
Commit 3129e4b

authored
Add support for "Live Kernel Memory" dump type (0x6) (#7)
1 parent f8352f3 commit 3129e4b


4 files changed

+778
-24
lines changed


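--- a/src/parse.rs
+++ b/src/parse.rs
@@ -403,9 +403,9 @@ impl KernelDumpParser {
 }
 
 /// Read physical memory starting at `gpa` into a `buffer`.
-pub fn phys_read(&self, gpa: Gpa, buffer: &mut [u8]) -> Result<usize> {
+pub fn phys_read(&self, gpa: Gpa, buf: &mut [u8]) -> Result<usize> {
 // Amount of bytes left to read.
-let mut amount_left = buffer.len();
+let mut amount_left = buf.len();
 // Total amount of bytes that we have successfully read.
 let mut total_read = 0;
 // The current gpa we are reading from.
@@ -423,7 +423,7 @@ impl KernelDumpParser {
 let left_in_page = (Page::size() - gpa.offset()) as usize;
 let amount_wanted = min(amount_left, left_in_page);
 // Figure out where we should read into.
-let slice = &mut buffer[total_read..total_read + amount_wanted];
+let slice = &mut buf[total_read..total_read + amount_wanted];
 // Read the physical memory!
 let amount_read = self.read(slice)?;
 // Update the total amount of read bytes and how much work we have left.
@@ -444,12 +444,12 @@ impl KernelDumpParser {
 
 /// Read an exact amount of physical memory starting at `gpa` into a
 /// `buffer`.
-pub fn phys_read_exact(&self, gpa: Gpa, buffer: &mut [u8]) -> Result<()> {
+pub fn phys_read_exact(&self, gpa: Gpa, buf: &mut [u8]) -> Result<()> {
 // Read physical memory.
-let len = self.phys_read(gpa, buffer)?;
+let len = self.phys_read(gpa, buf)?;
 
 // If we read as many bytes as we wanted, then it's a win..
-if len == buffer.len() {
+if len == buf.len() {
 Ok(())
 }
 // ..otherwise, we call it quits.
@@ -525,9 +525,9 @@ impl KernelDumpParser {
 }
 
 /// Read virtual memory starting at `gva` into a `buffer`.
-pub fn virt_read(&self, gva: Gva, buffer: &mut [u8]) -> Result<usize> {
+pub fn virt_read(&self, gva: Gva, buf: &mut [u8]) -> Result<usize> {
 // Amount of bytes left to read.
-let mut amount_left = buffer.len();
+let mut amount_left = buf.len();
 // Total amount of bytes that we have successfully read.
 let mut total_read = 0;
 // The current gva we are reading from.
@@ -541,7 +541,7 @@ impl KernelDumpParser {
 let left_in_page = (Page::size() - addr.offset()) as usize;
 let amount_wanted = min(amount_left, left_in_page);
 // Figure out where we should read into.
-let slice = &mut buffer[total_read..total_read + amount_wanted];
+let slice = &mut buf[total_read..total_read + amount_wanted];
 // Translate the gva into a gpa..
 let gpa = self.virt_translate(addr)?;
 // .. and read the physical memory!
@@ -565,17 +565,17 @@ impl KernelDumpParser {
 /// Try to read virtual memory starting at `gva` into a `buffer`. If a
 /// memory translation error occurs, it'll return `None` instead of an
 /// error.
-pub fn try_virt_read(&self, gva: Gva, buffer: &mut [u8]) -> Result<Option<usize>> {
-filter_addr_translation_err(self.virt_read(gva, buffer))
+pub fn try_virt_read(&self, gva: Gva, buf: &mut [u8]) -> Result<Option<usize>> {
+filter_addr_translation_err(self.virt_read(gva, buf))
 }
 
 /// Read an exact amount of virtual memory starting at `gva`.
-pub fn virt_read_exact(&self, gva: Gva, buffer: &mut [u8]) -> Result<()> {
+pub fn virt_read_exact(&self, gva: Gva, buf: &mut [u8]) -> Result<()> {
 // Read virtual memory.
-let len = self.virt_read(gva, buffer)?;
+let len = self.virt_read(gva, buf)?;
 
 // If we read as many bytes as we wanted, then it's a win..
-if len == buffer.len() {
+if len == buf.len() {
 Ok(())
 }
 // ..otherwise, we call it quits.
@@ -587,8 +587,8 @@ impl KernelDumpParser {
 /// Try to read an exact amount of virtual memory starting at `gva`. If a
 /// memory translation error occurs, it'll return `None` instead of an
 /// error.
-pub fn try_virt_read_exact(&self, gva: Gva, buffer: &mut [u8]) -> Result<Option<()>> {
-filter_addr_translation_err(self.virt_read_exact(gva, buffer))
+pub fn try_virt_read_exact(&self, gva: Gva, buf: &mut [u8]) -> Result<Option<()>> {
+filter_addr_translation_err(self.virt_read_exact(gva, buf))
 }
 
 /// Read a `T` from virtual memory.
@@ -824,7 +824,7 @@ impl KernelDumpParser {
 use DumpType as D;
 match dump_type {
 D::Full => Self::full_physmem(headers, reader),
-D::Bmp => Self::bmp_physmem(reader),
+D::Bmp | D::LiveKernelMemory => Self::bmp_physmem(reader),
 D::KernelMemory | D::KernelAndUserMemory | D::CompleteMemory => {
 Self::kernel_physmem(dump_type, reader)
 }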
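Review bot: The new `D::Bmp | D::LiveKernelMemory => Self::bmp_physmem(reader)` arm in the last hunk (@@ -824) folds a second dump type into the bitmap reader without saying why the 0x6 format is expected to share that layout, so the next maintainer cannot tell whether the pairing is a format fact or a best guess. A one-line comment on the arm would settle it, e.g. `// Live kernel memory dumps (0x6) carry their physical memory in the same bitmap-backed layout as Bmp dumps, so they share the reader.` — adjust the wording if the layout only partially matches. Since this parser consumes attacker-controllable files, the bitmap path's existing header checks are now reachable from a new type value; a fixture for a 0x6 dump alongside the existing Bmp tests would pin that the shared path really is exercised. The `match` and its enclosing function start and end outside the hunk; the earlier hunks are a `buffer` → `buf` rename only.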

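--- a/src/structs.rs
+++ b/src/structs.rs
@@ -26,6 +26,8 @@ pub enum DumpType {
 Bmp = 0x5,
 /// Produced by `.dump /m`.
 // Mini = 0x4,
+/// (22H2+) Produced by TaskMgr > System > Create live kernel Memory Dump.
+LiveKernelMemory = 0x6,
 /// Produced by `.dump /k`.
 KernelMemory = 0x8,
 /// Produced by `.dump /ka`.
@@ -47,6 +49,7 @@ impl TryFrom<u32> for DumpType {
 x if x == DumpType::KernelMemory as u32 => Ok(DumpType::KernelMemory),
 x if x == DumpType::KernelAndUserMemory as u32 => Ok(DumpType::KernelAndUserMemory),
 x if x == DumpType::CompleteMemory as u32 => Ok(DumpType::CompleteMemory),
+x if x == DumpType::LiveKernelMemory as u32 => Ok(DumpType::LiveKernelMemory),
 _ => Err(KdmpParserError::UnknownDumpType(value)),
 }
 }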
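Review bot: The doc comment on the new `LiveKernelMemory = 0x6` variant in the first hunk says where such a dump comes from but not how this crate treats it, which is the fact a caller of `DumpType` needs; parse.rs routes it through the bitmap reader, so say so here: `/// (22H2+) Produced by TaskMgr > System > Create live kernel Memory Dump; parsed like [`DumpType::Bmp`].` The variant is inserted between the commented-out `Mini = 0x4` and `KernelMemory = 0x8`, keeping the enum in numeric order, but the matching `TryFrom<u32>` arm in the second hunk is appended after `CompleteMemory` rather than next to the `Bmp` arm; moving it up would keep the two lists in the same order and make a missing arm easier to spot by eye. Both hunks sit inside definitions whose start lies outside the hunk.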
