Is your feature request related to a problem? Please describe.
Currently, radare has support for user-level minidumps, but nothing for loading the kernel dumps
Describe the solution you'd like
Something like MDMP loader, but for loading these
Describe alternatives you've considered
Additional context
See:
Header structure (note: there is padding between properties)
https://github.com/volatilityfoundation/volatility/wiki/Crash-Address-Space
https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/overlays/windows/crashdump.py
How Physical Memory Runs work
https://computer.forensikblog.de/en/2006/03/dmp-file-structure.html
List of DumpType
https://crashdmp.wordpress.com/crash-mechanism/configuration/
https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/addrspaces/crash.py
PsLoadedModuleList - LDR_LOAD_TABLE_ENTRY
KdDebuggerDataBlock - _KDDEBUGGER_DATA64
Kernel Base address = ntoskrnl base address which is also the first entry in PsLoadedModuleList
@abcSup since you added some basic support, could you please describe what is missing?
There is more rich information we can extract:
PsLoadedModuleList, which is a vaddr to a LDR_LOAD_TABLE_ENTRY struct.
PfnDataBase (https://rayanfam.com/topics/inside-windows-page-frame-number-part1/), which is a vaddr.
KdDebuggerDataBlock, which is a vaddr to a _KDDEBUGGER_DATA64 struct.
PsActiveProcessHead, which is a vaddr to _EPROCESS.ActiveProcessLinks.
To extract that information, we need a way to translate those vaddrs to physical memory addresses based on memory paging. Currently, the physical memory pages from the dump are mapped. We should map the virtual memory space of the kernel instead of the physical memory pages. Here are a few examples that emulate the address space:
It should support different memory paging formats (amd64, x86). Most implementations can be found in rekall.
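As an added example (not radare2's code, and not taken from rekall or volatility), here is a minimal model of the two pieces this thread points at: mapping physical addresses through the physical memory runs described in the "How Physical Memory Runs work" link, and the vaddr-to-physical translation abcSup describes, done as an amd64 4-level page walk over that physical space. The dump layout, run table, CR3 value, the "KDBG" marker and KDBG_VADDR are all constructed for the example (the real DMP64 header is not modelled); the amd64 page-table bit layout is the architectural one. It also shows the two failure modes a loader has to handle: a page-table entry that is not present, and a physical page that falls in the hole between two runs and therefore does not exist in the file.

```python
# Added example (not radare2's or rekall's code): a minimal model of a
# Windows kernel crash-dump address space. The dump layout below is a
# constructed stand-in, not the real DMP64 header; only the run/page-table
# logic is meant to carry over.
import struct

PAGE = 0x1000
PRESENT = 1 << 0          # PxE bit 0
LARGE = 1 << 7            # PDPTE/PDE bit 7 (PS): 1 GiB / 2 MiB page
PFN_MASK = 0x000FFFFFFFFFF000
KDBG_VADDR = 0xFFFFF80000401ABC   # hypothetical virtual address to resolve


def phys_to_file_offset(runs, header_size, paddr):
    """Translate a physical address to a file offset using the physical
    memory runs. `runs` is a list of (base_page, page_count); the pages of
    each run are stored back-to-back after the header, so physical pages
    that fall between runs are simply absent from the file."""
    page, file_page = paddr // PAGE, header_size // PAGE
    for base_page, page_count in runs:
        if base_page <= page < base_page + page_count:
            return (file_page + page - base_page) * PAGE + paddr % PAGE
        file_page += page_count
    return None


class CrashDump:
    """Physical address space backed by the dump file (reads must not cross
    a page boundary in this simplified version)."""

    def __init__(self, data, runs, header_size):
        self.data, self.runs, self.header_size = data, runs, header_size

    def read_phys(self, paddr, size):
        off = phys_to_file_offset(self.runs, self.header_size, paddr)
        if off is None or off + size > len(self.data):
            return None
        return bytes(self.data[off:off + size])

    def read_u64(self, paddr):
        raw = self.read_phys(paddr, 8)
        return None if raw is None else struct.unpack("<Q", raw)[0]


def translate_amd64(dump, cr3, vaddr):
    """4-level amd64 page walk (PML4 -> PDPT -> PD -> PT) over the dump's
    physical space. Returns the physical address, or None when a level is
    not present (a real loader would also need the x86/PAE variants)."""
    table = cr3 & PFN_MASK
    for level, shift in enumerate((39, 30, 21, 12)):
        entry = dump.read_u64(table + ((vaddr >> shift) & 0x1FF) * 8)
        if entry is None or not entry & PRESENT:
            return None
        if level in (1, 2) and entry & LARGE:
            low = (1 << shift) - 1                    # offset within the big page
            return (entry & PFN_MASK & ~low) | (vaddr & low)
        table = entry & PFN_MASK
    return table | (vaddr & 0xFFF)


def build_sample_dump():
    """Construct a toy dump: a one-page header, then two runs (pages 0-3 and
    0x10-0x13) with a hole in between, holding page tables for KDBG_VADDR."""
    header_size, runs = PAGE, [(0x0, 4), (0x10, 4)]
    data = bytearray(header_size + 8 * PAGE)

    def set_u64(paddr, value):
        struct.pack_into("<Q", data, phys_to_file_offset(runs, header_size, paddr), value)

    cr3, va = 0x1000, KDBG_VADDR
    idx = lambda shift: (va >> shift) & 0x1FF
    set_u64(cr3 + idx(39) * 8, 0x2000 | 0x3)            # PML4E -> PDPT
    set_u64(0x2000 + idx(30) * 8, 0x3000 | 0x3)         # PDPTE -> PD
    set_u64(0x3000 + idx(21) * 8, 0x10000 | 0x3)        # PDE   -> PT (in run 1)
    set_u64(0x10000 + idx(12) * 8, 0x11000 | 0x3)       # PTE   -> data page
    set_u64(0x10000 + (idx(12) + 1) * 8, 0x5000 | 0x3)  # PTE into the run hole
    set_u64(0x3000 + (idx(21) + 1) * 8, 0x0 | 0x83)     # 2 MiB large page at phys 0
    off = phys_to_file_offset(runs, header_size, 0x11000 + (va & 0xFFF))
    data[off:off + 4] = b"KDBG"                         # constructed marker
    return CrashDump(bytes(data), runs, header_size), cr3


def demo():
    dump, cr3 = build_sample_dump()
    kdbg_pa = translate_amd64(dump, cr3, KDBG_VADDR)
    return {
        "kdbg_paddr": kdbg_pa,                                          # 0x11ABC
        "kdbg_bytes": dump.read_phys(kdbg_pa, 4),                       # b"KDBG"
        "hole_paddr": translate_amd64(dump, cr3, 0xFFFFF80000402000),   # 0x5000
        "hole_bytes": dump.read_phys(0x5000, 4),                        # None: not in any run
        "large_paddr": translate_amd64(dump, cr3, 0xFFFFF80000602345),  # 0x2345
        "absent": translate_amd64(dump, cr3, 0xFFFFF80000403000),       # None: PTE not present
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, hex(v) if isinstance(v, int) else v)
```

The point of separating `phys_to_file_offset` from `translate_amd64` is that a loader can expose the translated kernel virtual space as one IO layer while keeping the run table as the only place that knows about holes; a vaddr can translate successfully and still be unreadable because its physical page was never written to the dump, and the loader should report that rather than return zeros.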