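//------------------------------------------------
//--- 010 Editor v2.0.2 Binary Template
//
//      File: DMP.bt
//   Authors: A Schuster
//    E-mail: a.schuster@yendor.net
//   Version: 1.1
//   Purpose: Template to parse the header of a
//            Microsoft memory dump file (DMP)
//            as produced by the debugger and
//            kernel crashdump facility.
//  Category: Operating System
// File Mask: *.dmp
//  ID Bytes: 4D 44 4D 50, 50 41 47 45 // MDMP, PAGE
//   History:
//   1.1   2016-01-29 SweetScape: Updated header for repository submission.
//   1.0   2006-03-20 A Schuster: Initial release.
//
// This template merely serves as documentation of the
// memory dump format used by Microsoft's debuggers and
// the NT kernel crashdump facility. Detailed and
// authoritative information about a DMP file can be
// obtained by processing the file with the "dumpchk"
// utility which ships with Microsoft's free debugging
// tools package.
//
// The byte offsets given in the comments below follow directly from the
// field sizes declared here; every multi-byte field is little-endian.
// Only the 32-bit kernel/full dump header ("PAGE" signature) is described.
//------------------------------------------------

// ContextRecord sits at a fixed file offset; the physical memory descriptor
// in front of it is variable-length, so the template realigns to this value.
const int CONTEXT_RECORD_OFFSET = 800;
// Total size of the header fields declared in this template (0x1000).
const int HEADER_SIZE = 4096;

// DumpType field value (offset 0xF88); declared 4 bytes wide so the layout
// does not depend on the enum's default storage size.
typedef enum <uint32> {
    FULL = 1,
    KERNEL,
    SMALL
} e_DumpType;

// One run of physical pages, 8 bytes.
typedef struct {
    uint32 BasePage;    // first page number of the run
    uint32 PageCount;   // number of pages in the run
} _PHYSICAL_MEMORY_RUN32;

// Descriptor of the physical memory runs, variable length.
// NumberOfRuns comes straight from the file, so the run array is bounded
// by the space left before ContextRecord; a corrupt or crafted count would
// otherwise make the template read far past the header (or fail on EOF).
// NOTE(review): dumps whose descriptor is unused reportedly carry an ASCII
// fill pattern here instead of a count — that case also trips this bound.
typedef struct {
    uint32 NumberOfRuns;
    uint32 NumberOfPages;
    local uint32 maxRuns = (CONTEXT_RECORD_OFFSET - FTell()) / sizeof(_PHYSICAL_MEMORY_RUN32);
    if (NumberOfRuns > maxRuns) {
        Warning("PhysicalMemoryBlock.NumberOfRuns (%u) exceeds the %u runs that fit before ContextRecord; Run[] not parsed",
                NumberOfRuns, maxRuns);
    } else if (NumberOfRuns > 0) {
        _PHYSICAL_MEMORY_RUN32 Run[NumberOfRuns];
    }
} _PHYSICAL_MEMORY_DESCRIPTOR32;

// 32-bit exception record as stored in the dump, 80 bytes.
typedef struct {
    int32  ExceptionCode <format=hex>;
    uint32 ExceptionFlags <format=hex>;
    uint32 ExceptionRecord <format=hex>;
    uint32 ExceptionAddress <format=hex>;
    uint32 NumberParameters;
    uint32 ExceptionInformation[15] <format=hex>;
} _EXCEPTION_RECORD32;

LittleEndian();

// Sanity checks on the input before any field is declared: a short file
// or a foreign signature would otherwise be parsed silently as a dump header.
if (FileSize() < HEADER_SIZE) {
    Warning("File is %Ld bytes, shorter than the %d-byte dump header", FileSize(), HEADER_SIZE);
}
if (ReadUInt(0) != 0x45474150) {   // "PAGE" read little-endian (ID bytes 50 41 47 45)
    Warning("Signature is not \"PAGE\"; this template describes the 32-bit kernel crash dump header only (\"MDMP\" minidumps use a different layout)");
}

FSeek(0);
char   Signature[4];                         // 0x000  "PAGE"
char   ValidDump[4];                         // 0x004  "DUMP"; "DU64" marks a 64-bit header this template does not describe
uint32 MajorVersion;                         // 0x008
uint32 MinorVersion;                         // 0x00C
uint32 DirectoryTableBase <format=hex>;      // 0x010
uint32 PfnDataBase <format=hex>;             // 0x014
uint32 PsLoadedModuleList <format=hex>;      // 0x018
uint32 PsActiveProcessHead <format=hex>;     // 0x01C
uint32 MachineImageType <format=hex>;        // 0x020
uint32 NumberProcessors;                     // 0x024
uint32 BugCheckCode <format=hex>;            // 0x028
uint32 BugCheckParameter[4] <format=hex>;    // 0x02C
char   VersionUser[32];                      // 0x03C
uchar  PaeEnabled;                           // 0x05C
uchar  KdSecondaryVersion;                   // 0x05D
uchar  Spare3[2];                            // 0x05E
uint32 KdDebuggerDataBlock <format=hex>;     // 0x060
_PHYSICAL_MEMORY_DESCRIPTOR32 PhysicalMemoryBlock;   // 0x064, variable length

// Realign: ContextRecord has a fixed position regardless of how many runs
// the descriptor declared.
FSeek(CONTEXT_RECORD_OFFSET);
uchar  ContextRecord[1200];                  // 0x320
_EXCEPTION_RECORD32 Exception;               // 0x7D0
char   Comment[128];                         // 0x820
uchar  _reserved0[1768];                     // 0x8A0
e_DumpType DumpType;                         // 0xF88
uint32 MiniDumpFields;                       // 0xF8C
uint32 SecondaryDataState;                   // 0xF90
uint32 ProductType;                          // 0xF94
uint32 SuiteMask <format=hex>;               // 0xF98
uint32 WriterStatus;                         // 0xF9C
int64  RequiredDumpSpace;                    // 0xFA0
uchar  _reserved2[16];                       // 0xFA8
FILETIME SystemUpTime;                       // 0xFB8
FILETIME SystemTime;                         // 0xFC0
uchar  _reserved3[56];                       // 0xFC8; header ends at 0x1000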