Radare2: Windows kernel dumps loading support

Created on 25 Feb 2020 · 3 Comments · Source: radareorg/radare2

Is your feature request related to a problem? Please describe.
Currently, radare has support for user-level minidumps, but nothing for loading the kernel dumps

Describe the solution you'd like

Something like MDMP loader, but for loading these

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
See:

Labels: New File-Format, PE, RDebug, Windows, hackaton

All 3 comments

File Structure

Header structure (note: there is padding between properties)
https://github.com/volatilityfoundation/volatility/wiki/Crash-Address-Space
https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/overlays/windows/crashdump.py

How Physical Memory Runs work
https://computer.forensikblog.de/en/2006/03/dmp-file-structure.html

List of DumpType
https://crashdmp.wordpress.com/crash-mechanism/configuration/

Address Space

https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/addrspaces/crash.py

Header

PsLoadedModuleList - LDR_LOAD_TABLE_ENTRY
KdDebuggerDataBlock - _KDDEBUGGER_DATA64
Kernel Base address = ntoskrnl base address which is also the first entry in PsLoadedModuleList

@abcSup since you added some basic support, could you please describe what is missing?

There is more rich information we can extract:

  • [ ] Loaded modules/drivers from PsLoadedModuleList, which is a vaddr to an LDR_LOAD_TABLE_ENTRY struct.
  • [ ] Permission data of each memory page from PfnDataBase (https://rayanfam.com/topics/inside-windows-page-frame-number-part1/), which is a vaddr.
  • [ ] Debugger data from KdDebuggerDataBlock, which is a vaddr to a _KDDEBUGGER_DATA64 struct.
  • [ ] Active processes from PsActiveProcessHead, which is a vaddr to _EPROCESS.ActiveProcessLinks.

To extract that information, we need a way to translate those vaddrs to physical memory addresses based on memory paging. Currently, the physical memory pages from the dump are mapped. We should map the virtual memory space of the kernel instead of the physical memory pages. Here are a few examples that emulate the address space:

It should support different memory paging formats (amd64, x86). Most implementations can be found in rekall.
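As an added example for the file structure described in the first comment and the vaddr translation step described in this one (my own sketch, not radare2 code and not something posted in this thread): a C program that parses the 64-bit PAGEDU64 header, turns a physical address into a file offset through the physical memory runs, and walks the amd64 page tables from DirectoryTableBase so that a header vaddr such as PsLoadedModuleList can be resolved. The header offsets are the ones in the volatility/rekall crash dump layouts linked above; the kdump_* names, the in-memory sample dump with its two runs and page tables, and the 4KPG/2MPG marker bytes are constructed for the demo. It assumes a little-endian host and handles only the amd64 four-level layout, not x86/PAE.

```c
/* Added example (not radare2 code): parse the PAGEDU64 header of a 64-bit Windows kernel
 * crash dump, map physical addresses through its PhysicalMemoryBlock runs, and walk amd64
 * page tables from DirectoryTableBase so header vaddrs such as PsLoadedModuleList can be
 * read. Offsets follow the volatility/rekall _DMP_HEADER64 layouts linked above. Assumes a
 * little-endian host; the sample dump at the bottom is constructed, not a real file. */
#include <stdint.h>
#include <string.h>
#define PAGE_SHIFT 12
#define HDR_SIZE   0x2000   /* sizeof(_DMP_HEADER64); the physical pages follow it */
#define MAX_RUNS   64

typedef struct { uint64_t base_page, page_count; } mem_run;   /* _PHYSICAL_MEMORY_RUN64 */
typedef struct {
    const uint8_t *buf; size_t len;
    uint64_t dtb;                    /* DirectoryTableBase: physical address of the PML4 */
    uint64_t ps_loaded_module_list;  /* a kernel vaddr, as are PsActiveProcessHead (0x28), KdDebuggerDataBlock (0x80) */
    uint32_t nruns;
    mem_run  runs[MAX_RUNS];
} kdump;
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Parse the header. -1 on bad signature, short file, or a run table overflowing the header. */
int kdump_open(kdump *d, const uint8_t *buf, size_t len) {
    if (len < HDR_SIZE || memcmp(buf, "PAGEDU64", 8) != 0) return -1;
    memset(d, 0, sizeof *d); d->buf = buf; d->len = len;
    d->dtb                   = rd64(buf + 0x10);
    d->ps_loaded_module_list = rd64(buf + 0x20);
    d->nruns                 = rd32(buf + 0x88);   /* _PHYSICAL_MEMORY_DESCRIPTOR64.NumberOfRuns */
    if (d->nruns > MAX_RUNS || 0x98 + (size_t)d->nruns * 16 > HDR_SIZE) return -1;
    for (uint32_t i = 0; i < d->nruns; i++) {      /* Run[i] = {BasePage, PageCount}, array at 0x98 */
        d->runs[i].base_page  = rd64(buf + 0x98 + 16 * i);
        d->runs[i].page_count = rd64(buf + 0xa0 + 16 * i);
    }
    return 0;
}
/* Physical address -> file offset. Runs are stored back to back after the header in table
 * order: offset = HDR_SIZE + (pages in earlier runs + index in this run) * 4 KiB. Physical
 * holes between runs (MMIO, reserved ranges) are absent from the file, hence -1. */
int64_t kdump_phys_to_off(const kdump *d, uint64_t paddr) {
    uint64_t pfn = paddr >> PAGE_SHIFT, skipped = 0;
    for (uint32_t i = 0; i < d->nruns; i++) {
        const mem_run *r = &d->runs[i];
        if (pfn >= r->base_page && pfn < r->base_page + r->page_count) {
            uint64_t off = HDR_SIZE + ((skipped + pfn - r->base_page) << PAGE_SHIFT) + (paddr & 0xfff);
            return off < d->len ? (int64_t)off : -1;
        }
        skipped += r->page_count;
    }
    return -1;
}
/* amd64 4-level walk PML4 -> PDPT -> PD -> PT from DirectoryTableBase, honouring PS for
 * 1 GiB and 2 MiB pages. -1 if a level is not present or its table is not in the dump. */
int kdump_virt_to_phys(const kdump *d, uint64_t vaddr, uint64_t *paddr) {
    const uint64_t PRESENT = 1, PS = 1 << 7, ADDR_MASK = 0x000ffffffffff000ULL;
    uint64_t table = d->dtb & ADDR_MASK, e;
    for (int level = 3; level >= 0; level--) {         /* 3 = PML4 ... 0 = PT */
        unsigned shift = PAGE_SHIFT + 9 * level;
        int64_t off = kdump_phys_to_off(d, table + ((vaddr >> shift) & 0x1ff) * 8);
        if (off < 0 || (uint64_t)off + 8 > d->len || !((e = rd64(d->buf + off)) & PRESENT)) return -1;
        if (level == 0 || (level < 3 && (e & PS))) {   /* leaf: 4 KiB, 2 MiB or 1 GiB page */
            uint64_t mask = (1ULL << shift) - 1;
            *paddr = (e & ADDR_MASK & ~mask) | (vaddr & mask);
            return 0;
        }
        table = e & ADDR_MASK;
    }
    return -1;
}

/* Constructed sample: header + 8 pages in two runs (PFN 0-3 and PFN 0x10-0x13) with a hole
 * between. 0xfffff80000012345 -> 4 KiB PTE -> phys 0x3345; 0xfffff80000412345 -> 2 MiB PDE -> phys 0x12345. */
#define SAMPLE_LEN 0xa000
static uint8_t sample[SAMPLE_LEN];
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }
static void put_phys64(const kdump *d, uint64_t pa, uint64_t v) { wr64(sample + kdump_phys_to_off(d, pa), v); }
const uint8_t *build_sample_dump(void) {
    kdump d;
    memset(sample, 0, sizeof sample); memcpy(sample, "PAGEDU64", 8);
    wr64(sample + 0x10, 0x1000);                        /* DTB: PML4 at phys 0x1000 */
    wr64(sample + 0x20, 0xfffff80000012345ULL);         /* pretend PsLoadedModuleList */
    wr64(sample + 0x88, 2);    wr64(sample + 0x90, 8);  /* NumberOfRuns, NumberOfPages */
    wr64(sample + 0x98, 0x00); wr64(sample + 0xa0, 4);  /* run 0: PFN 0x00..0x03 */
    wr64(sample + 0xa8, 0x10); wr64(sample + 0xb0, 4);  /* run 1: PFN 0x10..0x13 */
    kdump_open(&d, sample, SAMPLE_LEN);                 /* reuse the parser to place the tables */
    put_phys64(&d, 0x1000 + 0x1f0 * 8, 0x2000 | 3);     /* PML4[0x1f0] -> PDPT @ 0x2000 */
    put_phys64(&d, 0x2000, 0x10000 | 3);                /* PDPT[0]     -> PD   @ 0x10000 (run 1) */
    put_phys64(&d, 0x10000, 0x11000 | 3);               /* PD[0]       -> PT   @ 0x11000 */
    put_phys64(&d, 0x10000 + 2 * 8, 0x83);              /* PD[2]: 2 MiB page at phys 0, PS set */
    put_phys64(&d, 0x11000 + 0x12 * 8, 0x3000 | 3);     /* PT[0x12]    -> phys 0x3000 */
    memcpy(sample + kdump_phys_to_off(&d, 0x3345), "4KPG", 4);
    memcpy(sample + kdump_phys_to_off(&d, 0x12345), "2MPG", 4);
    return sample;
}
/* Demo over the sample: translate vaddr, then verify the 4-byte tag behind it. Returns the
 * physical address, or -1 (not mapped), -2 (page not in the dump), -3 (tag differs). */
int64_t sample_lookup(uint64_t vaddr, const char *tag) {
    kdump d; uint64_t pa; int64_t off;
    if (kdump_open(&d, build_sample_dump(), SAMPLE_LEN) != 0 || kdump_virt_to_phys(&d, vaddr, &pa) != 0) return -1;
    if ((off = kdump_phys_to_off(&d, pa)) < 0 || (uint64_t)off + 4 > d.len) return -2;
    return memcmp(d.buf + off, tag, 4) == 0 ? (int64_t)pa : -3;
}
```

The sample_lookup helper exercises the three cases a loader has to tell apart: a vaddr whose page-table entry is not present, a vaddr that translates but whose physical page falls into the hole between two runs (translation succeeds, the read must still fail), and a correct mapping through a 4 KiB and a 2 MiB page. The x86 PAE walk is the same loop with three levels (a 4-entry PDPT, then PD and PT with 512 8-byte entries); non-PAE x86 uses two levels of 1024 4-byte entries with 10-bit indices, so the only thing that changes is the index width and entry size per level.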
