>>>>>
>>>>>> printf(
>>>>>>
>>>>>> “Minidump Header Signature = %08x\n”
>>>>>>
>>>>>> “MINIDUMP_VERSION = %08x\n”
>>>>>>
>>>>>> “MINIDUMP_VERSION(Internal) = %08x\n”
>>>>>>
>>>>>> “MINIDUMP_HEADER NumberofStreams = %08x\n”
>>>>>>
>>>>>> “MINIDUMP_HEADER StreamDirectoryRVA = %08x\n”
>>>>>>
>>>>>> “MINIDUMP_HEADER CheckSum = %08x\n”
>>>>>>
>>>>>> “MINIDUMP_HEADER reserved = %08x\n”
>>>>>>
>>>>>> “MINIDUMP_HEADER TimeDateStamp = %08x\n”
>>>>>>
>>>>>> “MINIDUMP_HEADER Flags = %08x\n”,
>>>>>>
>>>>>> MiniHeader->Signature,
>>>>>>
>>>>>> LOWORD(MiniHeader->Version),
>>>>>>
>>>>>> HIWORD(MiniHeader->Version),
>>>>>>
>>>>>> MiniHeader->NumberOfStreams,
>>>>>>
>>>>>> MiniHeader->StreamDirectoryRva,
>>>>>>
>>>>>> MiniHeader->CheckSum,
>>>>>>
>>>>>> MiniHeader->Reserved,
>>>>>>
>>>>>> MiniHeader->TimeDateStamp,
>>>>>>
>>>>>> MiniHeader->Flags
>>>>>>
>>>>>> );
>>>>>>
>>>>>> fclose(fp);
>>>>>>
>>>>>> return status;
>>>>>>
>>>>>> }
>>>>>>
>>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>>
>>>>>> Minidump Header Signature = 504d444d
>>>>>> MINIDUMP_VERSION = 0000a793
>>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>>> Dump Header Dumped
>>>>>>
>>>>>>
>>>>>> ----- User Mini Dump Analysis
>>>>>>
>>>>>> MINIDUMP_HEADER:
>>>>>> Version A793 (6003)
>>>>>> NumberOfStreams 8
>>>>>> Flags 21
>>>>>> 0001 MiniDumpWithDataSegs
>>>>>> 0020 MiniDumpWithUnloadedModules
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/2/12, Jen-Lung Chiu wrote:
>>>>>>> You could check MSDN or dbghelp.h for user-mode minidump format,
>>>>>>> then
>>>>>>> use binary editor to browse the dump file.
>>>>>>>
>>>>>>> The user-mode minidump starts with a MINIDUMP_HEADER structure, then
>>>>>>> follows a list of MINIDUMP_DIRECTORY structure (the number of
>>>>>>> MINIDUMP_DIRECTORY structures is MINIDUMP_HEADER::NumberOfStreams).
>>>>>>> The MINIDUMP_DIRECTORY block defines the type of the stream (in your
>>>>>>> case, MemoryListStream) as well as the RVA/size of the stream.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: xxxxx@lists.osr.com
>>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>>> Sent: Wednesday, May 2, 2012 02:42 AM
>>>>>>> To: Kernel Debugging Interest List
>>>>>>> Subject: Re: [windbg] Error when reading user stream from dump file
>>>>>>>
>>>>>>> ok changing the ULONG64 of Debughelp.chm to DWORD of Debughelp.h it
>>>>>>> seems now i can dump the MemoryListStream below is code and output
>>>>>>> Dissections are Welcome
>>>>>>>
>>>>>>> #include <stdio.h>
>>>>>>>
>>>>>>> #include <engextcpp.hpp>
>>>>>>>
>>>>>>> #include <dbghelp.h>
>>>>>>>
>>>>>>> const ULONG MBUFFSIZE = 0x1000;
>>>>>>>
>>>>>>> IDebugClient* g_Client;
>>>>>>>
>>>>>>> IDebugControl* g_Control;
>>>>>>>
>>>>>>> IDebugAdvanced2* g_Advanced2;
>>>>>>>
>>>>>>> PVOID Buff;
>>>>>>>
>>>>>>> void
>>>>>>>
>>>>>>> Exit( __in int Code,
>>>>>>>
>>>>>>> __in PCSTR Format,
>>>>>>>
>>>>>>> ...)
>>>>>>>
>>>>>>> {
>>>>>>>
>>>>>>> if (g_Client != NULL) {
>>>>>>>
>>>>>>> g_Client->EndSession(DEBUG_END_DISCONNECT);
>>>>>>>
>>>>>>> g_Client->Release();
>>>>>>>
>>>>>>> g_Client = NULL;
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> if (g_Control != NULL) {
>>>>>>>
>>>>>>> g_Control->Release();
>>>>>>>
>>>>>>> g_Control = NULL;
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> if (g_Advanced2 !=NULL) {
>>>>>>>
>>>>>>> g_Advanced2->Release();
>>>>>>>
>>>>>>> g_Advanced2 = NULL;
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> if( Buff != NULL) {
>>>>>>>
>>>>>>> free(Buff);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> if (Format != NULL) {
>>>>>>>
>>>>>>> va_list Args;
>>>>>>>
>>>>>>> va_start(Args, Format);
>>>>>>>
>>>>>>> vfprintf(stderr, Format, Args);
>>>>>>>
>>>>>>> va_end(Args);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> exit(Code);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> int __cdecl DumpMemoryListStream(void){
>>>>>>>
>>>>>>> HRESULT status;
>>>>>>>
>>>>>>> if ( ( status = DebugCreate(
>>>>>>>
>>>>>>>__uuidof(IDebugClient),
>>>>>>>
>>>>>>> (void**)&g_Client
>>>>>>>
>>>>>>> ) ) !=S_OK) {
>>>>>>>
>>>>>>> Exit(
>>>>>>>
>>>>>>> FALSE,
>>>>>>>
>>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>>
>>>>>>> “DebugCreate”,
>>>>>>>
>>>>>>> “IDebugClient”,
>>>>>>>
>>>>>>> status);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>>>
>>>>>>> __uuidof(IDebugControl),
>>>>>>>
>>>>>>> (void**)&g_Control
>>>>>>>
>>>>>>> ) ) != S_OK ) {
>>>>>>>
>>>>>>> Exit(
>>>>>>>
>>>>>>> FALSE,
>>>>>>>
>>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>>
>>>>>>> “QueryInterface”,
>>>>>>>
>>>>>>> “IDebugControl”,
>>>>>>>
>>>>>>> status);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>>>
>>>>>>>__uuidof(IDebugAdvanced2),
>>>>>>>
>>>>>>> (void**)&g_Advanced2
>>>>>>>
>>>>>>> )) != S_OK ) {
>>>>>>>
>>>>>>> Exit(
>>>>>>>
>>>>>>> FALSE,
>>>>>>>
>>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>>
>>>>>>> “QueryInterface”,
>>>>>>>
>>>>>>> “IDebugAdvanced2”,
>>>>>>>
>>>>>>> status);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> if (( status = g_Client->OpenDumpFile(
>>>>>>>
>>>>>>> “test.dmp”
>>>>>>>
>>>>>>> )) != S_OK ) {
>>>>>>>
>>>>>>> Exit(
>>>>>>>
>>>>>>> FALSE,
>>>>>>>
>>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>>
>>>>>>> “g_Client”,
>>>>>>>
>>>>>>> “OpenDumpFile”,
>>>>>>>
>>>>>>> status);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> if (( status = g_Control->WaitForEvent(
>>>>>>>
>>>>>>> 0,
>>>>>>>
>>>>>>> INFINITE
>>>>>>>
>>>>>>> ) ) != S_OK ) {
>>>>>>>
>>>>>>> Exit(
>>>>>>>
>>>>>>> FALSE,
>>>>>>>
>>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>>
>>>>>>> “g_Control”,
>>>>>>>
>>>>>>> “WaitForEvent”,
>>>>>>>
>>>>>>> status);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> PVOID OutBuffer;
>>>>>>>
>>>>>>> ULONG OutBufferSize;
>>>>>>>
>>>>>>> ULONG OutSize;
>>>>>>>
>>>>>>> PMINIDUMP_MEMORY_LIST mml;
>>>>>>>
>>>>>>> DEBUG_READ_USER_MINIDUMP_STREAM InBuffer;
>>>>>>>
>>>>>>> InBuffer.StreamType = MemoryListStream;
>>>>>>>
>>>>>>> InBuffer.Flags = 0;
>>>>>>>
>>>>>>> InBuffer.Offset = 0;
>>>>>>>
>>>>>>> InBuffer.Buffer = Buff;
>>>>>>>
>>>>>>> InBuffer.BufferSize = MBUFFSIZE;
>>>>>>>
>>>>>>> InBuffer.BufferUsed = 0;
>>>>>>>
>>>>>>> OutBuffer = NULL;
>>>>>>>
>>>>>>> OutBufferSize = NULL;
>>>>>>>
>>>>>>> if (( status = g_Advanced2->Request(
>>>>>>>
>>>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>>>
>>>>>>> &InBuffer,
>>>>>>>
>>>>>>> sizeof(InBuffer),
>>>>>>>
>>>>>>> OutBuffer,
>>>>>>>
>>>>>>> OutBufferSize,
>>>>>>>
>>>>>>> &OutSize
>>>>>>>
>>>>>>> ) ) != S_OK ) {
>>>>>>>
>>>>>>> Exit(
>>>>>>>
>>>>>>> FALSE,
>>>>>>>
>>>>>>> “%s (\n”
>>>>>>>
>>>>>>> “\t%s,\n”
>>>>>>>
>>>>>>> “\t%s\n\t) Failed %08x\n”,
>>>>>>>
>>>>>>> “g_Advanced2->Request”,
>>>>>>>
>>>>>>> “DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM”,
>>>>>>>
>>>>>>> “MemoryListStream”,
>>>>>>>
>>>>>>> status);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> mml = (PMINIDUMP_MEMORY_LIST)Buff;
>>>>>>>
>>>>>>> printf (
>>>>>>>
>>>>>>> " Number Of Memory ranges = %x\n\n”
>>>>>>>
>>>>>>> " range# RVA Address Size\n",
>>>>>>>
>>>>>>> mml->NumberOfMemoryRanges
>>>>>>>
>>>>>>> );
>>>>>>>
>>>>>>> for (ULONG i = 0; i < mml->NumberOfMemoryRanges; i++) {
>>>>>>>
>>>>>>> printf(
>>>>>>>
>>>>>>> " %d %08x %08I64x %08x\n",
>>>>>>>
>>>>>>> i,
>>>>>>>
>>>>>>> mml->MemoryRanges[i].Memory.Rva,
>>>>>>>
>>>>>>> mml->MemoryRanges[i].StartOfMemoryRange,
>>>>>>>
>>>>>>> mml->MemoryRanges[i].Memory.DataSize
>>>>>>>
>>>>>>> );
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> Exit(
>>>>>>>
>>>>>>> TRUE,
>>>>>>>
>>>>>>> “%s (\n”
>>>>>>>
>>>>>>> “\t%s,\n”
>>>>>>>
>>>>>>> “\t%s\n\t) Succeeded %08x\n”,
>>>>>>>
>>>>>>> “g_Advanced2->Request”,
>>>>>>>
>>>>>>> “DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM”,
>>>>>>>
>>>>>>> “MemoryListStream”,
>>>>>>>
>>>>>>> status);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> int __cdecl main (void){
>>>>>>>
>>>>>>> Buff = (PVOID) malloc( MBUFFSIZE );
>>>>>>>
>>>>>>> if(Buff == 0) {
>>>>>>>
>>>>>>> printf(
>>>>>>>
>>>>>>> “malloc failed\n”
>>>>>>>
>>>>>>> );
>>>>>>>
>>>>>>> Exit ( FALSE,“malloc Failed \n”);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> printf("\n\n -====Dumping MemoryListStream From Memory Dump====-\n\n");
>>>>>>>
>>>>>>> DumpMemoryListStream();
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> t>OpenDumpStream.exe
>>>>>>>
>>>>>>>
>>>>>>> -====Dumping MemoryListStream From Memory Dump====-
>>>>>>>
>>>>>>> Number Of Memory ranges = 9
>>>>>>>
>>>>>>> range# RVA Address Size
>>>>>>> 0 00004958 0007df4c 000020b4
>>>>>>> 1 00006a0c 7c90e494 00000100
>>>>>>> 2 00006b0c 00ccff98 00000068
>>>>>>> 3 00006b74 7c90e494 00000100
>>>>>>> 4 00006c74 00f1bcac 00004354
>>>>>>> 5 0000afc8 7c90e494 00000100
>>>>>>> 6 0000b0c8 009cfe14 000001ec
>>>>>>> 7 0000b2b4 7c90e494 00000100
>>>>>>> 8 0000b3b4 00447000 000165a8
>>>>>>> g_Advanced2->Request (
>>>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>>> MemoryListStream
>>>>>>> ) Succeeded 00000000
>>>>>>>
>>>>>>> same dmp checked via dumpchk util
>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>> 9 memory ranges
>>>>>>> range# RVA Address Size
>>>>>>> 0 00004958 0007df4c 000020b4
>>>>>>> 1 00006A0C 7c90e494 00000100
>>>>>>> 2 00006B0C 00ccff98 00000068
>>>>>>> 3 00006B74 7c90e494 00000100
>>>>>>> 4 00006C74 00f1bcac 00004354
>>>>>>> 5 0000AFC8 7c90e494 00000100
>>>>>>> 6 0000B0C8 009cfe14 000001ec
>>>>>>> 7 0000B2B4 7c90e494 00000100
>>>>>>> 8 0000B3B4 00447000 000165a8
>>>>>>> Total memory: 1d004
>>>>>>>
>>>>>>> one question remains
>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4 i
>>>>>>> can
>>>>>>> get the 94 from outsize 1d004 from adding up all sizes what should
>>>>>>> i
>>>>>>> use to get the rva 48c4 ?
>>>>>>>
>>>>>>> On 5/2/12, raj_r wrote:
>>>>>>>> note to self
>>>>>>>> when in doubt refer header file do not refer chm or web or random
>>>>>>>> tidbits in obscure corners of internet
>>>>>>>>
>>>>>>>> this seem to be a documentation glitch in debugger.chm
>>>>>>>>
>>>>>>>> in debughelp.h it is dword
>>>>>>>>
>>>>>>>> typedef DWORD RVA;
>>>>>>>> typedef ULONG64 RVA64;
>>>>>>>>
>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>>>>> ULONG32 DataSize;
>>>>>>>> RVA Rva;
>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>>>>
>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
>>>>>>>> ULONG64 DataSize;
>>>>>>>> RVA64 Rva;
>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR64;
>>>>>>>>
>>>>>>>> On 5/2/12, raj_r wrote:
>>>>>>>>> Thanks Tim
>>>>>>>>>
>>>>>>>>> you wrote
>>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>> has
>>>>>>>>> 32-bit size and 32-bit RVA,
>>>>>>>>>
>>>>>>>>> the debughelp.chm has this
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR Structure
>>>>>>>>>
>>>>>>>>> Contains information describing the location of a data stream
>>>>>>>>> within
>>>>>>>>> a minidump file.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR { ULONG64 DataSize;
>>>>>>>>> RVA64 Rva; } MINIDUMP_LOCATION_DESCRIPTOR; Members DataSize The
>>>>>>>>> size
>>>>>>>>> of the data stream, in bytes.
>>>>>>>>>
>>>>>>>>> Rva
>>>>>>>>> The relative virtual address (RVA) of the data. This is the byte
>>>>>>>>> offset of the data stream from the beginning of the minidump file.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 5/2/12, Tim Roberts wrote:
>>>>>>>>>> raj_r wrote:
>>>>>>>>>>> not exactly related to ops question but it is regarding request
>>>>>>>>>>> of
>>>>>>>>>>> streamtype MemoryListStream …
>>>>>>>>>>> 00681438 00000009 0007df4c 00000000 000020b4
>>>>>>>>>>> 00681448 00004958 7c90e494 00000000 00000100
>>>>>>>>>>> 00681458 baadf00d baadf00d baadf00d baadf00d
>>>>>>>>>>>
>>>>>>>>>>> i understand the first dword 9 is NumberofMemoryRanges
>>>>>>>>>>>
>>>>>>>>>>> does the second QWORD7df4c point to
>>>>>>>>>>> MemoryRanges[0].StartofMemoryRange
>>>>>>>>>>> ??
>>>>>>>>>>> and subsequent dwords point to …Datasize and … RVA ??
>>>>>>>>>>
>>>>>>>>>> They don’t POINT to those things. They CONTAIN those things.
>>>>>>>>>> The
>>>>>>>>>> MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges,
>>>>>>>>>> followed by an array of MINIDUMP_MEMORY_DESCRIPTOR. The
>>>>>>>>>> MINIDUMP_MEMORY_DESCRIPTOR has a 64-bit start of range, followed
>>>>>>>>>> by
>>>>>>>>>> a MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>> has 32-bit size and 32-bit RVA,
>>>>>>>>>>
>>>>>>>>>>> these seem to described as ULONG 64 in dbghelp.chm but windbg
>>>>>>>>>>> doesnt seem to honor it
>>>>>>>>>>>
>>>>>>>>>>> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
>>>>>>>>>>> +0x000 NumberOfMemoryRanges : 9
>>>>>>>>>>> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
>>>>>>>>>>> +0x000 StartOfMemoryRange : 0x7df4c
>>>>>>>>>>> +0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>>> +0x000 DataSize : 0x20b4
>>>>>>>>>>> +0x004 Rva : 0x4958
>>>>>>>>>>>
>>>>>>>>>>> see the +4
>>>>>>>>>>
>>>>>>>>>> Those are correct. StartOfMemoryRange is 64-bit.
>>>>>>>>>> NumberOfMemoryRanges,
>>>>>>>>>> DataSize, and Rva are all 32-bit.
>>>>>>>>>>
>>>>>>>>>>> if i print it to scree with
>>>>>>>>>>>
>>>>>>>>>>> printf(
>>>>>>>>>>> “Number of memory range = %08x\t\n”
>>>>>>>>>>> “Start of Memory Range Is %I64x\t\n”
>>>>>>>>>>> “Data Size is %I64x\t\n”
>>>>>>>>>>> “Rva is %I64x\t\n”,
>>>>>>>>>>> mml->NumberOfMemoryRanges,
>>>>>>>>>>> mml->MemoryRanges[0].StartOfMemoryRange,
>>>>>>>>>>> mml->MemoryRanges[0].Memory.DataSize,
>>>>>>>>>>> mml->MemoryRanges[0].Memory.Rva
>>>>>>>>>>>
>>>>>>>>>>> );
>>>>>>>>>>
>>>>>>>>>> “Data Size” and “Rva” should both be %08x.
>>>>>>>>>>
>>>>>>>>>> –
>>>>>>>>>> Tim Roberts, xxxxx@probo.com
>>>>>>>>>> Providenza & Boekelheide, Inc.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> —
>>>>>>>>>> WINDBG is sponsored by OSR
>>>>>>>>>>
>>>>>>>>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>>>>>>>>> http://www.osr.com/seminars
>>>>>>>>>>
>>>>>>>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>>>>>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>

CString is probably not available for wdk builds, but std::string is part
of the C++ Standard.

But if you use std::string you have to include the correct header files,
and remember to either specify the namespace as a default or always
prepend std:: to names that are part of that namespace.

joe
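
The file layout described in this thread (a MINIDUMP_HEADER, then NumberOfStreams MINIDUMP_DIRECTORY entries giving each stream's type, size and RVA, and a MINIDUMP_MEMORY_LIST made of a 32-bit count followed by 16-byte descriptors) can be walked directly from the file bytes, checking every count and offset against the file size before it is used. The following is an added example, not code from any poster or from dbghelp: the md_* function names are hypothetical, the field offsets assume the dbghelp.h layout quoted in the thread, and the 104-byte sample dump is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes and offsets below assume the dbghelp.h layout quoted in the thread. */
#define MDMP_SIGNATURE     0x504d444du /* "MDMP" */
#define HEADER_SIZE        32u         /* MINIDUMP_HEADER */
#define DIRENT_SIZE        12u         /* StreamType + DataSize + Rva */
#define MEMDESC_SIZE       16u         /* 64-bit start + DataSize + Rva */
#define MEMORY_LIST_STREAM 5u

typedef struct { uint32_t type, size, rva; } stream_loc;
typedef struct { uint64_t start; uint32_t size, rva; } mem_range;

/* Byte-wise little-endian access, so unaligned fields are safe to read. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) {
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static void wr64(uint8_t *p, uint64_t v) {
    wr32(p, (uint32_t)v);
    wr32(p + 4, (uint32_t)(v >> 32));
}

/* True when [off, off+len) lies inside a file of `size` bytes, without overflow. */
static int in_file(size_t size, uint32_t off, uint32_t len) {
    return off <= size && len <= size - off;
}

/* Walk the stream directory for `type`. Returns 0, or a negative error code. */
int md_find_stream(const uint8_t *f, size_t n, uint32_t type, stream_loc *out) {
    if (n < HEADER_SIZE || rd32(f) != MDMP_SIGNATURE) return -1;
    uint32_t count = rd32(f + 8);   /* NumberOfStreams */
    uint32_t dir = rd32(f + 12);    /* StreamDirectoryRva */
    /* Both values come from the file: bound the count by the bytes available. */
    if (dir > n || count > (n - dir) / DIRENT_SIZE) return -2;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = f + dir + (size_t)i * DIRENT_SIZE;
        if (rd32(e) != type) continue;
        out->type = type;
        out->size = rd32(e + 4);
        out->rva = rd32(e + 8);
        return in_file(n, out->rva, out->size) ? 0 : -3;
    }
    return -4;                      /* no such stream */
}

/* Copy the MemoryListStream descriptors into out[]. Returns the count or < 0. */
int md_read_memory_list(const uint8_t *f, size_t n, mem_range *out, size_t max) {
    stream_loc s;
    int rc = md_find_stream(f, n, MEMORY_LIST_STREAM, &s);
    if (rc) return rc;
    if (s.size < 4) return -5;
    uint32_t count = rd32(f + s.rva);
    /* The stream must be large enough to hold `count` descriptors. */
    if (count > (s.size - 4) / MEMDESC_SIZE || count > max) return -6;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *d = f + s.rva + 4 + (size_t)i * MEMDESC_SIZE;
        out[i].start = rd64(d);
        out[i].size = rd32(d + 8);
        out[i].rva = rd32(d + 12);
        if (!in_file(n, out[i].rva, out[i].size)) return -7;
    }
    return (int)count;
}

/* Constructed sample, not a real dump: two streams, two memory ranges. */
size_t md_build_sample(uint8_t *b) {
    memset(b, 0, 0x68);
    wr32(b, MDMP_SIGNATURE); wr32(b + 4, 0xa793);
    wr32(b + 8, 2); wr32(b + 12, 0x20); wr64(b + 24, 0x21);
    /* directory[0] stays UnusedStream (all zero); directory[1] at 0x2c */
    wr32(b + 0x2c, MEMORY_LIST_STREAM);
    wr32(b + 0x30, 4 + 2 * MEMDESC_SIZE);
    wr32(b + 0x34, 0x38);
    wr32(b + 0x38, 2);              /* NumberOfMemoryRanges */
    wr64(b + 0x3c, 0x7df4c);    wr32(b + 0x44, 8); wr32(b + 0x48, 0x5c);
    wr64(b + 0x4c, 0x7c90e494); wr32(b + 0x54, 4); wr32(b + 0x58, 0x64);
    return 0x68;
}

int main(void) {
    uint8_t buf[0x68];
    mem_range r[16];
    size_t n = md_build_sample(buf);
    int count = md_read_memory_list(buf, n, r, 16);
    for (int i = 0; i < count; i++)
        printf("%d %08x %08llx %08x\n", i, r[i].rva,
               (unsigned long long)r[i].start, r[i].size);
    return count < 0;
}
```

On the dump discussed in the thread the same size check reads 4 + 9 * 16 = 0x94, the MemoryListStream size dumpchk reports, and the RVA 48c4 is the Rva field of that stream's directory entry.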

thanks Dr Newcomer,

for the comments i am not aware if i can use those
CString and std::string constructs in wdk build environment

i tried using them some time back and all i got was lots and lots of
compile errors

starting with cannot find note not <string.h> plain
>
>
>
>
> On 5/6/12, xxxxx@flounder.com wrote:
>> char * sep = "";
>>
>> #define ShowBit(something, x) if ((something) & (x)) { printf("%s", sep); \
>> printf(#x); sep = " | "; }
>>
>> if(value == MiniDumpNormal)
>> printf("MiniDumpNormal");
>> else
>> {
>> ShowBit(value, MiniDumpWithSegs);
>> ShowBit(value, MiniDumpSomeOtherKind);
>> ShowBit(value, MiniDumpYetOnOtherType);
>> }
>>
>> Note this does require you special-case the “0” type.
>> joe
>>
>>> Thanks Dr Newcomer,
>>>
>>> for posting the #defines
>>> PMDST(something, x) if((something) == (x)) printf(#x)
>>>
>>> switch(something)
>>> {
>>> #define MDSTcase(x) case x: printf(#x); break
>>> MDSTcase(UnusedStream);
>>> ----
>>> #undef MDSTcase
>>> }
>>>
>>> i at the moment used what tim posted in one of the earlier posts
>>>
>>> now on to next question
>>>
>>> typedef enum _MINIDUMP_TYPE {
>>> MiniDumpNormal = 0x00000000,
>>> MiniDumpWithDataSegs = 0x00000001,
>>>
>>> -------
>>> MiniDumpWithUnloadedModules = 0x00000020,
>>> ----
>>> }MINIDUMP_TYPE;
>>>
>>>
>>> now if i have a flag of 21
>>>
>>> i should be printing all the three strings isnt it ??
>>>
>>> int mask = 0
>>> if ( (Flags & mask) == mask)
>>> {
>>>
>>> dont know why Dumpchk omits the flag 0 MiniDumpNormal i can start
>>> with
>>>
>>> int mask = 1; to get the same behavior but i dont think that would
>>> print the MiniDumpNormal String ever
>>>
>>> here is a sample snippet i glued together to parse the Flags and print
>>> out the MiniDumptypes
>>>
>>>
>>>
>>> struct MiniDumpTypeLookup {
>>>
>>> int Value;
>>>
>>> PSTR Str;
>>>
>>> } MiniDumpTypeLookupTable[] = {
>>>
>>> MAKE_LOOKUP( MiniDumpNormal ),
>>>
>>> MAKE_LOOKUP( MiniDumpWithDataSegs ),
>>>
>>> -------
>>>
>>> MAKE_LOOKUP( MiniDumpValidTypeFlags ),
>>>
>>> { 0 , NULL }
>>>
>>> };
>>>
>>> char MiniDumpTypeNameBuff[0x1000] = {0};
>>
>> As soon as you declare a character array of a fixed size, you have
>> already
>> lost. This should never be written, anywhere. It is dead, obsolete, C
>> code. Use std::string or CString data types instead. I would no more
>> do
>> this than write in assembly code.
>>
>> And why is this declared as a static variable global to the function
>> instead of as a stack local? It isn’t thread-safe, and it represents an
>> antiquated programming pattern that is best dead and buried
>>
*
>>>
>>> PCHAR MiniDumpTypeName (ULONG64 Flags)
>>>
>>> {
>>>
>>> struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;
>>>
>>> int i = 0;
>>>
>>> int mask = 0;
>>>
>>> while ( mask < 0x7ffff )
>>
>> Wrong test. I have no idea what this is testing, but it would never
>> occur
>> to me to write this code
>>

>>>
>>> {
>>>
>>> if( (Flags & mask ) == mask )
>>>
>>> {
>>>
>>> if(mlk->Value == mask)
>>>
>>> {
>>>
>>> strncat_s(
>>>
>>> MiniDumpTypeNameBuff,
>>>
>>> sizeof(MiniDumpTypeNameBuff),
>>
>> Note that you have made a consistent error in all the programs, which I
>> did not attempt to correct: that the program always and forever uses
>> 8-bit
>> character strings. You should either assume Unicode or code
>> Unicode-aware, using T-data types, _T() for literals, etc. Note that I
>> prefer, when doing bit masks, to use the vertical bar (with spaces
>> around
>> it) as the separator, which is more in keeping with how a programmer
>> thinks of the bit fields.
>>***
>>>
>>> "\n ",
>>>
>>> _TRUNCATE
>>>
>>> );
>>>
>>> strncat_s(
>>>
>>> MiniDumpTypeNameBuff,
>>>
>>> sizeof(MiniDumpTypeNameBuff),
>>>
>>> mlk->Str,
>>>
>>> _TRUNCATE
>>>
>>> );
>>>
>>> }
>>>
>>> }
>>>
>>> mask = 1 << i;
>>>
>>> i++;
>>>
>>> mlk++;
>>>
>>> }
>>>
>>> return MiniDumpTypeNameBuff;
>>
>> This makes no sense; you are returning a pointer to a buffer which is
>> statically allocated. Bad practice, not thread-safe, potentially a
>> disaster.
>>
>> Again, avoid C data types and use std::string or CString types.
>> Programming applications in C is about as antiquated as programming
>> applications in assembly code.
>>

>>>
>>> }
>>>
>>> i get an output like this
>>>
>>> MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC +
>>> 5:30)
>>> MINIDUMP_HEADER Flags = 21
>>> MiniDumpNormal
>>> MiniDumpWithDataSegs
>>> MiniDumpWithUnloadedModules
>>
>> No surprise, because you have to special-case the 0 flag value. Look at
>> your code:
>>
>> if((Flags & 0) == 0)
>>
>> which is going to be always true. If you want to make a fully-general
>> subroutine, you can impose rules like “the first entry in the table
>> might
>> be a zero value, special-case the first entry” or even more general, if
>> the value Flags is 0, scan the table for the 0 value, print it and
>> return,
>> else iterate the bit mask as you have done.
>>

>>>
>>> whereas dumpchk prints out
>>>
>>> Debug session time: Tue Mar 27 01:22:16.000 2012 (UTC + 5:30)
>>> System Uptime: not available
>>> Process Uptime: not available
>>> …
>>> Loading unloaded module list
>>> …
>>> This dump file has an exception of interest stored in it.
>>> The stored exception information can be accessed via .ecxr.
>>> (f0f0f0f0.9e8): Access violation - code c0000005 (first/second chance
>>> not
>>> availa
>>> ble)
>>> ----- User Mini Dump Analysis
>>>
>>> MINIDUMP_HEADER:
>>> Version A793 (6003)
>>> NumberOfStreams 8
>>> Flags 21
>>> 0001 MiniDumpWithDataSegs
>>> 0020 MiniDumpWithUnloadedModules
>>>
>>>
>>
>> That’s because they properly handle the 0 case.
>> joe
>>

>>>
>>>
>>>
>>> On 5/6/12, xxxxx@flounder.com wrote:
>>>> No, the question isn’t stupid, it just reflects one of the major
>>>> defects
>>>> of the C language: the lack of reflection.
>>>>
>>>> The correct way to handle this is definitely NOT
>>>>
>>>> if(something == 3) printf(“ThreadListStream”);
>>>>
>>>> it would be correct, but tedious, to handle every case correctly, by
>>>> typing
>>>>
>>>> if(something == ThreadListStream) printf(“ThreadListStream”)
>>>>
>>>> I fail to see any purpose in using the constant “3” when there is a
>>>> perfectly good name!
>>>>
>>>> However, I have used a couple techniques
>>>>
>>>> #define PMDST(something, x) if((something) == (x)) printf(#x)
>>>>
>>>> then you can write
>>>>
>>>> PMDST(something, UnusedStream);
>>>> else
>>>> PMDST(something, ThreadListStream);
>>>> else
>>>> …
>>>> else
>>>> printf(“Unknown stream type %d”, something);
>>>>
>>>> or, I’ll sometimes do
>>>>
>>>> switch(something)
>>>> {
>>>> #define MDSTcase(x) case x: printf(#x); break
>>>> MDSTcase(UnusedStream);
>>>> MDSTcase(ThreadlistStream);
>>>> …
>>>> default:
>>>> printf(“Unknown stream type %d”, something);
>>>> break;
>>>> #undef MDSTcase
>>>> }
>>>>
>>>> It depends on my mood which one I might use.
>>>> joe
>>>>> THIS must be a STUPID c 101 QUESTION
>>>>> still i will ask it
>>>>>
>>>>> dbghelp.h has this declared
>>>>>
>>>>> typedef enum _MINIDUMP_STREAM_TYPE {
>>>>>
>>>>> UnusedStream = 0,
>>>>> ReservedStream0 = 1,
>>>>> ReservedStream1 = 2,
>>>>> ThreadListStream = 3,
>>>>> ModuleListStream = 4, … s ON }
>>>>>
>>>>> now if i want to printf
>>>>>
>>>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff; MiniDir->StreamType,
>>>>>
>>>>> say if 3 printf (“ThreadListStream”);
>>>>>
>>>>> should i be doing it like this ?? error prone copy paste modify by
>>>>> hand of the enum from dbghelp.h ?? like below
>>>>>
>>>>>
>>>>> PSTR
>>>>>
>>>>> __cdecl
>>>>>
>>>>> MiniStreamTypeName (
>>>>> int StreamType
>>>>> )
>>>>> {
>>>>> PSTR Ministr[] = {
>>>>>
>>>>> “UnusedStream”,
>>>>> “ReservedStream0”,
>>>>> “ReservedStream1”,
>>>>> “ThreadListStream”,
>>>>> “ModuleListStream”,
>>>>> …
>>>>> …
>>>>> …
>>>>>
>>>>> };
>>>>> return Ministr[StreamType];
>>>>> }
>>>>>
>>>>>
>>>>> and call it with say
>>>>>
>>>>> printf(
>>>>> “%7d %08x\x20\x20\x20\x20 %-30s %08x %08x\n”,
>>>>> i,
>>>>> MiniDir->StreamType,
>>>>> MiniStreamTypeName(MiniDir->StreamType),
>>>>> MiniDir->Location.DataSize,
>>>>> MiniDir->Location.Rva
>>>>> );
>>>>>
>>>>> this seems to work though i feel this must really not be the way to
>>>>> go
>>>>> about
>>>>>
>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>
>>>>> Minidump Header Signature = 504d444d
>>>>> MINIDUMP_VERSION = 0000a793
>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>> Stream# StreamType StreamName Size RVA
>>>>> 0 00000003 ThreadListStream 000000c4 00000160
>>>>> 1 00000004 ModuleListStream 00001a2c 00000224
>>>>> 2 0000000e UnloadedModuleListStream 00000114 00001c50
>>>>> 3 00000005 MemoryListStream 00000094 000048c4
>>>>> 4 00000006 ExceptionStream 000000a8 000000b8
>>>>> 5 00000007 SystemInfoStream 00000038 00000080
>>>>> 6 00000000 UnusedStream 00000000 00000000
>>>>> 7 00000000 UnusedStream 00000000 00000000
>>>>> Dump Header Dumped
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 5/3/12, raj_r wrote:
>>>>>> thanks jen for answering fast
>>>>>> it seems i am able to get the directories and rvas with code below
>>>>>>
>>>>>> ftell(fp);
>>>>>>
>>>>>> ULONG NumberOfStreams = MiniHeader->NumberOfStreams;
>>>>>>
>>>>>> for (ULONG i = 0; i < NumberOfStreams; i++)
>>>>>> {
>>>>>> fread(
>>>>>> Buff,
>>>>>> 1,
>>>>>> sizeof(MINIDUMP_DIRECTORY),
>>>>>> fp
>>>>>> );
>>>>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff;
>>>>>> printf(
>>>>>> “StreamType\t%08x\tSize\t%08x\tRva\t%08x\n”,
>>>>>> MiniDir->StreamType,
>>>>>> MiniDir->Location.DataSize,
>>>>>> MiniDir->Location.Rva
>>>>>> );
>>>>>> ftell(fp);
>>>>>> }
>>>>>>
>>>>>> StreamType 00000003 Size 000000c4 Rva
>>>>>> 00000160
>>>>>> StreamType 00000004 Size 00001a2c Rva
>>>>>> 00000224
>>>>>> StreamType 0000000e Size 00000114 Rva
>>>>>> 00001c50
>>>>>> StreamType 00000005 Size 00000094 Rva
>>>>>> 000048c4
>>>>>> StreamType 00000006 Size 000000a8 Rva
>>>>>> 000000b8
>>>>>> StreamType 00000007 Size 00000038 Rva
>>>>>> 00000080
>>>>>> StreamType 00000000 Size 00000000 Rva
>>>>>> 00000000
>>>>>> StreamType 00000000 Size 00000000 Rva
>>>>>> 00000000
>>>>>> Dump Header Dumped
>>>>>>
>>>>>>
>>>>>> t>Dumpchk test.dmp | grep -i stream
>>>>>> Loading dump file test.dmp
>>>>>> NumberOfStreams 8
>>>>>> Streams:
>>>>>> Stream 0: type ThreadListStream (3), size 000000C4, RVA 00000160
>>>>>> Stream 1: type ModuleListStream (4), size 00001A2C, RVA 00000224
>>>>>> Stream 2: type UnloadedModuleListStream (14), size 00000114, RVA
>>>>>> 00001C50
>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>> Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000B8
>>>>>> Stream 5: type SystemInfoStream (7), size 00000038, RVA 00000080
>>>>>> Stream 6: type UnusedStream (0), size 00000000, RVA 00000000
>>>>>> Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
>>>>>>
>>>>>>
>>>>>> so all left is to parse and the remaining bytes
>>>>>>
>>>>>>
>>>>>> On 5/3/12, Jen-Lung Chiu wrote:
>>>>>>> Yes no API support to get those data from dump headers.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: xxxxx@lists.osr.com
>>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>>> Sent: Wednesday, May 2, 2012 01:37 PM
>>>>>>> To: Kernel Debugging Interest List
>>>>>>> Subject: Re: [windbg] Error when reading user stream from dump file
>>>>>>>
>>>>>>> Thanks jen
>>>>>>>
>>>>>>> So I Need To do Something Like below Myself no request or interface
>>>>>>> exist
>>>>>>> ??
>>>>>>>
>>>>>>>
>>>>>>> int __cdecl DumpDumpHeader(void) {
>>>>>>>
>>>>>>> HRESULT status = S_OK;
>>>>>>>
>>>>>>> PMINIDUMP_HEADER MiniHeader;
>>>>>>>
>>>>>>> FILE * fp;
>>>>>>>
>>>>>>> size_t result;
>>>>>>>
>>>>>>> if (( fp = fopen(
>>>>>>>
>>>>>>> “test.dmp”,
>>>>>>>
>>>>>>> “rb”
>>>>>>>
>>>>>>> ) ) == 0 ) {
>>>>>>>
>>>>>>> Exit (
>>>>>>>
>>>>>>> FALSE,
>>>>>>>
>>>>>>> “fopen ( %s ) Failed”,
>>>>>>>
>>>>>>> “test.dmp”
>>>>>>>
>>>>>>> );
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> if (( result = fread(
>>>>>>>
>>>>>>> Buff,
>>>>>>>
>>>>>>> 1,
>>>>>>>
>>>>>>> sizeof(MINIDUMP_HEADER),
>>>>>>>
>>>>>>> fp
>>>>>>>
>>>>>>> ) ) != sizeof(MINIDUMP_HEADER)) {
>>>>>>>
>>>>>>> Exit(
>>>>>>>
>>>>>>> FALSE,
>>>>>>>
>>>>>>> “fread(fp) failed\n”
>>>>>>>
>>>>>>> );
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> MiniHeader = (PMINIDUMP_HEADER)Buff;
>>>>>>>
>>>>>>> printf(
>>>>>>>
>>>>>>> “Minidump Header Signature = %08x\n”
>>>>>>>
>>>>>>> “MINIDUMP_VERSION = %08x\n”
>>>>>>>
>>>>>>> “MINIDUMP_VERSION(Internal) = %08x\n”
>>>>>>>
>>>>>>> “MINIDUMP_HEADER NumberofStreams = %08x\n”
>>>>>>>
>>>>>>> “MINIDUMP_HEADER StreamDirectoryRVA = %08x\n”
>>>>>>>
>>>>>>> “MINIDUMP_HEADER CheckSum = %08x\n”
>>>>>>>
>>>>>>> “MINIDUMP_HEADER reserved = %08x\n”
>>>>>>>
>>>>>>> “MINIDUMP_HEADER TimeDateStamp = %08x\n”
>>>>>>>
>>>>>>> “MINIDUMP_HEADER Flags = %08x\n”,
>>>>>>>
>>>>>>> MiniHeader->Signature,
>>>>>>>
>>>>>>> LOWORD(MiniHeader->Version),
>>>>>>>
>>>>>>> HIWORD(MiniHeader->Version),
>>>>>>>
>>>>>>> MiniHeader->NumberOfStreams,
>>>>>>>
>>>>>>> MiniHeader->StreamDirectoryRva,
>>>>>>>
>>>>>>> MiniHeader->CheckSum,
>>>>>>>
>>>>>>> MiniHeader->Reserved,
>>>>>>>
>>>>>>> MiniHeader->TimeDateStamp,
>>>>>>>
>>>>>>> MiniHeader->Flags
>>>>>>>
>>>>>>> );
>>>>>>>
>>>>>>> fclose(fp);
>>>>>>>
>>>>>>> return status;
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>>>
>>>>>>> Minidump Header Signature = 504d444d
>>>>>>> MINIDUMP_VERSION = 0000a793
>>>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>>>> Dump Header Dumped
>>>>>>>
>>>>>>>
>>>>>>> ----- User Mini Dump Analysis
>>>>>>>
>>>>>>> MINIDUMP_HEADER:
>>>>>>> Version A793 (6003)
>>>>>>> NumberOfStreams 8
>>>>>>> Flags 21
>>>>>>> 0001 MiniDumpWithDataSegs
>>>>>>> 0020 MiniDumpWithUnloadedModules
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 5/2/12, Jen-Lung Chiu wrote:
>>>>>>>> You could check MSDN or dbghelp.h for user-mode minidump format,
>>>>>>>> then
>>>>>>>> use binary editor to browse the dump file.
>>>>>>>>
>>>>>>>> The user-mode minidump starts with a MINIDUMP_HEADER structure,
>>>>>>>> then
>>>>>>>> follows a list of MINIDUMP_DIRECTORY structure (the number of
>>>>>>>> MINIDUMP_DIRECTORY structures is
>>>>>>>> MINIDUMP_HEADER::NumberOfStreams).
>>>>>>>> The MINIDUMP_DIRECTORY block defines the type of the stream (in
>>>>>>>> your
>>>>>>>> case, MemoryListStream) as well as the RVA/size of the stream.
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: xxxxx@lists.osr.com
>>>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>>>> Sent: Wednesday, May 2, 2012 02:42 AM
>>>>>>>> To: Kernel Debugging Interest List
>>>>>>>> Subject: Re: [windbg] Error when reading user stream from dump
>>>>>>>> file
>>>>>>>>
>>>>>>>> ok changing the ULONG64 of Debughelp.chm to DWORD of Debughelp.h
>>>>>>>> it
>>>>>>>> seems now i can dump the MemoryListStream below is code and output
>>>>>>>> Dissections are Welcome
>>>>>>>>
>>>>>>>> #include <stdio.h>
>>>>>>>>
>>>>>>>> #include <engextcpp.hpp>
>>>>>>>>
>>>>>>>> #include <dbghelp.h>
>>>>>>>>
>>>>>>>> const ULONG MBUFFSIZE = 0x1000;
>>>>>>>>
>>>>>>>> IDebugClient* g_Client;
>>>>>>>>
>>>>>>>> IDebugControl* g_Control;
>>>>>>>>
>>>>>>>> IDebugAdvanced2* g_Advanced2;
>>>>>>>>
>>>>>>>> PVOID Buff;
>>>>>>>>
>>>>>>>> void
>>>>>>>>
>>>>>>>> Exit( __in int Code,
>>>>>>>>
>>>>>>>> __in PCSTR Format,
>>>>>>>>
>>>>>>>> ...)
>>>>>>>>
>>>>>>>> {
>>>>>>>>
>>>>>>>> if (g_Client != NULL) {
>>>>>>>>
>>>>>>>> g_Client->EndSession(DEBUG_END_DISCONNECT);
>>>>>>>>
>>>>>>>> g_Client->Release();
>>>>>>>>
>>>>>>>> g_Client = NULL;
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> if (g_Control != NULL) {
>>>>>>>>
>>>>>>>> g_Control->Release();
>>>>>>>>
>>>>>>>> g_Control = NULL;
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> if (g_Advanced2 !=NULL) {
>>>>>>>>
>>>>>>>> g_Advanced2->Release();
>>>>>>>>
>>>>>>>> g_Advanced2 = NULL;
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> if( Buff != NULL) {
>>>>>>>>
>>>>>>>> free(Buff);
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> if (Format != NULL) {
>>>>>>>>
>>>>>>>> va_list Args;
>>>>>>>>
>>>>>>>> va_start(Args, Format);
>>>>>>>>
>>>>>>>> vfprintf(stderr, Format, Args);
>>>>>>>>
>>>>>>>> va_end(Args);
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> exit(Code);
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> int __cdecl DumpMemoryListStream(void){
>>>>>>>>
>>>>>>>> HRESULT status;
>>>>>>>>
>>>>>>>> if ( ( status = DebugCreate(
>>>>>>>>
>>>>>>>> __uuidof(IDebugClient),
>>>>>>>>
>>>>>>>> (void **)&g_Client
>>>>>>>>
>>>>>>>> ) ) !=S_OK) {
>>>>>>>>
>>>>>>>> Exit(
>>>>>>>>
>>>>>>>> FALSE,
>>>>>>>>
>>>>>>>> "%s ( %s ) Failed %08x\n",
>>>>>>>>
>>>>>>>> "DebugCreate",
>>>>>>>>
>>>>>>>> "IDebugClient",
>>>>>>>>
>>>>>>>> status);
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>>>>
>>>>>>>> __uuidof(IDebugControl),
>>>>>>>>
>>>>>>>> (void**)&g_Control
>>>>>>>>
>>>>>>>> ) ) != S_OK ) {
>>>>>>>>
>>>>>>>> Exit(
>>>>>>>>
>>>>>>>> FALSE,
>>>>>>>>
>>>>>>>> "%s ( %s ) Failed %08x\n",
>>>>>>>>
>>>>>>>> "QueryInterface",
>>>>>>>>
>>>>>>>> "IDebugControl",
>>>>>>>>
>>>>>>>> status);
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>>>>
>>>>>>>> __uuidof(IDebugAdvanced2),
>>>>>>>>
>>>>>>>> (void**)&g_Advanced2
>>>>>>>>
>>>>>>>> )) != S_OK ) {
>>>>>>>>
>>>>>>>> Exit(
>>>>>>>>
>>>>>>>> FALSE,
>>>>>>>>
>>>>>>>> "%s ( %s ) Failed %08x\n",
>>>>>>>>
>>>>>>>> "QueryInterface",
>>>>>>>>
>>>>>>>> "IDebugAdvanced2",
>>>>>>>>
>>>>>>>> status);
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> if (( status = g_Client->OpenDumpFile(
>>>>>>>>
>>>>>>>> "test.dmp"
>>>>>>>>
>>>>>>>> )) != S_OK ) {
>>>>>>>>
>>>>>>>> Exit(
>>>>>>>>
>>>>>>>> FALSE,
>>>>>>>>
>>>>>>>> "%s ( %s ) Failed %08x\n",
>>>>>>>>
>>>>>>>> "g_Client",
>>>>>>>>
>>>>>>>> "OpenDumpFile",
>>>>>>>>
>>>>>>>> status);
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> if (( status = g_Control->WaitForEvent(
>>>>>>>>
>>>>>>>> 0,
>>>>>>>>
>>>>>>>> INFINITE
>>>>>>>>
>>>>>>>> ) ) != S_OK ) {
>>>>>>>>
>>>>>>>> Exit(
>>>>>>>>
>>>>>>>> FALSE,
>>>>>>>>
>>>>>>>> "%s ( %s ) Failed %08x\n",
>>>>>>>>
>>>>>>>> "g_Control",
>>>>>>>>
>>>>>>>> "WaitForEvent",
>>>>>>>>
>>>>>>>> status);
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> PVOID OutBuffer;
>>>>>>>>
>>>>>>>> ULONG OutBufferSize;
>>>>>>>>
>>>>>>>> ULONG OutSize;
>>>>>>>>
>>>>>>>> PMINIDUMP_MEMORY_LIST mml;
>>>>>>>>
>>>>>>>> DEBUG_READ_USER_MINIDUMP_STREAM InBuffer;
>>>>>>>>
>>>>>>>> InBuffer.StreamType = MemoryListStream;
>>>>>>>>
>>>>>>>> InBuffer.Flags = 0;
>>>>>>>>
>>>>>>>> InBuffer.Offset = 0;
>>>>>>>>
>>>>>>>> InBuffer.Buffer = Buff;
>>>>>>>>
>>>>>>>> InBuffer.BufferSize = MBUFFSIZE;
>>>>>>>>
>>>>>>>> InBuffer.BufferUsed = 0;
>>>>>>>>
>>>>>>>> OutBuffer = NULL;
>>>>>>>>
>>>>>>>> OutBufferSize = NULL;
>>>>>>>>
>>>>>>>> if (( status = g_Advanced2->Request(
>>>>>>>>
>>>>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>>>>
>>>>>>>> &InBuffer,
>>>>>>>>
>>>>>>>> sizeof(InBuffer),
>>>>>>>>
>>>>>>>> OutBuffer,
>>>>>>>>
>>>>>>>> OutBufferSize,
>>>>>>>>
>>>>>>>> &OutSize
>>>>>>>>
>>>>>>>> ) ) != S_OK ) {
>>>>>>>>
>>>>>>>> Exit(
>>>>>>>>
>>>>>>>> FALSE,
>>>>>>>>
>>>>>>>> "%s (\n"
>>>>>>>>
>>>>>>>> "\t%s,\n"
>>>>>>>>
>>>>>>>> "\t%s\n\t) Failed %08x\n",
>>>>>>>>
>>>>>>>> "g_Advanced2->Request",
>>>>>>>>
>>>>>>>> "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
>>>>>>>>
>>>>>>>> "MemoryListStream",
>>>>>>>>
>>>>>>>> status);
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> mml = (PMINIDUMP_MEMORY_LIST)Buff;
>>>>>>>>
>>>>>>>> printf (
>>>>>>>>
>>>>>>>> " Number Of Memory ranges = %x\n\n"
>>>>>>>>
>>>>>>>> " range# RVA Address Size\n",
>>>>>>>>
>>>>>>>> mml->NumberOfMemoryRanges
>>>>>>>>
>>>>>>>> );
>>>>>>>>
>>>>>>>> for (ULONG i = 0; i<mml->NumberOfMemoryRanges;i++) {
>>>>>>>>
>>>>>>>> printf(
>>>>>>>>
>>>>>>>> " %d %08x %08I64x %08x\n",
>>>>>>>>
>>>>>>>> i,
>>>>>>>>
>>>>>>>> mml->MemoryRanges[i].Memory.Rva,
>>>>>>>>
>>>>>>>> mml->MemoryRanges[i].StartOfMemoryRange,
>>>>>>>>
>>>>>>>> mml->MemoryRanges[i].Memory.DataSize
>>>>>>>>
>>>>>>>> );
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> Exit(
>>>>>>>>
>>>>>>>> TRUE,
>>>>>>>>
>>>>>>>> "%s (\n"
>>>>>>>>
>>>>>>>> "\t%s,\n"
>>>>>>>>
>>>>>>>> "\t%s\n\t) Succeeded %08x\n",
>>>>>>>>
>>>>>>>> "g_Advanced2->Request",
>>>>>>>>
>>>>>>>> "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
>>>>>>>>
>>>>>>>> "MemoryListStream",
>>>>>>>>
>>>>>>>> status);
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> int __cdecl main (void){
>>>>>>>>
>>>>>>>> Buff = (PVOID) malloc( MBUFFSIZE );
>>>>>>>>
>>>>>>>> if(Buff == 0) {
>>>>>>>>
>>>>>>>> printf(
>>>>>>>>
>>>>>>>> "malloc failed\n"
>>>>>>>>
>>>>>>>> );
>>>>>>>>
>>>>>>>> Exit ( FALSE,"malloc Failed \n");
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> printf("\n\n -====Dumping MemoryListStream From Memory Dump====-\n\n");
>>>>>>>>
>>>>>>>> DumpMemoryListStream();
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> t>OpenDumpStream.exe
>>>>>>>>
>>>>>>>>
>>>>>>>> -====Dumping MemoryListStream From Memory Dump====-
>>>>>>>>
>>>>>>>> Number Of Memory ranges = 9
>>>>>>>>
>>>>>>>> range# RVA Address Size
>>>>>>>> 0 00004958 0007df4c 000020b4
>>>>>>>> 1 00006a0c 7c90e494 00000100
>>>>>>>> 2 00006b0c 00ccff98 00000068
>>>>>>>> 3 00006b74 7c90e494 00000100
>>>>>>>> 4 00006c74 00f1bcac 00004354
>>>>>>>> 5 0000afc8 7c90e494 00000100
>>>>>>>> 6 0000b0c8 009cfe14 000001ec
>>>>>>>> 7 0000b2b4 7c90e494 00000100
>>>>>>>> 8 0000b3b4 00447000 000165a8
>>>>>>>> g_Advanced2->Request (
>>>>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>>>> MemoryListStream
>>>>>>>> ) Succeeded 00000000
>>>>>>>>
>>>>>>>> same dmp checked via dumpchk util
>>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>>> 9 memory ranges
>>>>>>>> range# RVA Address Size
>>>>>>>> 0 00004958 0007df4c 000020b4
>>>>>>>> 1 00006A0C 7c90e494 00000100
>>>>>>>> 2 00006B0C 00ccff98 00000068
>>>>>>>> 3 00006B74 7c90e494 00000100
>>>>>>>> 4 00006C74 00f1bcac 00004354
>>>>>>>> 5 0000AFC8 7c90e494 00000100
>>>>>>>> 6 0000B0C8 009cfe14 000001ec
>>>>>>>> 7 0000B2B4 7c90e494 00000100
>>>>>>>> 8 0000B3B4 00447000 000165a8
>>>>>>>> Total memory: 1d004
>>>>>>>>
>>>>>>>> one question remains
>>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>>> i can get the 94 from outsize 1d004 from adding up all sizes
>>>>>>>> what should i use to get the rva 48c4 ?
>>>>>>>>
>>>>>>>> On 5/2/12, raj_r wrote:
>>>>>>>>> note to self
>>>>>>>>> when in doubt refer header file do not refer chm or web or random
>>>>>>>>> tidbits in obscure corners of internet
>>>>>>>>>
>>>>>>>>> this seem to be a documentation glitch in debugger.chm
>>>>>>>>>
>>>>>>>>> in debughelp.h it is dword
>>>>>>>>>
>>>>>>>>> typedef DWORD RVA;
>>>>>>>>> typedef ULONG64 RVA64;
>>>>>>>>>
>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>>>>>> ULONG32 DataSize;
>>>>>>>>> RVA Rva;
>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>>>>>
>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
>>>>>>>>> ULONG64 DataSize;
>>>>>>>>> RVA64 Rva;
>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR64;
>>>>>>>>>
>>>>>>>>> On 5/2/12, raj_r wrote:
>>>>>>>>>> Thanks Tim
>>>>>>>>>>
>>>>>>>>>> you wrote
>>>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>> has
>>>>>>>>>> 32-bit size and 32-bit RVA,
>>>>>>>>>>
>>>>>>>>>> the debughelp.chm has this
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR Structure
>>>>>>>>>>
>>>>>>>>>> Contains information describing the location of a data stream
>>>>>>>>>> within a minidump file.
>>>>>>>>>>
>>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>>>>>>> ULONG64 DataSize;
>>>>>>>>>> RVA64 Rva;
>>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>>>>>>
>>>>>>>>>> Members
>>>>>>>>>>
>>>>>>>>>> DataSize
>>>>>>>>>> The size of the data stream, in bytes.
>>>>>>>>>>
>>>>>>>>>> Rva
>>>>>>>>>> The relative virtual address (RVA) of the data. This is the byte
>>>>>>>>>> offset of the data stream from the beginning of the minidump
>>>>>>>>>> file.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 5/2/12, Tim Roberts wrote:
>>>>>>>>>>> raj_r wrote:
>>>>>>>>>>>> not exactly related to ops question but it is regarding
>>>>>>>>>>>> request
>>>>>>>>>>>> of
>>>>>>>>>>>> streamtype MemoryListStream …
>>>>>>>>>>>> 00681438 00000009 0007df4c 00000000 000020b4
>>>>>>>>>>>> 00681448 00004958 7c90e494 00000000 00000100
>>>>>>>>>>>> 00681458 baadf00d baadf00d baadf00d baadf00d
>>>>>>>>>>>>
>>>>>>>>>>>> i understand the first dword 9 is NumberofMemoryRanges
>>>>>>>>>>>>
>>>>>>>>>>>> does the second QWORD7df4c point to
>>>>>>>>>>>> MemoryRanges[0].StartofMemoryRange
>>>>>>>>>>>> ??
>>>>>>>>>>>> and subsequent dwords point to …Datasize and … RVA ??
>>>>>>>>>>>
>>>>>>>>>>> They don’t POINT to those things. They CONTAIN those things.
>>>>>>>>>>> The MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges,
>>>>>>>>>>> followed by an array of MINIDUMP_MEMORY_DESCRIPTOR. The
>>>>>>>>>>> MINIDUMP_MEMORY_DESCRIPTOR has a 64-bit start of range, followed
>>>>>>>>>>> by a MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>>> has 32-bit size and 32-bit RVA,
>>>>>>>>>>>
>>>>>>>>>>>> these seem to described as ULONG 64 in dbghelp.chm but windbg
>>>>>>>>>>>> doesnt seem to honor it
>>>>>>>>>>>>
>>>>>>>>>>>> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
>>>>>>>>>>>> +0x000 NumberOfMemoryRanges : 9
>>>>>>>>>>>> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
>>>>>>>>>>>> +0x000 StartOfMemoryRange : 0x7df4c
>>>>>>>>>>>> +0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>>>> +0x000 DataSize : 0x20b4
>>>>>>>>>>>> +0x004 Rva : 0x4958
>>>>>>>>>>>>
>>>>>>>>>>>> see the +4
>>>>>>>>>>>
>>>>>>>>>>> Those are correct. StartOfMemoryRange is 64-bit.
>>>>>>>>>>> NumberOfMemoryRanges,
>>>>>>>>>>> DataSize, and Rva are all 32-bit.
>>>>>>>>>>>
>>>>>>>>>>>> if i print it to scree with
>>>>>>>>>>>>
>>>>>>>>>>>> printf(
>>>>>>>>>>>> "Number of memory range = %08x\t\n"
>>>>>>>>>>>> "Start of Memory Range Is %I64x\t\n"
>>>>>>>>>>>> "Data Size is %I64x\t\n"
>>>>>>>>>>>> "Rva is %I64x\t\n",
>>>>>>>>>>>> mml->NumberOfMemoryRanges,
>>>>>>>>>>>> mml->MemoryRanges[0].StartOfMemoryRange,
>>>>>>>>>>>> mml->MemoryRanges[0].Memory.DataSize,
>>>>>>>>>>>> mml->MemoryRanges[0].Memory.Rva
>>>>>>>>>>>>
>>>>>>>>>>>> );
>>>>>>>>>>>
>>>>>>>>>>> “Data Size” and “Rva” should both be %08x.
>>>>>>>>>>>
>>>>>>>>>>> –
>>>>>>>>>>> Tim Roberts, xxxxx@probo.com
>>>>>>>>>>> Providenza & Boekelheide, Inc.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> —
>>>>>>>>>>> WINDBG is sponsored by OSR
>>>>>>>>>>>
>>>>>>>>>>> For our schedule of WDF, WDM, debugging and other seminars
>>>>>>>>>>> visit:
>>>>>>>>>>> http://www.osr.com/seminars
>>>>>>>>>>>
>>>>>>>>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>>>>>>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>

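The layout described in the thread above (a MINIDUMP_HEADER, then NumberOfStreams MINIDUMP_DIRECTORY entries at StreamDirectoryRva, with the MemoryListStream entry giving the RVA and size of the MINIDUMP_MEMORY_LIST) can be walked directly from the file bytes. The following is an added example, not code from any poster: a portable C walk over a constructed in-memory dump that checks every count and RVA read from the file against the file and stream sizes before using it. The names find_stream, read_memory_list and build_sample, and the sample bytes, are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MDMP_SIGNATURE     0x504d444du /* "MDMP", the Signature value printed in the thread */
#define MEMORY_LIST_STREAM 5u          /* MemoryListStream */
#define HEADER_SIZE        32u         /* MINIDUMP_HEADER */
#define DIRECTORY_SIZE     12u         /* StreamType + DataSize + Rva */
#define MEM_DESC_SIZE      16u         /* 64-bit start + 32-bit DataSize + 32-bit Rva */

typedef struct { uint64_t start; uint32_t size; uint32_t rva; } mem_range;

/* Little-endian readers/writer, so nothing depends on struct packing. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) {
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* True when [off, off + len) lies inside `total` bytes; written to avoid overflow. */
static int in_file(size_t total, uint64_t off, uint64_t len) {
    return off <= total && len <= total - off;
}

/* Looks up the first directory entry of `type`. Returns 0 and fills rva/size, else -1. */
int find_stream(const uint8_t *f, size_t n, uint32_t type, uint32_t *rva, uint32_t *size) {
    if (!in_file(n, 0, HEADER_SIZE) || rd32(f) != MDMP_SIGNATURE) return -1;
    uint32_t count = rd32(f + 8);   /* NumberOfStreams */
    uint32_t dir = rd32(f + 12);    /* StreamDirectoryRva */
    if (!in_file(n, dir, (uint64_t)count * DIRECTORY_SIZE)) return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = f + dir + (size_t)i * DIRECTORY_SIZE;
        if (rd32(e) != type) continue;
        *size = rd32(e + 4);
        *rva = rd32(e + 8);
        return in_file(n, *rva, *size) ? 0 : -1;
    }
    return -1;
}

/* Decodes MemoryListStream into out[]. Returns the range count, or a negative
   code: -1 no usable stream, -2 count exceeds stream size, -3 out[] too small,
   -4 a range's data lies outside the file. */
int read_memory_list(const uint8_t *f, size_t n, mem_range *out, size_t max_out) {
    uint32_t rva, size;
    if (find_stream(f, n, MEMORY_LIST_STREAM, &rva, &size) != 0) return -1;
    if (size < 4) return -2;
    uint32_t count = rd32(f + rva); /* NumberOfMemoryRanges: untrusted */
    if ((uint64_t)count * MEM_DESC_SIZE > size - 4) return -2;
    if (count > max_out) return -3;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *d = f + rva + 4 + (size_t)i * MEM_DESC_SIZE;
        out[i].start = rd64(d);
        out[i].size = rd32(d + 8);
        out[i].rva = rd32(d + 12);
        if (!in_file(n, out[i].rva, out[i].size)) return -4;
    }
    return (int)count;
}

/* Constructed 0x68-byte sample: header, two directory entries, two ranges. */
size_t build_sample(uint8_t *b, size_t cap) {
    if (cap < 0x68) return 0;
    memset(b, 0, 0x68);
    wr32(b + 0, MDMP_SIGNATURE);
    wr32(b + 8, 2);              /* NumberOfStreams */
    wr32(b + 12, 0x20);          /* StreamDirectoryRva */
    /* entry 0 at 0x20 stays zero: UnusedStream, size 0, RVA 0 */
    wr32(b + 0x2c, MEMORY_LIST_STREAM);
    wr32(b + 0x30, 0x24);        /* DataSize = 4 + 2 * 16 */
    wr32(b + 0x34, 0x38);        /* Rva of the MINIDUMP_MEMORY_LIST */
    wr32(b + 0x38, 2);           /* NumberOfMemoryRanges */
    wr32(b + 0x3c, 0x0007df4c);  /* range 0: StartOfMemoryRange (low dword) */
    wr32(b + 0x44, 8);           /* range 0: DataSize */
    wr32(b + 0x48, 0x5c);        /* range 0: Rva */
    wr32(b + 0x4c, 0x7c90e494);  /* range 1: StartOfMemoryRange (low dword) */
    wr32(b + 0x54, 4);           /* range 1: DataSize */
    wr32(b + 0x58, 0x64);        /* range 1: Rva */
    return 0x68;
}

int main(void) {
    uint8_t buf[0x68];
    mem_range r[8];
    size_t n = build_sample(buf, sizeof buf);
    int count = read_memory_list(buf, n, r, 8);
    printf("ranges: %d\n", count);
    for (int i = 0; i < count; i++)
        printf("%d %08x %08llx %08x\n", i, (unsigned)r[i].rva,
               (unsigned long long)r[i].start, (unsigned)r[i].size);
    buf[0x38] = 9; /* count now claims more descriptors than the stream holds */
    printf("after corrupting the count: %d\n", read_memory_list(buf, n, r, 8));
    return 0;
}
```
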
ok std::string is available it seems

to use std::string

add

USE_STL =1
and
USE_NATIVE_EH =1

to the sources file

add

#include <string> no .h at end only string
using namespace std;

to the actual .cpp file where you use std::string

this seems to compile link and run

string MiniDumpTypeNameBuff;

const char * MiniDumpTypeName (ULONG64 Flags)

{

struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;

int i = 0;

int mask = 0;

while ( mask < MiniDumpValidTypeFlags )

{
if (Flags == MiniDumpNormal)
{
return "MiniDumpNormal";
}

if( (mask) && ((Flags & mask ) == mask ) )

{

if(mlk->Value == mask)

{

MiniDumpTypeNameBuff.append (
"\n "
);
MiniDumpTypeNameBuff.append (
mlk->Str
);
}

}

mask = 1<<i;
i++;

mlk++;

}

return MiniDumpTypeNameBuff.data();

}

MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC + 5:30)
MINIDUMP_HEADER Flags = 21
MiniDumpWithDataSegs
MiniDumpWithUnloadedModules
Stream# StreamType StreamName Size RVA
0 00000003 ThreadListStream 000000c4 00000160

On 5/6/12, xxxxx@flounder.com wrote:
> CString is probably not available for wdk builds, but std::string is part
> of the C++ Standard.
>
> But if you use std::string you have to include the correct header files,
> and remember to either specify the namespace as a default or always
> prepend std:: to names that are part of that namespace.
>
> joe
>
>
>> thanks Dr Newcomer,
>>
>> for the comments i am not aware if i can use those
>> Cstring and std::string constructs in wdk build environment
>>
>> i tried using them some time back and all i got was lots and lots of
>> compile errors
>>
>> starting with cannot find <string> note not <string.h> plain
>>
>>
>>
>>
>> On 5/6/12, xxxxx@flounder.com wrote:
>>> char * sep = "";
>>>
>>> #define ShowBit(something, x) if ((something) & (x)) { printf("%s", sep); printf(#x); sep = " | "; }
>>>
>>> if(value == MiniDumpNormal)
>>> printf("MiniDumpNormal");
>>> else
>>> {
>>> ShowBit(value, MiniDumpWithSegs);
>>> ShowBit(value, MiniDumpSomeOtherKind);
>>> ShowBit(value, MiniDumpYetOnOtherType);
>>> }
>>>
>>> Note this does require you special-case the “0” type.
>>> joe
>>>
>>>> Thanks Dr Newcomer,
>>>>
>>>> for posting the #defines
>>>> PMDST(something, x) if((something) == (x)) printf(#x)
>>>>
>>>> switch(something)
>>>> {
>>>> #define MDSTcase(x) case x: printf(#x); break
>>>> MDSTcase(UnusedStream);
>>>> ----
>>>> #undef MDSTcase
>>>> }
>>>>
>>>> i at the moment used what tim posted in one of the earlier posts
>>>>
>>>> now on to next question
>>>>
>>>> typedef enum _MINIDUMP_TYPE {
>>>> MiniDumpNormal = 0x00000000,
>>>> MiniDumpWithDataSegs = 0x00000001,
>>>>
>>>> -------
>>>> MiniDumpWithUnloadedModules = 0x00000020,
>>>> ----
>>>> }MINIDUMP_TYPE;
>>>>
>>>>
>>>> now if i have a flag of 21
>>>>
>>>> i should be printing all the three strings isnt it ??
>>>>
>>>> int mask = 0
>>>> if ( (Flags & mask) == mask)
>>>> {
>>>>
>>>> dont know why Dumpchk omits the flag 0 MiniDumpNormal i can start
>>>> with
>>>>
>>>> int mask = 1; to get the same behavior but i dont think that would
>>>> print the MiniDumpNormal String ever
>>>>
>>>> here is a sample snippet i glued together to parse the Flags and print
>>>> out the MiniDumptypes
>>>>
>>>>
>>>>
>>>> struct MiniDumpTypeLookup {
>>>>
>>>> int Value;
>>>>
>>>> PSTR Str;
>>>>
>>>> } MiniDumpTypeLookupTable[] = {
>>>>
>>>> MAKE_LOOKUP( MiniDumpNormal ),
>>>>
>>>> MAKE_LOOKUP( MiniDumpWithDataSegs ),
>>>>
>>>> -------
>>>>
>>>> MAKE_LOOKUP( MiniDumpValidTypeFlags ),
>>>>
>>>> { 0 , NULL }
>>>>
>>>> };
>>>>
>>>> char MiniDumpTypeNameBuff[0x1000] = {0};
>>>
>>> As soon as you declare a character array of a fixed size, you have
>>> already
>>> lost. This should never be written, anywhere. It is dead, obsolete, C
>>> code. Use std::string or CString data types instead. I would no more
>>> do
>>> this than write in assembly code.
>>>
>>> And why is this declared as a static variable global to the function
>>> instead of as a stack local? It isn’t thread-safe, and it represents an
>>> antiquated programming pattern that is best dead and buried
>>>
*
>>>>
>>>> PCHAR MiniDumpTypeName (ULONG64 Flags)
>>>>
>>>> {
>>>>
>>>> struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;
>>>>
>>>> int i = 0;
>>>>
>>>> int mask = 0;
>>>>
>>>> while ( mask < 0x7ffff )
>>>
>>> Wrong test. I have no idea what this is testing, but it would never
>>> occur
>>> to me to write this code
>>>

>>>>
>>>> {
>>>>
>>>> if( (Flags & mask ) == mask )
>>>>
>>>> {
>>>>
>>>> if(mlk->Value == mask)
>>>>
>>>> {
>>>>
>>>> strncat_s(
>>>>
>>>> MiniDumpTypeNameBuff,
>>>>
>>>> sizeof(MiniDumpTypeNameBuff),
>>>
>>> Note that you have made a consistent error in all the programs, which I
>>> did not attempt to correct: that the program always and forever uses
>>> 8-bit
>>> character strings. You should either assume Unicode or code
>>> Unicode-aware, using T-data types, _T() for literals, etc. Note that I
>>> prefer, when doing bit masks, to use the vertical bar (with spaces
>>> around
>>> it) as the separator, which is more in keeping with how a programmer
>>> thinks of the bit fields.
>>>***
>>>>
>>>> "\n ",
>>>>
>>>> _TRUNCATE
>>>>
>>>> );
>>>>
>>>> strncat_s(
>>>>
>>>> MiniDumpTypeNameBuff,
>>>>
>>>> sizeof(MiniDumpTypeNameBuff),
>>>>
>>>> mlk->Str,
>>>>
>>>> _TRUNCATE
>>>>
>>>> );
>>>>
>>>> }
>>>>
>>>> }
>>>>
>>>> mask = 1<<i;
>>>>
>>>> i++;
>>>>
>>>> mlk++;
>>>>
>>>> }
>>>>
>>>> return MiniDumpTypeNameBuff;
>>>
>>> This makes no sense; you are returning a pointer to a buffer which is
>>> statically allocated. Bad practice, not thread-safe, potentially a
>>> disaster.
>>>
>>> Again, avoid C data types and use std::string or CString types.
>>> Programming applications in C is about as antiquated as programming
>>> applications in assembly code.
>>>

>>>>
>>>> }
>>>>
>>>> i get an output like this
>>>>
>>>> MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC +
>>>> 5:30)
>>>> MINIDUMP_HEADER Flags = 21
>>>> MiniDumpNormal
>>>> MiniDumpWithDataSegs
>>>>
>>>> MiniDumpWithUnloadedModules
>>>
>>> No surprise, because you have to special-case the 0 flag value. Look at
>>> your code:
>>>
>>> if((Flags & 0) == 0)
>>>
>>> which is going to be always true. If you want to make a fully-general
>>> subroutine, you can impose rules like “the first entry in the table
>>> might
>>> be a zero value, special-case the first entry” or even more general, if
>>> the value Flags is 0, scan the table for the 0 value, print it and
>>> return,
>>> else iterate the bit mask as you have done.
>>>

>>>>
>>>> whereas dumpchk prints out
>>>>
>>>> Debug session time: Tue Mar 27 01:22:16.000 2012 (UTC + 5:30)
>>>> System Uptime: not available
>>>> Process Uptime: not available
>>>> …
>>>> Loading unloaded module list
>>>> …
>>>> This dump file has an exception of interest stored in it.
>>>> The stored exception information can be accessed via .ecxr.
>>>> (f0f0f0f0.9e8): Access violation - code c0000005 (first/second chance
>>>> not
>>>> availa
>>>> ble)
>>>> ----- User Mini Dump Analysis
>>>>
>>>> MINIDUMP_HEADER:
>>>> Version A793 (6003)
>>>> NumberOfStreams 8
>>>> Flags 21
>>>> 0001 MiniDumpWithDataSegs
>>>> 0020 MiniDumpWithUnloadedModules
>>>>
>>>>
>>>
>>> That’s because they properly handle the 0 case.
>>> joe
>>>

>>>>
>>>>
>>>>
>>>> On 5/6/12, xxxxx@flounder.com wrote:
>>>>> No, the question isn’t stupid, it just reflects one of the major
>>>>> defects
>>>>> of the C language: the lack of reflection.
>>>>>
>>>>> The correct way to handle this is definitely NOT
>>>>>
>>>>> if(something == 3) printf("ThreadListStream");
>>>>>
>>>>> it would be correct, but tedious, to handle every case correctly, by
>>>>> typing
>>>>>
>>>>> if(something == ThreadListStream) printf("ThreadListStream")
>>>>>
>>>>> I fail to see any purpose in using the constant “3” when there is a
>>>>> perfectly good name!
>>>>>
>>>>> However, I have used a couple techniques
>>>>>
>>>>> #define PMDST(something, x) if((something) == (x)) printf(#x)
>>>>>
>>>>> then you can write
>>>>>
>>>>> PMDST(something, UnusedStream);
>>>>> else
>>>>> PMDST(something, ThreadListStream);
>>>>> else
>>>>> …
>>>>> else
>>>>> printf("Unknown stream type %d", something);
>>>>>
>>>>> or, I’ll sometimes do
>>>>>
>>>>> switch(something)
>>>>> {
>>>>> #define MDSTcase(x) case x: printf(#x); break
>>>>> MDSTcase(UnusedStream);
>>>>> MDSTcase(ThreadListStream);
>>>>> …
>>>>> default:
>>>>> printf("Unknown stream type %d", something);
>>>>> break;
>>>>> #undef MDSTcase
>>>>> }
>>>>>
>>>>> It depends on my mood which one I might use.
>>>>> joe
>>>>>> THIS must be a STUPID c 101 QUESTION
>>>>>> still i will ask it
>>>>>>
>>>>>> dbghelp.h has this declared
>>>>>>
>>>>>> typedef enum _MINIDUMP_STREAM_TYPE {
>>>>>>
>>>>>> UnusedStream = 0,
>>>>>> ReservedStream0 = 1,
>>>>>> ReservedStream1 = 2,
>>>>>> ThreadListStream = 3,
>>>>>> ModuleListStream = 4, … s ON }
>>>>>>
>>>>>> now if i want to printf
>>>>>>
>>>>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff; MiniDir->StreamType,
>>>>>>
>>>>>> say if 3 printf (“ThreadListStream”);
>>>>>>
>>>>>> should i be doing it like this ?? error prone copy paste modify by
>>>>>> hand of the enum from dbghelp.h ?? like below
>>>>>>
>>>>>>
>>>>>> PSTR
>>>>>>
>>>>>> __cdecl
>>>>>>
>>>>>> MiniStreamTypeName (
>>>>>> int StreamType
>>>>>> )
>>>>>> {
>>>>>> PSTR Ministr[] = {
>>>>>>
>>>>>> "UnusedStream",
>>>>>> "ReservedStream0",
>>>>>> "ReservedStream1",
>>>>>> "ThreadListStream",
>>>>>> "ModuleListStream",
>>>>>> …
>>>>>> …
>>>>>> …
>>>>>>
>>>>>> };
>>>>>> return Ministr[StreamType];
>>>>>> }
>>>>>>
>>>>>>
>>>>>> and call it with say
>>>>>>
>>>>>> printf(
>>>>>> "%7d %08x\x20\x20\x20\x20 %-30s %08x %08x\n",
>>>>>> i,
>>>>>> MiniDir->StreamType,
>>>>>> MiniStreamTypeName(MiniDir->StreamType),
>>>>>> MiniDir->Location.DataSize,
>>>>>> MiniDir->Location.Rva
>>>>>> );
>>>>>>
>>>>>> this seems to work though i feel this must really not be the way to
>>>>>> go
>>>>>> about
>>>>>>
>>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>>
>>>>>> Minidump Header Signature = 504d444d
>>>>>> MINIDUMP_VERSION = 0000a793
>>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>>> Stream# StreamType StreamName Size RVA
>>>>>> 0 00000003 ThreadListStream 000000c4 00000160
>>>>>> 1 00000004 ModuleListStream 00001a2c 00000224
>>>>>> 2 0000000e UnloadedModuleListStream 00000114 00001c50
>>>>>> 3 00000005 MemoryListStream 00000094 000048c4
>>>>>> 4 00000006 ExceptionStream 000000a8 000000b8
>>>>>> 5 00000007 SystemInfoStream 00000038 00000080
>>>>>> 6 00000000 UnusedStream 00000000 00000000
>>>>>> 7 00000000 UnusedStream 00000000 00000000
>>>>>> Dump Header Dumped
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/3/12, raj_r wrote:
>>>>>>> thanks jen for answering fast
>>>>>>> it seems i am able to get the directories and rvas with code below
>>>>>>>
>>>>>>> ftell(fp);
>>>>>>>
>>>>>>> ULONG NumberOfStreams = MiniHeader->NumberOfStreams;
>>>>>>>
>>>>>>> for (ULONG i = 0; i<NumberOfStreams; i++)
>>>>>>> {
>>>>>>> fread(
>>>>>>> Buff,
>>>>>>> 1,
>>>>>>> sizeof(MINIDUMP_DIRECTORY),
>>>>>>> fp
>>>>>>> );
>>>>>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff;
>>>>>>> printf(
>>>>>>> "StreamType\t%08x\tSize\t%08x\tRva\t%08x\n",
>>>>>>> MiniDir->StreamType,
>>>>>>> MiniDir->Location.DataSize,
>>>>>>> MiniDir->Location.Rva
>>>>>>> );
>>>>>>> ftell(fp);
>>>>>>> }
>>>>>>>
>>>>>>> StreamType 00000003 Size 000000c4 Rva
>>>>>>> 00000160
>>>>>>> StreamType 00000004 Size 00001a2c Rva
>>>>>>> 00000224
>>>>>>> StreamType 0000000e Size 00000114 Rva
>>>>>>> 00001c50
>>>>>>> StreamType 00000005 Size 00000094 Rva
>>>>>>> 000048c4
>>>>>>> StreamType 00000006 Size 000000a8 Rva
>>>>>>> 000000b8
>>>>>>> StreamType 00000007 Size 00000038 Rva
>>>>>>> 00000080
>>>>>>> StreamType 00000000 Size 00000000 Rva
>>>>>>> 00000000
>>>>>>> StreamType 00000000 Size 00000000 Rva
>>>>>>> 00000000
>>>>>>> Dump Header Dumped
>>>>>>>
>>>>>>>
>>>>>>> t>Dumpchk test.dmp | grep -i stream
>>>>>>> Loading dump file test.dmp
>>>>>>> NumberOfStreams 8
>>>>>>> Streams:
>>>>>>> Stream 0: type ThreadListStream (3), size 000000C4, RVA 00000160
>>>>>>> Stream 1: type ModuleListStream (4), size 00001A2C, RVA 00000224
>>>>>>> Stream 2: type UnloadedModuleListStream (14), size 00000114, RVA
>>>>>>> 00001C50
>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>> Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000B8
>>>>>>> Stream 5: type SystemInfoStream (7), size 00000038, RVA 00000080
>>>>>>> Stream 6: type UnusedStream (0), size 00000000, RVA 00000000
>>>>>>> Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
>>>>>>>
>>>>>>>
>>>>>>> so all left is to parse and the remaining bytes
>>>>>>>
>>>>>>>
>>>>>>> On 5/3/12, Jen-Lung Chiu wrote:
>>>>>>>> Yes no API support to get those data from dump headers.
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: xxxxx@lists.osr.com
>>>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>>>> Sent: Wednesday, May 2, 2012 01:37 PM
>>>>>>>> To: Kernel Debugging Interest List
>>>>>>>> Subject: Re: [windbg] Error when reading user stream from dump file
>>>>>>>>
>>>>>>>> Thanks jen
>>>>>>>>
>>>>>>>> So I Need To do Something Like below Myself no request or interface
>>>>>>>> exist
>>>>>>>> ??
>>>>>>>>
>>>>>>>>
>>>>>>>> int __cdecl DumpDumpHeader(void) {
>>>>>>>>
>>>>>>>> HRESULT status = S_OK;
>>>>>>>>
>>>>>>>> PMINIDUMP_HEADER MiniHeader;
>>>>>>>>
>>>>>>>> FILE * fp;
>>>>>>>>
>>>>>>>> size_t result;
>>>>>>>>
>>>>>>>> if (( fp = fopen(
>>>>>>>>
>>>>>>>> "test.dmp",
>>>>>>>>
>>>>>>>> "rb"
>>>>>>>>
>>>>>>>> ) ) == 0 ) {
>>>>>>>>
>>>>>>>> Exit (
>>>>>>>>
>>>>>>>> FALSE,
>>>>>>>>
>>>>>>>> "fopen ( %s ) Failed",
>>>>>>>>
>>>>>>>> "test.dmp"
>>>>>>>>
>>>>>>>> );
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> if (( result = fread(
>>>>>>>>
>>>>>>>> Buff,
>>>>>>>>
>>>>>>>> 1,
>>>>>>>>
>>>>>>>> sizeof(MINIDUMP_HEADER),
>>>>>>>>
>>>>>>>> fp
>>>>>>>>
>>>>>>>> ) ) != sizeof(MINIDUMP_HEADER)) {
>>>>>>>>
>>>>>>>> Exit(
>>>>>>>>
>>>>>>>> FALSE,
>>>>>>>>
>>>>>>>> "fread(fp) failed\n"
>>>>>>>>
>>>>>>>> );
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> MiniHeader = (PMINIDUMP_HEADER)Buff;
>>>>>>>>
>>>>>>>> printf(
>>>>>>>>
>>>>>>>> "Minidump Header Signature = %08x\n"
>>>>>>>>
>>>>>>>> "MINIDUMP_VERSION = %08x\n"
>>>>>>>>
>>>>>>>> "MINIDUMP_VERSION(Internal) = %08x\n"
>>>>>>>>
>>>>>>>> "MINIDUMP_HEADER NumberofStreams = %08x\n"
>>>>>>>>
>>>>>>>> "MINIDUMP_HEADER StreamDirectoryRVA = %08x\n"
>>>>>>>>
>>>>>>>> "MINIDUMP_HEADER CheckSum = %08x\n"
>>>>>>>>
>>>>>>>> "MINIDUMP_HEADER reserved = %08x\n"
>>>>>>>>
>>>>>>>> "MINIDUMP_HEADER TimeDateStamp = %08x\n"
>>>>>>>>
>>>>>>>> "MINIDUMP_HEADER Flags = %08x\n",
>>>>>>>>
>>>>>>>> MiniHeader->Signature,
>>>>>>>>
>>>>>>>> LOWORD(MiniHeader->Version),
>>>>>>>>
>>>>>>>> HIWORD(MiniHeader->Version),
>>>>>>>>
>>>>>>>> MiniHeader->NumberOfStreams,
>>>>>>>>
>>>>>>>> MiniHeader->StreamDirectoryRva,
>>>>>>>>
>>>>>>>> MiniHeader->CheckSum,
>>>>>>>>
>>>>>>>> MiniHeader->Reserved,
>>>>>>>>
>>>>>>>> MiniHeader->TimeDateStamp,
>>>>>>>>
>>>>>>>> MiniHeader->Flags
>>>>>>>>
>>>>>>>> );
>>>>>>>>
>>>>>>>> fclose(fp);
>>>>>>>>
>>>>>>>> return status;
>>>>>>>>
>>>>>>>> }
>>>>>>>>
>>>>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>>>>
>>>>>>>> Minidump Header Signature = 504d444d
>>>>>>>> MINIDUMP_VERSION = 0000a793
>>>>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>>>>> Dump Header Dumped
>>>>>>>>
>>>>>>>>
>>>>>>>> ----- User Mini Dump Analysis
>>>>>>>>
>>>>>>>> MINIDUMP_HEADER:
>>>>>>>> Version A793 (6003)
>>>>>>>> NumberOfStreams 8
>>>>>>>> Flags 21
>>>>>>>> 0001 MiniDumpWithDataSegs
>>>>>>>> 0020 MiniDumpWithUnloadedModules
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 5/2/12, Jen-Lung Chiu wrote:
>>>>>>>>> You could check MSDN or dbghelp.h for user-mode minidump format,
>>>>>>>>> then
>>>>>>>>> use binary editor to browse the dump file.
>>>>>>>>>
>>>>>>>>> The user-mode minidump starts with a MINIDUMP_HEADER structure,
>>>>>>>>> then
>>>>>>>>> follows a list of MINIDUMP_DIRECTORY structure (the number of
>>>>>>>>> MINIDUMP_DIRECTORY structures is
>>>>>>>>> MINIDUMP_HEADER::NumberOfStreams).
>>>>>>>>> The MINIDUMP_DIRECTORY block defines the type of the stream (in
>>>>>>>>> your
>>>>>>>>> case, MemoryListStream) as well as the RVA/size of the stream.
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: xxxxx@lists.osr.com
>>>>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>>>>> Sent: Wednesday, May 2, 2012 02:42 AM
>>>>>>>>> To: Kernel Debugging Interest List
>>>>>>>>> Subject: Re: [windbg] Error when reading user stream from dump
>>>>>>>>> file
>>>>>>>>>
>>>>>>>>> ok changing the ULONG64 of Debughelp.chm to DWORD of Debughelp.h
>>>>>>>>> it
>>>>>>>>> seems now i can dump the MemoryListStream below is code and output
>>>>>>>>> Dissections are Welcome
>>>>>>>>>
>>>>>>>>> #include <stdio.h>
>>>>>>>>>
>>>>>>>>> #include <engextcpp.hpp>
>>>>>>>>>
>>>>>>>>> #include <dbghelp.h>
>>>>>>>>>
>>>>>>>>> const ULONG MBUFFSIZE = 0x1000;
>>>>>>>>>
>>>>>>>>> IDebugClient* g_Client;
>>>>>>>>>
>>>>>>>>> IDebugControl* g_Control;
>>>>>>>>>
>>>>>>>>> IDebugAdvanced2* g_Advanced2;
>>>>>>>>>
>>>>>>>>> PVOID Buff;
>>>>>>>>>
>>>>>>>>> void
>>>>>>>>>
>>>>>>>>> Exit( __in int Code,
>>>>>>>>>
>>>>>>>>> __in PCSTR Format,
>>>>>>>>>
>>>>>>>>> ...)
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>>
>>>>>>>>> if (g_Client != NULL) {
>>>>>>>>>
>>>>>>>>> g_Client->EndSession(DEBUG_END_DISCONNECT);
>>>>>>>>>
>>>>>>>>> g_Client->Release();
>>>>>>>>>
>>>>>>>>> g_Client = NULL;
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> if (g_Control != NULL) {
>>>>>>>>>
>>>>>>>>> g_Control->Release();
>>>>>>>>>
>>>>>>>>> g_Control = NULL;
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> if (g_Advanced2 !=NULL) {
>>>>>>>>>
>>>>>>>>> g_Advanced2->Release();
>>>>>>>>>
>>>>>>>>> g_Advanced2 = NULL;
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> if( Buff != NULL) {
>>>>>>>>>
>>>>>>>>> free(Buff);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> if (Format != NULL) {
>>>>>>>>>
>>>>>>>>> va_list Args;
>>>>>>>>>
>>>>>>>>> va_start(Args, Format);
>>>>>>>>>
>>>>>>>>> vfprintf(stderr, Format, Args);
>>>>>>>>>
>>>>>>>>> va_end(Args);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> exit(Code);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> int __cdecl DumpMemoryListStream(void){
>>>>>>>>>
>>>>>>>>> HRESULT status;
>>>>>>>>>
>>>>>>>>> if ( ( status = DebugCreate(
>>>>>>>>>
>>>>>>>>> __uuidof(IDebugClient),
>>>>>>>>>
>>>>>>>>> (void **)&g_Client
>>>>>>>>>
>>>>>>>>> ) ) !=S_OK) {
>>>>>>>>>
>>>>>>>>> Exit(
>>>>>>>>>
>>>>>>>>> FALSE,
>>>>>>>>>
>>>>>>>>> "%s ( %s ) Failed %08x\n",
>>>>>>>>>
>>>>>>>>> "DebugCreate",
>>>>>>>>>
>>>>>>>>> "IDebugClient",
>>>>>>>>>
>>>>>>>>> status);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>>>>>
>>>>>>>>> __uuidof(IDebugControl),
>>>>>>>>>
>>>>>>>>> (void**)&g_Control
>>>>>>>>>
>>>>>>>>> ) ) != S_OK ) {
>>>>>>>>>
>>>>>>>>> Exit(
>>>>>>>>>
>>>>>>>>> FALSE,
>>>>>>>>>
>>>>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>>>>
>>>>>>>>> “QueryInterface”,
>>>>>>>>>
>>>>>>>>> “IDebugControl”,
>>>>>>>>>
>>>>>>>>> status);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>>>>>
>>>>>>>>>__uuidof(IDebugAdvanced2),
>>>>>>>>>
>>>>>>>>> (void**)&g_Advanced2
>>>>>>>>>
>>>>>>>>> )) != S_OK ) {
>>>>>>>>>
>>>>>>>>> Exit(
>>>>>>>>>
>>>>>>>>> FALSE,
>>>>>>>>>
>>>>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>>>>
>>>>>>>>> “QueryInterface”,
>>>>>>>>>
>>>>>>>>> “IDebugAdvanced2”,
>>>>>>>>>
>>>>>>>>> status);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> if (( status = g_Client->OpenDumpFile(
>>>>>>>>>
>>>>>>>>> “test.dmp”
>>>>>>>>>
>>>>>>>>> )) != S_OK ) {
>>>>>>>>>
>>>>>>>>> Exit(
>>>>>>>>>
>>>>>>>>> FALSE,
>>>>>>>>>
>>>>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>>>>
>>>>>>>>> “g_Client”,
>>>>>>>>>
>>>>>>>>> “OpenDumpFile”,
>>>>>>>>>
>>>>>>>>> status);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> if (( status = g_Control->WaitForEvent(
>>>>>>>>>
>>>>>>>>> 0,
>>>>>>>>>
>>>>>>>>> INFINITE
>>>>>>>>>
>>>>>>>>> ) ) != S_OK ) {
>>>>>>>>>
>>>>>>>>> Exit(
>>>>>>>>>
>>>>>>>>> FALSE,
>>>>>>>>>
>>>>>>>>> “%s ( %s ) Failed %08x\n”,
>>>>>>>>>
>>>>>>>>> “g_Control”,
>>>>>>>>>
>>>>>>>>> “WaitForEvent”,
>>>>>>>>>
>>>>>>>>> status);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> PVOID OutBuffer;
>>>>>>>>>
>>>>>>>>> ULONG OutBufferSize;
>>>>>>>>>
>>>>>>>>> ULONG OutSize;
>>>>>>>>>
>>>>>>>>> PMINIDUMP_MEMORY_LIST mml;
>>>>>>>>>
>>>>>>>>> DEBUG_READ_USER_MINIDUMP_STREAM InBuffer;
>>>>>>>>>
>>>>>>>>> InBuffer.StreamType = MemoryListStream;
>>>>>>>>>
>>>>>>>>> InBuffer.Flags = 0;
>>>>>>>>>
>>>>>>>>> InBuffer.Offset = 0;
>>>>>>>>>
>>>>>>>>> InBuffer.Buffer = Buff;
>>>>>>>>>
>>>>>>>>> InBuffer.BufferSize = MBUFFSIZE;
>>>>>>>>>
>>>>>>>>> InBuffer.BufferUsed = 0;
>>>>>>>>>
>>>>>>>>> OutBuffer = NULL;
>>>>>>>>>
>>>>>>>>> OutBufferSize = NULL;
>>>>>>>>>
>>>>>>>>> if (( status = g_Advanced2->Request(
>>>>>>>>>
>>>>>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>>>>>
>>>>>>>>> &InBuffer,
>>>>>>>>>
>>>>>>>>> sizeof(InBuffer),
>>>>>>>>>
>>>>>>>>> OutBuffer,
>>>>>>>>>
>>>>>>>>> OutBufferSize,
>>>>>>>>>
>>>>>>>>> &OutSize
>>>>>>>>>
>>>>>>>>> ) ) != S_OK ) {
>>>>>>>>>
>>>>>>>>> Exit(
>>>>>>>>>
>>>>>>>>> FALSE,
>>>>>>>>>
>>>>>>>>> “%s (\n”
>>>>>>>>>
>>>>>>>>> “\t%s,\n”
>>>>>>>>>
>>>>>>>>> “\t%s\n\t) Failed %08x\n”,
>>>>>>>>>
>>>>>>>>> “g_Advanced2->Request”,
>>>>>>>>>
>>>>>>>>> “DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM”,
>>>>>>>>>
>>>>>>>>> “MemoryListStream”,
>>>>>>>>>
>>>>>>>>> status);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> mml = (PMINIDUMP_MEMORY_LIST)Buff;
>>>>>>>>>
>>>>>>>>> printf (
>>>>>>>>>
>>>>>>>>> " Number Of Memory ranges = %x\n\n”
>>>>>>>>>
>>>>>>>>> " range# RVA Address Size\n",
>>>>>>>>>
>>>>>>>>> mml->NumberOfMemoryRanges
>>>>>>>>>
>>>>>>>>> );
>>>>>>>>>
>>>>>>>>> for (ULONG i = 0; iNumberOfMemoryRanges;i++) {
>>>>>>>>>
>>>>>>>>> printf(
>>>>>>>>>
>>>>>>>>> " %d %08x %08I64x %08x\n",
>>>>>>>>>
>>>>>>>>> i,
>>>>>>>>>
>>>>>>>>> mml->MemoryRanges[i].Memory.Rva,
>>>>>>>>>
>>>>>>>>> mml->MemoryRanges[i].StartOfMemoryRange,
>>>>>>>>>
>>>>>>>>> mml->MemoryRanges[i].Memory.DataSize
>>>>>>>>>
>>>>>>>>> );
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> Exit(
>>>>>>>>>
>>>>>>>>> TRUE,
>>>>>>>>>
>>>>>>>>> “%s (\n”
>>>>>>>>>
>>>>>>>>> “\t%s,\n”
>>>>>>>>>
>>>>>>>>> “\t%s\n\t) Succeeded %08x\n”,
>>>>>>>>>
>>>>>>>>> “g_Advanced2->Request”,
>>>>>>>>>
>>>>>>>>> “DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM”,
>>>>>>>>>
>>>>>>>>> “MemoryListStream”,
>>>>>>>>>
>>>>>>>>> status);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> int __cdecl main (void){
>>>>>>>>>
>>>>>>>>> Buff = (PVOID) malloc( MBUFFSIZE );
>>>>>>>>>
>>>>>>>>> if(Buff == 0) {
>>>>>>>>>
>>>>>>>>> printf(
>>>>>>>>>
>>>>>>>>> “malloc failed\n”
>>>>>>>>>
>>>>>>>>> );
>>>>>>>>>
>>>>>>>>> Exit ( FALSE,“malloc Failed \n”);
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> printf(“\n\n -====Dumping MemoryListStream From Memory
>>>>>>>>> Dump====-\n\n”);
>>>>>>>>>
>>>>>>>>> DumpMemoryListStream();
>>>>>>>>>
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> t>OpenDumpStream.exe
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -====Dumping MemoryListStream From Memory Dump====-
>>>>>>>>>
>>>>>>>>> Number Of Memory ranges = 9
>>>>>>>>>
>>>>>>>>> range# RVA Address Size
>>>>>>>>> 0 00004958 0007df4c 000020b4
>>>>>>>>> 1 00006a0c 7c90e494 00000100
>>>>>>>>> 2 00006b0c 00ccff98 00000068
>>>>>>>>> 3 00006b74 7c90e494 00000100
>>>>>>>>> 4 00006c74 00f1bcac 00004354
>>>>>>>>> 5 0000afc8 7c90e494 00000100
>>>>>>>>> 6 0000b0c8 009cfe14 000001ec
>>>>>>>>> 7 0000b2b4 7c90e494 00000100
>>>>>>>>> 8 0000b3b4 00447000 000165a8
>>>>>>>>> g_Advanced2->Request (
>>>>>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>>>>> MemoryListStream
>>>>>>>>> ) Succeeded 00000000
>>>>>>>>>
>>>>>>>>> same dmp checked via dumpchk util
>>>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>>>> 9 memory ranges
>>>>>>>>> range# RVA Address Size
>>>>>>>>> 0 00004958 0007df4c 000020b4
>>>>>>>>> 1 00006A0C 7c90e494 00000100
>>>>>>>>> 2 00006B0C 00ccff98 00000068
>>>>>>>>> 3 00006B74 7c90e494 00000100
>>>>>>>>> 4 00006C74 00f1bcac 00004354
>>>>>>>>> 5 0000AFC8 7c90e494 00000100
>>>>>>>>> 6 0000B0C8 009cfe14 000001ec
>>>>>>>>> 7 0000B2B4 7c90e494 00000100
>>>>>>>>> 8 0000B3B4 00447000 000165a8
>>>>>>>>> Total memory: 1d004
>>>>>>>>>
>>>>>>>>> one question remains
>>>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>>>> i can get the 94 from outsize 1d004 from adding up all sizes what
>>>>>>>>> should i use to get the rva 48c4 ?
>>>>>>>>>
>>>>>>>>> On 5/2/12, raj_r wrote:
>>>>>>>>>> note to self
>>>>>>>>>> when in doubt refer header file do not refer chm or web or random
>>>>>>>>>> tidbits in obscure corners of internet
>>>>>>>>>>
>>>>>>>>>> this seem to be a documentation glitch in debugger.chm
>>>>>>>>>>
>>>>>>>>>> in debughelp.h it is dword
>>>>>>>>>>
>>>>>>>>>> typedef DWORD RVA;
>>>>>>>>>> typedef ULONG64 RVA64;
>>>>>>>>>>
>>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>>>>>>> ULONG32 DataSize;
>>>>>>>>>> RVA Rva;
>>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>>>>>>
>>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
>>>>>>>>>> ULONG64 DataSize;
>>>>>>>>>> RVA64 Rva;
>>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR64;
>>>>>>>>>>
>>>>>>>>>> On 5/2/12, raj_r wrote:
>>>>>>>>>>> Thanks Tim
>>>>>>>>>>>
>>>>>>>>>>> you wrote
>>>>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR has
>>>>>>>>>>> 32-bit size and 32-bit RVA,
>>>>>>>>>>>
>>>>>>>>>>> the debughelp.chm has this
>>>>>>>>>>>
>>>>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR Structure
>>>>>>>>>>>
>>>>>>>>>>> Contains information describing the location of a data stream
>>>>>>>>>>> within a minidump file.
>>>>>>>>>>>
>>>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>>>>>>>>     ULONG64 DataSize;
>>>>>>>>>>>     RVA64 Rva;
>>>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>>>>>>>
>>>>>>>>>>> Members
>>>>>>>>>>>
>>>>>>>>>>> DataSize
>>>>>>>>>>> The size of the data stream, in bytes.
>>>>>>>>>>>
>>>>>>>>>>> Rva
>>>>>>>>>>> The relative virtual address (RVA) of the data. This is the byte
>>>>>>>>>>> offset of the data stream from the beginning of the minidump file.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 5/2/12, Tim Roberts wrote:
>>>>>>>>>>>> raj_r wrote:
>>>>>>>>>>>>> not exactly related to ops question but it is regarding request
>>>>>>>>>>>>> of streamtype MemoryListStream …
>>>>>>>>>>>>> 00681438 00000009 0007df4c 00000000 000020b4
>>>>>>>>>>>>> 00681448 00004958 7c90e494 00000000 00000100
>>>>>>>>>>>>> 00681458 baadf00d baadf00d baadf00d baadf00d
>>>>>>>>>>>>>
>>>>>>>>>>>>> i understand the first dword 9 is NumberofMemoryRanges
>>>>>>>>>>>>>
>>>>>>>>>>>>> does the second QWORD7df4c point to
>>>>>>>>>>>>> MemoryRanges[0].StartofMemoryRange ??
>>>>>>>>>>>>> and subsequent dwords point to …Datasize and … RVA ??
>>>>>>>>>>>>
>>>>>>>>>>>> They don’t POINT to those things. They CONTAIN those things. The
>>>>>>>>>>>> MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges,
>>>>>>>>>>>> followed by an array of MINIDUMP_MEMORY_DESCRIPTOR. The
>>>>>>>>>>>> MINIDUMP_MEMORY_DESCRIPTOR has a 64-bit start of range, followed
>>>>>>>>>>>> by a MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>>>> has 32-bit size and 32-bit RVA,
>>>>>>>>>>>>
>>>>>>>>>>>>> these seem to described as ULONG 64 in dbghelp.chm but windbg
>>>>>>>>>>>>> doesnt seem to honor it
>>>>>>>>>>>>>
>>>>>>>>>>>>> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
>>>>>>>>>>>>> +0x000 NumberOfMemoryRanges : 9
>>>>>>>>>>>>> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
>>>>>>>>>>>>> +0x000 StartOfMemoryRange : 0x7df4c
>>>>>>>>>>>>> +0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>>>>> +0x000 DataSize : 0x20b4
>>>>>>>>>>>>> +0x004 Rva : 0x4958
>>>>>>>>>>>>>
>>>>>>>>>>>>> see the +4
>>>>>>>>>>>>
>>>>>>>>>>>> Those are correct. StartOfMemoryRange is 64-bit.
>>>>>>>>>>>> NumberOfMemoryRanges, DataSize, and Rva are all 32-bit.
>>>>>>>>>>>>
>>>>>>>>>>>>> if i print it to screen with
>>>>>>>>>>>>>
>>>>>>>>>>>>> printf(
>>>>>>>>>>>>>     "Number of memory range = %08x\t\n"
>>>>>>>>>>>>>     "Start of Memory Range Is %I64x\t\n"
>>>>>>>>>>>>>     "Data Size is %I64x\t\n"
>>>>>>>>>>>>>     "Rva is %I64x\t\n",
>>>>>>>>>>>>>     mml->NumberOfMemoryRanges,
>>>>>>>>>>>>>     mml->MemoryRanges[0].StartOfMemoryRange,
>>>>>>>>>>>>>     mml->MemoryRanges[0].Memory.DataSize,
>>>>>>>>>>>>>     mml->MemoryRanges[0].Memory.Rva
>>>>>>>>>>>>>     );
>>>>>>>>>>>>
>>>>>>>>>>>> “Data Size” and “Rva” should both be %08x.
>>>>>>>>>>>>
>>>>>>>>>>>> –
>>>>>>>>>>>> Tim Roberts, xxxxx@probo.com
>>>>>>>>>>>> Providenza & Boekelheide, Inc.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> —
>>>>>>>>>>>> WINDBG is sponsored by OSR
>>>>>>>>>>>>
>>>>>>>>>>>> For our schedule of WDF, WDM, debugging and other seminars
>>>>>>>>>>>> visit:
>>>>>>>>>>>> http://www.osr.com/seminars
>>>>>>>>>>>>
>>>>>>>>>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>>>>>>>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
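Added example, not part of any poster's message: the layout described in the quoted replies above (MINIDUMP_HEADER, then the MINIDUMP_DIRECTORY array, then a MemoryListStream of 16-byte descriptors), parsed in portable C with every count and offset checked against the file size. It also shows that the stream's own RVA comes from its directory entry. The 80-byte file, the helper names and the bounds checks are constructed for illustration; the field sizes follow dbghelp.h as quoted in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MDMP_SIGNATURE     0x504d444du /* Signature value printed in the thread */
#define MEMORY_LIST_STREAM 5u          /* MemoryListStream in MINIDUMP_STREAM_TYPE */
#define HEADER_SIZE        32u         /* sizeof(MINIDUMP_HEADER) */
#define DIRECTORY_SIZE     12u         /* StreamType + DataSize + Rva, 32 bits each */
#define MEM_DESC_SIZE      16u         /* 64-bit start + 32-bit DataSize + 32-bit Rva */
#define SAMPLE_SIZE        80u         /* header + 1 directory entry + 2-range list */

typedef struct { uint64_t start; uint32_t size; uint32_t rva; } mem_range;

/* Little-endian accessors, so the parser does not depend on host struct layout. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Nonzero when [off, off+len) lies inside a file of `total` bytes (no wraparound). */
static int in_file(size_t total, uint32_t off, uint32_t len) {
    return off <= total && len <= total - off;
}

/* Walk header -> stream directory -> MemoryListStream. Stores up to max_out
 * ranges in out and the stream's RVA in *stream_rva. Returns the number of
 * ranges stored, or -1 if any size or offset in the file is inconsistent. */
int parse_memory_list(const uint8_t *f, size_t len, mem_range *out, size_t max_out,
                      uint32_t *stream_rva) {
    if (len < HEADER_SIZE || rd32(f) != MDMP_SIGNATURE) return -1;
    uint32_t nstreams = rd32(f + 8), dir_rva = rd32(f + 12);
    if (dir_rva > len || nstreams > (len - dir_rva) / DIRECTORY_SIZE) return -1;

    for (uint32_t s = 0; s < nstreams; s++) {
        const uint8_t *d = f + dir_rva + (size_t)s * DIRECTORY_SIZE;
        if (rd32(d) != MEMORY_LIST_STREAM) continue;
        uint32_t size = rd32(d + 4), rva = rd32(d + 8);
        if (size < 4 || !in_file(len, rva, size)) return -1;
        uint32_t count = rd32(f + rva);
        /* The count comes from the file: check it against the stream size
         * before indexing, instead of trusting it as a loop bound. */
        if (count > (size - 4) / MEM_DESC_SIZE) return -1;
        if (count > max_out) count = (uint32_t)max_out;
        for (uint32_t i = 0; i < count; i++) {
            const uint8_t *m = f + rva + 4 + (size_t)i * MEM_DESC_SIZE;
            out[i].start = rd64(m);
            out[i].size = rd32(m + 8);
            out[i].rva = rd32(m + 12);
        }
        *stream_rva = rva;
        return (int)count;
    }
    return -1; /* no MemoryListStream in the directory */
}

/* Constructed sample: one directory entry and a two-range memory list whose
 * descriptors reuse the first two rows of the output shown in the thread. */
static void build_sample(uint8_t *b) {
    memset(b, 0, SAMPLE_SIZE);
    wr32(b, MDMP_SIGNATURE);
    wr32(b + 8, 1);                       /* NumberOfStreams */
    wr32(b + 12, HEADER_SIZE);            /* StreamDirectoryRva */
    wr32(b + 32, MEMORY_LIST_STREAM);     /* directory: StreamType */
    wr32(b + 36, 4 + 2 * MEM_DESC_SIZE);  /* directory: DataSize */
    wr32(b + 40, 44);                     /* directory: Rva of the stream */
    wr32(b + 44, 2);                      /* NumberOfMemoryRanges */
    wr32(b + 48, 0x0007df4cu); wr32(b + 56, 0x20b4u); wr32(b + 60, 0x4958u);
    wr32(b + 64, 0x7c90e494u); wr32(b + 72, 0x0100u); wr32(b + 76, 0x6a0cu);
}

/* Parse the constructed sample; out must have room for 4 entries. */
int sample_ranges(mem_range *out, uint32_t *stream_rva) {
    uint8_t b[SAMPLE_SIZE];
    build_sample(b);
    return parse_memory_list(b, SAMPLE_SIZE, out, 4, stream_rva);
}

/* Same file with NumberOfMemoryRanges overwritten by `claimed`. */
int sample_with_count(uint32_t claimed) {
    uint8_t b[SAMPLE_SIZE];
    mem_range r[16];
    uint32_t rva = 0;
    build_sample(b);
    wr32(b + 44, claimed);
    return parse_memory_list(b, SAMPLE_SIZE, r, 16, &rva);
}

int main(void) {
    mem_range r[4];
    uint32_t rva = 0;
    int n = sample_ranges(r, &rva);
    printf("MemoryListStream at RVA %08x, %d ranges\n", (unsigned)rva, n);
    for (int i = 0; i < n; i++)
        printf("%d %08x %08llx %08x\n", i, (unsigned)r[i].rva,
               (unsigned long long)r[i].start, (unsigned)r[i].size);
    printf("claimed count 9 in a 36-byte stream -> %d\n", sample_with_count(9));
    return 0;
}
```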

ok std::string is available it seems

to use std::string

add

USE_STL =1
and
USE_NATIVE_EH =1

to the sources file

add

#include <string>   // no .h at end only string
using namespace std;

to the actual .cpp file where you use std::string

instead of the global allocation passing a Buffer

special cased MiniDumpNormal

this seems to compile link and run

void MiniDumpTypeName (ULONG64 Flags, PCHAR Buff, ULONG Buffsize)
{
    struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;
    int i = 0;
    int mask = 0;
    string TempBuff;

    while ( mask < MiniDumpValidTypeFlags )
    {
        // a Flags value of 0 has no bits to test, so it is handled on its own
        if (Flags == MiniDumpNormal)
        {
            TempBuff.append("MiniDumpNormal");
            goto end;
        }
        if( (mask) && ((Flags & mask ) == mask ) )
        {
            if(mlk->Value == mask)
            {
                TempBuff.append ( "\n " );
                TempBuff.append ( mlk->Str );
            }
        }
        mask = 1 << i;      // next single-bit mask
        i++;
        mlk++;
    }

end:
    strncpy_s(
        Buff,
        Buffsize-2,
        TempBuff.c_str(),   // NUL-terminated source for strncpy_s
        _TRUNCATE
        );
    return;
}

MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC + 5:30)
MINIDUMP_HEADER Flags = 21

MiniDumpWithDataSegs
MiniDumpWithUnloadedModules
Stream# StreamType StreamName Size RVA
0 00000003 ThreadListStream 000000c4 00000160

> On 5/6/12, xxxxx@flounder.com wrote:
>> CString is probably not available for wdk builds, but std::string is part
>> of the C++ Standard.
>>
>> But if you use std::string you have to include the correct header files,
>> and remember to either specify the namespace as a default or always
>> prepend std:: to names that are part of that namespace.
>>
>> joe
>>
>>
>>> thanks Dr Newcomer,
>>>
>>> for the comments i am not aware if i can use those
>>> Cstring and std::string constructs in wdk build environment
>>>
>>> i tried using them some time back and all i got was lots and lots of
>>> compile errors
>>>
>>> starting with cannot find note not <string.h> plain
>>>
>>>
>>>
>>>
>>> On 5/6/12, xxxxx@flounder.com wrote:
>>>> const char * sep = "";
>>>>
>>>> #define ShowBit(something, x) if ((something) & (x)) { printf("%s", sep); printf(#x); sep = " | "; }
>>>>
>>>> if(value == MiniDumpNormal)
>>>>     printf("MiniDumpNormal");
>>>> else
>>>> {
>>>>     ShowBit(value, MiniDumpWithSegs);
>>>>     ShowBit(value, MiniDumpSomeOtherKind);
>>>>     ShowBit(value, MiniDumpYetOnOtherType);
>>>> }
>>>>
>>>> Note this does require you special-case the “0” type.
>>>> joe
>>>>
>>>>> Thanks Dr Newcomer,
>>>>>
>>>>> for posting the #defines
>>>>> PMDST(something, x) if((something) == (x)) printf(#x)
>>>>>
>>>>> switch(something)
>>>>> {
>>>>> #define MDSTcase(x) case x: printf(#x); break
>>>>> MDSTcase(UnusedStream);
>>>>> ----
>>>>> #undef MDSTcase
>>>>> }
>>>>>
>>>>> i at the moment used what tim posted in one of the earlier posts
>>>>>
>>>>> now on to next question
>>>>>
>>>>> typedef enum _MINIDUMP_TYPE {
>>>>> MiniDumpNormal = 0x00000000,
>>>>> MiniDumpWithDataSegs = 0x00000001,
>>>>>
>>>>> -------
>>>>> MiniDumpWithUnloadedModules = 0x00000020,
>>>>> ----
>>>>> }MINIDUMP_TYPE;
>>>>>
>>>>>
>>>>> now if i have a flag of 21
>>>>>
>>>>> i should be printing all the three strings isnt it ??
>>>>>
>>>>> int mask = 0
>>>>> if ( (Flags & mask) == mask)
>>>>> {
>>>>>
>>>>> dont know why Dumpchk omits the flag 0 MiniDumpNormal i can start
>>>>> with
>>>>>
>>>>> int mask = 1; to get the same behavior but i dont think that would
>>>>> print the MiniDumpNormal String ever
>>>>>
>>>>> here is a sample snippet i glued together to parse the Flags and print
>>>>> out the MiniDumptypes
>>>>>
>>>>>
>>>>>
>>>>> struct MiniDumpTypeLookup {
>>>>>     int Value;
>>>>>     PSTR Str;
>>>>> } MiniDumpTypeLookupTable[] = {
>>>>>     MAKE_LOOKUP( MiniDumpNormal ),
>>>>>     MAKE_LOOKUP( MiniDumpWithDataSegs ),
>>>>>     -------
>>>>>     MAKE_LOOKUP( MiniDumpValidTypeFlags ),
>>>>>     { 0 , NULL }
>>>>> };
>>>>>
>>>>> char MiniDumpTypeNameBuff[0x1000] = {0};
>>>>
>>>> As soon as you declare a character array of a fixed size, you have
>>>> already lost. This should never be written, anywhere. It is dead,
>>>> obsolete, C code. Use std::string or CString data types instead. I
>>>> would no more do this than write in assembly code.
>>>>
>>>> And why is this declared as a static variable global to the function
>>>> instead of as a stack local? It isn’t thread-safe, and it represents an
>>>> antiquated programming pattern that is best dead and buried
>>>>
*
>>>>>
>>>>> PCHAR MiniDumpTypeName (ULONG64 Flags)
>>>>> {
>>>>>     struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;
>>>>>     int i = 0;
>>>>>     int mask = 0;
>>>>>
>>>>>     while ( mask < 0x7ffff )
>>>>
>>>> Wrong test. I have no idea what this is testing, but it would never
>>>> occur to me to write this code
>>>>

>>>>>
>>>>>     {
>>>>>         if( (Flags & mask ) == mask )
>>>>>         {
>>>>>             if(mlk->Value == mask)
>>>>>             {
>>>>>                 strncat_s(
>>>>>                     MiniDumpTypeNameBuff,
>>>>>                     sizeof(MiniDumpTypeNameBuff),
>>>>
>>>> Note that you have made a consistent error in all the programs, which I
>>>> did not attempt to correct: that the program always and forever uses
>>>> 8-bit character strings. You should either assume Unicode or code
>>>> Unicode-aware, using T-data types, _T() for literals, etc. Note that I
>>>> prefer, when doing bit masks, to use the vertical bar (with spaces
>>>> around it) as the separator, which is more in keeping with how a
>>>> programmer thinks of the bit fields.
>>>>***
>>>>>
>>>>>                     "\n ",
>>>>>                     _TRUNCATE
>>>>>                     );
>>>>>                 strncat_s(
>>>>>                     MiniDumpTypeNameBuff,
>>>>>                     sizeof(MiniDumpTypeNameBuff),
>>>>>                     mlk->Str,
>>>>>                     _TRUNCATE
>>>>>                     );
>>>>>             }
>>>>>         }
>>>>>         mask = 1 << i;
>>>>>         i++;
>>>>>         mlk++;
>>>>>     }
>>>>>     return MiniDumpTypeNameBuff;
>>>>
>>>> This makes no sense; you are returning a pointer to a buffer which is
>>>> statically allocated. Bad practice, not thread-safe, potentially a
>>>> disaster.
>>>>
>>>> Again, avoid C data types and use std::string or CString types.
>>>> Programming applications in C is about as antiquated as programming
>>>> applications in assembly code.
>>>>

>>>>>
>>>>> }
>>>>>
>>>>> i get an output like this
>>>>>
>>>>> MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC + 5:30)
>>>>> MINIDUMP_HEADER Flags = 21
>>>>> MiniDumpNormal
>>>>> MiniDumpWithDataSegs
>>>>>
>>>>> MiniDumpWithUnloadedModules
>>>>
>>>> No surprise, because you have to special-case the 0 flag value. Look at
>>>> your code:
>>>>
>>>> if((Flags & 0) == 0)
>>>>
>>>> which is going to be always true. If you want to make a fully-general
>>>> subroutine, you can impose rules like “the first entry in the table
>>>> might be a zero value, special-case the first entry” or even more
>>>> general, if the value Flags is 0, scan the table for the 0 value, print
>>>> it and return, else iterate the bit mask as you have done.
>>>>

>>>>>
>>>>> whereas dumpchk prints out
>>>>>
>>>>> Debug session time: Tue Mar 27 01:22:16.000 2012 (UTC + 5:30)
>>>>> System Uptime: not available
>>>>> Process Uptime: not available
>>>>> …
>>>>> Loading unloaded module list
>>>>> …
>>>>> This dump file has an exception of interest stored in it.
>>>>> The stored exception information can be accessed via .ecxr.
>>>>> (f0f0f0f0.9e8): Access violation - code c0000005 (first/second chance
>>>>> not available)
>>>>> ----- User Mini Dump Analysis
>>>>>
>>>>> MINIDUMP_HEADER:
>>>>> Version A793 (6003)
>>>>> NumberOfStreams 8
>>>>> Flags 21
>>>>> 0001 MiniDumpWithDataSegs
>>>>> 0020 MiniDumpWithUnloadedModules
>>>>>
>>>>>
>>>>
>>>> That’s because they properly handle the 0 case.
>>>> joe
>>>>

>>>>>
>>>>>
>>>>>
>>>>> On 5/6/12, xxxxx@flounder.com wrote:
>>>>>> No, the question isn’t stupid, it just reflects one of the major
>>>>>> defects of the C language: the lack of reflection.
>>>>>>
>>>>>> The correct way to handle this is definitely NOT
>>>>>>
>>>>>> if(something == 3) printf("ThreadListStream");
>>>>>>
>>>>>> it would be correct, but tedious, to handle every case correctly, by
>>>>>> typing
>>>>>>
>>>>>> if(something == ThreadListStream) printf("ThreadListStream");
>>>>>>
>>>>>> I fail to see any purpose in using the constant “3” when there is a
>>>>>> perfectly good name!
>>>>>>
>>>>>> However, I have used a couple techniques
>>>>>>
>>>>>> #define PMDST(something, x) if((something) == (x)) printf(#x)
>>>>>>
>>>>>> then you can write
>>>>>>
>>>>>> PMDST(something, UnusedStream);
>>>>>> else
>>>>>> PMDST(something, ThreadListStream);
>>>>>> else
>>>>>> …
>>>>>> else
>>>>>> printf("Unknown stream type %d", something);
>>>>>>
>>>>>> or, I’ll sometimes do
>>>>>>
>>>>>> switch(something)
>>>>>> {
>>>>>> #define MDSTcase(x) case x: printf(#x); break
>>>>>> MDSTcase(UnusedStream);
>>>>>> MDSTcase(ThreadListStream);
>>>>>> …
>>>>>> default:
>>>>>> printf("Unknown stream type %d", something);
>>>>>> break;
>>>>>> #undef MDSTcase
>>>>>> }
>>>>>>
>>>>>> It depends on my mood which one I might use.
>>>>>> joe
>>>>>>> THIS must be a STUPID c 101 QUESTION
>>>>>>> still i will ask it
>>>>>>>
>>>>>>> dbghelp.h has this declared
>>>>>>>
>>>>>>> typedef enum _MINIDUMP_STREAM_TYPE {
>>>>>>>
>>>>>>> UnusedStream = 0,
>>>>>>> ReservedStream0 = 1,
>>>>>>> ReservedStream1 = 2,
>>>>>>> ThreadListStream = 3,
>>>>>>> ModuleListStream = 4, … s ON }
>>>>>>>
>>>>>>> now if i want to printf
>>>>>>>
>>>>>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff; MiniDir->StreamType,
>>>>>>>
>>>>>>> say if 3 printf (“ThreadListStream”);
>>>>>>>
>>>>>>> should i be doing it like this ?? error prone copy paste modify by
>>>>>>> hand of the enum from dbghelp.h ?? like below
>>>>>>>
>>>>>>>
>>>>>>> PSTR
>>>>>>> __cdecl
>>>>>>> MiniStreamTypeName (
>>>>>>>     int StreamType
>>>>>>>     )
>>>>>>> {
>>>>>>>     PSTR Ministr[] = {
>>>>>>>         "UnusedStream",
>>>>>>>         "ReservedStream0",
>>>>>>>         "ReservedStream1",
>>>>>>>         "ThreadListStream",
>>>>>>>         "ModuleListStream",
>>>>>>>         …
>>>>>>>         …
>>>>>>>         …
>>>>>>>     };
>>>>>>>     return Ministr[StreamType];
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> and call it with say
>>>>>>>
>>>>>>> printf(
>>>>>>>     "%7d %08x\x20\x20\x20\x20 %-30s %08x %08x\n",
>>>>>>>     i,
>>>>>>>     MiniDir->StreamType,
>>>>>>>     MiniStreamTypeName(MiniDir->StreamType),
>>>>>>>     MiniDir->Location.DataSize,
>>>>>>>     MiniDir->Location.Rva
>>>>>>>     );
>>>>>>>
>>>>>>> this seems to work though i feel this must really not be the way to
>>>>>>> go about
>>>>>>>
>>>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>>>
>>>>>>> Minidump Header Signature = 504d444d
>>>>>>> MINIDUMP_VERSION = 0000a793
>>>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>>>> Stream# StreamType StreamName               Size     RVA
>>>>>>> 0       00000003   ThreadListStream         000000c4 00000160
>>>>>>> 1       00000004   ModuleListStream         00001a2c 00000224
>>>>>>> 2       0000000e   UnloadedModuleListStream 00000114 00001c50
>>>>>>> 3       00000005   MemoryListStream         00000094 000048c4
>>>>>>> 4       00000006   ExceptionStream          000000a8 000000b8
>>>>>>> 5       00000007   SystemInfoStream         00000038 00000080
>>>>>>> 6       00000000   UnusedStream             00000000 00000000
>>>>>>> 7       00000000   UnusedStream             00000000 00000000
>>>>>>> Dump Header Dumped
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 5/3/12, raj_r wrote:
>>>>>>>> thanks jen for answering fast
>>>>>>>> it seems i am able to get the directories and rvas with code below
>>>>>>>>
>>>>>>>> ftell(fp);
>>>>>>>>
>>>>>>>> ULONG NumberOfStreams = MiniHeader->NumberOfStreams;
>>>>>>>>
>>>>>>>> for (ULONG i = 0; i < NumberOfStreams; i++)
>>>>>>>> {
>>>>>>>>     fread(
>>>>>>>>         Buff,
>>>>>>>>         1,
>>>>>>>>         sizeof(MINIDUMP_DIRECTORY),
>>>>>>>>         fp
>>>>>>>>         );
>>>>>>>>     MiniDir = (PMINIDUMP_DIRECTORY) Buff;
>>>>>>>>     printf(
>>>>>>>>         "StreamType\t%08x\tSize\t%08x\tRva\t%08x\n",
>>>>>>>>         MiniDir->StreamType,
>>>>>>>>         MiniDir->Location.DataSize,
>>>>>>>>         MiniDir->Location.Rva
>>>>>>>>         );
>>>>>>>>     ftell(fp);
>>>>>>>> }
>>>>>>>>
>>>>>>>> StreamType 00000003 Size 000000c4 Rva 00000160
>>>>>>>> StreamType 00000004 Size 00001a2c Rva 00000224
>>>>>>>> StreamType 0000000e Size 00000114 Rva 00001c50
>>>>>>>> StreamType 00000005 Size 00000094 Rva 000048c4
>>>>>>>> StreamType 00000006 Size 000000a8 Rva 000000b8
>>>>>>>> StreamType 00000007 Size 00000038 Rva 00000080
>>>>>>>> StreamType 00000000 Size 00000000 Rva 00000000
>>>>>>>> StreamType 00000000 Size 00000000 Rva 00000000
>>>>>>>> Dump Header Dumped
>>>>>>>>
>>>>>>>>
>>>>>>>> t>Dumpchk test.dmp | grep -i stream
>>>>>>>> Loading dump file test.dmp
>>>>>>>> NumberOfStreams 8
>>>>>>>> Streams:
>>>>>>>> Stream 0: type ThreadListStream (3), size 000000C4, RVA 00000160
>>>>>>>> Stream 1: type ModuleListStream (4), size 00001A2C, RVA 00000224
>>>>>>>> Stream 2: type UnloadedModuleListStream (14), size 00000114, RVA 00001C50
>>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>>> Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000B8
>>>>>>>> Stream 5: type SystemInfoStream (7), size 00000038, RVA 00000080
>>>>>>>> Stream 6: type UnusedStream (0), size 00000000, RVA 00000000
>>>>>>>> Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
>>>>>>>>
>>>>>>>>
>>>>>>>> so all left is to parse and the remaining bytes
>>>>>>>>
>>>>>>>>
>>>>>>>> On 5/3/12, Jen-Lung Chiu wrote:
>>>>>>>>> Yes no API support to get those data from dump headers.
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: xxxxx@lists.osr.com
>>>>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>>>>> Sent: Wednesday, May 2, 2012 01:37 PM
>>>>>>>>> To: Kernel Debugging Interest List
>>>>>>>>> Subject: Re: [windbg] Error when reading user stream from dump
>>>>>>>>> file
>>>>>>>>>
>>>>>>>>> Thanks jen
>>>>>>>>>
>>>>>>>>> So I Need To do Something Like below Myself no request or interface
>>>>>>>>> exist ??
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> int __cdecl DumpDumpHeader(void) {
>>>>>>>>>     HRESULT status = S_OK;
>>>>>>>>>     PMINIDUMP_HEADER MiniHeader;
>>>>>>>>>     FILE * fp;
>>>>>>>>>     size_t result;
>>>>>>>>>
>>>>>>>>>     if (( fp = fopen(
>>>>>>>>>         "test.dmp",
>>>>>>>>>         "rb"
>>>>>>>>>         ) ) == 0 ) {
>>>>>>>>>         Exit (
>>>>>>>>>             FALSE,
>>>>>>>>>             "fopen ( %s ) Failed",
>>>>>>>>>             "test.dmp"
>>>>>>>>>             );
>>>>>>>>>     }
>>>>>>>>>     if (( result = fread(
>>>>>>>>>         Buff,
>>>>>>>>>         1,
>>>>>>>>>         sizeof(MINIDUMP_HEADER),
>>>>>>>>>         fp
>>>>>>>>>         ) ) != sizeof(MINIDUMP_HEADER)) {
>>>>>>>>>         Exit(
>>>>>>>>>             FALSE,
>>>>>>>>>             "fread(fp) failed\n"
>>>>>>>>>             );
>>>>>>>>>     }
>>>>>>>>>
>>>>>>>>>     MiniHeader = (PMINIDUMP_HEADER)Buff;
>>>>>>>>>     printf(
>>>>>>>>>         "Minidump Header Signature = %08x\n"
>>>>>>>>>         "MINIDUMP_VERSION = %08x\n"
>>>>>>>>>         "MINIDUMP_VERSION(Internal) = %08x\n"
>>>>>>>>>         "MINIDUMP_HEADER NumberofStreams = %08x\n"
>>>>>>>>>         "MINIDUMP_HEADER StreamDirectoryRVA = %08x\n"
>>>>>>>>>         "MINIDUMP_HEADER CheckSum = %08x\n"
>>>>>>>>>         "MINIDUMP_HEADER reserved = %08x\n"
>>>>>>>>>         "MINIDUMP_HEADER TimeDateStamp = %08x\n"
>>>>>>>>>         "MINIDUMP_HEADER Flags = %08I64x\n",   // Flags is a ULONG64
>>>>>>>>>         MiniHeader->Signature,
>>>>>>>>>         LOWORD(MiniHeader->Version),
>>>>>>>>>         HIWORD(MiniHeader->Version),
>>>>>>>>>         MiniHeader->NumberOfStreams,
>>>>>>>>>         MiniHeader->StreamDirectoryRva,
>>>>>>>>>         MiniHeader->CheckSum,
>>>>>>>>>         MiniHeader->Reserved,
>>>>>>>>>         MiniHeader->TimeDateStamp,
>>>>>>>>>         MiniHeader->Flags
>>>>>>>>>         );
>>>>>>>>>     fclose(fp);
>>>>>>>>>     return status;
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>>>>>
>>>>>>>>> Minidump Header Signature = 504d444d
>>>>>>>>> MINIDUMP_VERSION = 0000a793
>>>>>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>>>>>> Dump Header Dumped
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----- User Mini Dump Analysis
>>>>>>>>>
>>>>>>>>> MINIDUMP_HEADER:
>>>>>>>>> Version A793 (6003)
>>>>>>>>> NumberOfStreams 8
>>>>>>>>> Flags 21
>>>>>>>>> 0001 MiniDumpWithDataSegs
>>>>>>>>> 0020 MiniDumpWithUnloadedModules
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 5/2/12, Jen-Lung Chiu wrote:
>>>>>>>>>> You could check MSDN or dbghelp.h for user-mode minidump format, then
>>>>>>>>>> use binary editor to browse the dump file.
>>>>>>>>>>
>>>>>>>>>> The user-mode minidump starts with a MINIDUMP_HEADER structure, then
>>>>>>>>>> follows a list of MINIDUMP_DIRECTORY structure (the number of
>>>>>>>>>> MINIDUMP_DIRECTORY structures is MINIDUMP_HEADER::NumberOfStreams).
>>>>>>>>>> The MINIDUMP_DIRECTORY block defines the type of the stream (in your
>>>>>>>>>> case, MemoryListStream) as well as the RVA/size of the stream.
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: xxxxx@lists.osr.com
>>>>>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>>>>>> Sent: Wednesday, May 2, 2012 02:42 AM
>>>>>>>>>> To: Kernel Debugging Interest List
>>>>>>>>>> Subject: Re: [windbg] Error when reading user stream from dump
>>>>>>>>>> file
>>>>>>>>>>
>>>>>>>>>> ok changing the ULONG64 of Debughelp.chm to DWORD of Debughelp.h it
>>>>>>>>>> seems now i can dump the MemoryListStream below is code and output
>>>>>>>>>> Dissections are Welcome
>>>>>>>>>>
>>>>>>>>>> #include <stdio.h>
>>>>>>>>>>
>>>>>>>>>> #include <engextcpp.hpp>
>>>>>>>>>>
>>>>>>>>>> #include <dbghelp.h>
>>>>>>>>>>
>>>>>>>>>> const ULONG MBUFFSIZE = 0x1000;
>>>>>>>>>>
>>>>>>>>>> IDebugClient* g_Client;
>>>>>>>>>>
>>>>>>>>>> IDebugControl* g_Control;
>>>>>>>>>>
>>>>>>>>>> IDebugAdvanced2* g_Advanced2;
>>>>>>>>>>
>>>>>>>>>> PVOID Buff;
>>>>>>>>>>
>>>>>>>>>> void
>>>>>>>>>>
>>>>>>>>>> Exit( __in int Code,
>>>>>>>>>>
>>>>>>>>>> __in PCSTR Format,
>>>>>>>>>>
>>>>>>>>>> ...)
>>>>>>>>>>
>>>>>>>>>> {
>>>>>>>>>>
>>>>>>>>>> if (g_Client != NULL) {
>>>>>>>>>>
>>>>>>>>>> g_Client->EndSession(DEBUG_END_DISCONNECT);
>>>>>>>>>>
>>>>>>>>>> g_Client->Release();
>>>>>>>>>>
>>>>>>>>>> g_Client = NULL;
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> if (g_Control != NULL) {
>>>>>>>>>>
>>>>>>>>>> g_Control->Release();
>>>>>>>>>>
>>>>>>>>>> g_Control = NULL;
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> if (g_Advanced2 !=NULL) {
>>>>>>>>>>
>>>>>>>>>> g_Advanced2->Release();
>>>>>>>>>>
>>>>>>>>>> g_Advanced2 = NULL;
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> if( Buff != NULL) {
>>>>>>>>>>
>>>>>>>>>> free(Buff);
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> if (Format != NULL) {
>>>>>>>>>>
>>>>>>>>>> va_list Args;
>>>>>>>>>>
>>>>>>>>>> va_start(Args, Format);
>>>>>>>>>>
>>>>>>>>>> vfprintf(stderr, Format, Args);
>>>>>>>>>>
>>>>>>>>>> va_end(Args);
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> exit(Code);
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> int __cdecl DumpMemoryListStream(void){
>>>>>>>>>>
>>>>>>>>>> HRESULT status;
>>>>>>>>>>
>>>>>>>>>> if ( ( status = DebugCreate(
>>>>>>>>>>
>>>>>>>>>> __uuidof(IDebugClient),
>>>>>>>>>>
>>>>>>>>>> (void**)&g_Client
>>>>>>>>>>
>>>>>>>>>> ) ) !=S_OK) {
>>>>>>>>>>
>>>>>>>>>> Exit(
>>>>>>>>>>
>>>>>>>>>> FALSE,
>>>>>>>>>>
>>>>>>>>>> "%s ( %s ) Failed %08x\n",
>>>>>>>>>>
>>>>>>>>>> "DebugCreate",
>>>>>>>>>>
>>>>>>>>>> "IDebugClient",
>>>>>>>>>>
>>>>>>>>>> status);
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>>>>>>
>>>>>>>>>> __uuidof(IDebugControl),
>>>>>>>>>>
>>>>>>>>>> (void**)&g_Control
>>>>>>>>>>
>>>>>>>>>> ) ) != S_OK ) {
>>>>>>>>>>
>>>>>>>>>> Exit(
>>>>>>>>>>
>>>>>>>>>> FALSE,
>>>>>>>>>>
>>>>>>>>>> "%s ( %s ) Failed %08x\n",
>>>>>>>>>>
>>>>>>>>>> "QueryInterface",
>>>>>>>>>>
>>>>>>>>>> "IDebugControl",
>>>>>>>>>>
>>>>>>>>>> status);
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> if ( ( status = g_Client->QueryInterface(
>>>>>>>>>>
>>>>>>>>>> __uuidof(IDebugAdvanced2),
>>>>>>>>>>
>>>>>>>>>> (void**)&g_Advanced2
>>>>>>>>>>
>>>>>>>>>> )) != S_OK ) {
>>>>>>>>>>
>>>>>>>>>> Exit(
>>>>>>>>>>
>>>>>>>>>> FALSE,
>>>>>>>>>>
>>>>>>>>>> "%s ( %s ) Failed %08x\n",
>>>>>>>>>>
>>>>>>>>>> "QueryInterface",
>>>>>>>>>>
>>>>>>>>>> "IDebugAdvanced2",
>>>>>>>>>>
>>>>>>>>>> status);
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> if (( status = g_Client->OpenDumpFile(
>>>>>>>>>>
>>>>>>>>>> "test.dmp"
>>>>>>>>>>
>>>>>>>>>> )) != S_OK ) {
>>>>>>>>>>
>>>>>>>>>> Exit(
>>>>>>>>>>
>>>>>>>>>> FALSE,
>>>>>>>>>>
>>>>>>>>>> "%s ( %s ) Failed %08x\n",
>>>>>>>>>>
>>>>>>>>>> "g_Client",
>>>>>>>>>>
>>>>>>>>>> "OpenDumpFile",
>>>>>>>>>>
>>>>>>>>>> status);
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> if (( status = g_Control->WaitForEvent(
>>>>>>>>>>
>>>>>>>>>> 0,
>>>>>>>>>>
>>>>>>>>>> INFINITE
>>>>>>>>>>
>>>>>>>>>> ) ) != S_OK ) {
>>>>>>>>>>
>>>>>>>>>> Exit(
>>>>>>>>>>
>>>>>>>>>> FALSE,
>>>>>>>>>>
>>>>>>>>>> "%s ( %s ) Failed %08x\n",
>>>>>>>>>>
>>>>>>>>>> "g_Control",
>>>>>>>>>>
>>>>>>>>>> "WaitForEvent",
>>>>>>>>>>
>>>>>>>>>> status);
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> PVOID OutBuffer;
>>>>>>>>>>
>>>>>>>>>> ULONG OutBufferSize;
>>>>>>>>>>
>>>>>>>>>> ULONG OutSize;
>>>>>>>>>>
>>>>>>>>>> PMINIDUMP_MEMORY_LIST mml;
>>>>>>>>>>
>>>>>>>>>> DEBUG_READ_USER_MINIDUMP_STREAM InBuffer;
>>>>>>>>>>
>>>>>>>>>> InBuffer.StreamType = MemoryListStream;
>>>>>>>>>>
>>>>>>>>>> InBuffer.Flags = 0;
>>>>>>>>>>
>>>>>>>>>> InBuffer.Offset = 0;
>>>>>>>>>>
>>>>>>>>>> InBuffer.Buffer = Buff;
>>>>>>>>>>
>>>>>>>>>> InBuffer.BufferSize = MBUFFSIZE;
>>>>>>>>>>
>>>>>>>>>> InBuffer.BufferUsed = 0;
>>>>>>>>>>
>>>>>>>>>> OutBuffer = NULL;
>>>>>>>>>>
>>>>>>>>>> OutBufferSize = NULL;
>>>>>>>>>>
>>>>>>>>>> if (( status = g_Advanced2->Request(
>>>>>>>>>>
>>>>>>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>>>>>>
>>>>>>>>>> &InBuffer,
>>>>>>>>>>
>>>>>>>>>> sizeof(InBuffer),
>>>>>>>>>>
>>>>>>>>>> OutBuffer,
>>>>>>>>>>
>>>>>>>>>> OutBufferSize,
>>>>>>>>>>
>>>>>>>>>> &OutSize
>>>>>>>>>>
>>>>>>>>>> ) ) != S_OK ) {
>>>>>>>>>>
>>>>>>>>>> Exit(
>>>>>>>>>>
>>>>>>>>>> FALSE,
>>>>>>>>>>
>>>>>>>>>> "%s (\n"
>>>>>>>>>>
>>>>>>>>>> "\t%s,\n"
>>>>>>>>>>
>>>>>>>>>> "\t%s\n\t) Failed %08x\n",
>>>>>>>>>>
>>>>>>>>>> "g_Advanced2->Request",
>>>>>>>>>>
>>>>>>>>>> "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
>>>>>>>>>>
>>>>>>>>>> "MemoryListStream",
>>>>>>>>>>
>>>>>>>>>> status);
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> mml = (PMINIDUMP_MEMORY_LIST)Buff;
>>>>>>>>>>
>>>>>>>>>> printf (
>>>>>>>>>>
>>>>>>>>>> " Number Of Memory ranges = %x\n\n"
>>>>>>>>>>
>>>>>>>>>> " range# RVA Address Size\n",
>>>>>>>>>>
>>>>>>>>>> mml->NumberOfMemoryRanges
>>>>>>>>>>
>>>>>>>>>> );
>>>>>>>>>>
>>>>>>>>>> for (ULONG i = 0; i < mml->NumberOfMemoryRanges; i++) {
>>>>>>>>>>
>>>>>>>>>> printf(
>>>>>>>>>>
>>>>>>>>>> " %d %08x %08I64x %08x\n",
>>>>>>>>>>
>>>>>>>>>> i,
>>>>>>>>>>
>>>>>>>>>> mml->MemoryRanges[i].Memory.Rva,
>>>>>>>>>>
>>>>>>>>>> mml->MemoryRanges[i].StartOfMemoryRange,
>>>>>>>>>>
>>>>>>>>>> mml->MemoryRanges[i].Memory.DataSize
>>>>>>>>>>
>>>>>>>>>> );
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> Exit(
>>>>>>>>>>
>>>>>>>>>> TRUE,
>>>>>>>>>>
>>>>>>>>>> "%s (\n"
>>>>>>>>>>
>>>>>>>>>> "\t%s,\n"
>>>>>>>>>>
>>>>>>>>>> "\t%s\n\t) Succeeded %08x\n",
>>>>>>>>>>
>>>>>>>>>> "g_Advanced2->Request",
>>>>>>>>>>
>>>>>>>>>> "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
>>>>>>>>>>
>>>>>>>>>> "MemoryListStream",
>>>>>>>>>>
>>>>>>>>>> status);
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> int __cdecl main (void){
>>>>>>>>>>
>>>>>>>>>> Buff = (PVOID) malloc( MBUFFSIZE );
>>>>>>>>>>
>>>>>>>>>> if(Buff == 0) {
>>>>>>>>>>
>>>>>>>>>> printf(
>>>>>>>>>>
>>>>>>>>>> "malloc failed\n"
>>>>>>>>>>
>>>>>>>>>> );
>>>>>>>>>>
>>>>>>>>>> Exit ( FALSE,"malloc Failed \n");
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> printf("\n\n -====Dumping MemoryListStream From Memory Dump====-\n\n");
>>>>>>>>>>
>>>>>>>>>> DumpMemoryListStream();
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> t>OpenDumpStream.exe
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -====Dumping MemoryListStream From Memory Dump====-
>>>>>>>>>>
>>>>>>>>>> Number Of Memory ranges = 9
>>>>>>>>>>
>>>>>>>>>> range# RVA Address Size
>>>>>>>>>> 0 00004958 0007df4c 000020b4
>>>>>>>>>> 1 00006a0c 7c90e494 00000100
>>>>>>>>>> 2 00006b0c 00ccff98 00000068
>>>>>>>>>> 3 00006b74 7c90e494 00000100
>>>>>>>>>> 4 00006c74 00f1bcac 00004354
>>>>>>>>>> 5 0000afc8 7c90e494 00000100
>>>>>>>>>> 6 0000b0c8 009cfe14 000001ec
>>>>>>>>>> 7 0000b2b4 7c90e494 00000100
>>>>>>>>>> 8 0000b3b4 00447000 000165a8
>>>>>>>>>> g_Advanced2->Request (
>>>>>>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>>>>>> MemoryListStream
>>>>>>>>>> ) Succeeded 00000000
>>>>>>>>>>
>>>>>>>>>> same dmp checked via dumpchk util
>>>>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>>>>> 9 memory ranges
>>>>>>>>>> range# RVA Address Size
>>>>>>>>>> 0 00004958 0007df4c 000020b4
>>>>>>>>>> 1 00006A0C 7c90e494 00000100
>>>>>>>>>> 2 00006B0C 00ccff98 00000068
>>>>>>>>>> 3 00006B74 7c90e494 00000100
>>>>>>>>>> 4 00006C74 00f1bcac 00004354
>>>>>>>>>> 5 0000AFC8 7c90e494 00000100
>>>>>>>>>> 6 0000B0C8 009cfe14 000001ec
>>>>>>>>>> 7 0000B2B4 7c90e494 00000100
>>>>>>>>>> 8 0000B3B4 00447000 000165a8
>>>>>>>>>> Total memory: 1d004
>>>>>>>>>>
>>>>>>>>>> one question remains
>>>>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>>>>> i can get the 94 from outsize 1d004 from adding up all sizes what
>>>>>>>>>> should i use to get the rva 48c4 ?
>>>>>>>>>>
>>>>>>>>>> On 5/2/12, raj_r wrote:
>>>>>>>>>>> note to self
>>>>>>>>>>> when in doubt refer header file do not refer chm or web or
>>>>>>>>>>> random
>>>>>>>>>>> tidbits in obscure corners of internet
>>>>>>>>>>>
>>>>>>>>>>> this seem to be a documentation glitch in debugger.chm
>>>>>>>>>>>
>>>>>>>>>>> in debughelp.h it is dword
>>>>>>>>>>>
>>>>>>>>>>> typedef DWORD RVA;
>>>>>>>>>>> typedef ULONG64 RVA64;
>>>>>>>>>>>
>>>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>>>>>>>> ULONG32 DataSize;
>>>>>>>>>>> RVA Rva;
>>>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>>>>>>>
>>>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
>>>>>>>>>>> ULONG64 DataSize;
>>>>>>>>>>> RVA64 Rva;
>>>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR64;
>>>>>>>>>>>
>>>>>>>>>>> On 5/2/12, raj_r wrote:
>>>>>>>>>>>> Thanks Tim
>>>>>>>>>>>>
>>>>>>>>>>>> you wrote
>>>>>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>>>> has
>>>>>>>>>>>> 32-bit size and 32-bit RVA,
>>>>>>>>>>>>
>>>>>>>>>>>> the debughelp.chm has this
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR Structure
>>>>>>>>>>>>
>>>>>>>>>>>> Contains information describing the location of a data stream
>>>>>>>>>>>> within
>>>>>>>>>>>> a minidump file.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>>>>>>>>> ULONG64 DataSize;
>>>>>>>>>>>> RVA64 Rva;
>>>>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>>>>>>>>
>>>>>>>>>>>> Members
>>>>>>>>>>>>
>>>>>>>>>>>> DataSize
>>>>>>>>>>>> The size of the data stream, in bytes.
>>>>>>>>>>>>
>>>>>>>>>>>> Rva
>>>>>>>>>>>> The relative virtual address (RVA) of the data. This is the byte
>>>>>>>>>>>> offset of the data stream from the beginning of the minidump file.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 5/2/12, Tim Roberts wrote:
>>>>>>>>>>>>> raj_r wrote:
>>>>>>>>>>>>>> not exactly related to ops question but it is regarding
>>>>>>>>>>>>>> request
>>>>>>>>>>>>>> of
>>>>>>>>>>>>>> streamtype MemoryListStream …
>>>>>>>>>>>>>> 00681438 00000009 0007df4c 00000000 000020b4
>>>>>>>>>>>>>> 00681448 00004958 7c90e494 00000000 00000100
>>>>>>>>>>>>>> 00681458 baadf00d baadf00d baadf00d baadf00d
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> i understand the first dword 9 is NumberofMemoryRanges
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> does the second QWORD7df4c point to
>>>>>>>>>>>>>> MemoryRanges[0].StartofMemoryRange
>>>>>>>>>>>>>> ??
>>>>>>>>>>>>>> and subsequent dwords point to …Datasize and … RVA
>>>>>>>>>>>>>> ??
>>>>>>>>>>>>>
>>>>>>>>>>>>> They don’t POINT to those things. They CONTAIN those things. The
>>>>>>>>>>>>> MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges,
>>>>>>>>>>>>> followed by an array of MINIDUMP_MEMORY_DESCRIPTOR. The
>>>>>>>>>>>>> MINIDUMP_MEMORY_DESCRIPTOR has a 64-bit start of range, followed by
>>>>>>>>>>>>> a MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>>>>> has 32-bit size and 32-bit RVA,
>>>>>>>>>>>>>
>>>>>>>>>>>>>> these seem to described as ULONG 64 in dbghelp.chm but windbg
>>>>>>>>>>>>>> doesnt seem to honor it
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
>>>>>>>>>>>>>> +0x000 NumberOfMemoryRanges : 9
>>>>>>>>>>>>>> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
>>>>>>>>>>>>>> +0x000 StartOfMemoryRange : 0x7df4c
>>>>>>>>>>>>>> +0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>>>>>> +0x000 DataSize : 0x20b4
>>>>>>>>>>>>>> +0x004 Rva : 0x4958
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> see the +4
>>>>>>>>>>>>>
>>>>>>>>>>>>> Those are correct. StartOfMemoryRange is 64-bit.
>>>>>>>>>>>>> NumberOfMemoryRanges,
>>>>>>>>>>>>> DataSize, and Rva are all 32-bit.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> if i print it to screen with
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> printf(
>>>>>>>>>>>>>> "Number of memory range = %08x\t\n"
>>>>>>>>>>>>>> "Start of Memory Range Is %I64x\t\n"
>>>>>>>>>>>>>> "Data Size is %I64x\t\n"
>>>>>>>>>>>>>> "Rva is %I64x\t\n",
>>>>>>>>>>>>>> mml->NumberOfMemoryRanges,
>>>>>>>>>>>>>> mml->MemoryRanges[0].StartOfMemoryRange,
>>>>>>>>>>>>>> mml->MemoryRanges[0].Memory.DataSize,
>>>>>>>>>>>>>> mml->MemoryRanges[0].Memory.Rva
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> );
>>>>>>>>>>>>>
>>>>>>>>>>>>> “Data Size” and “Rva” should both be %08x.
>>>>>>>>>>>>>
>>>>>>>>>>>>> –
>>>>>>>>>>>>> Tim Roberts, xxxxx@probo.com
>>>>>>>>>>>>> Providenza & Boekelheide, Inc.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> —
>>>>>>>>>>>>> WINDBG is sponsored by OSR
>>>>>>>>>>>>>
>>>>>>>>>>>>> For our schedule of WDF, WDM, debugging and other seminars
>>>>>>>>>>>>> visit:
>>>>>>>>>>>>> http://www.osr.com/seminars
>>>>>>>>>>>>>
>>>>>>>>>>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>>>>>>>>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>

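The layout described in the quoted messages above (a MINIDUMP_HEADER, then NumberOfStreams directory entries giving each stream's type, size and RVA, with MemoryListStream holding a 32-bit count followed by 16-byte descriptors) as a bounds-checked reader in portable C. This is an added example, not code from the thread: the names `md_loc`, `md_range`, `md_find_stream`, `md_memory_ranges` and `md_build_sample` and the sample bytes are constructed for illustration, and the field offsets follow the dbghelp.h structures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MDMP_SIGNATURE     0x504d444du /* "MDMP", the signature value printed in the thread */
#define MEMORY_LIST_STREAM 5u          /* MemoryListStream in dbghelp.h */
#define HDR_SIZE 32u /* MINIDUMP_HEADER */
#define DIR_SIZE 12u /* MINIDUMP_DIRECTORY: StreamType + DataSize + Rva */
#define MEM_SIZE 16u /* MINIDUMP_MEMORY_DESCRIPTOR: 64-bit start + DataSize + Rva */

typedef struct { uint32_t data_size, rva; } md_loc;   /* hypothetical names */
typedef struct { uint64_t start; md_loc mem; } md_range;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) {
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}
/* True when [rva, rva+size) lies inside a file of len bytes, without overflow. */
static int in_file(size_t len, uint32_t rva, uint32_t size) {
    return rva <= len && size <= len - rva;
}

/* Walk the stream directory for `type`; 0 on success, -1 if malformed or absent. */
int md_find_stream(const uint8_t *buf, size_t len, uint32_t type, md_loc *out) {
    if (len < HDR_SIZE || rd32(buf) != MDMP_SIGNATURE) return -1;
    uint32_t nstreams = rd32(buf + 8), dir_rva = rd32(buf + 12);
    if (dir_rva > len || nstreams > (len - dir_rva) / DIR_SIZE) return -1;
    for (uint32_t i = 0; i < nstreams; i++) {
        const uint8_t *d = buf + dir_rva + (size_t)i * DIR_SIZE;
        if (rd32(d) != type) continue;
        out->data_size = rd32(d + 4);
        out->rva = rd32(d + 8);           /* this is where the stream RVA comes from */
        return in_file(len, out->rva, out->data_size) ? 0 : -1;
    }
    return -1;
}

/* Decode MemoryListStream into out[0..max). Returns the range count, or -1. */
int md_memory_ranges(const uint8_t *buf, size_t len, md_range *out, size_t max) {
    md_loc s;
    if (md_find_stream(buf, len, MEMORY_LIST_STREAM, &s) != 0 || s.data_size < 4) return -1;
    uint32_t n = rd32(buf + s.rva);
    if (n > (s.data_size - 4) / MEM_SIZE || n > max) return -1; /* count must fit the stream */
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *m = buf + s.rva + 4 + (size_t)i * MEM_SIZE;
        out[i].start = rd64(m);
        out[i].mem.data_size = rd32(m + 8);
        out[i].mem.rva = rd32(m + 12);
        if (!in_file(len, out[i].mem.rva, out[i].mem.data_size)) return -1;
    }
    return (int)n;
}

static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Constructed sample: header, a two-entry directory at 0x20 and a MemoryListStream
   at 0x40 with two ranges. Returns the file length, or 0 if cap is too small. */
size_t md_build_sample(uint8_t *buf, size_t cap) {
    if (cap < 0x100) return 0;
    memset(buf, 0, 0x100);
    wr32(buf, MDMP_SIGNATURE); wr32(buf + 8, 2); wr32(buf + 12, 0x20);
    /* entry 0 stays zero (UnusedStream); entry 1 is MemoryListStream */
    wr32(buf + 0x2c, MEMORY_LIST_STREAM); wr32(buf + 0x30, 4 + 2 * MEM_SIZE); wr32(buf + 0x34, 0x40);
    wr32(buf + 0x40, 2);                                   /* NumberOfMemoryRanges */
    wr32(buf + 0x44, 0x0007df4c); wr32(buf + 0x4c, 0x10); wr32(buf + 0x50, 0x80);
    wr32(buf + 0x54, 0x7c90e494); wr32(buf + 0x5c, 0x20); wr32(buf + 0x60, 0x90);
    return 0x100;
}

int main(void) {
    uint8_t buf[0x100];
    md_range r[8];
    size_t len = md_build_sample(buf, sizeof buf);
    int n = md_memory_ranges(buf, len, r, 8);
    for (int i = 0; i < n; i++)
        printf("%d %08x %08llx %08x\n", i, r[i].mem.rva,
               (unsigned long long)r[i].start, r[i].mem.data_size);
    return n < 0;
}
```

Every count and RVA is checked against the file length before it is used, so a truncated or corrupted dump yields -1 instead of an out-of-bounds read.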
> ok std::string is available it seems

> to use std::string
>
> add
>
> USE_STL =1
> and
> USE_NATIVE_EH =1
>
> to the sources file
>
> add
>
> #include <string> no .h at end only string
> using namespace std;
>
> to the actual .cpp file where you use std::string
>
> instead of the global allocation passing a Buffer
>
> special cased MiniDumpNormal
>
> this seems to compile link and run
>
> void MiniDumpTypeName (ULONG64 Flags, PCHAR Buff, ULONG Buffsize)

Better still, instead of passing in a PCHAR and ULONG (formally, that
should be a SIZE_T, not a ULONG), pass in just one parameter,

std::string & Output

and instead of that ugly string copy at the end, you already have the
result formed!

I stopped using buffer/length pairs years ago, and the number of errors I
have has gone down dramatically.

C++, used properly, can make your life really easy. When I first
encountered the concept of “string” as character array when I learned C
back in 1975, my first reaction was “this is total crap” and nothing in
the last 37 years has proven otherwise. By 1976 I had written a library
that would be recognizable as the “_s” versions of modern C. But I missed
the flexible strings that real languages supported. I got them back in
1995 when I started using MFC, and now I will use CString or std::string
as my ONLY string representation. Mostly CString, because it has the same
power as std::string and I mostly write MFC code. I even have a lecture
segment called “When MFC meets System Programming”, where I show that you
don’t really need char/w_char/TCHAR arrays at all. The number of times
I’ve used character arrays in the last 17 years is vanishingly small.
joe

>
> {
>
> struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;
>
> int i = 0;
>
> int mask = 0;
>
> string TempBuff;
>
> while ( mask < MiniDumpValidTypeFlags )
>
> {
>
> if (Flags == MiniDumpNormal)
>
> {
>
> TempBuff.append("MiniDumpNormal");
>
> goto end;
>
> }
>
> if( (mask) && ((Flags & mask ) == mask ) )
>
> {
>
> if(mlk->Value == mask)
>
> {
>
> TempBuff.append (
>
> "\n "
>
> );
>
> TempBuff.append (
>
> mlk->Str
>
> );
>
> }
>
> }
>
> mask = 1 << i;
>
> i++;
>
> mlk++;
>
> }
>
> end:
>
> strncpy_s(
>
> Buff,
>
> Buffsize-2,
>
> TempBuff.data(),
>
> _TRUNCATE
>
> );
>
> return;
>
> MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC + 5:30)
> MINIDUMP_HEADER Flags = 21
>
> MiniDumpWithDataSegs
> MiniDumpWithUnloadedModules
> Stream# StreamType StreamName Size RVA
> 0 00000003 ThreadListStream 000000c4 00000160
>
>> On 5/6/12, xxxxx@flounder.com wrote:
>>> CString is probably not available for wdk builds, but std::string is
>>> part
>>> of the C++ Standard.
>>>
>>> But if you use std::string you have to include the correct header
>>> files,
>>> and remember to either specify the namespace as a default or always
>>> prepend std:: to names that are part of that namespace.
>>>
>>> joe
>>>
>>>
>>>> thanks Dr Newcomer,
>>>>
>>>> for the comments i am not aware if i can use those
>>>> Cstring and std::string constructs in wdk build environment
>>>>
>>>> i tried using them some time back and all i got was lots and lots of
>>>> compile errors
>>>>
>>>> starting with cannot find <string> note not <string.h> plain <string>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 5/6/12, xxxxx@flounder.com wrote:
>>>>> char * sep = "";
>>>>>
>>>>> #define ShowBit(something, x) if ((something) & (x)) { printf("%s", sep); printf(#x); sep = " | "; }
>>>>>
>>>>> if(value == MiniDumpNormal)
>>>>> printf("MiniDumpNormal");
>>>>> else
>>>>> {
>>>>> ShowBit(value, MiniDumpWithSegs);
>>>>> ShowBit(value, MiniDumpSomeOtherKind);
>>>>> ShowBit(value, MiniDumpYetOnOtherType);
>>>>> }
>>>>>
>>>>> Note this does require you special-case the “0” type.
>>>>> joe
>>>>>
>>>>>> Thanks Dr Newcomer,
>>>>>>
>>>>>> for posting the #defines
>>>>>> PMDST(something, x) if((something) == (x)) printf(#x)
>>>>>>
>>>>>> switch(something)
>>>>>> {
>>>>>> #define MDSTcase(x) case x: printf(#x); break
>>>>>> MDSTcase(UnusedStream);
>>>>>> ----
>>>>>> #undef MDSTcase
>>>>>> }
>>>>>>
>>>>>> i at the moment used what tim posted in one of the earlier posts
>>>>>>
>>>>>> now on to next question
>>>>>>
>>>>>> typedef enum _MINIDUMP_TYPE {
>>>>>> MiniDumpNormal = 0x00000000,
>>>>>> MiniDumpWithDataSegs = 0x00000001,
>>>>>>
>>>>>> -------
>>>>>> MiniDumpWithUnloadedModules = 0x00000020,
>>>>>> ----
>>>>>> }MINIDUMP_TYPE;
>>>>>>
>>>>>>
>>>>>> now if i have a flag of 21
>>>>>>
>>>>>> i should be printing all the three strings isnt it ??
>>>>>>
>>>>>> int mask = 0
>>>>>> if ( (Flags & mask) == mask)
>>>>>> {
>>>>>>
>>>>>> dont know why Dumpchk omits the flag 0 MiniDumpNormal i can start
>>>>>> with
>>>>>>
>>>>>> int mask = 1; to get the same behavior but i dont think that would
>>>>>> print the MiniDumpNormal String ever
>>>>>>
>>>>>> here is a sample snippet i glued together to parse the Flags and
>>>>>> print
>>>>>> out the MiniDumptypes
>>>>>>
>>>>>>
>>>>>>
>>>>>> struct MiniDumpTypeLookup {
>>>>>>
>>>>>> int Value;
>>>>>>
>>>>>> PSTR Str;
>>>>>>
>>>>>> } MiniDumpTypeLookupTable[] = {
>>>>>>
>>>>>> MAKE_LOOKUP( MiniDumpNormal ),
>>>>>>
>>>>>> MAKE_LOOKUP( MiniDumpWithDataSegs ),
>>>>>>
>>>>>> -------
>>>>>>
>>>>>> MAKE_LOOKUP( MiniDumpValidTypeFlags ),
>>>>>>
>>>>>> { 0 , NULL }
>>>>>>
>>>>>> };
>>>>>>
>>>>>> char MiniDumpTypeNameBuff[0x1000] = {0};
>>>>>
>>>>> As soon as you declare a character array of a fixed size, you have
>>>>> already
>>>>> lost. This should never be written, anywhere. It is dead, obsolete,
>>>>> C
>>>>> code. Use std::string or CString data types instead. I would no
>>>>> more
>>>>> do
>>>>> this than write in assembly code.
>>>>>
>>>>> And why is this declared as a static variable global to the function
>>>>> instead of as a stack local? It isn’t thread-safe, and it represents
>>>>> an
>>>>> antiquated programming pattern that is best dead and buried
>>>>>

>>>>>>
>>>>>> PCHAR MiniDumpTypeName (ULONG64 Flags)
>>>>>>
>>>>>> {
>>>>>>
>>>>>> struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;
>>>>>>
>>>>>> int i = 0;
>>>>>>
>>>>>> int mask = 0;
>>>>>>
>>>>>> while ( mask < 0x7ffff )
>>>>>
>>>>> Wrong test. I have no idea what this is testing, but it would never
>>>>> occur
>>>>> to me to write this code
>>>>>

>>>>>>
>>>>>> {
>>>>>>
>>>>>> if( (Flags & mask ) == mask )
>>>>>>
>>>>>> {
>>>>>>
>>>>>> if(mlk->Value == mask)
>>>>>>
>>>>>> {
>>>>>>
>>>>>> strncat_s(
>>>>>>
>>>>>> MiniDumpTypeNameBuff,
>>>>>>
>>>>>> sizeof(MiniDumpTypeNameBuff),
>>>>>
>>>>> Note that you have made a consistent error in all the programs, which
>>>>> I
>>>>> did not attempt to correct: that the program always and forever uses
>>>>> 8-bit
>>>>> character strings. You should either assume Unicode or code
>>>>> Unicode-aware, using T-data types, _T() for literals, etc. Note that
>>>>> I
>>>>> prefer, when doing bit masks, to use the vertical bar (with spaces
>>>>> around
>>>>> it) as the separator, which is more in keeping with how a programmer
>>>>> thinks of the bit fields.
>>>>>***
>>>>>>
>>>>>> "\n ",
>>>>>>
>>>>>> _TRUNCATE
>>>>>>
>>>>>> );
>>>>>>
>>>>>> strncat_s(
>>>>>>
>>>>>> MiniDumpTypeNameBuff,
>>>>>>
>>>>>> sizeof(MiniDumpTypeNameBuff),
>>>>>>
>>>>>> mlk->Str,
>>>>>>
>>>>>> _TRUNCATE
>>>>>>
>>>>>> );
>>>>>>
>>>>>> }
>>>>>>
>>>>>> }
>>>>>>
>>>>>> mask = 1 << i;
>>>>>>
>>>>>> i++;
>>>>>>
>>>>>> mlk++;
>>>>>>
>>>>>> }
>>>>>>
>>>>>> return MiniDumpTypeNameBuff;
>>>>>
>>>>> This makes no sense; you are returning a pointer to a buffer which is
>>>>> statically allocated. Bad practice, not thread-safe, potentially a
>>>>> disaster.
>>>>>
>>>>> Again, avoid C data types and use std::string or CString types.
>>>>> Programming applications in C is about as antiquated as programming
>>>>> applications in assembly code.
>>>>>

>>>>>>
>>>>>> }
>>>>>>
>>>>>> i get an output like this
>>>>>>
>>>>>> MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC + 5:30)
>>>>>> MINIDUMP_HEADER Flags = 21
>>>>>> MiniDumpNormal
>>>>>> MiniDumpWithDataSegs
>>>>>>
>>>>>> MiniDumpWithUnloadedModules
>>>>>
>>>>> No surprise, because you have to special-case the 0 flag value. Look
>>>>> at
>>>>> your code:
>>>>>
>>>>> if((Flags & 0) == 0)
>>>>>
>>>>> which is going to be always true. If you want to make a
>>>>> fully-general
>>>>> subroutine, you can impose rules like “the first entry in the table
>>>>> might
>>>>> be a zero value, special-case the first entry” or even more general,
>>>>> if
>>>>> the value Flags is 0, scan the table for the 0 value, print it and
>>>>> return,
>>>>> else iterate the bit mask as you have done.
>>>>>

>>>>>>
>>>>>> whereas dumpchk prints out
>>>>>>
>>>>>> Debug session time: Tue Mar 27 01:22:16.000 2012 (UTC + 5:30)
>>>>>> System Uptime: not available
>>>>>> Process Uptime: not available
>>>>>> …
>>>>>> Loading unloaded module list
>>>>>> …
>>>>>> This dump file has an exception of interest stored in it.
>>>>>> The stored exception information can be accessed via .ecxr.
>>>>>> (f0f0f0f0.9e8): Access violation - code c0000005 (first/second chance not available)
>>>>>> ----- User Mini Dump Analysis
>>>>>>
>>>>>> MINIDUMP_HEADER:
>>>>>> Version A793 (6003)
>>>>>> NumberOfStreams 8
>>>>>> Flags 21
>>>>>> 0001 MiniDumpWithDataSegs
>>>>>> 0020 MiniDumpWithUnloadedModules
>>>>>>
>>>>>>
>>>>>
>>>>> That’s because they properly handle the 0 case.
>>>>> joe
>>>>>

>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/6/12, xxxxx@flounder.com wrote:
>>>>>>> No, the question isn’t stupid, it just reflects one of the major
>>>>>>> defects
>>>>>>> of the C language: the lack of reflection.
>>>>>>>
>>>>>>> The correct way to handle this is definitely NOT
>>>>>>>
>>>>>>> if(something == 3) printf("ThreadListStream");
>>>>>>>
>>>>>>> it would be correct, but tedious, to handle every case correctly, by
>>>>>>> typing
>>>>>>>
>>>>>>> if(something == ThreadListStream) printf("ThreadListStream")
>>>>>>>
>>>>>>> I fail to see any purpose in using the constant “3” when there is a
>>>>>>> perfectly good name!
>>>>>>>
>>>>>>> However, I have used a couple techniques
>>>>>>>
>>>>>>> #define PMDST(something, x) if((something) == (x)) printf(#x)
>>>>>>>
>>>>>>> then you can write
>>>>>>>
>>>>>>> PMDST(something, UnusedStream);
>>>>>>> else
>>>>>>> PMDST(something, ThreadListStream);
>>>>>>> else
>>>>>>> …
>>>>>>> else
>>>>>>> printf("Unknown stream type %d", something);
>>>>>>>
>>>>>>> or, I’ll sometimes do
>>>>>>>
>>>>>>> switch(something)
>>>>>>> {
>>>>>>> #define MDSTcase(x) case x: printf(#x); break
>>>>>>> MDSTcase(UnusedStream);
>>>>>>> MDSTcase(ThreadListStream);
>>>>>>> …
>>>>>>> default:
>>>>>>> printf("Unknown stream type %d", something);
>>>>>>> break;
>>>>>>> #undef MDSTcase
>>>>>>> }
>>>>>>>
>>>>>>> It depends on my mood which one I might use.
>>>>>>> joe
>>>>>>>> THIS must be a STUPID c 101 QUESTION
>>>>>>>> still i will ask it
>>>>>>>>
>>>>>>>> dbghelp.h has this declared
>>>>>>>>
>>>>>>>> typedef enum _MINIDUMP_STREAM_TYPE {
>>>>>>>>
>>>>>>>> UnusedStream = 0,
>>>>>>>> ReservedStream0 = 1,
>>>>>>>> ReservedStream1 = 2,
>>>>>>>> ThreadListStream = 3,
>>>>>>>> ModuleListStream = 4, … s ON
>>>>>>>> }
>>>>>>>>
>>>>>>>> now if i want to printf
>>>>>>>>
>>>>>>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff; MiniDir->StreamType,
>>>>>>>>
>>>>>>>> say if 3 printf (“ThreadListStream”);
>>>>>>>>
>>>>>>>> should i be doing it like this ?? error prone copy paste modify by
>>>>>>>> hand of the enum from dbghelp.h ?? like below
>>>>>>>>
>>>>>>>>
>>>>>>>> PSTR
>>>>>>>>
>>>>>>>> __cdecl
>>>>>>>>
>>>>>>>> MiniStreamTypeName (
>>>>>>>> int StreamType
>>>>>>>> )
>>>>>>>> {
>>>>>>>> PSTR Ministr[] = {
>>>>>>>>
>>>>>>>> "UnusedStream",
>>>>>>>> "ReservedStream0",
>>>>>>>> "ReservedStream1",
>>>>>>>> "ThreadListStream",
>>>>>>>> "ModuleListStream",
>>>>>>>> …
>>>>>>>> …
>>>>>>>> …
>>>>>>>>
>>>>>>>> };
>>>>>>>> return Ministr[StreamType];
>>>>>>>> }
>>>>>>>>
>>>>>>>>
>>>>>>>> and call it with say
>>>>>>>>
>>>>>>>> printf(
>>>>>>>> "%7d %08x\x20\x20\x20\x20 %-30s %08x %08x\n",
>>>>>>>> i,
>>>>>>>> MiniDir->StreamType,
>>>>>>>> MiniStreamTypeName(MiniDir->StreamType),
>>>>>>>> MiniDir->Location.DataSize,
>>>>>>>> MiniDir->Location.Rva
>>>>>>>> );
>>>>>>>>
>>>>>>>> this seems to work though i feel this must really not be the way
>>>>>>>> to
>>>>>>>> go
>>>>>>>> about
>>>>>>>>
>>>>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>>>>
>>>>>>>> Minidump Header Signature = 504d444d
>>>>>>>> MINIDUMP_VERSION = 0000a793
>>>>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>>>>> Stream# StreamType StreamName Size RVA
>>>>>>>> 0 00000003 ThreadListStream 000000c4 00000160
>>>>>>>> 1 00000004 ModuleListStream 00001a2c 00000224
>>>>>>>> 2 0000000e UnloadedModuleListStream 00000114 00001c50
>>>>>>>> 3 00000005 MemoryListStream 00000094 000048c4
>>>>>>>> 4 00000006 ExceptionStream 000000a8 000000b8
>>>>>>>> 5 00000007 SystemInfoStream 00000038 00000080
>>>>>>>> 6 00000000 UnusedStream 00000000 00000000
>>>>>>>> 7 00000000 UnusedStream 00000000 00000000
>>>>>>>> Dump Header Dumped
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 5/3/12, raj_r wrote:
>>>>>>>>> thanks jen for answering fast
>>>>>>>>> it seems i am able to get the directories and rvas with code
>>>>>>>>> below
>>>>>>>>>
>>>>>>>>> ftell(fp);
>>>>>>>>>
>>>>>>>>> ULONG NumberOfStreams = MiniHeader->NumberOfStreams;
>>>>>>>>>
>>>>>>>>> for (ULONG i = 0; i < NumberOfStreams; i++)
>>>>>>>>> {
>>>>>>>>> fread(
>>>>>>>>> Buff,
>>>>>>>>> 1,
>>>>>>>>> sizeof(MINIDUMP_DIRECTORY),
>>>>>>>>> fp
>>>>>>>>> );
>>>>>>>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff;
>>>>>>>>> printf(
>>>>>>>>> "StreamType\t%08x\tSize\t%08x\tRva\t%08x\n",
>>>>>>>>> MiniDir->StreamType,
>>>>>>>>> MiniDir->Location.DataSize,
>>>>>>>>> MiniDir->Location.Rva
>>>>>>>>> );
>>>>>>>>> ftell(fp);
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> StreamType 00000003 Size 000000c4 Rva 00000160
>>>>>>>>> StreamType 00000004 Size 00001a2c Rva 00000224
>>>>>>>>> StreamType 0000000e Size 00000114 Rva 00001c50
>>>>>>>>> StreamType 00000005 Size 00000094 Rva 000048c4
>>>>>>>>> StreamType 00000006 Size 000000a8 Rva 000000b8
>>>>>>>>> StreamType 00000007 Size 00000038 Rva 00000080
>>>>>>>>> StreamType 00000000 Size 00000000 Rva 00000000
>>>>>>>>> StreamType 00000000 Size 00000000 Rva 00000000
>>>>>>>>> Dump Header Dumped
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> t>Dumpchk test.dmp | grep -i stream
>>>>>>>>> Loading dump file test.dmp
>>>>>>>>> NumberOfStreams 8
>>>>>>>>> Streams:
>>>>>>>>> Stream 0: type ThreadListStream (3), size 000000C4, RVA 00000160
>>>>>>>>> Stream 1: type ModuleListStream (4), size 00001A2C, RVA 00000224
>>>>>>>>> Stream 2: type UnloadedModuleListStream (14), size 00000114, RVA 00001C50
>>>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>>>> Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000B8
>>>>>>>>> Stream 5: type SystemInfoStream (7), size 00000038, RVA 00000080
>>>>>>>>> Stream 6: type UnusedStream (0), size 00000000, RVA 00000000
>>>>>>>>> Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> so all left is to parse and the remaining bytes
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 5/3/12, Jen-Lung Chiu wrote:
>>>>>>>>>> Yes no API support to get those data from dump headers.
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: xxxxx@lists.osr.com
>>>>>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>>>>>> Sent: Wednesday, May 2, 2012 01:37 PM
>>>>>>>>>> To: Kernel Debugging Interest List
>>>>>>>>>> Subject: Re: [windbg] Error when reading user stream from dump
>>>>>>>>>> file
>>>>>>>>>>
>>>>>>>>>> Thanks jen
>>>>>>>>>>
>>>>>>>>>> So I Need To do Something Like below Myself no request or interface exist ??
>>>>>>>>>>
>>>>>>>>>> int __cdecl DumpDumpHeader(void) {
>>>>>>>>>>     HRESULT status = S_OK;
>>>>>>>>>>     PMINIDUMP_HEADER MiniHeader;
>>>>>>>>>>     FILE * fp;
>>>>>>>>>>     size_t result;
>>>>>>>>>>
>>>>>>>>>>     if (( fp = fopen( "test.dmp", "rb" ) ) == 0 ) {
>>>>>>>>>>         Exit ( FALSE, "fopen ( %s ) Failed", "test.dmp" );
>>>>>>>>>>     }
>>>>>>>>>>     // Read exactly one MINIDUMP_HEADER from the start of the file.
>>>>>>>>>>     if (( result = fread( Buff, 1, sizeof(MINIDUMP_HEADER), fp ) ) != sizeof(MINIDUMP_HEADER)) {
>>>>>>>>>>         Exit( FALSE, "fread(fp) failed\n" );
>>>>>>>>>>     }
>>>>>>>>>>     MiniHeader = (PMINIDUMP_HEADER)Buff;
>>>>>>>>>>     printf(
>>>>>>>>>>         "Minidump Header Signature = %08x\n"
>>>>>>>>>>         "MINIDUMP_VERSION = %08x\n"
>>>>>>>>>>         "MINIDUMP_VERSION(Internal) = %08x\n"
>>>>>>>>>>         "MINIDUMP_HEADER NumberofStreams = %08x\n"
>>>>>>>>>>         "MINIDUMP_HEADER StreamDirectoryRVA = %08x\n"
>>>>>>>>>>         "MINIDUMP_HEADER CheckSum = %08x\n"
>>>>>>>>>>         "MINIDUMP_HEADER reserved = %08x\n"
>>>>>>>>>>         "MINIDUMP_HEADER TimeDateStamp = %08x\n"
>>>>>>>>>>         "MINIDUMP_HEADER Flags = %08I64x\n",   // Flags is a ULONG64
>>>>>>>>>>         MiniHeader->Signature,
>>>>>>>>>>         LOWORD(MiniHeader->Version),
>>>>>>>>>>         HIWORD(MiniHeader->Version),
>>>>>>>>>>         MiniHeader->NumberOfStreams,
>>>>>>>>>>         MiniHeader->StreamDirectoryRva,
>>>>>>>>>>         MiniHeader->CheckSum,
>>>>>>>>>>         MiniHeader->Reserved,
>>>>>>>>>>         MiniHeader->TimeDateStamp,
>>>>>>>>>>         MiniHeader->Flags
>>>>>>>>>>     );
>>>>>>>>>>     fclose(fp);
>>>>>>>>>>     return status;
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>>>>>>
>>>>>>>>>> Minidump Header Signature = 504d444d
>>>>>>>>>> MINIDUMP_VERSION = 0000a793
>>>>>>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>>>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>>>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>>>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>>>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>>>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>>>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>>>>>>> Dump Header Dumped
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ----- User Mini Dump Analysis
>>>>>>>>>>
>>>>>>>>>> MINIDUMP_HEADER:
>>>>>>>>>> Version A793 (6003)
>>>>>>>>>> NumberOfStreams 8
>>>>>>>>>> Flags 21
>>>>>>>>>> 0001 MiniDumpWithDataSegs
>>>>>>>>>> 0020 MiniDumpWithUnloadedModules
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 5/2/12, Jen-Lung Chiu wrote:
>>>>>>>>>>> You could check MSDN or dbghelp.h for user-mode minidump format, then
>>>>>>>>>>> use binary editor to browse the dump file.
>>>>>>>>>>>
>>>>>>>>>>> The user-mode minidump starts with a MINIDUMP_HEADER structure, then
>>>>>>>>>>> follows a list of MINIDUMP_DIRECTORY structure (the number of
>>>>>>>>>>> MINIDUMP_DIRECTORY structures is MINIDUMP_HEADER::NumberOfStreams).
>>>>>>>>>>> The MINIDUMP_DIRECTORY block defines the type of the stream (in your
>>>>>>>>>>> case, MemoryListStream) as well as the RVA/size of the stream.
>>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: xxxxx@lists.osr.com
>>>>>>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>>>>>>> Sent: Wednesday, May 2, 2012 02:42 AM
>>>>>>>>>>> To: Kernel Debugging Interest List
>>>>>>>>>>> Subject: Re: [windbg] Error when reading user stream from dump
>>>>>>>>>>> file
>>>>>>>>>>>
>>>>>>>>>>> ok changing the ULONG64 of Debughelp.chm to DWORD of Debughelp.h it
>>>>>>>>>>> seems now i can dump the MemoryListStream below is code and output
>>>>>>>>>>> Dissections are Welcome
>>>>>>>>>>>
>>>>>>>>>>> #include <stdio.h>
>>>>>>>>>>> #include <engextcpp.hpp>
>>>>>>>>>>> #include <dbghelp.h>
>>>>>>>>>>>
>>>>>>>>>>> const ULONG MBUFFSIZE = 0x1000;
>>>>>>>>>>>
>>>>>>>>>>> IDebugClient*    g_Client;
>>>>>>>>>>> IDebugControl*   g_Control;
>>>>>>>>>>> IDebugAdvanced2* g_Advanced2;
>>>>>>>>>>> PVOID            Buff;
>>>>>>>>>>>
>>>>>>>>>>> // Release the debugger interfaces and the buffer, print the message, exit.
>>>>>>>>>>> void
>>>>>>>>>>> Exit( __in int Code,
>>>>>>>>>>>       __in PCSTR Format,
>>>>>>>>>>>       ...)
>>>>>>>>>>> {
>>>>>>>>>>>     if (g_Client != NULL) {
>>>>>>>>>>>         g_Client->EndSession(DEBUG_END_DISCONNECT);
>>>>>>>>>>>         g_Client->Release();
>>>>>>>>>>>         g_Client = NULL;
>>>>>>>>>>>     }
>>>>>>>>>>>     if (g_Control != NULL) {
>>>>>>>>>>>         g_Control->Release();
>>>>>>>>>>>         g_Control = NULL;
>>>>>>>>>>>     }
>>>>>>>>>>>     if (g_Advanced2 != NULL) {
>>>>>>>>>>>         g_Advanced2->Release();
>>>>>>>>>>>         g_Advanced2 = NULL;
>>>>>>>>>>>     }
>>>>>>>>>>>     if( Buff != NULL) {
>>>>>>>>>>>         free(Buff);
>>>>>>>>>>>     }
>>>>>>>>>>>     if (Format != NULL) {
>>>>>>>>>>>         va_list Args;
>>>>>>>>>>>         va_start(Args, Format);
>>>>>>>>>>>         vfprintf(stderr, Format, Args);
>>>>>>>>>>>         va_end(Args);
>>>>>>>>>>>     }
>>>>>>>>>>>     exit(Code);
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> int __cdecl DumpMemoryListStream(void){
>>>>>>>>>>>     HRESULT status;
>>>>>>>>>>>
>>>>>>>>>>>     // Create the debugger client and query the interfaces used below.
>>>>>>>>>>>     if ( ( status = DebugCreate(
>>>>>>>>>>>         __uuidof(IDebugClient),
>>>>>>>>>>>         (void **)&g_Client
>>>>>>>>>>>         ) ) != S_OK) {
>>>>>>>>>>>         Exit( FALSE, "%s ( %s ) Failed %08x\n", "DebugCreate", "IDebugClient", status);
>>>>>>>>>>>     }
>>>>>>>>>>>     if ( ( status = g_Client->QueryInterface(
>>>>>>>>>>>         __uuidof(IDebugControl),
>>>>>>>>>>>         (void**)&g_Control
>>>>>>>>>>>         ) ) != S_OK ) {
>>>>>>>>>>>         Exit( FALSE, "%s ( %s ) Failed %08x\n", "QueryInterface", "IDebugControl", status);
>>>>>>>>>>>     }
>>>>>>>>>>>     if ( ( status = g_Client->QueryInterface(
>>>>>>>>>>>         __uuidof(IDebugAdvanced2),
>>>>>>>>>>>         (void**)&g_Advanced2
>>>>>>>>>>>         )) != S_OK ) {
>>>>>>>>>>>         Exit( FALSE, "%s ( %s ) Failed %08x\n", "QueryInterface", "IDebugAdvanced2", status);
>>>>>>>>>>>     }
>>>>>>>>>>>     if (( status = g_Client->OpenDumpFile( "test.dmp" )) != S_OK ) {
>>>>>>>>>>>         Exit( FALSE, "%s ( %s ) Failed %08x\n", "g_Client", "OpenDumpFile", status);
>>>>>>>>>>>     }
>>>>>>>>>>>     if (( status = g_Control->WaitForEvent( 0, INFINITE ) ) != S_OK ) {
>>>>>>>>>>>         Exit( FALSE, "%s ( %s ) Failed %08x\n", "g_Control", "WaitForEvent", status);
>>>>>>>>>>>     }
>>>>>>>>>>>
>>>>>>>>>>>     PVOID OutBuffer;
>>>>>>>>>>>     ULONG OutBufferSize;
>>>>>>>>>>>     ULONG OutSize;
>>>>>>>>>>>     PMINIDUMP_MEMORY_LIST mml;
>>>>>>>>>>>     DEBUG_READ_USER_MINIDUMP_STREAM InBuffer;
>>>>>>>>>>>
>>>>>>>>>>>     // Ask for the MemoryListStream; the engine copies it into Buff.
>>>>>>>>>>>     InBuffer.StreamType = MemoryListStream;
>>>>>>>>>>>     InBuffer.Flags = 0;
>>>>>>>>>>>     InBuffer.Offset = 0;
>>>>>>>>>>>     InBuffer.Buffer = Buff;
>>>>>>>>>>>     InBuffer.BufferSize = MBUFFSIZE;
>>>>>>>>>>>     InBuffer.BufferUsed = 0;
>>>>>>>>>>>     OutBuffer = NULL;
>>>>>>>>>>>     OutBufferSize = 0;
>>>>>>>>>>>
>>>>>>>>>>>     if (( status = g_Advanced2->Request(
>>>>>>>>>>>         DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>>>>>>>         &InBuffer,
>>>>>>>>>>>         sizeof(InBuffer),
>>>>>>>>>>>         OutBuffer,
>>>>>>>>>>>         OutBufferSize,
>>>>>>>>>>>         &OutSize
>>>>>>>>>>>         ) ) != S_OK ) {
>>>>>>>>>>>         Exit(
>>>>>>>>>>>             FALSE,
>>>>>>>>>>>             "%s (\n"
>>>>>>>>>>>             "\t%s,\n"
>>>>>>>>>>>             "\t%s\n\t) Failed %08x\n",
>>>>>>>>>>>             "g_Advanced2->Request",
>>>>>>>>>>>             "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
>>>>>>>>>>>             "MemoryListStream",
>>>>>>>>>>>             status);
>>>>>>>>>>>     }
>>>>>>>>>>>
>>>>>>>>>>>     mml = (PMINIDUMP_MEMORY_LIST)Buff;
>>>>>>>>>>>     printf (
>>>>>>>>>>>         " Number Of Memory ranges = %x\n\n"
>>>>>>>>>>>         " range# RVA Address Size\n",
>>>>>>>>>>>         mml->NumberOfMemoryRanges
>>>>>>>>>>>     );
>>>>>>>>>>>     for (ULONG i = 0; i < mml->NumberOfMemoryRanges; i++) {
>>>>>>>>>>>         printf(
>>>>>>>>>>>             " %d %08x %08I64x %08x\n",
>>>>>>>>>>>             i,
>>>>>>>>>>>             mml->MemoryRanges[i].Memory.Rva,
>>>>>>>>>>>             mml->MemoryRanges[i].StartOfMemoryRange,
>>>>>>>>>>>             mml->MemoryRanges[i].Memory.DataSize
>>>>>>>>>>>         );
>>>>>>>>>>>     }
>>>>>>>>>>>     Exit(
>>>>>>>>>>>         TRUE,
>>>>>>>>>>>         "%s (\n"
>>>>>>>>>>>         "\t%s,\n"
>>>>>>>>>>>         "\t%s\n\t) Succeeded %08x\n",
>>>>>>>>>>>         "g_Advanced2->Request",
>>>>>>>>>>>         "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
>>>>>>>>>>>         "MemoryListStream",
>>>>>>>>>>>         status);
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> int __cdecl main (void){
>>>>>>>>>>>     Buff = (PVOID) malloc( MBUFFSIZE );
>>>>>>>>>>>     if(Buff == 0) {
>>>>>>>>>>>         printf( "malloc failed\n" );
>>>>>>>>>>>         Exit ( FALSE, "malloc Failed \n");
>>>>>>>>>>>     }
>>>>>>>>>>>     printf("\n\n -====Dumping MemoryListStream From Memory Dump====-\n\n");
>>>>>>>>>>>     DumpMemoryListStream();
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> t>OpenDumpStream.exe
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -====Dumping MemoryListStream From Memory Dump====-
>>>>>>>>>>>
>>>>>>>>>>> Number Of Memory ranges = 9
>>>>>>>>>>>
>>>>>>>>>>> range# RVA Address Size
>>>>>>>>>>> 0 00004958 0007df4c 000020b4
>>>>>>>>>>> 1 00006a0c 7c90e494 00000100
>>>>>>>>>>> 2 00006b0c 00ccff98 00000068
>>>>>>>>>>> 3 00006b74 7c90e494 00000100
>>>>>>>>>>> 4 00006c74 00f1bcac 00004354
>>>>>>>>>>> 5 0000afc8 7c90e494 00000100
>>>>>>>>>>> 6 0000b0c8 009cfe14 000001ec
>>>>>>>>>>> 7 0000b2b4 7c90e494 00000100
>>>>>>>>>>> 8 0000b3b4 00447000 000165a8
>>>>>>>>>>> g_Advanced2->Request (
>>>>>>>>>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>>>>>>>>> MemoryListStream
>>>>>>>>>>> ) Succeeded 00000000
>>>>>>>>>>>
>>>>>>>>>>> same dmp checked via dumpchk util
>>>>>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>>>>>> 9 memory ranges
>>>>>>>>>>> range# RVA Address Size
>>>>>>>>>>> 0 00004958 0007df4c 000020b4
>>>>>>>>>>> 1 00006A0C 7c90e494 00000100
>>>>>>>>>>> 2 00006B0C 00ccff98 00000068
>>>>>>>>>>> 3 00006B74 7c90e494 00000100
>>>>>>>>>>> 4 00006C74 00f1bcac 00004354
>>>>>>>>>>> 5 0000AFC8 7c90e494 00000100
>>>>>>>>>>> 6 0000B0C8 009cfe14 000001ec
>>>>>>>>>>> 7 0000B2B4 7c90e494 00000100
>>>>>>>>>>> 8 0000B3B4 00447000 000165a8
>>>>>>>>>>> Total memory: 1d004
>>>>>>>>>>>
>>>>>>>>>>> one question remains
>>>>>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>>>>>> i can get the 94 from outsize 1d004 from adding up all sizes what
>>>>>>>>>>> should i use to get the rva 48c4 ?
>>>>>>>>>>>
>>>>>>>>>>> On 5/2/12, raj_r wrote:
>>>>>>>>>>>> note to self
>>>>>>>>>>>> when in doubt refer header file do not refer chm or web or random
>>>>>>>>>>>> tidbits in obscure corners of internet
>>>>>>>>>>>>
>>>>>>>>>>>> this seem to be a documentation glitch in debugger.chm
>>>>>>>>>>>>
>>>>>>>>>>>> in debughelp.h it is dword
>>>>>>>>>>>>
>>>>>>>>>>>> typedef DWORD RVA;
>>>>>>>>>>>> typedef ULONG64 RVA64;
>>>>>>>>>>>>
>>>>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>>>>>>>>> ULONG32 DataSize;
>>>>>>>>>>>> RVA Rva;
>>>>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>>>>>>>>
>>>>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
>>>>>>>>>>>> ULONG64 DataSize;
>>>>>>>>>>>> RVA64 Rva;
>>>>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR64;
>>>>>>>>>>>>
>>>>>>>>>>>> On 5/2/12, raj_r wrote:
>>>>>>>>>>>>> Thanks Tim
>>>>>>>>>>>>>
>>>>>>>>>>>>> you wrote
>>>>>>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR has
>>>>>>>>>>>>> 32-bit size and 32-bit RVA,
>>>>>>>>>>>>>
>>>>>>>>>>>>> the debughelp.chm has this
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> MINIDUMP_LOCATION_DESCRIPTOR Structure
>>>>>>>>>>>>>
>>>>>>>>>>>>> Contains information describing the location of a data stream within
>>>>>>>>>>>>> a minidump file.
>>>>>>>>>>>>>
>>>>>>>>>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>>>>>>>>>>>   ULONG64 DataSize;
>>>>>>>>>>>>>   RVA64 Rva;
>>>>>>>>>>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>>>>>>>>>>
>>>>>>>>>>>>> Members
>>>>>>>>>>>>>
>>>>>>>>>>>>> DataSize
>>>>>>>>>>>>> The size of the data stream, in bytes.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rva
>>>>>>>>>>>>> The relative virtual address (RVA) of the data. This is the byte
>>>>>>>>>>>>> offset of the data stream from the beginning of the minidump file.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 5/2/12, Tim Roberts wrote:
>>>>>>>>>>>>>> raj_r wrote:
>>>>>>>>>>>>>>> not exactly related to ops question but it is regarding request of
>>>>>>>>>>>>>>> streamtype MemoryListStream …
>>>>>>>>>>>>>>> 00681438 00000009 0007df4c 00000000 000020b4
>>>>>>>>>>>>>>> 00681448 00004958 7c90e494 00000000 00000100
>>>>>>>>>>>>>>> 00681458 baadf00d baadf00d baadf00d baadf00d
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> i understand the first dword 9 is NumberofMemoryRanges
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> does the second QWORD 7df4c point to MemoryRanges[0].StartofMemoryRange ??
>>>>>>>>>>>>>>> and subsequent dwords point to …Datasize and … RVA ??
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> They don’t POINT to those things. They CONTAIN those things. The
>>>>>>>>>>>>>> MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges,
>>>>>>>>>>>>>> followed by an array of MINIDUMP_MEMORY_DESCRIPTOR. The
>>>>>>>>>>>>>> MINIDUMP_MEMORY_DESCRIPTOR has a 64-bit start of range, followed by
>>>>>>>>>>>>>> a MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>>>>>> has 32-bit size and 32-bit RVA,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> these seem to be described as ULONG 64 in dbghelp.chm but windbg
>>>>>>>>>>>>>>> doesn't seem to honor it
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
>>>>>>>>>>>>>>> +0x000 NumberOfMemoryRanges : 9
>>>>>>>>>>>>>>> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
>>>>>>>>>>>>>>>    +0x000 StartOfMemoryRange : 0x7df4c
>>>>>>>>>>>>>>>    +0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>>>>>>>>>>       +0x000 DataSize : 0x20b4
>>>>>>>>>>>>>>>       +0x004 Rva : 0x4958
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> see the +4
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Those are correct. StartOfMemoryRange is 64-bit. NumberOfMemoryRanges,
>>>>>>>>>>>>>> DataSize, and Rva are all 32-bit.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> if i print it to screen with
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> printf(
>>>>>>>>>>>>>>>     "Number of memory range = %08x\t\n"
>>>>>>>>>>>>>>>     "Start of Memory Range Is %I64x\t\n"
>>>>>>>>>>>>>>>     "Data Size is %I64x\t\n"
>>>>>>>>>>>>>>>     "Rva is %I64x\t\n",
>>>>>>>>>>>>>>>     mml->NumberOfMemoryRanges,
>>>>>>>>>>>>>>>     mml->MemoryRanges[0].StartOfMemoryRange,
>>>>>>>>>>>>>>>     mml->MemoryRanges[0].Memory.DataSize,
>>>>>>>>>>>>>>>     mml->MemoryRanges[0].Memory.Rva
>>>>>>>>>>>>>>> );
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> “Data Size” and “Rva” should both be %08x.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> –
>>>>>>>>>>>>>> Tim Roberts, xxxxx@probo.com
>>>>>>>>>>>>>> Providenza & Boekelheide, Inc.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> —
>>>>>>>>>>>>>> WINDBG is sponsored by OSR
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> For our schedule of WDF, WDM, debugging and other seminars
>>>>>>>>>>>>>> visit:
>>>>>>>>>>>>>> http://www.osr.com/seminars
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> To unsubscribe, visit the List Server section of OSR Online
>>>>>>>>>>>>>> at
>>>>>>>>>>>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>

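The question left open in the quoted thread (where the RVA 48c4 comes from) is answered by the stream directory, which has to be read from the file itself. The following is an added example, not code from any poster: a bounds-checked reader for the header, directory and MemoryListStream, run on a constructed in-memory dump that carries the values printed above. The `md_*` names are made up for this example, the field offsets assume the dbghelp.h layout discussed in the thread, and the memory contents are zero-filled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MD_OK = 0, MD_ERR_TRUNCATED = -1, MD_ERR_SIGNATURE = -2,
       MD_ERR_RANGE = -3, MD_ERR_NOTFOUND = -4 };
enum { MD_HDR_SIZE = 32, MD_DIR_SIZE = 12, MD_MEMDESC_SIZE = 16,
       MD_MEMORY_LIST_STREAM = 5 };
#define MD_SIGNATURE  0x504d444du  /* Signature value printed in the thread */
#define MD_SAMPLE_LEN 0x2195cu     /* end of the last memory range in the sample */

typedef struct { uint32_t type, size, rva; } md_stream;
typedef struct { uint64_t start; uint32_t size, rva; } md_range;

/* Little-endian field access, so unaligned file bytes are never cast to structs. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* 1 when [rva, rva + size) lies inside a file of len bytes; cannot overflow. */
static int in_file(size_t len, uint32_t rva, uint64_t size) {
    return rva <= len && size <= len - rva;
}

/* Walk the MINIDUMP_DIRECTORY array and return the entry for stream `type`. */
int md_find_stream(const uint8_t *f, size_t len, uint32_t type, md_stream *out) {
    if (len < MD_HDR_SIZE) return MD_ERR_TRUNCATED;
    if (rd32(f) != MD_SIGNATURE) return MD_ERR_SIGNATURE;
    uint32_t n = rd32(f + 8), dir = rd32(f + 12); /* NumberOfStreams, StreamDirectoryRva */
    if (!in_file(len, dir, (uint64_t)n * MD_DIR_SIZE)) return MD_ERR_RANGE;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = f + dir + (size_t)i * MD_DIR_SIZE;
        if (rd32(e) != type) continue;
        out->type = type; out->size = rd32(e + 4); out->rva = rd32(e + 8);
        return in_file(len, out->rva, out->size) ? MD_OK : MD_ERR_RANGE;
    }
    return MD_ERR_NOTFOUND;
}

/* Decode MemoryListStream into out[0..max); returns the range count or an error. */
int md_memory_list(const uint8_t *f, size_t len, md_range *out, uint32_t max, uint64_t *total) {
    md_stream s;
    int rc = md_find_stream(f, len, MD_MEMORY_LIST_STREAM, &s);
    if (rc != MD_OK) return rc;
    if (s.size < 4) return MD_ERR_TRUNCATED;
    uint32_t n = rd32(f + s.rva);
    /* The count is file data: it must fit both the caller's array and the stream size. */
    if (n > max || (uint64_t)n * MD_MEMDESC_SIZE > s.size - 4) return MD_ERR_RANGE;
    *total = 0;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *d = f + s.rva + 4 + (size_t)i * MD_MEMDESC_SIZE;
        out[i].start = rd64(d); out[i].size = rd32(d + 8); out[i].rva = rd32(d + 12);
        if (!in_file(len, out[i].rva, out[i].size)) return MD_ERR_RANGE;
        *total += out[i].size;
    }
    return (int)n;
}

/* Constructed sample: header, directory and memory list filled with the values
   printed in the thread; b must hold MD_SAMPLE_LEN bytes. */
size_t md_build_sample(uint8_t *b) {
    static const uint32_t dir[8][3] = {   /* StreamType, DataSize, Rva */
        {3, 0xc4, 0x160}, {4, 0x1a2c, 0x224}, {14, 0x114, 0x1c50}, {5, 0x94, 0x48c4},
        {6, 0xa8, 0xb8}, {7, 0x38, 0x80}, {0, 0, 0}, {0, 0, 0} };
    static const uint32_t mem[9][3] = {   /* StartOfMemoryRange, DataSize, Rva */
        {0x0007df4c, 0x20b4, 0x4958}, {0x7c90e494, 0x100, 0x6a0c}, {0x00ccff98, 0x68, 0x6b0c},
        {0x7c90e494, 0x100, 0x6b74}, {0x00f1bcac, 0x4354, 0x6c74}, {0x7c90e494, 0x100, 0xafc8},
        {0x009cfe14, 0x1ec, 0xb0c8}, {0x7c90e494, 0x100, 0xb2b4}, {0x00447000, 0x165a8, 0xb3b4} };
    memset(b, 0, MD_SAMPLE_LEN);
    wr32(b, MD_SIGNATURE); wr32(b + 4, 0x6003a793); wr32(b + 8, 8); wr32(b + 12, 0x20);
    wr32(b + 20, 0x4f70c8f0); wr32(b + 24, 0x21);   /* TimeDateStamp, Flags */
    for (int i = 0; i < 8; i++)
        for (int j = 0; j < 3; j++) wr32(b + 0x20 + i * MD_DIR_SIZE + j * 4, dir[i][j]);
    wr32(b + 0x48c4, 9);                            /* NumberOfMemoryRanges */
    for (int i = 0; i < 9; i++) {
        uint8_t *d = b + 0x48c4 + 4 + i * MD_MEMDESC_SIZE;
        wr32(d, mem[i][0]); wr32(d + 8, mem[i][1]); wr32(d + 12, mem[i][2]);
    }
    return MD_SAMPLE_LEN;
}

int main(void) {
    static uint8_t file[MD_SAMPLE_LEN];
    md_range r[16]; md_stream s; uint64_t total = 0;
    size_t len = md_build_sample(file);
    if (md_find_stream(file, len, MD_MEMORY_LIST_STREAM, &s) == MD_OK)
        printf("MemoryListStream size %08x RVA %08x\n", (unsigned)s.size, (unsigned)s.rva);
    int n = md_memory_list(file, len, r, 16, &total);
    for (int i = 0; i < n; i++)
        printf("%d %08x %08llx %08x\n", i, (unsigned)r[i].rva,
               (unsigned long long)r[i].start, (unsigned)r[i].size);
    printf("Total memory: %llx\n", (unsigned long long)total);
    printf("cut short at 0x20000: %d\n", md_memory_list(file, 0x20000, r, 16, &total));
    return 0;
}
```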
Thanks Dr Newcomer

in fact after posting the reply i eliminated the pair and don't pass any
buffer at all
i let the function print and exit like below also i removed the
special case out of the while loop

void PrintMiniDumpTypeName (ULONG64 Flags)
{
    struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;
    int i = 0;
    int mask = 0;
    string TempBuff;

    // A value of 0 has no bits to test, so it is handled before the loop.
    if (Flags == MiniDumpNormal)
    {
        printf("MiniDumpNormal\n");
        return;
    }
    while ( mask < MiniDumpValidTypeFlags )
    {
        if( (mask) && ((Flags & mask ) == mask ) )
        {
            if(mlk->Value == mask)
            {
                TempBuff.append ( 44, ' ' );
                TempBuff.append ( mlk->Str );
                TempBuff.append ( "\n" );
            }
        }
        mask = 1 << i;
        i++;
        mlk++;
    }
    // Print through "%s" so the built text is never used as a format string.
    printf("%s", TempBuff.c_str());
    return;
}

On 5/7/12, xxxxx@flounder.com wrote:
>> ok std::string is available it seems
>>
>> to use std::string
>>
>> add
>>
>> USE_STL =1
>> and
>> USE_NATIVE_EH =1
>>
>> to the sources file
>>
>> add
>>
>> #include <string> no .h at end only string
>> using namespace std;
>>
>> to the actual .cpp file where you use std::string
>>
>> instead of the global allocation passing a Buffer
>>
>> special cased MiniDumpNormal
>>
>> this seems to compile link and run
>>
>> void MiniDumpTypeName (ULONG64 Flags, PCHAR Buff, ULONG Buffsize)
>
> Better still, instead of passing in a PCHAR and ULONG (formally, that
> should be a SIZE_T, not a ULONG), pass in just one parameter,
>
> std::string & Output
>
> and instead of that ugly string copy at the end, you already have the
> result formed!
>
> I stopped using buffer/length pairs years ago, and the number of errors I
> have has gone down dramatically.
>
> C++, used properly, can make your life really easy. When I first
> encountered the concept of “string” as character array when I learned C
> back in 1975, my first reaction was “this is total crap” and nothing in
> the last 37 years has proven otherwise. By 1976 I had written a library
> that would be recognizable as the “_s” versions of modern C. But I missed
> the flexible strings that real languages supported. I got them back in
> 1995 when I started using MFC, and now I will use CString or std::string
> as my ONLY string representation. Mostly CString, because it has the same
> power as std::string and I mostly write MFC code. I even have a lecture
> segment called “When MFC meets System Programming”, where I show that you
> don’t really need char/w_char/TCHAR arrays at all. The number of times
> I’ve used character arrays in the last 17 years is vanishingly small.
> joe
>

>>
>> {
>>     struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;
>>     int i = 0;
>>     int mask = 0;
>>     string TempBuff;
>>
>>     while ( mask < MiniDumpValidTypeFlags )
>>     {
>>         if (Flags == MiniDumpNormal)
>>         {
>>             TempBuff.append("MiniDumpNormal");
>>             goto end;
>>         }
>>         if( (mask) && ((Flags & mask ) == mask ) )
>>         {
>>             if(mlk->Value == mask)
>>             {
>>                 TempBuff.append ( "\n " );
>>                 TempBuff.append ( mlk->Str );
>>             }
>>         }
>>         mask = 1 << i;
>>         i++;
>>         mlk++;
>>     }
>> end:
>>     strncpy_s( Buff, Buffsize-2, TempBuff.data(), _TRUNCATE );
>>     return;
>> }
>>
>> MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC + 5:30)
>> MINIDUMP_HEADER Flags = 21
>>
>> MiniDumpWithDataSegs
>> MiniDumpWithUnloadedModules
>> Stream# StreamType StreamName Size RVA
>> 0 00000003 ThreadListStream 000000c4 00000160
>>
>>> On 5/6/12, xxxxx@flounder.com wrote:
>>>> CString is probably not available for wdk builds, but std::string is part
>>>> of the C++ Standard.
>>>>
>>>> But if you use std::string you have to include the correct header files,
>>>> and remember to either specify the namespace as a default or always
>>>> prepend std:: to names that are part of that namespace.
>>>>
>>>> joe
>>>>
>>>>
>>>>> thanks Dr Newcomer,
>>>>>
>>>>> for the comments i am not aware if i can use those
>>>>> Cstring and std::string constructs in wdk build environment
>>>>>
>>>>> i tried using them some time back and all i got was lots and lots of
>>>>> compile errors
>>>>>
>>>>> starting with cannot find <string> note not <string.h> plain
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 5/6/12, xxxxx@flounder.com wrote:
>>>>>> const char * sep = "";
>>>>>>
>>>>>> #define ShowBit(something, x) if ((something) & (x)) { printf("%s", sep); printf(#x); sep = " | "; }
>>>>>>
>>>>>> if(value == MiniDumpNormal)
>>>>>>     printf("MiniDumpNormal");
>>>>>> else
>>>>>> {
>>>>>>     ShowBit(value, MiniDumpWithSegs);
>>>>>>     ShowBit(value, MiniDumpSomeOtherKind);
>>>>>>     ShowBit(value, MiniDumpYetOnOtherType);
>>>>>> }
>>>>>>
>>>>>> Note this does require you special-case the “0” type.
>>>>>> joe
>>>>>>
>>>>>>> Thanks Dr Newcomer,
>>>>>>>
>>>>>>> for posting the #defines
>>>>>>> PMDST(something, x) if((something) == (x)) printf(#x)
>>>>>>>
>>>>>>> switch(something)
>>>>>>> {
>>>>>>> #define MDSTcase(x) case x: printf(#x); break
>>>>>>> MDSTcase(UnusedStream);
>>>>>>> ----
>>>>>>> #undef MDSTcase
>>>>>>> }
>>>>>>>
>>>>>>> i at the moment used what tim posted in one of the earlier posts
>>>>>>>
>>>>>>> now on to next question
>>>>>>>
>>>>>>> typedef enum _MINIDUMP_TYPE {
>>>>>>> MiniDumpNormal = 0x00000000,
>>>>>>> MiniDumpWithDataSegs = 0x00000001,
>>>>>>>
>>>>>>> -------
>>>>>>> MiniDumpWithUnloadedModules = 0x00000020,
>>>>>>> ----
>>>>>>> }MINIDUMP_TYPE;
>>>>>>>
>>>>>>>
>>>>>>> now if i have a flag of 21
>>>>>>>
>>>>>>> i should be printing all the three strings isnt it ??
>>>>>>>
>>>>>>> int mask = 0
>>>>>>> if ( (Flags & mask) == mask)
>>>>>>> {
>>>>>>>
>>>>>>> dont know why Dumpchk omits the flag 0 MiniDumpNormal i can start
>>>>>>> with
>>>>>>>
>>>>>>> int mask = 1; to get the same behavior but i dont think that would
>>>>>>> print the MiniDumpNormal String ever
>>>>>>>
>>>>>>> here is a sample snippet i glued together to parse the Flags and print
>>>>>>> out the MiniDumptypes
>>>>>>>
>>>>>>> struct MiniDumpTypeLookup {
>>>>>>>     int Value;
>>>>>>>     PSTR Str;
>>>>>>> } MiniDumpTypeLookupTable[] = {
>>>>>>>     MAKE_LOOKUP( MiniDumpNormal ),
>>>>>>>     MAKE_LOOKUP( MiniDumpWithDataSegs ),
>>>>>>>     -------
>>>>>>>     MAKE_LOOKUP( MiniDumpValidTypeFlags ),
>>>>>>>     { 0 , NULL }
>>>>>>> };
>>>>>>>
>>>>>>> char MiniDumpTypeNameBuff[0x1000] = {0};
>>>>>>
>>>>>> As soon as you declare a character array of a fixed size, you have already
>>>>>> lost. This should never be written, anywhere. It is dead, obsolete, C
>>>>>> code. Use std::string or CString data types instead. I would no more do
>>>>>> this than write in assembly code.
>>>>>>
>>>>>> And why is this declared as a static variable global to the function
>>>>>> instead of as a stack local? It isn’t thread-safe, and it represents an
>>>>>> antiquated programming pattern that is best dead and buried
>>>>>>
>>>>>>>
>>>>>>> PCHAR MiniDumpTypeName (ULONG64 Flags)
>>>>>>> {
>>>>>>>     struct MiniDumpTypeLookup * mlk = MiniDumpTypeLookupTable;
>>>>>>>     int i = 0;
>>>>>>>     int mask = 0;
>>>>>>>
>>>>>>>     while ( mask < 0x7ffff )
>>>>>>
>>>>>> Wrong test. I have no idea what this is testing, but it would never occur
>>>>>> to me to write this code
>>>>>>
>>>>>>>     {
>>>>>>>         if( (Flags & mask ) == mask )
>>>>>>>         {
>>>>>>>             if(mlk->Value == mask)
>>>>>>>             {
>>>>>>>                 strncat_s(
>>>>>>>                     MiniDumpTypeNameBuff,
>>>>>>>                     sizeof(MiniDumpTypeNameBuff),
>>>>>> ****
>>>>>> Note that you have made a consistent error in all the programs, which I
>>>>>> did not attempt to correct: that the program always and forever uses 8-bit
>>>>>> character strings. You should either assume Unicode or code
>>>>>> Unicode-aware, using T-data types, _T() for literals, etc. Note that I
>>>>>> prefer, when doing bit masks, to use the vertical bar (with spaces around
>>>>>> it) as the separator, which is more in keeping with how a programmer
>>>>>> thinks of the bit fields.
>>>>>> ***
>>>>>>>                     "\n ",
>>>>>>>                     _TRUNCATE
>>>>>>>                 );
>>>>>>>                 strncat_s(
>>>>>>>                     MiniDumpTypeNameBuff,
>>>>>>>                     sizeof(MiniDumpTypeNameBuff),
>>>>>>>                     mlk->Str,
>>>>>>>                     _TRUNCATE
>>>>>>>                 );
>>>>>>>             }
>>>>>>>         }
>>>>>>>         mask = 1 << i;
>>>>>>>         i++;
>>>>>>>         mlk++;
>>>>>>>     }
>>>>>>>     return MiniDumpTypeNameBuff;
>>>>>>
>>>>>> This makes no sense; you are returning a pointer to a buffer which is
>>>>>> statically allocated. Bad practice, not thread-safe, potentially a
>>>>>> disaster.
>>>>>>
>>>>>> Again, avoid C data types and use std::string or CString types.
>>>>>> Programming applications in C is about as antiquated as programming
>>>>>> applications in assembly code.
>>>>>>
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> i get an output like this
>>>>>>>
>>>>>>> MINIDUMP_HEADER TimeDateStamp = Tue Mar 27 01:22:16 2012 (UTC + 5:30)
>>>>>>> MINIDUMP_HEADER Flags = 21
>>>>>>> MiniDumpNormal
>>>>>>> MiniDumpWithDataSegs
>>>>>>>
>>>>>>> MiniDumpWithUnloadedModules
>>>>>>
>>>>>> No surprise, because you have to special-case the 0 flag value. Look at
>>>>>> your code:
>>>>>>
>>>>>> if((Flags & 0) == 0)
>>>>>>
>>>>>> which is going to be always true. If you want to make a fully-general
>>>>>> subroutine, you can impose rules like “the first entry in the table might
>>>>>> be a zero value, special-case the first entry” or even more general, if
>>>>>> the value Flags is 0, scan the table for the 0 value, print it and return,
>>>>>> else iterate the bit mask as you have done.
>>>>>>

>>>>>>>
>>>>>>> whereas dumpchk prints out
>>>>>>>
>>>>>>> Debug session time: Tue Mar 27 01:22:16.000 2012 (UTC + 5:30)
>>>>>>> System Uptime: not available
>>>>>>> Process Uptime: not available
>>>>>>> …
>>>>>>> Loading unloaded module list
>>>>>>> …
>>>>>>> This dump file has an exception of interest stored in it.
>>>>>>> The stored exception information can be accessed via .ecxr.
>>>>>>> (f0f0f0f0.9e8): Access violation - code c0000005 (first/second chance not available)
>>>>>>> ----- User Mini Dump Analysis
>>>>>>>
>>>>>>> MINIDUMP_HEADER:
>>>>>>> Version A793 (6003)
>>>>>>> NumberOfStreams 8
>>>>>>> Flags 21
>>>>>>> 0001 MiniDumpWithDataSegs
>>>>>>> 0020 MiniDumpWithUnloadedModules
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> That’s because they properly handle the 0 case.
>>>>>> joe
>>>>>>

>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 5/6/12, xxxxx@flounder.com wrote:
>>>>>>>> No, the question isn’t stupid, it just reflects one of the major defects
>>>>>>>> of the C language: the lack of reflection.
>>>>>>>>
>>>>>>>> The correct way to handle this is definitely NOT
>>>>>>>>
>>>>>>>> if(something == 3) printf("ThreadListStream");
>>>>>>>>
>>>>>>>> it would be correct, but tedious, to handle every case correctly, by
>>>>>>>> typing
>>>>>>>>
>>>>>>>> if(something == ThreadListStream) printf("ThreadListStream")
>>>>>>>>
>>>>>>>> I fail to see any purpose in using the constant “3” when there is a
>>>>>>>> perfectly good name!
>>>>>>>>
>>>>>>>> However, I have used a couple techniques
>>>>>>>>
>>>>>>>> #define PMDST(something, x) if((something) == (x)) printf(#x)
>>>>>>>>
>>>>>>>> then you can write
>>>>>>>>
>>>>>>>> PMDST(something, UnusedStream);
>>>>>>>> else
>>>>>>>> PMDST(something, ThreadListStream);
>>>>>>>> else
>>>>>>>> …
>>>>>>>> else
>>>>>>>> printf("Unknown stream type %d", something);
>>>>>>>>
>>>>>>>> or, I’ll sometimes do
>>>>>>>>
>>>>>>>> switch(something)
>>>>>>>> {
>>>>>>>> #define MDSTcase(x) case x: printf(#x); break
>>>>>>>>     MDSTcase(UnusedStream);
>>>>>>>>     MDSTcase(ThreadListStream);
>>>>>>>>     …
>>>>>>>>     default:
>>>>>>>>         printf("Unknown stream type %d", something);
>>>>>>>>         break;
>>>>>>>> #undef MDSTcase
>>>>>>>> }
>>>>>>>>
>>>>>>>> It depends on my mood which one I might use.
>>>>>>>> joe
>>>>>>>>> THIS must be a STUPID c 101 QUESTION
>>>>>>>>> still i will ask it
>>>>>>>>>
>>>>>>>>> dbghelp.h has this declared
>>>>>>>>>
>>>>>>>>> typedef enum _MINIDUMP_STREAM_TYPE {
>>>>>>>>>
>>>>>>>>> UnusedStream = 0,
>>>>>>>>> ReservedStream0 = 1,
>>>>>>>>> ReservedStream1 = 2,
>>>>>>>>> ThreadListStream = 3,
>>>>>>>>> ModuleListStream = 4, … s ON
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> now if i want to printf
>>>>>>>>>
>>>>>>>>> MiniDir = (PMINIDUMP_DIRECTORY) Buff; MiniDir->StreamType,
>>>>>>>>>
>>>>>>>>> say if 3 printf (“ThreadListStream”);
>>>>>>>>>
>>>>>>>>> should i be doing it like this ?? error prone copy paste modify by
>>>>>>>>> hand of the enum from dbghelp.h ?? like below
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> PSTR
>>>>>>>>> _cdecl
>>>>>>>>> MiniStreamTypeName (
>>>>>>>>>     int StreamType
>>>>>>>>>     )
>>>>>>>>> {
>>>>>>>>>     PSTR Ministr[] = {
>>>>>>>>>         "UnusedStream",
>>>>>>>>>         "ReservedStream0",
>>>>>>>>>         "ReservedStream1",
>>>>>>>>>         "ThreadListStream",
>>>>>>>>>         "ModuleListStream",
>>>>>>>>>         …
>>>>>>>>>         …
>>>>>>>>>         …
>>>>>>>>>     };
>>>>>>>>>     return Ministr[StreamType];
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> and call it with say
>>>>>>>>>
>>>>>>>>> printf(
>>>>>>>>>     "%7d %08x\x20\x20\x20\x20 %-30s %08x %08x\n",
>>>>>>>>>     i,
>>>>>>>>>     MiniDir->StreamType,
>>>>>>>>>     MiniStreamTypeName(MiniDir->StreamType),
>>>>>>>>>     MiniDir->Location.DataSize,
>>>>>>>>>     MiniDir->Location.Rva
>>>>>>>>>     );
>>>>>>>>>
>>>>>>>>> this seems to work though i feel this must really not be the way to
>>>>>>>>> go about
>>>>>>>>>
>>>>>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>>>>>
>>>>>>>>> Minidump Header Signature = 504d444d
>>>>>>>>> MINIDUMP_VERSION = 0000a793
>>>>>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>>>>>> Stream# StreamType StreamName Size RVA
>>>>>>>>> 0 00000003 ThreadListStream 000000c4 00000160
>>>>>>>>> 1 00000004 ModuleListStream 00001a2c 00000224
>>>>>>>>> 2 0000000e UnloadedModuleListStream 00000114 00001c50
>>>>>>>>> 3 00000005 MemoryListStream 00000094 000048c4
>>>>>>>>> 4 00000006 ExceptionStream 000000a8 000000b8
>>>>>>>>> 5 00000007 SystemInfoStream 00000038 00000080
>>>>>>>>> 6 00000000 UnusedStream 00000000 00000000
>>>>>>>>> 7 00000000 UnusedStream 00000000 00000000
>>>>>>>>> Dump Header Dumped
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 5/3/12, raj_r wrote:
>>>>>>>>>> thanks jen for answering fast
>>>>>>>>>> it seems i am able to get the directories and rvas with code below
>>>>>>>>>>
>>>>>>>>>> ftell(fp);
>>>>>>>>>>
>>>>>>>>>> ULONG NumberOfStreams = MiniHeader->NumberOfStreams;
>>>>>>>>>>
>>>>>>>>>> for (ULONG i = 0; i < NumberOfStreams; i++)
>>>>>>>>>> {
>>>>>>>>>>     fread(
>>>>>>>>>>         Buff,
>>>>>>>>>>         1,
>>>>>>>>>>         sizeof(MINIDUMP_DIRECTORY),
>>>>>>>>>>         fp
>>>>>>>>>>         );
>>>>>>>>>>     MiniDir = (PMINIDUMP_DIRECTORY) Buff;
>>>>>>>>>>     printf(
>>>>>>>>>>         "StreamType\t%08x\tSize\t%08x\tRva\t%08x\n",
>>>>>>>>>>         MiniDir->StreamType,
>>>>>>>>>>         MiniDir->Location.DataSize,
>>>>>>>>>>         MiniDir->Location.Rva
>>>>>>>>>>         );
>>>>>>>>>>     ftell(fp);
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> StreamType 00000003 Size 000000c4 Rva 00000160
>>>>>>>>>> StreamType 00000004 Size 00001a2c Rva 00000224
>>>>>>>>>> StreamType 0000000e Size 00000114 Rva 00001c50
>>>>>>>>>> StreamType 00000005 Size 00000094 Rva 000048c4
>>>>>>>>>> StreamType 00000006 Size 000000a8 Rva 000000b8
>>>>>>>>>> StreamType 00000007 Size 00000038 Rva 00000080
>>>>>>>>>> StreamType 00000000 Size 00000000 Rva 00000000
>>>>>>>>>> StreamType 00000000 Size 00000000 Rva 00000000
>>>>>>>>>> Dump Header Dumped
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> t>Dumpchk test.dmp | grep -i stream
>>>>>>>>>> Loading dump file test.dmp
>>>>>>>>>> NumberOfStreams 8
>>>>>>>>>> Streams:
>>>>>>>>>> Stream 0: type ThreadListStream (3), size 000000C4, RVA 00000160
>>>>>>>>>> Stream 1: type ModuleListStream (4), size 00001A2C, RVA 00000224
>>>>>>>>>> Stream 2: type UnloadedModuleListStream (14), size 00000114, RVA 00001C50
>>>>>>>>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>>>>>>>>> Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000B8
>>>>>>>>>> Stream 5: type SystemInfoStream (7), size 00000038, RVA 00000080
>>>>>>>>>> Stream 6: type UnusedStream (0), size 00000000, RVA 00000000
>>>>>>>>>> Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> so all left is to parse and the remaining bytes
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 5/3/12, Jen-Lung Chiu wrote:
>>>>>>>>>>> Yes no API support to get those data from dump headers.
>>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: xxxxx@lists.osr.com
>>>>>>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>>>>>>> Sent: Wednesday, May 2, 2012 01:37 PM
>>>>>>>>>>> To: Kernel Debugging Interest List
>>>>>>>>>>> Subject: Re: [windbg] Error when reading user stream from dump
>>>>>>>>>>> file
>>>>>>>>>>>
>>>>>>>>>>> Thanks jen
>>>>>>>>>>>
>>>>>>>>>>> So I Need To do Something Like below Myself no request or interface
>>>>>>>>>>> exist ??
>>>>>>>>>>>
>>>>>>>>>>> int __cdecl DumpDumpHeader(void) {
>>>>>>>>>>>     HRESULT status = S_OK;
>>>>>>>>>>>     PMINIDUMP_HEADER MiniHeader;
>>>>>>>>>>>     FILE * fp;
>>>>>>>>>>>     size_t result;
>>>>>>>>>>>
>>>>>>>>>>>     if (( fp = fopen(
>>>>>>>>>>>         "test.dmp",
>>>>>>>>>>>         "rb"
>>>>>>>>>>>         ) ) == 0 ) {
>>>>>>>>>>>         Exit (
>>>>>>>>>>>             FALSE,
>>>>>>>>>>>             "fopen ( %s ) Failed",
>>>>>>>>>>>             "test.dmp"
>>>>>>>>>>>             );
>>>>>>>>>>>     }
>>>>>>>>>>>
>>>>>>>>>>>     if (( result = fread(
>>>>>>>>>>>         Buff,
>>>>>>>>>>>         1,
>>>>>>>>>>>         sizeof(MINIDUMP_HEADER),
>>>>>>>>>>>         fp
>>>>>>>>>>>         ) ) != sizeof(MINIDUMP_HEADER)) {
>>>>>>>>>>>         Exit(
>>>>>>>>>>>             FALSE,
>>>>>>>>>>>             "fread(fp) failed\n"
>>>>>>>>>>>             );
>>>>>>>>>>>     }
>>>>>>>>>>>
>>>>>>>>>>>     MiniHeader = (PMINIDUMP_HEADER)Buff;
>>>>>>>>>>>
>>>>>>>>>>>     printf(
>>>>>>>>>>>         "Minidump Header Signature = %08x\n"
>>>>>>>>>>>         "MINIDUMP_VERSION = %08x\n"
>>>>>>>>>>>         "MINIDUMP_VERSION(Internal) = %08x\n"
>>>>>>>>>>>         "MINIDUMP_HEADER NumberofStreams = %08x\n"
>>>>>>>>>>>         "MINIDUMP_HEADER StreamDirectoryRVA = %08x\n"
>>>>>>>>>>>         "MINIDUMP_HEADER CheckSum = %08x\n"
>>>>>>>>>>>         "MINIDUMP_HEADER reserved = %08x\n"
>>>>>>>>>>>         "MINIDUMP_HEADER TimeDateStamp = %08x\n"
>>>>>>>>>>>         "MINIDUMP_HEADER Flags = %08x\n",
>>>>>>>>>>>         MiniHeader->Signature,
>>>>>>>>>>>         LOWORD(MiniHeader->Version),
>>>>>>>>>>>         HIWORD(MiniHeader->Version),
>>>>>>>>>>>         MiniHeader->NumberOfStreams,
>>>>>>>>>>>         MiniHeader->StreamDirectoryRva,
>>>>>>>>>>>         MiniHeader->CheckSum,
>>>>>>>>>>>         MiniHeader->Reserved,
>>>>>>>>>>>         MiniHeader->TimeDateStamp,
>>>>>>>>>>>         MiniHeader->Flags
>>>>>>>>>>>         );
>>>>>>>>>>>
>>>>>>>>>>>     fclose(fp);
>>>>>>>>>>>
>>>>>>>>>>>     return status;
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> -====Dumping DumpHeader From Memory Dump====-
>>>>>>>>>>>
>>>>>>>>>>> Minidump Header Signature = 504d444d
>>>>>>>>>>> MINIDUMP_VERSION = 0000a793
>>>>>>>>>>> MINIDUMP_VERSION(Internal) = 00006003
>>>>>>>>>>> MINIDUMP_HEADER NumberofStreams = 00000008
>>>>>>>>>>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>>>>>>>>>>> MINIDUMP_HEADER CheckSum = 00000000
>>>>>>>>>>> MINIDUMP_HEADER reserved = 4f70c8f0
>>>>>>>>>>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>>>>>>>>>>> MINIDUMP_HEADER Flags = 00000021
>>>>>>>>>>> Dump Header Dumped
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ----- User Mini Dump Analysis
>>>>>>>>>>>
>>>>>>>>>>> MINIDUMP_HEADER:
>>>>>>>>>>> Version A793 (6003)
>>>>>>>>>>> NumberOfStreams 8
>>>>>>>>>>> Flags 21
>>>>>>>>>>> 0001 MiniDumpWithDataSegs
>>>>>>>>>>> 0020 MiniDumpWithUnloadedModules
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 5/2/12, Jen-Lung Chiu wrote:
>>>>>>>>>>>> You could check MSDN or dbghelp.h for user-mode minidump format, then
>>>>>>>>>>>> use binary editor to browse the dump file.
>>>>>>>>>>>>
>>>>>>>>>>>> The user-mode minidump starts with a MINIDUMP_HEADER structure, then
>>>>>>>>>>>> follows a list of MINIDUMP_DIRECTORY structure (the number of
>>>>>>>>>>>> MINIDUMP_DIRECTORY structures is MINIDUMP_HEADER::NumberOfStreams).
>>>>>>>>>>>> The MINIDUMP_DIRECTORY block defines the type of the stream (in your
>>>>>>>>>>>> case, MemoryListStream) as well as the RVA/size of the stream.
>>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: xxxxx@lists.osr.com
>>>>>>>>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>>>>>>>>>>> Sent: Wednesday, May 2, 2012 02:42 AM
>>>>>>>>>>>> To: Kernel Debugging Interest List
>>>>>>>>>>>> Subject: Re: [windbg] Error when reading user stream from dump
>>>>>>>>>>>> file
>>>>>>>>>>>>
>>>>>>>>>>>> ok changing the ULONG64 of Debughelp.chm to DWORD of Debughelp.h it
>>>>>>>>>>>> seems now i can dump the MemoryListStream below is code and output
>>>>>>>>>>>> Dissections are Welcome
>>>>>>>>>>>>
>>>>>>>>>>>> #include <stdio.h>
>>>>>>>>>>>>
>>>>>>>>>>>> #include <engextcpp.hpp>
>>>>>>>>>>>>
>>>>>>>>>>>> #include <dbghelp.h>
>>>>>>>>>>>>
>>>>>>>>>>>> const ULONG MBUFFSIZE = 0x1000;
>>>>>>>>>>>>
>>>>>>>>>>>> IDebugCli

On 05/09/2012 03:12, raj_r wrote:

string TempBuff;

printf(TempBuff.data());

If I recall correctly, string::data() isn’t required to NUL
terminate your string. You should probably call
TempBuff.c_str(), which is required to NUL terminate.

Thanks,

Joseph
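
Added example, not code from the thread: a C sketch of two points raised in the quoted replies above. It decodes the header Flags into a caller-supplied buffer with the zero value special-cased, and it names a StreamType by searching a MAKE_LOOKUP-style table so that a value read from the dump file is never used as an array index. The enum values are local copies of the ones shown in the thread, the tables are deliberately a subset, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Local copies of values shown in the thread, so this builds without dbghelp.h. */
enum { UnusedStream = 0, ThreadListStream = 3, UnloadedModuleListStream = 14 };
enum { MiniDumpNormal = 0x0, MiniDumpWithDataSegs = 0x1, MiniDumpWithUnloadedModules = 0x20 };
struct lookup { uint32_t value; const char *name; };
#define MAKE_LOOKUP(x) { (uint32_t)(x), #x }
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
static const struct lookup stream_names[] = { MAKE_LOOKUP(UnusedStream),
    MAKE_LOOKUP(ThreadListStream), MAKE_LOOKUP(UnloadedModuleListStream) };
static const struct lookup flag_names[] = { MAKE_LOOKUP(MiniDumpNormal),
    MAKE_LOOKUP(MiniDumpWithDataSegs), MAKE_LOOKUP(MiniDumpWithUnloadedModules) };

/* Search by value: a StreamType read from the file is never used as an array index. */
const char *stream_type_name(uint32_t type)
{
    for (size_t i = 0; i < COUNT(stream_names); i++)
        if (stream_names[i].value == type) return stream_names[i].name;
    return "Not found";
}

/* Append one space-separated token; -1 if it does not fit in the caller's buffer. */
static int append(char *out, size_t outlen, size_t *used, const char *s)
{
    int n = snprintf(out + *used, outlen - *used, "%s%s", *used ? " " : "", s);
    if (n < 0 || (size_t)n >= outlen - *used) return -1;
    *used += (size_t)n;
    return 0;
}

/* Decode Flags into out (caller-owned, nothing static is returned). 0 on success. */
int flags_to_string(uint64_t flags, char *out, size_t outlen)
{
    size_t used = 0;
    uint64_t left = flags;      /* bits not yet explained by the table */
    char unk[24];
    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < COUNT(flag_names); i++) {
        uint32_t v = flag_names[i].value;
        /* (flags & 0) == 0 is always true, so the zero entry matches only flags == 0. */
        if ((v == 0) ? (flags != 0) : ((flags & v) != v)) continue;
        if (append(out, outlen, &used, flag_names[i].name) != 0) return -1;
        left &= ~(uint64_t)v;
    }
    if (left == 0) return 0;
    snprintf(unk, sizeof unk, "0x%llx", (unsigned long long)left);
    return append(out, outlen, &used, unk);
}
```

Bits that the table does not name are reported in hex rather than dropped, so a dump written with newer flags still decodes visibly.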