Windows Server snapshot issue (issue on wtf, 5 comments, closed)

x9090 commented on September 26, 2024
Windows Server snapshot issue


Comments (5)

0vercl0k commented on September 26, 2024

Bonsoir!

Kinda funny, with a regular windbg I can't even open the dump:

>"c:\program Files (x86)\windows kits\10\debuggers\x64\cdb.exe" -z state\mem.dmp

Microsoft (R) Windows Debugger Version 10.0.22621.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [testapps\state\mem.dmp]
Could not match Dump File signature - invalid file format
Could not open dump file [state\mem.dmp], Win32 error 0n87
    "The parameter is incorrect."
Debuggee initialization failed, Win32 error 0n87
The parameter is incorrect.

I can reproduce the above by using the DLLs off WinDbgX though, so I should have everything I need to investigate this. Will let you know when I've made any progress!

Cheers


0vercl0k commented on September 26, 2024

This might be a https://github.com/0vercl0k/kdmp-parser bug - it triple faults because the bx backend attempts to map the PML4 but can't find it in the dump file:

bochshooks: GpaMissingHandler: Mapping GPA 0x42ce4000 (0x42ce47f8) ..
bochshooks: GpaMissingHandler: GPA 0x42ce4000 is not mapped in the dump.
bochshooks: PhyAccessHook: Access 8 bytes to GPA 0x42ce47f8.
bochshooks: ExceptionHook: Vector(0xe), ErrorCode(0x14)
bochshooks: InterruptHook: Vector(0xe)
bochshooks: PhyAccessHook: Access 8 bytes to GPA 0x42ce4f80.
bochshooks: ExceptionHook: Vector(0xe), ErrorCode(0x0)
bochshooks: ExceptionHook: Vector(0x8), ErrorCode(0x0)
bochshooks: InterruptHook: Vector(0x8)
bochshooks: PhyAccessHook: Access 8 bytes to GPA 0x42ce4f80.
bochshooks: ExceptionHook: Vector(0xe), ErrorCode(0x0)
The emulator ran into a triple-fault exception or hit a HLT instruction.
If this is not an HLT instruction, please report it as a bug!

Which matches @cr3:

kd> ? @cr3
Evaluate expression: 1120813056 = 00000000`42ce4000
kd> !db 42ce4000
#42ce4000 67 98 2f 53 00 00 00 0a-00 00 00 00 00 00 00 00 g./S............

But the KernelDumpParser instance doesn't seem to have found any physical memory ranges...:

0:000> dx -r1 (*((wtf!kdmpparser::KernelDumpParser *)0x1e384e64618))
(*((wtf!kdmpparser::KernelDumpParser *)0x1e384e64618))                 [Type: kdmpparser::KernelDumpParser]
    [+0x000] FileMap_         [Type: FileMap_t]
    [+0x018] DmpHdr_          : 0x1e3c5fb0000 [Type: kdmpparser::HEADER64 *]
    [+0x020] PathFile_        : 0xd67954dce8 : "" [Type: char *]
    [+0x028] Physmem_         : { size=0x0 } [Type: std::unordered_map<unsigned __int64,unsigned char const *,std::hash<unsigned __int64>,std::equal_to<unsigned __int64>,std::allocator<std::pair<unsigned __int64 const ,unsigned char const *> > >]

0:000> lsa .
    53:   if (DmpPage == nullptr) {
    54:     BochsHooksDebugPrint(
    55:         "GpaMissingHandler: GPA {:#x} is not mapped in the dump.\n",
    56:         AlignedGpa);
>   57:     __debugbreak();
    58:   }
    59: 
    60:   //
    61:   // Allocate a new page of memory. We allocate a new page because the dump
    62:   // memory is not writeable. Also, because we will be using the original page


0vercl0k commented on September 26, 2024

kd> dx @$cursession
@$cursession                 : 64-bit Kernel range dump: testapps\state\mem.dmp

Kernel range dump might be a new thing - I don't think I've seen this before. If you want to unblock yourself, you can probably grab a kernel dump with an older version of WinDbgX or the windbg from the SDK.

Will continue investigating though.

Cheers

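As an added illustration (my own code, not from the wtf or kdmp-parser projects): a pre-flight check that reads only the first page of a kernel dump, verifies the PAGEDU64 signature that cdb complained about, and reports the PML4 physical address and the dump type, so an unrecognized dump type is visible before the emulator ever tries to map @cr3 and triple-faults. The header offsets (DirectoryTableBase at 0x10, DumpType at 0xf98) and the known type values are assumptions taken from kdmp-parser's HEADER64 layout; the sample header and its dump-type values are constructed, only the CR3 value comes from the thread.

```python
import struct

# Assumed from kdmp-parser's HEADER64 layout (not stated on the page).
SIGNATURE = b"PAGE"               # HEADER64.Signature at offset 0x0
VALID_DUMP = b"DU64"              # HEADER64.ValidDump at offset 0x4
OFF_DIRECTORY_TABLE_BASE = 0x10   # uint64: the CR3 in effect when the dump was taken
OFF_DUMP_TYPE = 0xF98             # uint32: DumpType_t
HEADER_SIZE = 0x1000              # the header occupies the first page

# DumpType_t values assumed from kdmp-parser. Anything else is reported as
# unknown, which is the situation in the thread: a dump type the parser did not
# know, so it found no physical memory ranges and left Physmem_ empty.
KNOWN_DUMP_TYPES = {1: "FullDump", 2: "KernelDump", 5: "BMPDump"}


def parse_kdmp_header(data: bytes) -> dict:
    """Validate the signature and extract CR3 / PML4 address and dump type."""
    if len(data) < HEADER_SIZE:
        return {"ok": False, "error": f"only {len(data)} bytes, header needs {HEADER_SIZE:#x}"}
    if data[0:4] != SIGNATURE or data[4:8] != VALID_DUMP:
        # Same condition cdb reports as "Could not match Dump File signature".
        return {"ok": False, "error": f"bad signature {data[0:8]!r}, expected {SIGNATURE + VALID_DUMP!r}"}
    (cr3,) = struct.unpack_from("<Q", data, OFF_DIRECTORY_TABLE_BASE)
    (dump_type,) = struct.unpack_from("<I", data, OFF_DUMP_TYPE)
    return {
        "ok": True,
        "cr3": cr3,
        # Low 12 bits of CR3 are flags/PCID; the PML4 lives at the aligned part,
        # which is the GPA the emulator must find in the dump's physical ranges.
        "pml4_gpa": cr3 & ~0xFFF,
        "dump_type": dump_type,
        "dump_type_name": KNOWN_DUMP_TYPES.get(dump_type, "unknown/unsupported"),
        "supported": dump_type in KNOWN_DUMP_TYPES,
    }


def build_sample_header(cr3: int, dump_type: int) -> bytes:
    """Constructed sample header (not a real dump) so the check runs offline."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = SIGNATURE + VALID_DUMP
    struct.pack_into("<Q", hdr, OFF_DIRECTORY_TABLE_BASE, cr3)
    struct.pack_into("<I", hdr, OFF_DUMP_TYPE, dump_type)
    return bytes(hdr)


def check_dump_file(path: str) -> dict:
    """Read just the first page of a dump on disk and parse it."""
    with open(path, "rb") as f:
        return parse_kdmp_header(f.read(HEADER_SIZE))


if __name__ == "__main__":
    # CR3 from the thread's "? @cr3" output; dump type 1 is a constructed value.
    print(parse_kdmp_header(build_sample_header(0x42CE4000, 1)))
    print(parse_kdmp_header(build_sample_header(0x42CE4000, 0x8)))  # unknown type
```

Run `check_dump_file("state/mem.dmp")` against a real dump; a result with `supported: False` is the case to expect trouble with, before any emulator logs appear.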

0vercl0k commented on September 26, 2024

Closing this as it's stale.

Cheers


0vercl0k commented on September 26, 2024

@x9090 just wanted to let you know that wtf should now handle that kind of dump file - support was added in kdmp-parser.

You probably didn't keep this dump around... but if you have, please give a shot to https://github.com/0vercl0k/wtf/releases/tag/v0.5.1 :)

If you are planning to do some fuzzing, please try out a dump acquired with WinDbg Preview and let me know :)

Cheers
