//------------------------------------------------ //--- 010 Editor v7.0 Binary Template // // File: MiniDump.bt // Authors: darknesswind // Version: 1.0 // Purpose: Template parse struct in Windows MiniDump. // The struct define from windows header files. // Category: Operating System // File Mask: *.dmp // ID Bytes: 4D 44 4D 50 93 A7 // MDMP 42899 // History: // 1.0 2019-10-31 darknesswind: 1.0 The init version //------------------------------------------------ typedef unsigned int ULONG32; typedef unsigned __int64 ULONG64; typedef DWORD RVA ; typedef ULONG64 RVA64 ; typedef struct _MINIDUMP_TYPE { // ULONG64 Normal : 1;// = 0x00000000, ULONG64 WithDataSegs : 1;// = 0x00000001, ULONG64 WithFullMemory : 1;// = 0x00000002, ULONG64 WithHandleData : 1;// = 0x00000004, ULONG64 FilterMemory : 1;// = 0x00000008, ULONG64 ScanMemory : 1;// = 0x00000010, ULONG64 WithUnloadedModules : 1;// = 0x00000020, ULONG64 WithIndirectlyReferencedMemory : 1;// = 0x00000040, ULONG64 FilterModulePaths : 1;// = 0x00000080, ULONG64 WithProcessThreadData : 1;// = 0x00000100, ULONG64 WithPrivateReadWriteMemory : 1;// = 0x00000200, ULONG64 WithoutOptionalData : 1;// = 0x00000400, ULONG64 WithFullMemoryInfo : 1;// = 0x00000800, ULONG64 WithThreadInfo : 1;// = 0x00001000, ULONG64 WithCodeSegs : 1;// = 0x00002000, ULONG64 WithoutAuxiliaryState : 1;// = 0x00004000, ULONG64 WithFullAuxiliaryState : 1;// = 0x00008000, ULONG64 WithPrivateWriteCopyMemory : 1;// = 0x00010000, ULONG64 IgnoreInaccessibleMemory : 1;// = 0x00020000, ULONG64 WithTokenInformation : 1;// = 0x00040000, ULONG64 WithModuleHeaders : 1;// = 0x00080000, ULONG64 FilterTriage : 1;// = 0x00100000 } MINIDUMP_TYPE; typedef enum _MINIDUMP_STREAM_TYPE { UnusedStream = 0, ReservedStream0 = 1, ReservedStream1 = 2, ThreadListStream = 3, ModuleListStream = 4, MemoryListStream = 5, ExceptionStream = 6, SystemInfoStream = 7, ThreadExListStream = 8, Memory64ListStream = 9, CommentStreamA = 10, CommentStreamW = 11, HandleDataStream = 12, FunctionTableStream = 13, UnloadedModuleListStream = 14, MiscInfoStream = 15, MemoryInfoListStream = 16, ThreadInfoListStream = 17, HandleOperationListStream = 18, LastReservedStream = 0xffff } MINIDUMP_STREAM_TYPE; typedef struct _MINIDUMP_HEADER { char Signature[4]; struct Version { WORD version; WORD internal; } version; ULONG32 NumberOfStreams; RVA StreamDirectoryRva; ULONG32 CheckSum; time_t TimeDateStamp ; _MINIDUMP_TYPE Flags; } MINIDUMP_HEADER ; typedef struct _MINIDUMP_LOCATION_DESCRIPTOR { ULONG32 DataSize; RVA Rva; } MINIDUMP_LOCATION_DESCRIPTOR ; typedef struct _MINIDUMP_DIRECTORY { MINIDUMP_STREAM_TYPE StreamType; MINIDUMP_LOCATION_DESCRIPTOR Location; } MINIDUMP_DIRECTORY ; typedef struct _MINIDUMP_MEMORY_DESCRIPTOR { ULONG64 StartOfMemoryRange; MINIDUMP_LOCATION_DESCRIPTOR Memory; } MINIDUMP_MEMORY_DESCRIPTOR; typedef struct _MINIDUMP_THREAD { ULONG32 ThreadId; ULONG32 SuspendCount; ULONG32 PriorityClass; ULONG32 Priority; ULONG64 Teb; MINIDUMP_MEMORY_DESCRIPTOR Stack; MINIDUMP_LOCATION_DESCRIPTOR ThreadContext; } MINIDUMP_THREAD ; typedef struct _MINIDUMP_THREAD_LIST { ULONG32 NumberOfThreads; MINIDUMP_THREAD Threads [NumberOfThreads]; } MINIDUMP_THREAD_LIST ; typedef struct tagVS_FIXEDFILEINFO { DWORD dwSignature; /* e.g. 0xfeef04bd */ DWORD dwStrucVersion; /* e.g. 0x00000042 = "0.42" */ DWORD dwFileVersionMS; /* e.g. 0x00030075 = "3.75" */ DWORD dwFileVersionLS; /* e.g. 0x00000031 = "0.31" */ DWORD dwProductVersionMS; /* e.g. 0x00030010 = "3.10" */ DWORD dwProductVersionLS; /* e.g. 0x00000031 = "0.31" */ DWORD dwFileFlagsMask; /* = 0x3F for version "0.42" */ DWORD dwFileFlags; /* e.g. VFF_DEBUG | VFF_PRERELEASE */ DWORD dwFileOS; /* e.g. VOS_DOS_WINDOWS16 */ DWORD dwFileType; /* e.g. VFT_DRIVER */ DWORD dwFileSubtype; /* e.g. VFT2_DRV_KEYBOARD */ DWORD dwFileDateMS; /* e.g. 0 */ DWORD dwFileDateLS; /* e.g. 0 */ } VS_FIXEDFILEINFO; typedef struct _MINIDUMP_MODULE { ULONG64 BaseOfImage ; ULONG32 SizeOfImage ; ULONG32 CheckSum ; time_t TimeDateStamp; RVA ModuleNameRva; VS_FIXEDFILEINFO VersionInfo; MINIDUMP_LOCATION_DESCRIPTOR CvRecord; MINIDUMP_LOCATION_DESCRIPTOR MiscRecord; ULONG64 Reserved0; // Reserved for future use. ULONG64 Reserved1; // Reserved for future use. } MINIDUMP_MODULE ; typedef struct _MINIDUMP_MODULE_LIST { ULONG32 NumberOfModules; MINIDUMP_MODULE Modules [ NumberOfModules ]; } MINIDUMP_MODULE_LIST ; typedef struct _MINIDUMP_MEMORY_LIST { ULONG32 NumberOfMemoryRanges; MINIDUMP_MEMORY_DESCRIPTOR MemoryRanges [NumberOfMemoryRanges]; } MINIDUMP_MEMORY_LIST ; typedef struct _MINIDUMP_EXCEPTION { ULONG32 ExceptionCode ; ULONG32 ExceptionFlags ; ULONG64 ExceptionRecord; ULONG64 ExceptionAddress ; ULONG32 NumberParameters; ULONG32 __unusedAlignment; ULONG64 ExceptionInformation [ 15 ]; // EXCEPTION_MAXIMUM_PARAMETERS } MINIDUMP_EXCEPTION; typedef struct MINIDUMP_EXCEPTION_STREAM { ULONG32 ThreadId; ULONG32 __alignment; MINIDUMP_EXCEPTION ExceptionRecord; MINIDUMP_LOCATION_DESCRIPTOR ThreadContext; } MINIDUMP_EXCEPTION_STREAM ; typedef union _CPU_INFORMATION { // X86 platforms use CPUID function to obtain processor information. struct { // CPUID Subfunction 0, register EAX (VendorId [0]), // EBX (VendorId [1]) and ECX (VendorId [2]). ULONG32 VendorId [ 3 ] ; // CPUID Subfunction 1, register EAX ULONG32 VersionInformation ; // CPUID Subfunction 1, register EDX ULONG32 FeatureInformation ; // CPUID, Subfunction 80000001, register EBX. This will only // be obtained if the vendor id is "AuthenticAMD". ULONG32 AMDExtendedCpuFeatures ; } X86CpuInfo; // Non-x86 platforms use processor feature flags. struct { ULONG64 ProcessorFeatures [ 2 ]; } OtherCpuInfo; } CPU_INFORMATION; typedef struct _MINIDUMP_SYSTEM_INFO { // by GetSystemInfo( ). USHORT ProcessorArchitecture; USHORT ProcessorLevel; USHORT ProcessorRevision; union { USHORT Reserved0; struct { UCHAR NumberOfProcessors; UCHAR ProductType; } info; } Reserved0; // returned by GetVersionEx( ). ULONG32 MajorVersion; ULONG32 MinorVersion; ULONG32 BuildNumber; ULONG32 PlatformId; RVA CSDVersionRva; // RVA to a CSDVersion string in the string table. union { ULONG32 Reserved1; struct { USHORT SuiteMask; USHORT Reserved2; } info; } Reserved1; CPU_INFORMATION Cpu; } MINIDUMP_SYSTEM_INFO ; typedef struct _MINIDUMP_THREAD_EX { ULONG32 ThreadId; ULONG32 SuspendCount; ULONG32 PriorityClass; ULONG32 Priority; ULONG64 Teb; MINIDUMP_MEMORY_DESCRIPTOR Stack; MINIDUMP_LOCATION_DESCRIPTOR ThreadContext; MINIDUMP_MEMORY_DESCRIPTOR BackingStore; } MINIDUMP_THREAD_EX ; typedef struct _MINIDUMP_THREAD_EX_LIST { ULONG32 NumberOfThreads; MINIDUMP_THREAD_EX Threads [NumberOfThreads]; } MINIDUMP_THREAD_EX_LIST ; struct RawData(ULONG64 size) { unsigned char dat[size]; }; typedef struct _MINIDUMP_MEMORY_DESCRIPTOR64 { ULONG64 StartOfMemoryRange ; ULONG64 DataSize ; } MINIDUMP_MEMORY_DESCRIPTOR64 ; typedef struct _MINIDUMP_MEMORY64_LIST { ULONG64 NumberOfMemoryRanges; RVA64 BaseRva; MINIDUMP_MEMORY_DESCRIPTOR64 MemoryRanges [NumberOfMemoryRanges]; if (FTell() != BaseRva) FSeek(BaseRva); typedef struct _RAW_MEMORY_DATA { local ULONG64 i = 0; for (i = 0; i < NumberOfMemoryRanges; ++i) { RawData memDat(MemoryRanges[i].DataSize); //Printf("%d\n",MemoryRanges[i].DataSize); } } RAW_MEMORY_DATA ; RAW_MEMORY_DATA memDat; } MINIDUMP_MEMORY64_LIST ; typedef struct _MINIDUMP_HANDLE_DESCRIPTOR { ULONG64 Handle; RVA TypeNameRva; RVA ObjectNameRva; ULONG32 Attributes; ULONG32 GrantedAccess; ULONG32 HandleCount; ULONG32 PointerCount; } MINIDUMP_HANDLE_DESCRIPTOR ; typedef struct _MINIDUMP_HANDLE_DESCRIPTOR_2 { ULONG64 Handle; RVA TypeNameRva; RVA ObjectNameRva; ULONG32 Attributes; ULONG32 GrantedAccess; ULONG32 HandleCount; ULONG32 PointerCount; RVA ObjectInfoRva; ULONG32 Reserved0; } MINIDUMP_HANDLE_DESCRIPTOR_2 ; typedef struct _MINIDUMP_HANDLE_DATA_STREAM { ULONG32 SizeOfHeader; ULONG32 SizeOfDescriptor; ULONG32 NumberOfDescriptors; ULONG32 Reserved; if (SizeOfDescriptor == sizeof(MINIDUMP_HANDLE_DESCRIPTOR)) MINIDUMP_HANDLE_DESCRIPTOR HandleDes[NumberOfDescriptors]; else if (SizeOfDescriptor == sizeof(MINIDUMP_HANDLE_DESCRIPTOR_2)) MINIDUMP_HANDLE_DESCRIPTOR_2 HandleDes[NumberOfDescriptors]; } MINIDUMP_HANDLE_DATA_STREAM ; typedef struct _MINIDUMP_FUNCTION_TABLE_DESCRIPTOR { ULONG64 MinimumAddress; ULONG64 MaximumAddress; ULONG64 BaseAddress; ULONG32 EntryCount; ULONG32 SizeOfAlignPad; } MINIDUMP_FUNCTION_TABLE_DESCRIPTOR ; typedef struct _MINIDUMP_FUNCTION_TABLE_STREAM { ULONG32 SizeOfHeader; ULONG32 SizeOfDescriptor; ULONG32 SizeOfNativeDescriptor; ULONG32 SizeOfFunctionEntry; ULONG32 NumberOfDescriptors; ULONG32 SizeOfAlignPad; MINIDUMP_FUNCTION_TABLE_DESCRIPTOR desc[NumberOfDescriptors]; } MINIDUMP_FUNCTION_TABLE_STREAM ; typedef struct _MINIDUMP_UNLOADED_MODULE { ULONG64 BaseOfImage ; ULONG32 SizeOfImage ; ULONG32 CheckSum ; ULONG32 TimeDateStamp; RVA ModuleNameRva; } MINIDUMP_UNLOADED_MODULE ; typedef struct _MINIDUMP_UNLOADED_MODULE_LIST { struct UnLoadedModuleHeader { ULONG32 SizeOfHeader; ULONG32 SizeOfEntry; ULONG32 NumberOfEntries; } header; if (header.SizeOfHeader > sizeof(UnLoadedModuleHeader)) char pad[header.SizeOfHeader - sizeof(UnLoadedModuleHeader)]; MINIDUMP_UNLOADED_MODULE Module[header.NumberOfEntries]; } MINIDUMP_UNLOADED_MODULE_LIST ; typedef struct _MINIDUMP_MISC_INFO_2 { struct _MINIDUMP_MISC_INFO { ULONG32 SizeOfInfo; ULONG32 Flags1; ULONG32 ProcessId; ULONG32 ProcessCreateTime; ULONG32 ProcessUserTime; ULONG32 ProcessKernelTime; } info; if (info.SizeOfInfo > sizeof(_MINIDUMP_MISC_INFO)) { ULONG32 ProcessorMaxMhz; ULONG32 ProcessorCurrentMhz; ULONG32 ProcessorMhzLimit; ULONG32 ProcessorMaxIdleState; ULONG32 ProcessorCurrentIdleState; } } MINIDUMP_MISC_INFO ; typedef struct _MINIDUMP_MEMORY_INFO { ULONG64 BaseAddress ; ULONG64 AllocationBase ; ULONG32 AllocationProtect; ULONG32 __alignment1; ULONG64 RegionSize ; ULONG32 State ; ULONG32 Protect; ULONG32 Type; ULONG32 __alignment2; } MINIDUMP_MEMORY_INFO ; typedef struct _MINIDUMP_MEMORY_INFO_LIST { struct MemInfoHeader { ULONG SizeOfHeader; ULONG SizeOfEntry; ULONG64 NumberOfEntries; } header; if (header.SizeOfHeader > sizeof(MemInfoHeader)) char pad[header.SizeOfHeader - sizeof(MemInfoHeader)]; MINIDUMP_MEMORY_INFO info[header.NumberOfEntries] ; } MINIDUMP_MEMORY_INFO_LIST ; typedef struct _MINIDUMP_THREAD_INFO { ULONG32 ThreadId; ULONG32 DumpFlags; ULONG32 DumpError; ULONG32 ExitStatus; ULONG64 CreateTime; ULONG64 ExitTime; ULONG64 KernelTime; ULONG64 UserTime; ULONG64 StartAddress; ULONG64 Affinity; } MINIDUMP_THREAD_INFO; typedef struct _MINIDUMP_THREAD_INFO_LIST { struct ThreadInfoHeader { ULONG SizeOfHeader; ULONG SizeOfEntry; ULONG NumberOfEntries; } header; if (header.SizeOfHeader > sizeof(ThreadInfoHeader)) char pad[header.SizeOfHeader - sizeof(ThreadInfoHeader)]; MINIDUMP_THREAD_INFO info[header.NumberOfEntries]; } MINIDUMP_THREAD_INFO_LIST ; typedef struct _MINIDUMP_HANDLE_OPERATION_LIST { ULONG32 SizeOfHeader; ULONG32 SizeOfEntry; ULONG32 NumberOfEntries; ULONG32 Reserved; } MINIDUMP_HANDLE_OPERATION_LIST ; // ===============Functions=============== string DirDisplay(MINIDUMP_DIRECTORY& dir) { return EnumToString(dir.StreamType); } string LocDisplay(MINIDUMP_LOCATION_DESCRIPTOR& loc) { string s; SPrintf( s, "%u @0x%X", loc.DataSize, loc.Rva); return s; } string Mem64Display(MINIDUMP_MEMORY_DESCRIPTOR64& mem) { string s; SPrintf( s, "%u @0x%X", mem.DataSize, mem.StartOfMemoryRange); return s; } string MemInfoDisplay(MINIDUMP_MEMORY_INFO& info) { string s; SPrintf( s, "@0x%X", info.BaseAddress); return s; } string RvaNameDisplay(RVA rva) { return ReadWString(rva + 4, ReadInt(rva)); } string ModuleDisplay(MINIDUMP_MODULE& module) { return RvaNameDisplay(module.ModuleNameRva); } string UnloadedModuleDisplay(MINIDUMP_UNLOADED_MODULE& module) { return RvaNameDisplay(module.ModuleNameRva); } // ================ Datas ================ MINIDUMP_HEADER header; MINIDUMP_DIRECTORY dir[header.NumberOfStreams]; local int i = 0; for (i = 0; i < header.NumberOfStreams; ++i) { FSeek(dir[i].Location.Rva); switch (dir[i].StreamType) { case UnusedStream: case ReservedStream0: case ReservedStream1: default: break; case ThreadListStream: MINIDUMP_THREAD_LIST ThreadList; break; case ModuleListStream: MINIDUMP_MODULE_LIST ModuleList; break; case MemoryListStream: MINIDUMP_MEMORY_LIST MemList; break; case ExceptionStream: MINIDUMP_EXCEPTION_STREAM ExceptionInfo; break; case SystemInfoStream: MINIDUMP_SYSTEM_INFO SystemInfo; break; case ThreadExListStream: MINIDUMP_THREAD_EX_LIST ThreadExList; break; case Memory64ListStream: MINIDUMP_MEMORY64_LIST Mem64List; break; case CommentStreamA: case CommentStreamW: break; case HandleDataStream: MINIDUMP_HANDLE_DATA_STREAM HandleData; break; case FunctionTableStream: MINIDUMP_FUNCTION_TABLE_STREAM FunctionTable; break; case UnloadedModuleListStream: MINIDUMP_UNLOADED_MODULE_LIST UnloadModuleList; break; case MiscInfoStream: MINIDUMP_MISC_INFO MiscInfo; break; case MemoryInfoListStream: MINIDUMP_MEMORY_INFO_LIST MemInfoList; break; case ThreadInfoListStream: MINIDUMP_THREAD_INFO_LIST ThreadInfoList; break; case HandleOperationListStream: MINIDUMP_HANDLE_OPERATION_LIST HandleOperList; break; case LastReservedStream: break; } }