├── .github ├── FUNDING.yml └── workflows │ └── kdmp-parser-rs.yml ├── .gitignore ├── Cargo.toml ├── LICENSE ├── README.md ├── examples └── parser.rs ├── pics ├── kdmp-parser.gif └── parser.gif ├── rustfmt.toml ├── src ├── bits.rs ├── error.rs ├── gxa.rs ├── lib.rs ├── map.rs ├── parse.rs ├── pxe.rs └── structs.rs └── tests ├── modules_1.json ├── modules_2.json ├── modules_3.json ├── modules_4.json ├── modules_5.json └── regression.rs /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: 0vercl0k 2 | -------------------------------------------------------------------------------- /.github/workflows/kdmp-parser-rs.yml: -------------------------------------------------------------------------------- 1 | name: Builds 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | testdatas: 7 | env: 8 | TESTDATA_URL: https://github.com/0vercl0k/kdmp-parser/releases/download/v0.1/testdatas.7z 9 | 10 | name: fetch testdatas 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: Cache Artifacts 14 | id: cache-testdatas 15 | uses: actions/cache@v4 16 | with: 17 | key: kdmp-parser-testdatas-cache 18 | path: . 19 | - if: steps.cache-testdatas.outputs.cache-hit != 'true' 20 | run: | 21 | sudo apt-get -y update; sudo apt-get install -y p7zip-full; 22 | curl ${{ env.TESTDATA_URL }} -O -L 23 | 7z x testdatas.7z; rm testdatas.7z 24 | - name: Upload artifacts 25 | uses: actions/upload-artifact@v4 26 | with: 27 | if-no-files-found: error 28 | name: kdmp-parser-testdatas-cache 29 | path: . 
30 | 31 | fmt: 32 | runs-on: ubuntu-latest 33 | name: fmt 34 | steps: 35 | - name: Checkout 36 | uses: actions/checkout@v4 37 | 38 | - name: Set up rust 39 | run: rustup default nightly 40 | 41 | - name: Install rustfmt 42 | run: rustup component add rustfmt 43 | 44 | - name: cargo fmt 45 | run: cargo +nightly fmt --check 46 | 47 | clippy: 48 | name: clippy 49 | runs-on: ubuntu-latest 50 | steps: 51 | - name: Checkout 52 | uses: actions/checkout@v4 53 | 54 | - name: Set up rust 55 | run: rustup default stable 56 | 57 | - name: cargo clippy 58 | env: 59 | RUSTFLAGS: "-Dwarnings" 60 | run: cargo clippy --workspace --tests --examples 61 | 62 | doc: 63 | name: doc 64 | runs-on: ubuntu-latest 65 | steps: 66 | - name: Checkout 67 | uses: actions/checkout@v4 68 | 69 | - name: Set up rust 70 | run: rustup default stable 71 | 72 | - name: cargo doc 73 | env: 74 | RUSTDOCFLAGS: "-Dwarnings" 75 | run: cargo doc 76 | 77 | build: 78 | strategy: 79 | fail-fast: false 80 | matrix: 81 | os: [ubuntu-latest, windows-latest, macos-latest] 82 | 83 | needs: testdatas 84 | runs-on: ${{ matrix.os }} 85 | name: build & test / ${{ matrix.os }} 86 | steps: 87 | - name: Checkout 88 | uses: actions/checkout@v4 89 | 90 | - name: Set up rust 91 | run: rustup default stable 92 | 93 | - name: Retrieve testdatas 94 | uses: actions/download-artifact@v4 95 | with: 96 | name: kdmp-parser-testdatas-cache 97 | path: . 98 | 99 | - name: cargo test 100 | env: 101 | TESTDATAS: "." 102 | run: cargo test --workspace 103 | 104 | - name: cargo test release 105 | env: 106 | TESTDATAS: "." 
107 | run: cargo test --release --workspace 108 | 109 | - name: cargo check 110 | run: cargo check --workspace 111 | 112 | - name: cargo build 113 | run: cargo build --release --examples 114 | 115 | - name: Upload artifacts 116 | uses: actions/upload-artifact@v4 117 | with: 118 | name: parser-${{ matrix.os }} 119 | path: | 120 | target/release/examples/parser.exe 121 | target/release/examples/parser.pdb 122 | target/release/examples/parser 123 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | debug/ 4 | target/ 5 | 6 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 7 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 8 | Cargo.lock 9 | 10 | # These are backup files generated by rustfmt 11 | **/*.rs.bk 12 | 13 | # MSVC Windows builds of rustc generate these, which store debugging information 14 | *.pdb 15 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "kdmp-parser" 3 | version = "0.6.0" 4 | edition = "2021" 5 | authors = ["Axel '0vercl0k' Souchet"] 6 | categories = ["parser-implementations"] 7 | description = "A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger." 
8 | include = ["/Cargo.toml", "/LICENSE", "/src/**", "/examples/**", "README.md"] 9 | keywords = ["windows", "kernel", "crashdump"] 10 | license = "MIT" 11 | repository = "https://github.com/0vercl0k/kdmp-parser-rs" 12 | rust-version = "1.75" 13 | 14 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 15 | [dependencies] 16 | bitflags = "2.5.0" 17 | thiserror = "1.0" 18 | 19 | [dev-dependencies] 20 | anyhow = "1.0.80" 21 | clap = { version = "4.5.1", features = ["derive"] } 22 | serde = { version = "1.0", features = ["derive"] } 23 | serde_json = "1.0" 24 | 25 | [[example]] 26 | name = "parser" 27 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 Axel Souchet 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |
2 |

kdmp-parser

3 |

4 | A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger. 5 |

6 |

7 | 8 | 9 | 10 |

11 |

12 | 13 |

14 |
15 | 16 | This is a cross-platform crate that parses Windows **kernel** crash-dumps that Windows / WinDbg generate. It exposes read-only access to the physical memory pages as well as the register / exception context. It can also read virtual memory addresses by walking the [page tables](https://en.wikipedia.org/wiki/Page_table). 17 | 18 | Compiled binaries are available in the [releases](https://github.com/0vercl0k/kdmp-parser-rs/releases) section. 19 | 20 | ## Parser 21 | The [parser](examples/parser.rs) application is a small utility to showcase how to use the library and demonstrate its features. You can use it to dump memory, etc. 22 | 23 | ![parser-usage](https://github.com/0vercl0k/kdmp-parser-rs/raw/main/pics/parser.gif) 24 | 25 | Here are the options supported: 26 | ```text 27 | A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger. 28 | 29 | Usage: parser.exe [OPTIONS] <DUMP_PATH> 30 | 31 | Arguments: 32 | <DUMP_PATH> 33 | The dump path 34 | 35 | Options: 36 | --dump-headers 37 | Dump the dump headers 38 | 39 | -c, --context-record 40 | Dump the context record 41 | 42 | -e, --exception-record 43 | Dump the exception record 44 | 45 | -m, --mem[=<MEM>] 46 | Dump the first `len` bytes of every physical pages, unless an address is specified 47 | 48 | --virt 49 | The address specified is interpreted as a virtual address, not a physical address 50 | 51 | --len <LEN> 52 | The number of bytes to dump out 53 | 54 | [default: 16] 55 | 56 | -r, --reader <READER> 57 | Reader mode 58 | 59 | [default: mmap] 60 | 61 | Possible values: 62 | - mmap: The crash-dump is memory-mapped 63 | - file: The crash-dump is read as a file on disk 64 | 65 | --modules 66 | Dump the list of kernel & user modules 67 | 68 | -h, --help 69 | Print help (see a summary with '-h') 70 | 71 | -V, --version 72 | Print version 73 | ``` 74 | 75 | # Authors 76 | 77 | * Axel '[@0vercl0k](https://twitter.com/0vercl0k)' Souchet 78 | 79 | # Contributors 80 | 81 | [ 
![contributors-img](https://contrib.rocks/image?repo=0vercl0k/kdmp-parser-rs) ](https://github.com/0vercl0k/kdmp-parser-rs/graphs/contributors) 82 | -------------------------------------------------------------------------------- /examples/parser.rs: -------------------------------------------------------------------------------- 1 | // Axel '0vercl0k' Souchet - February 25 2024 2 | use core::default::Default; 3 | use std::collections::BTreeMap; 4 | use std::fs::File; 5 | use std::path::PathBuf; 6 | 7 | use anyhow::{Context, Result}; 8 | use clap::{Parser, ValueEnum}; 9 | use kdmp_parser::{Gpa, Gva, Gxa, KernelDumpParser, MappedFileReader}; 10 | 11 | #[derive(Debug, Default, Clone, Copy, ValueEnum)] 12 | enum ReaderMode { 13 | #[default] 14 | /// The crash-dump is memory-mapped. 15 | Mmap, 16 | /// The crash-dump is read as a file on disk. 17 | File, 18 | } 19 | 20 | #[derive(Parser, Debug)] 21 | #[command(version, about)] 22 | struct Args { 23 | /// The dump path. 24 | dump_path: PathBuf, 25 | /// Dump the dump headers. 26 | #[arg(long, default_value_t = false)] 27 | dump_headers: bool, 28 | /// Dump the context record. 29 | #[arg(short, long)] 30 | context_record: bool, 31 | /// Dump the exception record. 32 | #[arg(short, long)] 33 | exception_record: bool, 34 | /// Dump the first `len` bytes of every physical pages, unless an address is 35 | /// specified. 36 | #[arg(short, long, num_args = 0..=1, require_equals = true, default_missing_value = "0xffffffffffffffff")] 37 | mem: Option, 38 | /// The address specified is interpreted as a virtual address, not a 39 | /// physical address. 40 | #[arg(long, default_value_t = false)] 41 | virt: bool, 42 | /// The number of bytes to dump out. 43 | #[arg(long, default_value_t = 0x10)] 44 | len: usize, 45 | /// Reader mode. 46 | #[arg(short, long, value_enum, default_value_t = ReaderMode::Mmap)] 47 | reader: ReaderMode, 48 | /// Dump the list of kernel & user modules. 
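// Tail of the `Args` struct; its opening lines precede this span.
    #[arg(long, default_value_t = false)]
    modules: bool,
}

/// Print a hexdump of `data`, 16 bytes per row.
///
/// `address` is the address of `data[0]`; every row is labelled with the
/// address of its first byte. Bytes that are not ASCII graphic characters are
/// shown as `.` in the text column.
fn hexdump(address: u64, data: &[u8]) {
    for (offset, row) in (0u64..).step_by(16).zip(data.chunks(16)) {
        // `offset` is already a byte offset (0, 16, 32, ..). The previous code
        // multiplied it by 16 again, so every row after the first carried a
        // wrong address. `wrapping_add` keeps a label near `u64::MAX` from
        // panicking in builds with overflow checks.
        print!("{:016x}: ", address.wrapping_add(offset));
        for byte in row {
            print!("{byte:02x}");
        }
        // A short last row is padded with two columns per missing byte so the
        // text column stays aligned with the full rows.
        for _ in row.len()..16 {
            print!("  ");
        }
        print!(" |");
        for &byte in row {
            let c = char::from(byte);
            print!("{}", if c.is_ascii_graphic() { c } else { '.' });
        }
        for _ in row.len()..16 {
            print!(" ");
        }
        println!("|");
    }
}

/// Convert a hexadecimal string, with or without a leading `0x`, to a `u64`.
///
/// # Errors
///
/// Fails when what follows the optional prefix is not a valid hexadecimal
/// `u64`.
fn to_hex(s: &str) -> Result<u64> {
    // Strip at most one prefix: `trim_start_matches` would also accept
    // malformed input such as `0x0x10`.
    let digits = s.strip_prefix("0x").unwrap_or(s);
    u64::from_str_radix(digits, 16).context("failed to convert string to u64")
}

fn main() -> Result<()> {
    let args = Args::parse();
    // Both reader modes end up in the same parser type; only the backing
    // reader differs.
    let parser = match args.reader {
        ReaderMode::Mmap => {
            let mapped_file = MappedFileReader::new(args.dump_path)?;
            KernelDumpParser::with_reader(mapped_file)
        }
        ReaderMode::File => {
            let file = File::open(args.dump_path)?;
            KernelDumpParser::with_reader(file)
        }
    }
    .context("failed to parse the kernel dump")?;

    if args.dump_headers {
        println!("{:#?}", parser.headers());
    }

    if args.context_record {
        println!("{:#x?}", parser.context_record());
    }

    if args.exception_record {
        println!("{:#x?}", parser.exception_record());
    }

    if args.modules {
        // Keyed by start address so the modules print in address order.
        let modules = parser
            .user_modules()
            .chain(parser.kernel_modules())
            .map(|(at, v)| (at.start, (v, at.end)))
            .collect::<BTreeMap<_, _>>();

        for (start, (module, end)) in modules {
            println!("{:#018x}-{:#018x}: {module}", start.u64(), end.u64());
        }
    }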
123 | 124 | if let Some(addr) = args.mem { 125 | let mut buffer = vec![0; args.len]; 126 | let addr = to_hex(&addr)?; 127 | if addr == u64::MAX { 128 | for (gpa, _) in parser.physmem() { 129 | parser.phys_read_exact(gpa, &mut buffer)?; 130 | hexdump(gpa.u64(), &buffer) 131 | } 132 | } else { 133 | let amount = if args.virt { 134 | parser.virt_read(Gva::new(addr), &mut buffer) 135 | } else { 136 | parser.phys_read(Gpa::new(addr), &mut buffer) 137 | }; 138 | 139 | if let Ok(amount) = amount { 140 | hexdump(addr, &buffer[..amount]); 141 | } else { 142 | println!( 143 | "There is no {} memory available for {addr:#x}", 144 | if args.virt { "virtual" } else { "physical" } 145 | ); 146 | } 147 | } 148 | } 149 | 150 | Ok(()) 151 | } 152 | -------------------------------------------------------------------------------- /pics/kdmp-parser.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0vercl0k/kdmp-parser-rs/b594318026837235742ee9184c8ef7d71ad64982/pics/kdmp-parser.gif -------------------------------------------------------------------------------- /pics/parser.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0vercl0k/kdmp-parser-rs/b594318026837235742ee9184c8ef7d71ad64982/pics/parser.gif -------------------------------------------------------------------------------- /rustfmt.toml: -------------------------------------------------------------------------------- 1 | reorder_modules = true 2 | use_field_init_shorthand = true 3 | 4 | unstable_features = true 5 | indent_style = "Block" 6 | reorder_imports = true 7 | imports_granularity = "Module" 8 | normalize_comments = true 9 | normalize_doc_attributes = true 10 | overflow_delimited_expr = true 11 | reorder_impl_items = true 12 | group_imports = "StdExternalCrate" 13 | wrap_comments = true -------------------------------------------------------------------------------- /src/bits.rs: 
-------------------------------------------------------------------------------- 1 | // Axel '0vercl0k' Souchet - January 21 2024 2 | //! This defines and implements the [`Bits`] trait which allows user to extract 3 | //! bit / range of bits off regular integer. 4 | //! 5 | //! //! # Examples 6 | //! 7 | //! ``` 8 | //! # use kdmp_parser::Bits; 9 | //! let v = 0xAB_CD_EF_01_23_45_67_89u64; 10 | //! assert_eq!(v.bits(0..=63), v); 11 | //! assert_eq!(v.bits(0..=55), 0xCD_EF_01_23_45_67_89); 12 | //! ``` 13 | use std::mem; 14 | use std::ops::RangeInclusive; 15 | 16 | /// Utility trait to make it easier to extract ranges of bits. 17 | pub trait Bits: Sized { 18 | /// Get a range of bits. 19 | fn bits(&self, r: RangeInclusive) -> Self; 20 | 21 | /// Get a bit. 22 | fn bit(&self, n: usize) -> Self { 23 | self.bits(n..=n) 24 | } 25 | } 26 | 27 | impl Bits for T 28 | where 29 | T: Into + Copy + TryFrom, 30 | >::Error: std::fmt::Debug, 31 | { 32 | fn bits(&self, r: RangeInclusive) -> Self { 33 | let (start, end) = r.into_inner(); 34 | let capacity = mem::size_of_val(self) * 8; 35 | assert!(start <= end, "the range should have a start <= end"); 36 | assert!( 37 | end < capacity, 38 | "the end ({end}) of the range can't exceed the bits capacity ({capacity}) of Self" 39 | ); 40 | let value = (*self).into(); 41 | let base = value >> start; 42 | let n = end - start + 1; 43 | 44 | let mask = if n == capacity { 45 | // This prevents to overflow a u128 when doing `(1 << 128) - 1` 46 | !0 47 | } else { 48 | (1 << n) - 1 49 | }; 50 | 51 | // This cannot fail as we are zero extending `Self` into a `u128` and then the 52 | // `mask` cannot index outside the bit capacity of `Self`. 
53 | T::try_from(base & mask).unwrap() 54 | } 55 | } 56 | 57 | #[cfg(test)] 58 | mod tests { 59 | use super::Bits; 60 | 61 | #[test] 62 | fn bits64() { 63 | let v = 0xAB_CD_EF_01_23_45_67_89u64; 64 | assert_eq!(v.bits(0..=63), v); 65 | assert_eq!(v.bits(0..=55), 0xCD_EF_01_23_45_67_89); 66 | assert_eq!(v.bits(0..=47), 0xEF_01_23_45_67_89); 67 | assert_eq!(v.bits(0..=39), 0x01_23_45_67_89); 68 | assert_eq!(v.bits(0..=31), 0x23_45_67_89); 69 | assert_eq!(v.bits(0..=23), 0x45_67_89); 70 | assert_eq!(v.bits(0..=15), 0x67_89); 71 | assert_eq!(v.bits(0..=7), 0x89); 72 | assert_eq!(v.bits(0..=3), 0x9); 73 | 74 | assert_eq!(v.bits(0..=7), 0x89); 75 | assert_eq!(v.bits(8..=15), 0x67); 76 | assert_eq!(v.bits(16..=23), 0x45); 77 | assert_eq!(v.bits(24..=31), 0x23); 78 | assert_eq!(v.bits(32..=39), 0x01); 79 | assert_eq!(v.bits(40..=47), 0xEF); 80 | assert_eq!(v.bits(48..=55), 0xCD); 81 | assert_eq!(v.bits(56..=63), 0xAB); 82 | assert_eq!(v.bit(0), 1); 83 | } 84 | 85 | #[test] 86 | fn bits128() { 87 | let v = 0xAB_CD_EF_01_23_45_67_89u128; 88 | assert_eq!(v.bits(0..=125), v); 89 | assert_eq!(v.bits(0..=55), 0xCD_EF_01_23_45_67_89); 90 | assert_eq!(v.bits(0..=47), 0xEF_01_23_45_67_89); 91 | assert_eq!(v.bits(0..=39), 0x01_23_45_67_89); 92 | assert_eq!(v.bits(0..=31), 0x23_45_67_89); 93 | assert_eq!(v.bits(0..=23), 0x45_67_89); 94 | assert_eq!(v.bits(0..=15), 0x67_89); 95 | assert_eq!(v.bits(0..=7), 0x89); 96 | assert_eq!(v.bits(0..=3), 0x9); 97 | 98 | assert_eq!(v.bits(0..=7), 0x89); 99 | assert_eq!(v.bits(8..=15), 0x67); 100 | assert_eq!(v.bits(16..=23), 0x45); 101 | assert_eq!(v.bits(24..=31), 0x23); 102 | assert_eq!(v.bits(32..=39), 0x01); 103 | assert_eq!(v.bits(40..=47), 0xEF); 104 | assert_eq!(v.bits(48..=55), 0xCD); 105 | assert_eq!(v.bits(56..=63), 0xAB); 106 | } 107 | 108 | #[test] 109 | #[allow(clippy::reversed_empty_ranges)] 110 | fn invalid_ranges() { 111 | assert!(std::panic::catch_unwind(|| 1u64.bits(10..=0)).is_err()); 112 | assert!(std::panic::catch_unwind(|| 
1u128.bits(0..=128)).is_err()); 113 | assert!(std::panic::catch_unwind(|| 1u64.bits(0..=64)).is_err()); 114 | } 115 | } 116 | -------------------------------------------------------------------------------- /src/error.rs: -------------------------------------------------------------------------------- 1 | // Axel '0vercl0k' Souchet - March 19 2024 2 | //! This is the error type used across the codebase. 3 | use std::fmt::Display; 4 | use std::{io, string}; 5 | 6 | use thiserror::Error; 7 | 8 | use crate::structs::{DUMP_HEADER64_EXPECTED_SIGNATURE, DUMP_HEADER64_EXPECTED_VALID_DUMP}; 9 | use crate::{Gpa, Gva}; 10 | pub type Result = std::result::Result; 11 | 12 | #[derive(Debug)] 13 | pub enum PxeNotPresent { 14 | Pml4e, 15 | Pdpte, 16 | Pde, 17 | Pte, 18 | } 19 | 20 | #[derive(Debug, Error)] 21 | pub enum AddrTranslationError { 22 | Virt(Gva, PxeNotPresent), 23 | Phys(Gpa), 24 | } 25 | 26 | impl Display for AddrTranslationError { 27 | fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { 28 | match self { 29 | AddrTranslationError::Virt(gva, not_pres) => f.write_fmt(format_args!( 30 | "virt to phys translation of {gva}: {not_pres:?}" 31 | )), 32 | AddrTranslationError::Phys(gpa) => { 33 | f.write_fmt(format_args!("phys to offset translation of {gpa}")) 34 | } 35 | } 36 | } 37 | } 38 | 39 | #[derive(Error, Debug)] 40 | pub enum KdmpParserError { 41 | #[error("invalid UNICODE_STRING")] 42 | InvalidUnicodeString, 43 | #[error("utf16: {0}")] 44 | Utf16(#[from] string::FromUtf16Error), 45 | #[error("overflow: {0}")] 46 | Overflow(&'static str), 47 | #[error("io: {0}")] 48 | Io(#[from] io::Error), 49 | #[error("invalid data: {0}")] 50 | InvalidData(&'static str), 51 | #[error("unsupported dump type {0:#x}")] 52 | UnknownDumpType(u32), 53 | #[error("duplicate gpa found in physmem map for {0}")] 54 | DuplicateGpa(Gpa), 55 | #[error("header's signature looks wrong: {0:#x} vs {DUMP_HEADER64_EXPECTED_SIGNATURE:#x}")] 56 | InvalidSignature(u32), 57 | 
#[error("header's valid dump looks wrong: {0:#x} vs {DUMP_HEADER64_EXPECTED_VALID_DUMP:#x}")] 58 | InvalidValidDump(u32), 59 | #[error("overflow for phys addr w/ run {0} page {1}")] 60 | PhysAddrOverflow(u32, u64), 61 | #[error("overflow for page offset w/ run {0} page {1}")] 62 | PageOffsetOverflow(u32, u64), 63 | #[error("overflow for page offset w/ bitmap_idx {0} bit_idx {1}")] 64 | BitmapPageOffsetOverflow(u64, usize), 65 | #[error("partial physical memory read")] 66 | PartialPhysRead, 67 | #[error("partial virtual memory read")] 68 | PartialVirtRead, 69 | #[error("memory translation: {0}")] 70 | AddrTranslation(#[from] AddrTranslationError), 71 | } 72 | -------------------------------------------------------------------------------- /src/gxa.rs: -------------------------------------------------------------------------------- 1 | // Axel '0vercl0k' Souchet - May 30 2023 2 | //! This contains types that are useful to manipulate 3 | //! Guest Virtual Addresses ([`Gva`]) and Guest Physical Addresses ([`Gpa`]). 4 | //! Because ultimately they are both [`u64`] under the hood, a lot of operations 5 | //! apply to both [`Gva`] & [`Gpa`] ([`Gxa::page_align`], etc.) and those are 6 | //! implemented into the parent trait [`Gxa`]. 7 | //! 8 | //! # Examples 9 | //! 10 | //! ``` 11 | //! use kdmp_parser::{Gxa, Gva}; 12 | //! let gva = Gva::new(1337); 13 | //! let page_aligned_gva = gva.page_align(); 14 | //! let page_offset = gva.offset(); 15 | //! ``` 16 | use std::fmt::Display; 17 | use std::ops::AddAssign; 18 | 19 | use crate::pxe::Pfn; 20 | use crate::structs::Page; 21 | 22 | /// A bunch of useful methods to manipulate 64-bit addresses of 23 | /// any kind. 24 | pub trait Gxa: Sized + Default + Copy + From { 25 | /// Get the underlying [`u64`] out of it. 26 | fn u64(&self) -> u64; 27 | 28 | /// Get the page offset. 29 | fn offset(&self) -> u64 { 30 | self.u64() & 0xf_ff 31 | } 32 | 33 | /// Is it page aligned? 
34 | fn page_aligned(&self) -> bool { 35 | self.offset() == 0 36 | } 37 | 38 | /// Page-align it. 39 | fn page_align(&self) -> Self { 40 | Self::from(self.u64() & !0xfff) 41 | } 42 | 43 | /// Get the next aligned page. 44 | fn next_aligned_page(self) -> Self { 45 | Self::from( 46 | self.page_align() 47 | .u64() 48 | .checked_add(Page::size()) 49 | .expect("Cannot overflow"), 50 | ) 51 | } 52 | } 53 | 54 | /// Strong type for Guest Physical Addresses. 55 | /// 56 | /// # Examples 57 | /// 58 | /// ``` 59 | /// # use kdmp_parser::{Gxa, Gpa}; 60 | /// # fn main() { 61 | /// let gpa = Gpa::new(0x1337_123); 62 | /// assert_eq!(gpa.offset(), 0x123); 63 | /// assert_eq!(gpa.page_aligned(), false); 64 | /// let aligned_gpa = gpa.page_align(); 65 | /// assert_eq!(aligned_gpa.u64(), 0x1337_000); 66 | /// assert_eq!(aligned_gpa.page_aligned(), true); 67 | /// let next_gpa = gpa.next_aligned_page(); 68 | /// assert_eq!(next_gpa.u64(), 0x1338_000); 69 | /// # } 70 | /// ``` 71 | #[derive(Debug, Clone, Copy, Eq, Hash, PartialEq, Default, PartialOrd, Ord)] 72 | pub struct Gpa(u64); 73 | 74 | impl Gpa { 75 | /// Create a new [`Gpa`]. 76 | /// 77 | /// # Examples 78 | /// 79 | /// ``` 80 | /// # use kdmp_parser::{Gxa, Gpa}; 81 | /// # fn main() { 82 | /// let gpa = Gpa::new(1337); 83 | /// # } 84 | /// ``` 85 | pub const fn new(addr: u64) -> Self { 86 | Self(addr) 87 | } 88 | 89 | /// Create a new [`Gpa`] from a Page Frame Number or PFN. 90 | /// 91 | /// # Examples 92 | /// 93 | /// ``` 94 | /// # use kdmp_parser::{Gxa, Gpa, Pfn}; 95 | /// # fn main() { 96 | /// let gpa = Gpa::from_pfn(Pfn::new(0x1337)); 97 | /// assert_eq!(gpa.u64(), 0x1337_000); 98 | /// # } 99 | /// ``` 100 | pub const fn from_pfn(pfn: Pfn) -> Self { 101 | Self(pfn.u64() << (4 * 3)) 102 | } 103 | 104 | /// Create a new [`Gpa`] from a Page Frame Number or PFN and an added 105 | /// offset. 
106 | /// `offset` is added as is: it is not masked to the page size, the shift drops the top 12 bits of the PFN, and the `+` is unchecked (at run time it panics when overflow checks are enabled and wraps otherwise). 107 | /// # Examples 108 | /// 109 | /// ``` 110 | /// # use kdmp_parser::{Gxa, Gpa, Pfn}; 111 | /// # fn main() { 112 | /// let gpa = Gpa::from_pfn_with_offset(Pfn::new(0x1337), 0x11); 113 | /// assert_eq!(gpa.u64(), 0x1337_011); 114 | /// # } 115 | /// ``` 116 | pub const fn from_pfn_with_offset(pfn: Pfn, offset: u64) -> Self { 117 | let base = pfn.u64() << (4 * 3); 118 | 119 | Self(base + offset) 120 | } 121 | 122 | /// Get the Page Frame Number from a [`Gpa`]. 123 | /// 124 | /// # Examples 125 | /// 126 | /// ``` 127 | /// # use kdmp_parser::{Gxa, Gpa}; 128 | /// # fn main() { 129 | /// let gpa = Gpa::new(0x1337_337); 130 | /// assert_eq!(gpa.pfn(), 0x1337); 131 | /// # } 132 | /// ``` 133 | pub const fn pfn(&self) -> u64 { 134 | self.0 >> (4 * 3) 135 | } 136 | } 137 | 138 | /// Operator += for [`Gpa`]. Plain `+=` on the inner `u64`: overflow panics when overflow checks are enabled and wraps otherwise. 139 | impl AddAssign for Gpa { 140 | fn add_assign(&mut self, rhs: Self) { 141 | self.0 += rhs.0 142 | } 143 | } 144 | 145 | impl Gxa for Gpa { 146 | /// Get the underlying [`u64`]. 147 | /// 148 | /// # Examples 149 | /// 150 | /// ``` 151 | /// # use kdmp_parser::{Gxa, Gpa}; 152 | /// # fn main() { 153 | /// let gpa = Gpa::new(1337); 154 | /// assert_eq!(gpa.u64(), 1337); 155 | /// # } 156 | /// ``` 157 | fn u64(&self) -> u64 { 158 | self.0 159 | } 160 | } 161 | 162 | /// Convert a [`u64`] into a [`Gpa`]. 163 | impl From for Gpa { 164 | /// Create a [`Gpa`] from a [`u64`]. 165 | /// 166 | /// # Examples 167 | /// 168 | /// ``` 169 | /// # use kdmp_parser::{Gxa, Gpa}; 170 | /// # fn main() { 171 | /// let gpa = Gpa::from(0xdeadbeef_baadc0de); 172 | /// assert_eq!(u64::from(gpa), 0xdeadbeef_baadc0de); 173 | /// # } 174 | /// ``` 175 | fn from(value: u64) -> Self { 176 | Gpa(value) 177 | } 178 | } 179 | 180 | /// Convert a [`Gpa`] into a [`u64`]. 181 | impl From for u64 { 182 | /// Create a [`u64`] from a [`Gpa`]. 
183 | /// 184 | /// # Examples 185 | /// 186 | /// ``` 187 | /// # use kdmp_parser::{Gxa, Gpa}; 188 | /// # fn main() { 189 | /// let gpa = Gpa::new(0xdeadbeef_baadc0de); 190 | /// let gpa_u64: u64 = gpa.into(); 191 | /// assert_eq!(gpa_u64, 0xdeadbeef_baadc0de); 192 | /// assert_eq!(u64::from(gpa), 0xdeadbeef_baadc0de); 193 | /// # } 194 | /// ``` 195 | fn from(value: Gpa) -> Self { 196 | value.0 197 | } 198 | } 199 | 200 | /// Convert a [`&Gpa`][`Gpa`] into a [`u64`]. 201 | impl From<&Gpa> for u64 { 202 | /// Create a [`u64`] from a [`&Gpa`][`Gpa`]. 203 | /// 204 | /// # Examples 205 | /// 206 | /// ``` 207 | /// # use kdmp_parser::{Gxa, Gpa}; 208 | /// # fn main() { 209 | /// let gpa = Gpa::new(0xdeadbeef_baadc0de); 210 | /// let gpa_p = &gpa; 211 | /// let gpa_u64: u64 = gpa_p.into(); 212 | /// assert_eq!(gpa_u64, 0xdeadbeef_baadc0de); 213 | /// assert_eq!(u64::from(gpa_p), 0xdeadbeef_baadc0de); 214 | /// # } 215 | /// ``` 216 | fn from(value: &Gpa) -> Self { 217 | value.0 218 | } 219 | } 220 | 221 | /// Format a [`Gpa`] as a string. 222 | impl Display for Gpa { 223 | fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { 224 | write!(f, "GPA:{:#x}", self.0) 225 | } 226 | } 227 | 228 | /// Strong type for Guest Virtual Addresses. 229 | /// 230 | /// # Examples 231 | /// 232 | /// ``` 233 | /// # use kdmp_parser::{Gxa, Gva}; 234 | /// # fn main() { 235 | /// let gva = Gva::new(0x1337_fff); 236 | /// assert_eq!(gva.offset(), 0xfff); 237 | /// assert_eq!(gva.page_aligned(), false); 238 | /// let aligned_gva = gva.page_align(); 239 | /// assert_eq!(aligned_gva.u64(), 0x1337_000); 240 | /// assert_eq!(aligned_gva.page_aligned(), true); 241 | /// let next_gva = gva.next_aligned_page(); 242 | /// assert_eq!(next_gva.u64(), 0x1338_000); 243 | /// # } 244 | /// ``` 245 | #[derive(Debug, Clone, Copy, Eq, Hash, PartialEq, Default, PartialOrd, Ord)] 246 | pub struct Gva(u64); 247 | 248 | impl Gva { 249 | /// Create a new [`Gva`]. 
250 | /// 251 | /// # Examples 252 | /// 253 | /// ``` 254 | /// # use kdmp_parser::{Gxa, Gva}; 255 | /// # fn main() { 256 | /// let gva = Gva::new(0xdeadbeef); 257 | /// # } 258 | /// ``` 259 | pub const fn new(addr: u64) -> Self { 260 | Self(addr) 261 | } 262 | 263 | /// Get the PTE index of the [`Gva`]. 264 | /// 265 | /// # Examples 266 | /// 267 | /// ``` 268 | /// # use kdmp_parser::{Gxa, Gva}; 269 | /// # fn main() { 270 | /// let first = Gva::new(0xff_ff_b9_dc_ee_77_31_37); 271 | /// assert_eq!(first.pte_idx(), 371); 272 | /// let second = Gva::new(0xff_ff_11_22_33_44_55_66); 273 | /// assert_eq!(second.pte_idx(), 0x45); 274 | /// # } 275 | /// ``` 276 | #[allow(clippy::erasing_op, clippy::identity_op)] 277 | pub const fn pte_idx(&self) -> u64 { 278 | (self.0 >> (12 + (9 * 0))) & 0b1_1111_1111 279 | } 280 | 281 | /// Get the PDE index of the [`Gva`]. 282 | /// 283 | /// # Examples 284 | /// 285 | /// ``` 286 | /// # use kdmp_parser::{Gxa, Gva}; 287 | /// # fn main() { 288 | /// let first = Gva::new(0xff_ff_b9_dc_ee_77_31_37); 289 | /// assert_eq!(first.pde_idx(), 371); 290 | /// let second = Gva::new(0xff_ff_11_22_33_44_55_66); 291 | /// assert_eq!(second.pde_idx(), 0x19a); 292 | /// # } 293 | /// ``` 294 | #[allow(clippy::identity_op)] 295 | pub const fn pde_idx(&self) -> u64 { 296 | (self.0 >> (12 + (9 * 1))) & 0b1_1111_1111 297 | } 298 | 299 | /// Get the PDPE offset of the [`Gva`]. 300 | /// 301 | /// # Examples 302 | /// 303 | /// ``` 304 | /// # use kdmp_parser::{Gxa, Gva}; 305 | /// # fn main() { 306 | /// let first = Gva::new(0xff_ff_b9_dc_ee_77_31_37); 307 | /// assert_eq!(first.pdpe_idx(), 371); 308 | /// let second = Gva::new(0xff_ff_11_22_33_44_55_66); 309 | /// assert_eq!(second.pdpe_idx(), 0x88); 310 | /// # } 311 | /// ``` 312 | pub const fn pdpe_idx(&self) -> u64 { 313 | (self.0 >> (12 + (9 * 2))) & 0b1_1111_1111 314 | } 315 | 316 | /// Get the PML4 index of the [`Gva`]. 
317 | /// 318 | /// # Examples 319 | /// 320 | /// ``` 321 | /// # use kdmp_parser::{Gxa, Gva}; 322 | /// # fn main() { 323 | /// let first = Gva::new(0xff_ff_b9_dc_ee_77_31_37); 324 | /// assert_eq!(first.pml4e_idx(), 371); 325 | /// let second = Gva::new(0xff_ff_11_22_33_44_55_66); 326 | /// assert_eq!(second.pml4e_idx(), 0x22); 327 | /// # } 328 | /// ``` 329 | pub fn pml4e_idx(&self) -> u64 { 330 | (self.0 >> (12 + (9 * 3))) & 0b1_1111_1111 331 | } 332 | } 333 | 334 | /// Operator += for [`Gva`]. Plain `+=` on the inner `u64`: overflow panics when overflow checks are enabled and wraps otherwise. 335 | impl AddAssign for Gva { 336 | fn add_assign(&mut self, rhs: Self) { 337 | self.0 += rhs.0 338 | } 339 | } 340 | 341 | impl Gxa for Gva { 342 | /// Get the underlying `u64`. 343 | /// 344 | /// # Examples 345 | /// 346 | /// ``` 347 | /// # use kdmp_parser::{Gxa, Gva}; 348 | /// # fn main() { 349 | /// let gva = Gva::new(0xdeadbeef); 350 | /// assert_eq!(gva.u64(), 0xdeadbeef); 351 | /// # } 352 | /// ``` 353 | fn u64(&self) -> u64 { 354 | self.0 355 | } 356 | } 357 | 358 | /// Convert a [`u64`] into a [`Gva`]. 359 | impl From for Gva { 360 | /// Create a [`Gva`] from a [`u64`]. 361 | /// 362 | /// # Examples 363 | /// 364 | /// ``` 365 | /// # use kdmp_parser::{Gxa, Gva}; 366 | /// # fn main() { 367 | /// let gva = Gva::from(0xbaadc0de_deadbeef); 368 | /// assert_eq!(u64::from(gva), 0xbaadc0de_deadbeef); 369 | /// # } 370 | /// ``` 371 | fn from(value: u64) -> Self { 372 | Gva(value) 373 | } 374 | } 375 | 376 | /// Convert a [`Gva`] into a [`u64`]. 377 | impl From for u64 { 378 | /// Create a [`u64`] from a [`Gva`]. 
379 | /// 380 | /// # Examples 381 | /// 382 | /// ``` 383 | /// # use kdmp_parser::{Gxa, Gva}; 384 | /// # fn main() { 385 | /// let gva = Gva::new(0xbaadc0de_deadbeef); 386 | /// let gva_u64: u64 = gva.into(); 387 | /// assert_eq!(gva_u64, 0xbaadc0de_deadbeef); 388 | /// assert_eq!(u64::from(gva), 0xbaadc0de_deadbeef); 389 | /// # } 390 | /// ``` 391 | fn from(value: Gva) -> Self { 392 | value.0 393 | } 394 | } 395 | 396 | /// Convert a [`&Gva`][`Gva`] into a [`u64`]. 397 | impl From<&Gva> for u64 { 398 | /// Create a [`u64`] from a [`&Gva`][`Gva`]. 399 | /// 400 | /// # Examples 401 | /// 402 | /// ``` 403 | /// # use kdmp_parser::{Gxa, Gva}; 404 | /// # fn main() { 405 | /// let gva = Gva::new(0xbaadc0de_deadbeef); 406 | /// let gva_p = &gva; 407 | /// let gva_u64: u64 = gva_p.into(); 408 | /// assert_eq!(gva_u64, 0xbaadc0de_deadbeef); 409 | /// assert_eq!(u64::from(gva_p), 0xbaadc0de_deadbeef); 410 | /// # } 411 | /// ``` 412 | fn from(value: &Gva) -> Self { 413 | value.0 414 | } 415 | } 416 | 417 | /// Format [`Gva`] as a string. 
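impl Display for Gva {
    /// Write the address as `Gva:` followed by its value in `0x`-prefixed hex.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "Gva:{:#x}", self.0)
    }
}

--------------------------------------------------------------------------------
/src/lib.rs:
--------------------------------------------------------------------------------
// Axel '0vercl0k' Souchet - February 25 2024
#![doc = include_str!("../README.md")]
mod bits;
mod error;
mod gxa;
mod map;
mod parse;
mod pxe;
mod structs;

pub use bits::Bits;
pub use error::{AddrTranslationError, KdmpParserError, PxeNotPresent, Result};
pub use gxa::{Gpa, Gva, Gxa};
pub use map::{MappedFileReader, Reader};
pub use parse::KernelDumpParser;
pub use pxe::{Pfn, Pxe, PxeFlags};
pub use structs::{Context, DumpType, Header64};

--------------------------------------------------------------------------------
/src/map.rs:
--------------------------------------------------------------------------------
// Axel '0vercl0k' Souchet - July 18 2023
//! This implements logic that allows to memory map a file on both
//! Unix and Windows (cf [`memory_map_file`] / [`unmap_memory_mapped_file`]).
use std::fmt::Debug;
use std::io::{Read, Seek};
use std::path::Path;
use std::{fs, io, ptr, slice};

/// Anything that can be read from and seeked in.
pub trait Reader: Read + Seek {}

// Blanket implementation: every `Read + Seek` type is a `Reader`. The generic
// parameter list (`impl<T>`) had been lost from this line.
impl<T> Reader for T where T: Read + Seek {}

/// A memory mapped file reader is basically a slice of bytes over the memory
/// mapping and a cursor to be able to access the region.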
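pub struct MappedFileReader<'map> {
    // The whole mapping. Kept so that `Drop` can hand it back to the OS.
    //
    // NOTE: `'map` is not tied to any real borrow; `new` lets the caller pick
    // it. This field must stay private and no method may hand out a
    // `&'map [u8]`, or the slice could outlive the mapping (use-after-unmap).
    mapped_file: &'map [u8],
    // Cursor over the same bytes; it backs the `Read` / `Seek` impls.
    cursor: io::Cursor<&'map [u8]>,
}

impl Debug for MappedFileReader<'_> {
    /// Print the type name only; the mapped bytes are not dumped.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("MappedFileReader").finish()
    }
}

impl MappedFileReader<'_> {
    /// Create a new [`MappedFileReader`] from a path using a memory map.
    ///
    /// # Errors
    ///
    /// Returns the [`io::Error`] of whichever step failed: opening the file
    /// or mapping it.
    pub fn new(path: impl AsRef<Path>) -> io::Result<Self> {
        // Open the file..
        let file = fs::File::open(path)?;

        // ..and memory map it using the underlying OS-provided APIs.
        let mapped_file = memory_map_file(file)?;

        Ok(Self {
            mapped_file,
            cursor: io::Cursor::new(mapped_file),
        })
    }
}

impl Read for MappedFileReader<'_> {
    /// Copy bytes out of the mapping at the cursor position.
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.cursor.read(buf)
    }
}

impl Seek for MappedFileReader<'_> {
    /// Move the cursor inside the mapping.
    fn seek(&mut self, pos: io::SeekFrom) -> io::Result<u64> {
        self.cursor.seek(pos)
    }
}

/// Drop the [`MappedFileReader`]. In the case we memory mapped the file, we
/// need to drop the mapping using OS-provided APIs.
impl Drop for MappedFileReader<'_> {
    fn drop(&mut self) {
        // A failed unmap panics. If this runs while another panic is already
        // unwinding, the process aborts.
        unmap_memory_mapped_file(self.mapped_file).expect("failed to unmap")
    }
}

#[cfg(windows)]
#[allow(non_camel_case_types, clippy::upper_case_acronyms)]
/// Module that implements memory mapping on Windows using CreateFileMappingA /
/// MapViewOfFile.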
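mod windows {
    use std::os::windows::prelude::AsRawHandle;
    use std::os::windows::raw::HANDLE;

    use super::*;

    const PAGE_READONLY: DWORD = 2;
    const FILE_MAP_READ: DWORD = 4;

    type DWORD = u32;
    type BOOL = u32;
    type SIZE_T = usize;
    type LPCSTR = *mut u8;
    type LPVOID = *const u8;

    extern "system" {
        /// Creates or opens a named or unnamed file mapping object for a
        /// specified file.
        fn CreateFileMappingA(
            h: HANDLE,
            file_mapping_attrs: *const u8,
            protect: DWORD,
            max_size_high: DWORD,
            max_size_low: DWORD,
            name: LPCSTR,
        ) -> HANDLE;

        /// Maps a view of a file mapping into the address space of a calling
        /// process.
        fn MapViewOfFile(
            file_mapping_object: HANDLE,
            desired_access: DWORD,
            file_offset_high: DWORD,
            file_offset_low: DWORD,
            number_of_bytes_to_map: SIZE_T,
        ) -> LPVOID;

        /// Closes an open object handle.
        fn CloseHandle(h: HANDLE) -> BOOL;

        /// Unmaps a mapped view of a file from the calling process's address
        /// space.
        fn UnmapViewOfFile(base_address: LPVOID) -> BOOL;
    }

    /// Memory map a file into memory.
    ///
    /// # Errors
    ///
    /// Returns an [`io::Error`] if the file size cannot be read or does not
    /// fit a slice, or if creating the mapping or the view fails.
    pub fn memory_map_file<'map>(file: fs::File) -> Result<&'map [u8], io::Error> {
        // Grab the size of the underlying file first, this will be the size of
        // the view. Doing it before any handle exists means an error here has
        // nothing to clean up.
        let size = mappable_len(&file)?;

        // Grab the underlying HANDLE.
        let file_handle = file.as_raw_handle();

        // Create the mapping.
        let mapping_handle = unsafe {
            CreateFileMappingA(
                file_handle,
                ptr::null_mut(),
                PAGE_READONLY,
                0,
                0,
                ptr::null_mut(),
            )
        };

        // If the mapping is NULL, it failed so let's bail.
        if mapping_handle.is_null() {
            return Err(io::Error::last_os_error());
        }

        // Map the view in the address space.
        let base = unsafe { MapViewOfFile(mapping_handle, FILE_MAP_READ, 0, 0, size) };

        // If the base address is NULL, it failed so let's bail.
        if base.is_null() {
            // Read the error code *before* closing the handle, so that
            // `CloseHandle` cannot replace it with its own.
            let err = io::Error::last_os_error();
            // Don't forget to close the HANDLE we created for the mapping.
            unsafe {
                CloseHandle(mapping_handle);
            }
            return Err(err);
        }

        // Now we materialized a view in the address space, we can get rid of
        // the mapping handle.
        unsafe {
            CloseHandle(mapping_handle);
        }

        // Create the slice over the mapping.
        // SAFETY: This is safe because:
        //   - It is a byte slice, so we don't need to care about the alignment.
        //   - The base is not NULL as we've verified that it is the case above.
        //   - The underlying is owned by the type and the lifetime.
        //   - We asked the OS to map `size` bytes, so we have a guarantee that there's
        //     `size` consecutive bytes.
        //   - We never give a mutable reference to this slice, so it can't get mutated
        //     by this process.
        //   - The total len of the slice is guaranteed to be no bigger than
        //     [`isize::MAX`] (checked by `mappable_len`).
        //   - The underlying mapping, the type and the slice have the same lifetime
        //     which guarantees that we can't access the underlying once it has been
        //     unmapped (use-after-unmap).
        // NOTE(review): nothing here locks the file, so another process may
        // still be able to modify or shrink it while the view is alive; that
        // would break the "can't get mutated" point above. Treat the dump
        // file as something that must not change while it is being parsed.
        Ok(unsafe { slice::from_raw_parts(base, size) })
    }

    /// Unmap the memory mapped file.
    pub fn unmap_memory_mapped_file(data: &[u8]) -> Result<(), io::Error> {
        // `UnmapViewOfFile` returns 0 on failure.
        match unsafe { UnmapViewOfFile(data.as_ptr()) } {
            0 => Err(io::Error::last_os_error()),
            _ => Ok(()),
        }
    }
}

#[cfg(windows)]
use windows::*;

/// Get the length of `file` as a slice length.
///
/// Fails, instead of panicking, when the length does not fit a `usize` or is
/// bigger than [`isize::MAX`], which is the most [`slice::from_raw_parts`]
/// accepts.
fn mappable_len(file: &fs::File) -> io::Result<usize> {
    let len = file.metadata()?.len();

    usize::try_from(len)
        .ok()
        .filter(|&len| len <= isize::MAX as usize)
        .ok_or_else(|| {
            io::Error::new(
                io::ErrorKind::InvalidInput,
                "file is too large to be memory mapped",
            )
        })
}

#[cfg(unix)]
/// Module that implements memory mapping on Unix using the mmap syscall.
mod unix {
    use std::os::fd::AsRawFd;

    use super::*;

    const PROT_READ: i32 = 1;
    const MAP_SHARED: i32 = 1;
    const MAP_FAILED: *const u8 = usize::MAX as _;

    extern "system" {
        // NOTE(review): the C prototype takes an `off_t` for `offset`, which
        // is wider than 32 bits on 64-bit targets. Only `0` is ever passed
        // here; confirm this declaration against the targets you build for
        // before passing anything else.
        fn mmap(
            addr: *const u8,
            length: usize,
            prot: i32,
            flags: i32,
            fd: i32,
            offset: i32,
        ) -> *const u8;

        fn munmap(addr: *const u8, length: usize) -> i32;
    }

    /// Memory map a file into memory.
    ///
    /// # Errors
    ///
    /// Returns an [`io::Error`] if the file size cannot be read or does not
    /// fit a slice, or if `mmap` fails.
    pub fn memory_map_file<'map>(file: fs::File) -> Result<&'map [u8], io::Error> {
        // Grab the underlying file descriptor.
        let file_fd = file.as_raw_fd();

        // Grab the size of the underlying file. This will be the size of the
        // memory mapped region. It is validated before mapping, so a file that
        // is too large is reported as an error and leaves no mapping behind.
        let size = mappable_len(&file)?;

        // Mmap the file.
        let ret = unsafe { mmap(ptr::null_mut(), size, PROT_READ, MAP_SHARED, file_fd, 0) };

        // If the system call failed, bail.
        if ret == MAP_FAILED {
            return Err(io::Error::last_os_error());
        }

        // Create the slice over the mapping.
        // SAFETY: This is safe because:
        //   - It is a byte slice, so we don't need to care about the alignment.
        //   - The base is a real mapping: `MAP_FAILED` was ruled out above.
        //   - The underlying is owned by the type and the lifetime.
        //   - We asked the OS to map `size` bytes, so we have a guarantee that there's
        //     `size` consecutive bytes.
        //   - We never give a mutable reference to this slice, so it can't get mutated
        //     by this process.
        //   - The total len of the slice is guaranteed to be no bigger than
        //     [`isize::MAX`] (checked by `mappable_len`).
        //   - The underlying mapping, the type and the slice have the same lifetime
        //     which guarantees that we can't access the underlying once it has been
        //     unmapped (use-after-unmap).
        // NOTE(review): this is a `MAP_SHARED` mapping of a file that is not
        // locked, so another process writing to it changes the bytes behind
        // this `&[u8]`, and one truncating it can make an access fault. Treat
        // the dump file as something that must not change while it is being
        // parsed.
        Ok(unsafe { slice::from_raw_parts(ret, size) })
    }

    /// Unmap a memory mapped file.
    pub fn unmap_memory_mapped_file(data: &[u8]) -> Result<(), io::Error> {
        // `munmap` returns 0 on success.
        match unsafe { munmap(data.as_ptr(), data.len()) } {
            0 => Ok(()),
            _ => Err(io::Error::last_os_error()),
        }
    }
}

#[cfg(unix)]
use unix::*;

#[cfg(not(any(windows, unix)))]
/// Your system hasn't been implemented; if you do it, send a PR!
fn unimplemented() -> u32 {}

--------------------------------------------------------------------------------
/src/pxe.rs:
--------------------------------------------------------------------------------
// Axel '0vercl0k' Souchet - June 5 2023
//! This defines [`Pxe`] / [`Pfn`] types that makes it easier to manipulate PFNs
//! and PXEs.
//!
//! # Examples
//!
//! ```
//! # use kdmp_parser::{Pxe, PxeFlags, Pfn};
//! let pxe = Pxe::new(
//!     Pfn::new(0x6d600),
//!     PxeFlags::UserAccessible | PxeFlags::Accessed | PxeFlags::Present
//! );
//! let encoded = u64::from(pxe);
//! let decoded = Pxe::from(encoded);
//! ```
use bitflags::bitflags;

use crate::Gpa;

bitflags! {
    /// The various bits and flags that a [`Pxe`] has.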
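    #[derive(Debug, Clone, Copy, Eq, Hash, PartialEq, Default, PartialOrd, Ord)]
    pub struct PxeFlags : u64 {
        const Present = 1 << 0;
        const Writable = 1 << 1;
        const UserAccessible = 1 << 2;
        const WriteThrough = 1 << 3;
        const CacheDisabled = 1 << 4;
        const Accessed = 1 << 5;
        const Dirty = 1 << 6;
        const LargePage = 1 << 7;
        const Transition = 1 << 11;
        const NoExecute = 1 << 63;
    }
}

/// Strong type for a Page Frame Number.
///
/// # Examples
///
/// ```
/// # use kdmp_parser::{Pfn, Gpa};
/// # fn main() {
/// let pfn = Pfn::new(0x1337);
/// assert_eq!(pfn.gpa(), Gpa::new(0x1337000));
/// # }
/// ```
#[derive(Debug, Clone, Copy, Eq, Hash, PartialEq, Default, PartialOrd, Ord)]
pub struct Pfn(u64);

impl Pfn {
    /// Wrap a raw page frame number.
    pub const fn new(pfn: u64) -> Self {
        Self(pfn)
    }

    /// Get the underlying `u64`.
    pub const fn u64(&self) -> u64 {
        self.0
    }

    /// Get the [`Gpa`] built from this PFN by [`Gpa::from_pfn`].
    pub const fn gpa(&self) -> Gpa {
        Gpa::from_pfn(*self)
    }

    /// Get the [`Gpa`] built from this PFN and `offset` by
    /// [`Gpa::from_pfn_with_offset`].
    pub const fn gpa_with_offset(&self, offset: u64) -> Gpa {
        Gpa::from_pfn_with_offset(*self, offset)
    }
}

/// Convert a [`u64`] into a [`Pfn`].
impl From<u64> for Pfn {
    fn from(value: u64) -> Self {
        Self(value)
    }
}

/// Convert a [`Pfn`] into a [`u64`].
impl From<Pfn> for u64 {
    fn from(value: Pfn) -> Self {
        value.u64()
    }
}

/// A [`Pxe`] is a set of flags ([`PxeFlags`]) and a Page Frame Number (PFN).
/// This representation takes more space than a regular `PXE` but it is more
/// convenient to split the flags / the pfn as [`bitflags!`] doesn't seem to
/// support bitfields.
#[derive(Debug, Clone, Copy, Eq, Hash, PartialEq, Default, PartialOrd, Ord)]
pub struct Pxe {
    /// The PFN of the next table or the final page.
    pub pfn: Pfn,
    /// PXE flags.
    pub flags: PxeFlags,
}

impl Pxe {
    /// Create a [`Pxe`] from a `pfn` and a set of `flags`.
    ///
    /// # Examples
    ///
    /// ```
    /// # use kdmp_parser::{Pxe, PxeFlags, Pfn};
    /// # fn main() {
    /// let pxe = Pxe::new(
    ///     Pfn::new(0x6d600),
    ///     PxeFlags::UserAccessible | PxeFlags::Accessed | PxeFlags::Present
    /// );
    /// assert_eq!(pxe.pfn.u64(), 0x6d600);
    /// # }
    /// ```
    pub fn new(pfn: Pfn, flags: PxeFlags) -> Self {
        Self { pfn, flags }
    }

    /// Is the bit Present/Valid turned on?
    ///
    /// # Examples
    ///
    /// ```
    /// # use kdmp_parser::{Pxe, PxeFlags, Pfn};
    /// # fn main() {
    /// let p = Pxe::new(
    ///     Pfn::new(0x6d600),
    ///     PxeFlags::Present
    /// );
    /// assert_eq!(p.present(), true);
    /// let np = Pxe::new(
    ///     Pfn::new(0x1337),
    ///     PxeFlags::UserAccessible
    /// );
    /// assert_eq!(np.present(), false);
    /// # }
    /// ```
    pub fn present(&self) -> bool {
        self.flags.contains(PxeFlags::Present)
    }

    /// Is it a large page?
    ///
    /// # Examples
    ///
    /// ```
    /// # use kdmp_parser::{Pxe, PxeFlags, Pfn};
    /// # fn main() {
    /// let p = Pxe::new(
    ///     Pfn::new(0x6d600),
    ///     PxeFlags::LargePage
    /// );
    /// assert_eq!(p.large_page(), true);
    /// let np = Pxe::new(
    ///     Pfn::new(0x1337),
    ///     PxeFlags::UserAccessible
    /// );
    /// assert_eq!(np.large_page(), false);
    /// # }
    /// ```
    pub fn large_page(&self) -> bool {
        self.flags.contains(PxeFlags::LargePage)
    }

    /// Is it a transition PTE?
    ///
    /// This is the case when the entry is not present and has the
    /// [`PxeFlags::Transition`] bit set.
    ///
    /// # Examples
    ///
    /// ```
    /// # use kdmp_parser::{Pxe, PxeFlags, Pfn};
    /// # fn main() {
    /// let p = Pxe::from(0x166B7880);
    /// let np = Pxe::from(0xA000000077AF867);
    /// assert_eq!(p.transition(), true);
    /// assert_eq!(np.transition(), false);
    /// # }
    /// ```
    pub fn transition(&self) -> bool {
        !self.present() && self.flags.contains(PxeFlags::Transition)
    }
}

/// Convert a [`u64`] into a [`Pxe`].
impl From<u64> for Pxe {
    /// Create a [`Pxe`] from a [`u64`].
    ///
    /// Bits that are neither part of the PFN nor a known [`PxeFlags`] value
    /// are dropped.
    ///
    /// # Examples
    ///
    /// ```
    /// # use kdmp_parser::{Pxe, PxeFlags, Pfn};
    /// # fn main() {
    /// let pxe = Pxe::from(0x6D_60_00_25);
    /// assert_eq!(pxe.pfn.u64(), 0x6d600);
    /// assert_eq!(pxe.flags, PxeFlags::UserAccessible | PxeFlags::Accessed | PxeFlags::Present);
    /// # }
    /// ```
    fn from(value: u64) -> Self {
        // The PFN is the 36 bits that start at bit 12.
        let pfn = Pfn::new((value >> 12) & 0xf_ffff_ffff);
        // `value` comes straight out of a dump: keep the known flag bits and
        // ignore the rest, with no panic path.
        let flags = PxeFlags::from_bits_truncate(value);

        Self::new(pfn, flags)
    }
}

/// Convert a [`Pxe`] into a [`u64`].
impl From<Pxe> for u64 {
    /// Create a [`u64`] from a [`Pxe`].
    ///
    /// # Examples
    ///
    /// ```
    /// # use kdmp_parser::{Pxe, PxeFlags, Pfn};
    /// # fn main() {
    /// let pxe = Pxe::new(
    ///     Pfn::new(0x6d600),
    ///     PxeFlags::UserAccessible | PxeFlags::Accessed | PxeFlags::Present,
    /// );
    /// assert_eq!(u64::from(pxe), 0x6D_60_00_25);
    /// # }
    /// ```
    fn from(pxe: Pxe) -> Self {
        // Only checked in debug builds: a PFN wider than 36 bits is not
        // rejected in release builds and its high bits end up in the result.
        debug_assert!(pxe.pfn.u64() <= 0xf_ffff_ffffu64);

        pxe.flags.bits() | (pxe.pfn.u64() << 12u64)
    }
}

--------------------------------------------------------------------------------
/src/structs.rs:
--------------------------------------------------------------------------------
// Axel '0vercl0k' Souchet - February 25 2024
//! This has all the raw structures that makes up Windows kernel crash-dumps.
use std::collections::BTreeMap;
use std::fmt::Debug;
use std::{io, mem, slice};

use crate::error::Result;
use crate::{Gpa, KdmpParserError, Reader};

/// A page.
pub struct Page;

impl Page {
    /// Get the size of a memory page.
    pub const fn size() -> u64 {
        0x1_000
    }
}

/// Types of kernel crash dump.
#[derive(Debug, Clone, Copy, PartialEq)]
#[repr(u32)]
pub enum DumpType {
    // Old dump types from dbgeng.dll
    Full = 0x1,
    Bmp = 0x5,
    // Produced by `.dump /m` (no variant for it):
    // Mini = 0x4,
    /// (22H2+) Produced by TaskMgr > System > Create live kernel Memory Dump.
    LiveKernelMemory = 0x6,
    /// Produced by `.dump /k`.
    KernelMemory = 0x8,
    /// Produced by `.dump /ka`.
    KernelAndUserMemory = 0x9,
    /// Produced by `.dump /f`.
    CompleteMemory = 0xa,
}

/// The physical memory map maps a physical address to a file offset.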
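// NOTE(review): the type parameters were missing on this line; `Gpa` keys and
// `u64` file offsets are taken from the sentence above. Confirm against the
// users of the map.
pub type PhysmemMap = BTreeMap<Gpa, u64>;

impl TryFrom<u32> for DumpType {
    type Error = KdmpParserError;

    /// Turn the raw `dump_type` value of a header into a [`DumpType`].
    ///
    /// # Errors
    ///
    /// Returns [`KdmpParserError::UnknownDumpType`] carrying `value` when it
    /// matches none of the variants.
    fn try_from(value: u32) -> Result<Self> {
        match value {
            x if x == DumpType::Full as u32 => Ok(DumpType::Full),
            x if x == DumpType::Bmp as u32 => Ok(DumpType::Bmp),
            x if x == DumpType::KernelMemory as u32 => Ok(DumpType::KernelMemory),
            x if x == DumpType::KernelAndUserMemory as u32 => Ok(DumpType::KernelAndUserMemory),
            x if x == DumpType::CompleteMemory as u32 => Ok(DumpType::CompleteMemory),
            x if x == DumpType::LiveKernelMemory as u32 => Ok(DumpType::LiveKernelMemory),
            _ => Err(KdmpParserError::UnknownDumpType(value)),
        }
    }
}

/// Raw exception record, as embedded in [`Header64`].
#[repr(C)]
#[derive(Debug, Default)]
pub struct ExceptionRecord64 {
    pub exception_code: u32,
    pub exception_flags: u32,
    pub exception_record: u64,
    pub exception_address: u64,
    pub number_parameters: u32,
    unused_alignment1: u32,
    pub exception_information: [u64; 15],
}

pub const DUMP_HEADER64_EXPECTED_SIGNATURE: u32 = 0x45_47_41_50; // 'EGAP'
pub const DUMP_HEADER64_EXPECTED_VALID_DUMP: u32 = 0x34_36_55_44; // '46UD'

/// Adjusted C struct for `DUMP_HEADERS64` from MS Rust docs. Padding
/// adjustment added from reversing `nt!IoFillDumpHeader`.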
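// https://microsoft.github.io/windows-docs-rs/doc/windows/Win32/System/Diagnostics/Debug/struct.DUMP_HEADER64.html#structfield.DumpType
#[repr(C)]
pub struct Header64 {
    pub signature: u32,
    pub valid_dump: u32,
    pub major_version: u32,
    pub minor_version: u32,
    pub directory_table_base: u64,
    pub pfn_database: u64,
    pub ps_loaded_module_list: u64,
    pub ps_active_process_head: u64,
    pub machine_image_type: u32,
    pub number_processors: u32,
    pub bug_check_code: u32,
    padding1: u32,
    pub bug_check_code_parameters: [u64; 4],
    pub version_user: [u8; 32],
    pub kd_debugger_data_block: u64,
    pub physical_memory_block_buffer: [u8; 700],
    padding2: u32,
    pub context_record_buffer: [u8; 3_000],
    pub exception: ExceptionRecord64,
    pub dump_type: u32,
    padding3: u32,
    pub required_dump_space: i64,
    pub system_time: i64,
    pub comment: [u8; 128],
    pub system_up_time: i64,
    pub minidump_fields: u32,
    pub secondary_data_state: u32,
    pub product_type: u32,
    pub suite_mask: u32,
    pub writer_status: u32,
    unused1: u8,
    pub kd_secondary_version: u8,
    unused2: [u8; 2],
    pub attributes: u32,
    pub boot_id: u32,
    reserved1: [u8; 4008],
}

impl Debug for Header64 {
    /// Print the header without its padding / reserved fields and without the
    /// two big raw buffers (`physical_memory_block_buffer` and
    /// `context_record_buffer`).
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("Header64")
            .field("signature", &self.signature)
            .field("valid_dump", &self.valid_dump)
            .field("major_version", &self.major_version)
            .field("minor_version", &self.minor_version)
            .field("directory_table_base", &self.directory_table_base)
            .field("pfn_database", &self.pfn_database)
            .field("ps_loaded_module_list", &self.ps_loaded_module_list)
            .field("ps_active_process_head", &self.ps_active_process_head)
            .field("machine_image_type", &self.machine_image_type)
            .field("number_processors", &self.number_processors)
            .field("bug_check_code", &self.bug_check_code)
            .field("bug_check_code_parameters", &self.bug_check_code_parameters)
            .field("version_user", &self.version_user)
            .field("kd_debugger_data_block", &self.kd_debugger_data_block)
            .field("exception", &self.exception)
            .field("dump_type", &self.dump_type)
            .field("required_dump_space", &self.required_dump_space)
            .field("system_time", &self.system_time)
            .field("comment", &self.comment)
            .field("system_up_time", &self.system_up_time)
            .field("minidump_fields", &self.minidump_fields)
            .field("secondary_data_state", &self.secondary_data_state)
            .field("product_type", &self.product_type)
            .field("suite_mask", &self.suite_mask)
            .field("writer_status", &self.writer_status)
            .field("kd_secondary_version", &self.kd_secondary_version)
            .field("attributes", &self.attributes)
            .field("boot_id", &self.boot_id)
            .finish()
    }
}

const BMPHEADER64_EXPECTED_SIGNATURE: u32 = 0x50_4D_44_53; // 'PMDS'
const BMPHEADER64_EXPECTED_SIGNATURE2: u32 = 0x50_4D_44_46; // 'PMDF'
const BMPHEADER64_EXPECTED_VALID_DUMP: u32 = 0x50_4D_55_44; // 'PMUD'

#[derive(Debug, Default)]
#[repr(C)]
pub struct BmpHeader64 {
    pub signature: u32,
    pub valid_dump: u32,
    // According to rekall there's a gap there:
    // 'ValidDump': [0x4, ['String', dict(
    //    length=4,
    //    term=None,
    //    )]],
    // # The offset of the first page in the file.
    // 'FirstPage': [0x20, ['unsigned long long']],
    //
    // `valid_dump` sits at offset 0x4 and is 4 bytes wide, so this pads up to
    // offset 0x20.
    padding1: [u8; 0x20 - (0x4 + mem::size_of::<u32>())],
    /// The offset of the first page in the file.
    pub first_page: u64,
    /// Total number of pages present in the bitmap.
    pub total_present_pages: u64,
    /// Total number of pages in image. This dictates the total size of the
    /// bitmap. This is not the same as the TotalPresentPages which is only
    /// the sum of the bits set to 1.
    pub pages: u64,
    // Bitmap follows
}

impl BmpHeader64 {
    /// Check that the signature is one of the two expected ones and that the
    /// valid-dump marker is the expected one. Nothing else is validated.
    pub fn looks_good(&self) -> bool {
        (self.signature == BMPHEADER64_EXPECTED_SIGNATURE
            || self.signature == BMPHEADER64_EXPECTED_SIGNATURE2)
            && self.valid_dump == BMPHEADER64_EXPECTED_VALID_DUMP
    }
}

/// A run of physical pages: `page_count` pages starting at page `base_page`.
#[derive(Debug, Default)]
#[repr(C)]
pub struct PhysmemRun {
    pub base_page: u64,
    pub page_count: u64,
}

impl PhysmemRun {
    /// Calculate a physical address from a run and an index.
    ///
    /// The formulae is: (`base_page` + `page_idx`) * `Page::size()`.
    ///
    /// Returns `None` if the addition or the multiplication overflows.
    /// `page_idx` is only checked against `page_count` in debug builds.
    pub fn phys_addr(&self, page_idx: u64) -> Option<Gpa> {
        debug_assert!(page_idx < self.page_count);

        self.base_page
            .checked_add(page_idx)?
            .checked_mul(Page::size())
            .map(Gpa::new)
    }
}

#[derive(Debug, Default)]
#[repr(C)]
pub struct PhysmemDesc {
    pub number_of_runs: u32,
    padding1: u32,
    pub number_of_pages: u64,
    // PHYSMEM_RUN Run[1]; follows
}

impl TryFrom<&[u8]> for PhysmemDesc {
    type Error = KdmpParserError;

    /// Decode a [`PhysmemDesc`] from the start of `slice` (little-endian).
    ///
    /// # Errors
    ///
    /// Returns [`KdmpParserError::InvalidData`] if `slice` is shorter than
    /// the structure.
    fn try_from(slice: &[u8]) -> Result<Self> {
        let expected_len = mem::size_of::<Self>();
        if slice.len() < expected_len {
            return Err(KdmpParserError::InvalidData("physmem desc is too small"));
        }

        // Offsets follow the `#[repr(C)]` layout above: `number_of_runs` at 0,
        // `padding1` at 4, `number_of_pages` at 8. Reading `number_of_pages`
        // from 4..12 would mix the padding into the value.
        let number_of_runs = u32::from_le_bytes((&slice[0..4]).try_into().unwrap());
        let number_of_pages = u64::from_le_bytes((&slice[8..16]).try_into().unwrap());

        Ok(Self {
            number_of_runs,
            number_of_pages,
            ..Default::default()
        })
    }
}

#[derive(PartialEq)]
#[repr(C)]
pub struct Context {
    pub p1_home: u64,
    pub p2_home: u64,
    pub p3_home: u64,
    pub p4_home: u64,
    pub p5_home: u64,
    pub p6_home: u64,
    pub context_flags: u32,
    pub mxcsr: u32,
    pub seg_cs: u16,
    pub seg_ds: u16,
    pub seg_es: u16,
    pub seg_fs: u16,
    pub seg_gs: u16,
    pub seg_ss: u16,
    pub eflags: u32,
    pub dr0: u64,
    pub dr1: u64,
    pub dr2: u64,
    pub dr3: u64,
    pub dr6: u64,
    pub dr7: u64,
    pub rax: u64,
    pub rcx: u64,
    pub rdx: u64,
    pub rbx: u64,
    pub rsp: u64,
    pub rbp: u64,
    pub rsi: u64,
    pub rdi: u64,
    pub r8: u64,
    pub r9: u64,
    pub r10: u64,
    pub r11: u64,
    pub r12: u64,
    pub r13: u64,
    pub r14: u64,
    pub r15: u64,
    pub rip: u64,
    pub control_word: u16,
    pub status_word: u16,
    pub tag_word: u8,
    reserved1: u8,
    pub error_opcode: u16,
    pub error_offset: u32,
    pub error_selector: u16,
    reserved2: u16,
    pub data_offset: u32,
    pub data_selector: u16,
    reserved3: u16,
    pub mxcsr2: u32,
    pub mxcsr_mask: u32,
    pub float_registers: [u128; 8],
    pub xmm_registers: [u128; 16],
    reserved4: [u8; 96],
    pub vector_register: [u128; 26],
    pub vector_control: u64,
    pub debug_control: u64,
    pub last_branch_to_rip: u64,
    pub last_branch_from_rip: u64,
    pub last_exception_to_rip: u64,
    pub last_exception_from_rip: u64,
}

impl Debug for Context {
    /// Print every public field; the `reserved*` fields are left out.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("Context")
            .field("p1_home", &self.p1_home)
            .field("p2_home", &self.p2_home)
            .field("p3_home", &self.p3_home)
            .field("p4_home", &self.p4_home)
            .field("p5_home", &self.p5_home)
            .field("p6_home", &self.p6_home)
            .field("context_flags", &self.context_flags)
            .field("mxcsr", &self.mxcsr)
            .field("seg_cs", &self.seg_cs)
            .field("seg_ds", &self.seg_ds)
            .field("seg_es", &self.seg_es)
            .field("seg_fs", &self.seg_fs)
            .field("seg_gs", &self.seg_gs)
            .field("seg_ss", &self.seg_ss)
            .field("eflags", &self.eflags)
            .field("dr0", &self.dr0)
            .field("dr1", &self.dr1)
            .field("dr2", &self.dr2)
            .field("dr3", &self.dr3)
            .field("dr6", &self.dr6)
            .field("dr7", &self.dr7)
            .field("rax", &self.rax)
            .field("rcx", &self.rcx)
            .field("rdx", &self.rdx)
            .field("rbx", &self.rbx)
            .field("rsp", &self.rsp)
            .field("rbp", &self.rbp)
            .field("rsi", &self.rsi)
            .field("rdi", &self.rdi)
            .field("r8", &self.r8)
            .field("r9", &self.r9)
            .field("r10", &self.r10)
            .field("r11", &self.r11)
            .field("r12", &self.r12)
            .field("r13", &self.r13)
            .field("r14", &self.r14)
            .field("r15", &self.r15)
            .field("rip", &self.rip)
            .field("control_word", &self.control_word)
            .field("status_word", &self.status_word)
            .field("tag_word", &self.tag_word)
            .field("error_opcode", &self.error_opcode)
            .field("error_offset", &self.error_offset)
            .field("error_selector", &self.error_selector)
            .field("data_offset", &self.data_offset)
            .field("data_selector", &self.data_selector)
            .field("mxcsr2", &self.mxcsr2)
            .field("mxcsr_mask", &self.mxcsr_mask)
            .field("float_registers", &self.float_registers)
            .field("xmm_registers", &self.xmm_registers)
            .field("vector_register", &self.vector_register)
            .field("vector_control", &self.vector_control)
            .field("debug_control", &self.debug_control)
            .field("last_branch_to_rip", &self.last_branch_to_rip)
            .field("last_branch_from_rip", &self.last_branch_from_rip)
            .field("last_exception_to_rip", &self.last_exception_to_rip)
            .field("last_exception_from_rip", &self.last_exception_from_rip)
            .finish()
    }
}

/// Peek for a `T` from the cursor.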
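///
/// Reads `size_of::<T>()` bytes at the current position, reinterprets them as
/// a `T` and seeks back to where the reader was.
///
/// NOTE(review): the bytes come from the dump file and are not validated, so
/// this is only sound for types for which every bit pattern is a valid value
/// (`#[repr(C)]` structs made of integers and arrays of integers). Do not
/// instantiate it with types that hold `bool`s, enums or references.
///
/// # Errors
///
/// Fails if the position cannot be read, if there are fewer than
/// `size_of::<T>()` bytes left, or if seeking back fails. When the read fails,
/// the position is not restored.
pub fn peek_struct<T>(reader: &mut impl Reader) -> Result<T> {
    // Start from zeroed storage so that the byte slice handed to `read_exact`
    // never covers uninitialized memory.
    let mut s = mem::MaybeUninit::<T>::zeroed();
    let size_of_s = mem::size_of::<T>();
    // SAFETY: `s` is a live, initialized (zeroed) buffer of exactly
    // `size_of_s` bytes, `u8` has no alignment requirement, and `s` is not
    // touched through any other path while the slice is in use.
    let slice_over_s = unsafe { slice::from_raw_parts_mut(s.as_mut_ptr() as *mut u8, size_of_s) };

    let pos = reader.stream_position()?;
    reader.read_exact(slice_over_s)?;
    reader.seek(io::SeekFrom::Start(pos))?;

    // SAFETY: every byte of `s` is initialized. Whether those bytes form a
    // valid `T` is up to the choice of `T`, see the note in the docs above.
    Ok(unsafe { s.assume_init() })
}

/// Read a `T` from the cursor.
///
/// Same as [`peek_struct`], except that the position ends up right after the
/// `T`. The same restriction on `T` applies.
pub fn read_struct<T>(reader: &mut impl Reader) -> Result<T> {
    let s = peek_struct(reader)?;
    let size_of_s = mem::size_of_val(&s);

    reader.seek(io::SeekFrom::Current(size_of_s.try_into().unwrap()))?;

    Ok(s)
}

const RDMP_HEADER64_EXPECTED_MARKER: u32 = 0x40;
const RDMP_HEADER64_EXPECTED_SIGNATURE: u32 = 0x50_4D_44_52; // 'PMDR'
const RDMP_HEADER64_EXPECTED_VALID_DUMP: u32 = 0x50_4D_55_44; // 'PMUD'

#[repr(C)]
#[derive(Debug, Default)]
pub struct RdmpHeader64 {
    pub marker: u32,
    pub signature: u32,
    pub valid_dump: u32,
    reserved1: u32,
    pub metadata_size: u64,
    pub first_page_offset: u64,
    // Bitmap follows
}

impl RdmpHeader64 {
    /// Check the marker, the signature, the valid-dump marker, and that
    /// `metadata_size - 0x20` equals `first_page_offset - 0x20_40`.
    ///
    /// Both sizes come from the file. A value too small for its subtraction
    /// makes the header not look good, instead of overflowing.
    pub fn looks_good(&self) -> bool {
        if self.marker != RDMP_HEADER64_EXPECTED_MARKER {
            return false;
        }

        if self.signature != RDMP_HEADER64_EXPECTED_SIGNATURE {
            return false;
        }

        if self.valid_dump != RDMP_HEADER64_EXPECTED_VALID_DUMP {
            return false;
        }

        let metadata = self.metadata_size.checked_sub(0x20);
        let first_page = self.first_page_offset.checked_sub(0x20_40);

        match (metadata, first_page) {
            (Some(metadata), Some(first_page)) => metadata == first_page,
            _ => false,
        }
    }
}

#[repr(C)]
#[derive(Debug, Default)]
pub struct KernelRdmpHeader64 {
    pub hdr: RdmpHeader64,
    unknown1: u64,
    unknown2: u64,
    // Bitmap follows
}

#[repr(C)]
#[derive(Debug, Default)]
pub struct FullRdmpHeader64 {
    pub hdr: RdmpHeader64,
    pub number_of_ranges: u32,
    reserved1: u16,
    reserved2: u16,
    pub total_number_of_pages: u64,
    // Bitmap follows
}

#[repr(C)]
#[derive(Debug, Default)]
pub struct PfnRange {
    pub page_file_number: u64,
    pub number_of_pages: u64,
}

#[repr(C)]
#[derive(Debug, Default)]
pub struct ListEntry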

{ 458 | pub flink: P, 459 | pub blink: P, 460 | } 461 | 462 | #[repr(C)] 463 | #[derive(Debug, Default)] 464 | pub struct UnicodeString

{ 465 | pub length: u16, 466 | pub maximum_length: u16, 467 | pub buffer: P, 468 | } 469 | 470 | #[derive(Debug, Default)] 471 | #[repr(C)] 472 | pub struct LdrDataTableEntry

{ 473 | pub in_load_order_links: ListEntry

, 474 | pub in_memory_order_links: ListEntry

, 475 | pub in_initialization_order_links: ListEntry

, 476 | pub dll_base: P, 477 | pub entry_point: P, 478 | pub size_of_image: u32, 479 | pub full_dll_name: UnicodeString

, 480 | pub base_dll_name: UnicodeString

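, 481 | }

// Copied from `WDBGEXTS.H`.
/// Header that opens a kernel debugger data block; `KdDebuggerData64` embeds
/// it as its first field.
#[repr(C)]
#[derive(Debug, Default)]
pub struct DbgKdDebugDataHeader64 {
    /// Link to other blocks
    // NOTE(review): this listing dropped angle-bracketed type arguments
    // elsewhere (the `size_of` calls in the tests below had none); if
    // `ListEntry` is generic, its argument is missing here -- confirm against
    // the repository.
    pub list: ListEntry,
    /// This is a unique tag to identify the owner of the block.
    /// If your component only uses one pool tag, use it for this, too.
    pub owner_tag: u32,
    /// This must be initialized to the size of the data block,
    /// including this structure.
    ///
    /// NOTE(review): when this header is read out of a dump file the value is
    /// whatever the file contains. Presumably it should be checked against the
    /// number of bytes actually available before it is used as a length --
    /// confirm at the call sites.
    pub size: u32,
}

// https://github.com/tpn/winsdk-10/blob/9b69fd26ac0c7d0b83d378dba01080e93349c2ed/Include/10.0.14393.0/um/WDBGEXTS.H#L1206C16-L1206C34
/// Kernel debugger data block, declared field-for-field with `#[repr(C)]`
/// after the `WDBGEXTS.H` definition linked above.
///
/// The field list stops at `offset_prcb_context`; the trailing `// ...` marks
/// that the declaration is not carried any further here.
///
/// NOTE(review): the documented `u64` fields hold addresses and the
/// `offset_*` / `size_*` fields hold structure offsets and sizes. When the
/// block comes from a dump of unknown origin these are unvalidated input, so
/// presumably each one should be translated and bounds-checked before it is
/// followed (for example before walking the list at `ps_loaded_module_list`)
/// -- confirm in the parser.
#[repr(C)]
#[derive(Debug, Default)]
pub struct KdDebuggerData64 {
    pub header: DbgKdDebugDataHeader64,
    /// Base address of kernel image
    pub kern_base: u64,
    /// DbgBreakPointWithStatus is a function which takes an argument
    /// and hits a breakpoint. This field contains the address of the
    /// breakpoint instruction. When the debugger sees a breakpoint
    /// at this address, it may retrieve the argument from the first
    /// argument register, or on x86 the eax register.
    pub breakpoint_with_status: u64,
    /// Address of the saved context record during a bugcheck
    /// N.B. This is an automatic in KeBugcheckEx's frame, and
    /// is only valid after a bugcheck.
    pub saved_context: u64,
    /// The address of the thread structure is provided in the
    /// WAIT_STATE_CHANGE packet. This is the offset from the base of
    /// the thread structure to the pointer to the kernel stack frame
    /// for the currently active usermode callback.
    pub th_callback_stack: u16,
    /// saved pointer to next callback frame
    pub next_callback: u16,
    /// saved frame pointer
    pub frame_pointer: u16,
    /// pad to a quad boundary
    ///
    /// NOTE(review): the text above reads like the C header's padding remark
    /// rather than a description of this field. The C member is presumably a
    /// bit-field, so this `u16` may carry flag bits rather than a plain
    /// boolean -- confirm against `WDBGEXTS.H`.
    pub pae_enabled: u16,
    /// Address of the kernel callout routine.
    pub ki_call_user_mode: u64,
    /// Address of the usermode entry point for callbacks (in ntdll).
    pub ke_user_callback_dispatcher: u64,
    pub ps_loaded_module_list: u64,
    pub ps_active_process_head: u64,
    pub psp_cid_table: u64,
    pub exp_system_resources_list: u64,
    pub exp_paged_pool_descriptor: u64,
    pub exp_number_of_paged_pools: u64,
    pub ke_time_increment: u64,
    pub ke_bug_check_callback_list_head: u64,
    pub ki_bugcheck_data: u64,
    pub iop_error_log_list_head: u64,
    pub obp_root_directory_object: u64,
    pub obp_type_object_type: u64,
    pub mm_system_cache_start: u64,
    pub mm_system_cache_end: u64,
    pub mm_system_cache_ws: u64,
    pub mm_pfn_database: u64,
    pub mm_system_ptes_start: u64,
    pub mm_system_ptes_end: u64,
    pub mm_subsection_base: u64,
    pub mm_number_of_paging_files: u64,
    pub mm_lowest_physical_page: u64,
    pub mm_highest_physical_page: u64,
    pub mm_number_of_physical_pages: u64,
    pub mm_maximum_non_paged_pool_in_bytes: u64,
    pub mm_non_paged_system_start: u64,
    pub mm_non_paged_pool_start: u64,
    pub mm_non_paged_pool_end: u64,
    pub mm_paged_pool_start: u64,
    pub mm_paged_pool_end: u64,
    pub mm_paged_pool_information: u64,
    pub mm_page_size: u64,
    pub mm_size_of_paged_pool_in_bytes: u64,
    pub mm_total_commit_limit: u64,
    pub mm_total_committed_pages: u64,
    pub mm_shared_commit: u64,
    pub mm_driver_commit: u64,
    pub mm_process_commit: u64,
    pub mm_paged_pool_commit: u64,
    pub mm_extended_commit: u64,
    pub mm_zeroed_page_list_head: u64,
    pub mm_free_page_list_head: u64,
    pub mm_standby_page_list_head: u64,
    pub mm_modified_page_list_head: u64,
    pub mm_modified_no_write_page_list_head: u64,
    pub mm_available_pages: u64,
    pub mm_resident_available_pages: u64,
    pub pool_track_table: u64,
    pub non_paged_pool_descriptor: u64,
    pub mm_highest_user_address: u64,
    pub mm_system_range_start: u64,
    pub mm_user_probe_address: u64,
    pub kd_print_circular_buffer: u64,
    pub kd_print_circular_buffer_end: u64,
    pub kd_print_write_pointer: u64,
    pub kd_print_rollover_count: u64,
    pub mm_loaded_user_image_list: u64,
    // NT 5.1 Addition
    pub nt_build_lab: u64,
    pub ki_normal_system_call: u64,
    // NT 5.0 hotfix addition
    pub ki_processor_block: u64,
    pub mm_unloaded_drivers: u64,
    pub mm_last_unloaded_driver: u64,
    pub mm_triage_action_taken: u64,
    pub mm_special_pool_tag: u64,
    pub kernel_verifier: u64,
    pub mm_verifier_data: u64,
    pub mm_allocated_non_paged_pool: u64,
    pub mm_peak_commitment: u64,
    pub mm_total_commit_limit_maximum: u64,
    pub cm_nt_csd_version: u64,
    // NT 5.1 Addition
    pub mm_physical_memory_block: u64,
    pub mm_session_base: u64,
    pub mm_session_size: u64,
    pub mm_system_parent_table_page: u64,
    // Server 2003 addition
    pub mm_virtual_translation_base: u64,
    pub offset_kthread_next_processor: u16,
    pub offset_kthread_teb: u16,
    pub offset_kthread_kernel_stack: u16,
    pub offset_kthread_initial_stack: u16,
    pub offset_kthread_apc_process: u16,
    pub offset_kthread_state: u16,
    pub offset_kthread_b_store: u16,
    pub offset_kthread_b_store_limit: u16,
    pub size_eprocess: u16,
    pub offset_eprocess_peb: u16,
    pub offset_eprocess_parent_cid: u16,
    pub offset_eprocess_directory_table_base: u16,
    pub size_prcb: u16,
    pub offset_prcb_dpc_routine: u16,
    pub offset_prcb_current_thread: u16,
    pub offset_prcb_mhz: u16,
    pub offset_prcb_cpu_type: u16,
    pub offset_prcb_vendor_string: u16,
    pub offset_prcb_proc_state_context: u16,
    pub offset_prcb_number: u16,
    pub size_ethread: u16,
    pub kd_print_circular_buffer_ptr: u64,
    pub kd_print_buffer_size: u64,
    pub ke_loader_block: u64,
    pub size_pcr: u16,
    pub offset_pcr_self_pcr: u16,
    pub offset_pcr_current_prcb: u16,
    pub offset_pcr_contained_prcb: u16,
    pub offset_pcr_initial_b_store: u16,
    pub offset_pcr_b_store_limit: u16,
    pub offset_pcr_initial_stack: u16,
    pub offset_pcr_stack_limit: u16,
    pub offset_prcb_pcr_page: u16,
    pub offset_prcb_proc_state_special_reg: u16,
    pub gdt_r0_code: u16,
    pub gdt_r0_data: u16,
    pub gdt_r0_pcr: u16,
    pub gdt_r3_code: u16,
    pub gdt_r3_data: u16,
    pub gdt_r3_teb: u16,
    pub gdt_ldt: u16,
    pub gdt_tss: u16,
    pub gdt64_r3_cm_code: u16,
    pub gdt64_r3_cm_teb: u16,
    pub iop_num_triage_dump_data_blocks: u64,
    pub iop_triage_dump_data_blocks: u64,
    // Longhorn addition
    pub vf_crash_data_block: u64,
    pub mm_bad_pages_detected: u64,
    pub mm_zeroed_page_single_bit_errors_detected: u64,
    // Windows 7 addition
    pub etwp_debugger_data: u64,
    pub offset_prcb_context: u16,
    // ...
}

#[cfg(test)]
mod tests {
    use std::mem;

    use crate::structs::{Context, Header64, PhysmemDesc, PhysmemRun};

    /// Ensure that the sizes of key structures are right.
    // NOTE(review): the `size_of` calls in this listing carried no type
    // arguments (`mem::size_of::()`), which does not compile. The arguments
    // below are restored from the four names imported above, matched to the
    // asserted sizes -- confirm against the repository.
    #[test]
    fn layout() {
        assert_eq!(mem::size_of::<PhysmemDesc>(), 0x10);
        assert_eq!(mem::size_of::<PhysmemRun>(), 0x10);
        assert_eq!(mem::size_of::<Header64>(), 0x2_000);
        assert_eq!(mem::size_of::<Context>(), 0x4d0);
    }
}

-------------------------------------------------------------------------------- /tests/modules_1.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "start": "0xfffff80510610000", 4 | "end": "0xfffff805106b3000", 5 | "name": "hal.dll" 6 | }, 7 | { 8 | "start": "0xfffff805106b3000", 9 | "end": "0xfffff80511165000", 10 | "name": "nt" 11 | }, 12 | { 13 | "start": "0xfffff80511200000", 14 | "end": "0xfffff8051120c000", 15 | "name": "kdstub.dll" 16 | }, 17 | { 18 | "start": "0xfffff80511210000", 19 | "end": "0xfffff80511259000", 20 | "name": "kdnet.dll" 21 | }, 22 | { 23 | "start": "0xfffff80511260000", 24 | "end": "0xfffff80511461000", 25 | "name": "mcupdate_GenuineIntel.dll" 26 | }, 27 | { 28 | "start": "0xfffff80511470000", 29 | "end": "0xfffff80511481000", 30 | "name": "werkernel.sys" 31 | }, 32 | { 33 | "start": "0xfffff80511490000", 34 | "end": "0xfffff805114ba000", 35 | "name": "ksecdd.sys" 36 | }, 37 | { 38 | "start": "0xfffff805114c0000", 39 | "end": "0xfffff80511520000", 40 | "name": "msrpc.sys" 41 | }, 42 | { 43 | "start": "0xfffff80511530000", 44 | "end": "0xfffff80511557000", 45 | "name": "tm.sys" 46 | }, 47 | { 48 | "start": "0xfffff80511560000", 49 | "end": "0xfffff805115c8000", 50 | "name": "CLFS.sys" 51 | }, 52 | { 53 | "start": "0xfffff805115d0000", 54 | "end": "0xfffff805115ea000", 55 | "name": "PSHED.dll" 56 | }, 57 | { 58 | "start": "0xfffff805115f0000", 59 | "end": "0xfffff805115fb000", 60 | "name": "BOOTVID.dll" 61 | }, 62 | { 63 | "start": "0xfffff80511900000", 64 | "end": "0xfffff80511a05000", 65 | "name": "clipsp.sys" 66 | }, 67 | { 68 | "start": "0xfffff80511a10000", 69 | "end": "0xfffff80511a81000", 70 | "name": "FLTMGR.sys" 71 | }, 72 | { 73 | "start":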
"0xfffff80511a90000", 74 | "end": "0xfffff80511a9e000", 75 | "name": "cmimcext.sys" 76 | }, 77 | { 78 | "start": "0xfffff80511aa0000", 79 | "end": "0xfffff80511aac000", 80 | "name": "ntosext.sys" 81 | }, 82 | { 83 | "start": "0xfffff80511ab0000", 84 | "end": "0xfffff80511b8c000", 85 | "name": "CI.dll" 86 | }, 87 | { 88 | "start": "0xfffff80511b90000", 89 | "end": "0xfffff80511c4c000", 90 | "name": "cng.sys" 91 | }, 92 | { 93 | "start": "0xfffff80511c50000", 94 | "end": "0xfffff80511cea000", 95 | "name": "VerifierExt.sys" 96 | }, 97 | { 98 | "start": "0xfffff80511cf0000", 99 | "end": "0xfffff80511cff000", 100 | "name": "SleepStudyHelper.sys" 101 | }, 102 | { 103 | "start": "0xfffff80511d00000", 104 | "end": "0xfffff80511dd5000", 105 | "name": "Wdf01000.sys" 106 | }, 107 | { 108 | "start": "0xfffff80511de0000", 109 | "end": "0xfffff80511df3000", 110 | "name": "WDFLDR.sys" 111 | }, 112 | { 113 | "start": "0xfffff80511e00000", 114 | "end": "0xfffff80511e10000", 115 | "name": "WppRecorder.sys" 116 | }, 117 | { 118 | "start": "0xfffff80511e20000", 119 | "end": "0xfffff80511e45000", 120 | "name": "acpiex.sys" 121 | }, 122 | { 123 | "start": "0xfffff80511e50000", 124 | "end": "0xfffff80511e99000", 125 | "name": "mssecflt.sys" 126 | }, 127 | { 128 | "start": "0xfffff80511ea0000", 129 | "end": "0xfffff80511eba000", 130 | "name": "SgrmAgent.sys" 131 | }, 132 | { 133 | "start": "0xfffff80511ec0000", 134 | "end": "0xfffff80511f8c000", 135 | "name": "ACPI.sys" 136 | }, 137 | { 138 | "start": "0xfffff80511f90000", 139 | "end": "0xfffff80511f9c000", 140 | "name": "WMILIB.sys" 141 | }, 142 | { 143 | "start": "0xfffff80511fa0000", 144 | "end": "0xfffff80511fb0000", 145 | "name": "WdBoot.sys" 146 | }, 147 | { 148 | "start": "0xfffff80511fc0000", 149 | "end": "0xfffff80512009000", 150 | "name": "intelpep.sys" 151 | }, 152 | { 153 | "start": "0xfffff80512010000", 154 | "end": "0xfffff80512027000", 155 | "name": "WindowsTrustedRT.sys" 156 | }, 157 | { 158 | "start": 
"0xfffff80512030000", 159 | "end": "0xfffff8051203b000", 160 | "name": "WindowsTrustedRTProxy.sys" 161 | }, 162 | { 163 | "start": "0xfffff80512040000", 164 | "end": "0xfffff80512055000", 165 | "name": "pcw.sys" 166 | }, 167 | { 168 | "start": "0xfffff80512060000", 169 | "end": "0xfffff80512073000", 170 | "name": "vdrvroot.sys" 171 | }, 172 | { 173 | "start": "0xfffff80512080000", 174 | "end": "0xfffff805120c1000", 175 | "name": "ucx01000.sys" 176 | }, 177 | { 178 | "start": "0xfffff805120d0000", 179 | "end": "0xfffff80512103000", 180 | "name": "pdc.sys" 181 | }, 182 | { 183 | "start": "0xfffff80512110000", 184 | "end": "0xfffff80512129000", 185 | "name": "CEA.sys" 186 | }, 187 | { 188 | "start": "0xfffff80512130000", 189 | "end": "0xfffff80512160000", 190 | "name": "partmgr.sys" 191 | }, 192 | { 193 | "start": "0xfffff80512170000", 194 | "end": "0xfffff80512215000", 195 | "name": "spaceport.sys" 196 | }, 197 | { 198 | "start": "0xfffff80512220000", 199 | "end": "0xfffff8051223a000", 200 | "name": "volmgr.sys" 201 | }, 202 | { 203 | "start": "0xfffff80512240000", 204 | "end": "0xfffff8051228e000", 205 | "name": "sdbus.sys" 206 | }, 207 | { 208 | "start": "0xfffff80512290000", 209 | "end": "0xfffff805122f3000", 210 | "name": "volmgrx.sys" 211 | }, 212 | { 213 | "start": "0xfffff80512300000", 214 | "end": "0xfffff8051232c000", 215 | "name": "vmbus.sys" 216 | }, 217 | { 218 | "start": "0xfffff80512330000", 219 | "end": "0xfffff80512358000", 220 | "name": "hvsocket.sys" 221 | }, 222 | { 223 | "start": "0xfffff80512360000", 224 | "end": "0xfffff805123f4000", 225 | "name": "NETIO.sys" 226 | }, 227 | { 228 | "start": "0xfffff80512400000", 229 | "end": "0xfffff80512572000", 230 | "name": "NDIS.sys" 231 | }, 232 | { 233 | "start": "0xfffff80512580000", 234 | "end": "0xfffff8051259d000", 235 | "name": "vmbkmcl.sys" 236 | }, 237 | { 238 | "start": "0xfffff805125a0000", 239 | "end": "0xfffff805125b2000", 240 | "name": "winhv.sys" 241 | }, 242 | { 243 | "start": 
"0xfffff805125c0000", 244 | "end": "0xfffff805125d8000", 245 | "name": "urscx01000.sys" 246 | }, 247 | { 248 | "start": "0xfffff805125e0000", 249 | "end": "0xfffff805125ff000", 250 | "name": "mountmgr.sys" 251 | }, 252 | { 253 | "start": "0xfffff80512600000", 254 | "end": "0xfffff8051261b000", 255 | "name": "EhStorClass.sys" 256 | }, 257 | { 258 | "start": "0xfffff80512620000", 259 | "end": "0xfffff8051263a000", 260 | "name": "fileinfo.sys" 261 | }, 262 | { 263 | "start": "0xfffff80512640000", 264 | "end": "0xfffff8051267d000", 265 | "name": "Wof.sys" 266 | }, 267 | { 268 | "start": "0xfffff80512680000", 269 | "end": "0xfffff805126d4000", 270 | "name": "WdFilter.sys" 271 | }, 272 | { 273 | "start": "0xfffff805126e0000", 274 | "end": "0xfffff80512713000", 275 | "name": "usbccgp.sys" 276 | }, 277 | { 278 | "start": "0xfffff80512720000", 279 | "end": "0xfffff8051272e000", 280 | "name": "USBD.sys" 281 | }, 282 | { 283 | "start": "0xfffff80512730000", 284 | "end": "0xfffff8051273d000", 285 | "name": "urschipidea.sys" 286 | }, 287 | { 288 | "start": "0xfffff80512740000", 289 | "end": "0xfffff8051274f000", 290 | "name": "storvsc.sys" 291 | }, 292 | { 293 | "start": "0xfffff80512750000", 294 | "end": "0xfffff805127f2000", 295 | "name": "storport.sys" 296 | }, 297 | { 298 | "start": "0xfffff80512800000", 299 | "end": "0xfffff8051281d000", 300 | "name": "usbehci.sys" 301 | }, 302 | { 303 | "start": "0xfffff80512820000", 304 | "end": "0xfffff8051289a000", 305 | "name": "USBPORT.sys" 306 | }, 307 | { 308 | "start": "0xfffff805128a0000", 309 | "end": "0xfffff805128ad000", 310 | "name": "Fs_Rec.sys" 311 | }, 312 | { 313 | "start": "0xfffff805128b0000", 314 | "end": "0xfffff805128e2000", 315 | "name": "ksecpkg.sys" 316 | }, 317 | { 318 | "start": "0xfffff805128f0000", 319 | "end": "0xfffff805128fb000", 320 | "name": "volume.sys" 321 | }, 322 | { 323 | "start": "0xfffff80512900000", 324 | "end": "0xfffff80512b9e000", 325 | "name": "Ntfs.sys" 326 | }, 327 | { 328 | "start": 
"0xfffff80512ba0000", 329 | "end": "0xfffff80512c2a000", 330 | "name": "usbhub.sys" 331 | }, 332 | { 333 | "start": "0xfffff80512c30000", 334 | "end": "0xfffff80512ccc000", 335 | "name": "UsbHub3.sys" 336 | }, 337 | { 338 | "start": "0xfffff80512cd0000", 339 | "end": "0xfffff80512fba000", 340 | "name": "tcpip.sys" 341 | }, 342 | { 343 | "start": "0xfffff80512fc0000", 344 | "end": "0xfffff8051303a000", 345 | "name": "fwpkclnt.sys" 346 | }, 347 | { 348 | "start": "0xfffff80513040000", 349 | "end": "0xfffff80513070000", 350 | "name": "wfplwfs.sys" 351 | }, 352 | { 353 | "start": "0xfffff80513080000", 354 | "end": "0xfffff80513149000", 355 | "name": "fvevol.sys" 356 | }, 357 | { 358 | "start": "0xfffff80513150000", 359 | "end": "0xfffff805131bd000", 360 | "name": "volsnap.sys" 361 | }, 362 | { 363 | "start": "0xfffff805131c0000", 364 | "end": "0xfffff80513249000", 365 | "name": "USBXHCI.sys" 366 | }, 367 | { 368 | "start": "0xfffff80513250000", 369 | "end": "0xfffff80513275000", 370 | "name": "USBSTOR.sys" 371 | }, 372 | { 373 | "start": "0xfffff80513280000", 374 | "end": "0xfffff80513298000", 375 | "name": "uaspstor.sys" 376 | }, 377 | { 378 | "start": "0xfffff805132a0000", 379 | "end": "0xfffff805132be000", 380 | "name": "sdstor.sys" 381 | }, 382 | { 383 | "start": "0xfffff805132c0000", 384 | "end": "0xfffff8051330e000", 385 | "name": "rdyboost.sys" 386 | }, 387 | { 388 | "start": "0xfffff80513310000", 389 | "end": "0xfffff80513335000", 390 | "name": "mup.sys" 391 | }, 392 | { 393 | "start": "0xfffff80513340000", 394 | "end": "0xfffff80513352000", 395 | "name": "iorate.sys" 396 | }, 397 | { 398 | "start": "0xfffff80513360000", 399 | "end": "0xfffff8051336f000", 400 | "name": "hwpolicy.sys" 401 | }, 402 | { 403 | "start": "0xfffff80513370000", 404 | "end": "0xfffff8051338c000", 405 | "name": "disk.sys" 406 | }, 407 | { 408 | "start": "0xfffff80513390000", 409 | "end": "0xfffff805133fb000", 410 | "name": "CLASSPNP.sys" 411 | } 412 | ] 
-------------------------------------------------------------------------------- /tests/modules_2.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "start": "0xfffff3eb6ff80000", 4 | "end": "0xfffff3eb6fffc000", 5 | "name": "win32k.sys" 6 | }, 7 | { 8 | "start": "0xfffff3eb70000000", 9 | "end": "0xfffff3eb70234000", 10 | "name": "win32kbase.sys" 11 | }, 12 | { 13 | "start": "0xfffff3eb70240000", 14 | "end": "0xfffff3eb7027f000", 15 | "name": "cdd.dll" 16 | }, 17 | { 18 | "start": "0xfffff3eb704e0000", 19 | "end": "0xfffff3eb70872000", 20 | "name": "win32kfull.sys" 21 | }, 22 | { 23 | "start": "0xfffff803f2a09000", 24 | "end": "0xfffff803f2a95000", 25 | "name": "hal.dll" 26 | }, 27 | { 28 | "start": "0xfffff803f2a95000", 29 | "end": "0xfffff803f33fa000", 30 | "name": "nt" 31 | }, 32 | { 33 | "start": "0xfffff803f3600000", 34 | "end": "0xfffff803f360c000", 35 | "name": "kdstub.dll" 36 | }, 37 | { 38 | "start": "0xfffff803f360c000", 39 | "end": "0xfffff803f363a000", 40 | "name": "kdnet.dll" 41 | }, 42 | { 43 | "start": "0xfffff80d24000000", 44 | "end": "0xfffff80d24060000", 45 | "name": "msrpc.sys" 46 | }, 47 | { 48 | "start": "0xfffff80d24060000", 49 | "end": "0xfffff80d2408a000", 50 | "name": "ksecdd.sys" 51 | }, 52 | { 53 | "start": "0xfffff80d24090000", 54 | "end": "0xfffff80d240a1000", 55 | "name": "werkernel.sys" 56 | }, 57 | { 58 | "start": "0xfffff80d240b0000", 59 | "end": "0xfffff80d24114000", 60 | "name": "CLFS.sys" 61 | }, 62 | { 63 | "start": "0xfffff80d24120000", 64 | "end": "0xfffff80d24144000", 65 | "name": "tm.sys" 66 | }, 67 | { 68 | "start": "0xfffff80d24150000", 69 | "end": "0xfffff80d24167000", 70 | "name": "PSHED.dll" 71 | }, 72 | { 73 | "start": "0xfffff80d24170000", 74 | "end": "0xfffff80d2417b000", 75 | "name": "BOOTVID.dll" 76 | }, 77 | { 78 | "start": "0xfffff80d24180000", 79 | "end": "0xfffff80d241e9000", 80 | "name": "FLTMGR.sys" 81 | }, 82 | { 83 | "start": "0xfffff80d241f0000", 84 | 
"end": "0xfffff80d242f2000", 85 | "name": "clipsp.sys" 86 | }, 87 | { 88 | "start": "0xfffff80d24300000", 89 | "end": "0xfffff80d2430e000", 90 | "name": "cmimcext.sys" 91 | }, 92 | { 93 | "start": "0xfffff80d24310000", 94 | "end": "0xfffff80d2431c000", 95 | "name": "ntosext.sys" 96 | }, 97 | { 98 | "start": "0xfffff80d24320000", 99 | "end": "0xfffff80d243d5000", 100 | "name": "CI.dll" 101 | }, 102 | { 103 | "start": "0xfffff80d243e0000", 104 | "end": "0xfffff80d24492000", 105 | "name": "cng.sys" 106 | }, 107 | { 108 | "start": "0xfffff80d244a0000", 109 | "end": "0xfffff80d24584000", 110 | "name": "Wdf01000.sys" 111 | }, 112 | { 113 | "start": "0xfffff80d24590000", 114 | "end": "0xfffff80d245a3000", 115 | "name": "WDFLDR.sys" 116 | }, 117 | { 118 | "start": "0xfffff80d245b0000", 119 | "end": "0xfffff80d245be000", 120 | "name": "WppRecorder.sys" 121 | }, 122 | { 123 | "start": "0xfffff80d245c0000", 124 | "end": "0xfffff80d245cf000", 125 | "name": "SleepStudyHelper.sys" 126 | }, 127 | { 128 | "start": "0xfffff80d245d0000", 129 | "end": "0xfffff80d245f3000", 130 | "name": "acpiex.sys" 131 | }, 132 | { 133 | "start": "0xfffff80d24600000", 134 | "end": "0xfffff80d2464f000", 135 | "name": "mssecflt.sys" 136 | }, 137 | { 138 | "start": "0xfffff80d24650000", 139 | "end": "0xfffff80d24665000", 140 | "name": "SgrmAgent.sys" 141 | }, 142 | { 143 | "start": "0xfffff80d24670000", 144 | "end": "0xfffff80d24715000", 145 | "name": "ACPI.sys" 146 | }, 147 | { 148 | "start": "0xfffff80d24720000", 149 | "end": "0xfffff80d2472c000", 150 | "name": "WMILIB.sys" 151 | }, 152 | { 153 | "start": "0xfffff80d24740000", 154 | "end": "0xfffff80d2476f000", 155 | "name": "intelpep.sys" 156 | }, 157 | { 158 | "start": "0xfffff80d24770000", 159 | "end": "0xfffff80d24786000", 160 | "name": "WindowsTrustedRT.sys" 161 | }, 162 | { 163 | "start": "0xfffff80d24790000", 164 | "end": "0xfffff80d2479b000", 165 | "name": "WindowsTrustedRTProxy.sys" 166 | }, 167 | { 168 | "start": "0xfffff80d247a0000", 169 | 
"end": "0xfffff80d247b4000", 170 | "name": "pcw.sys" 171 | }, 172 | { 173 | "start": "0xfffff80d247c0000", 174 | "end": "0xfffff80d247d2000", 175 | "name": "vdrvroot.sys" 176 | }, 177 | { 178 | "start": "0xfffff80d247e0000", 179 | "end": "0xfffff80d24808000", 180 | "name": "pdc.sys" 181 | }, 182 | { 183 | "start": "0xfffff80d24810000", 184 | "end": "0xfffff80d24829000", 185 | "name": "CEA.sys" 186 | }, 187 | { 188 | "start": "0xfffff80d24830000", 189 | "end": "0xfffff80d2485d000", 190 | "name": "partmgr.sys" 191 | }, 192 | { 193 | "start": "0xfffff80d248a0000", 194 | "end": "0xfffff80d249f9000", 195 | "name": "mcupdate_GenuineIntel.dll" 196 | }, 197 | { 198 | "start": "0xfffff80d24a00000", 199 | "end": "0xfffff80d24a89000", 200 | "name": "NETIO.sys" 201 | }, 202 | { 203 | "start": "0xfffff80d24a90000", 204 | "end": "0xfffff80d24ab6000", 205 | "name": "hvsocket.sys" 206 | }, 207 | { 208 | "start": "0xfffff80d24ac0000", 209 | "end": "0xfffff80d24ad9000", 210 | "name": "vmbkmcl.sys" 211 | }, 212 | { 213 | "start": "0xfffff80d24ae0000", 214 | "end": "0xfffff80d24af0000", 215 | "name": "winhv.sys" 216 | }, 217 | { 218 | "start": "0xfffff80d24af0000", 219 | "end": "0xfffff80d24b4e000", 220 | "name": "volmgrx.sys" 221 | }, 222 | { 223 | "start": "0xfffff80d24b50000", 224 | "end": "0xfffff80d24b6e000", 225 | "name": "mountmgr.sys" 226 | }, 227 | { 228 | "start": "0xfffff80d24b70000", 229 | "end": "0xfffff80d24b8c000", 230 | "name": "EhStorClass.sys" 231 | }, 232 | { 233 | "start": "0xfffff80d24b90000", 234 | "end": "0xfffff80d24baa000", 235 | "name": "fileinfo.sys" 236 | }, 237 | { 238 | "start": "0xfffff80d24bb0000", 239 | "end": "0xfffff80d24beb000", 240 | "name": "Wof.sys" 241 | }, 242 | { 243 | "start": "0xfffff80d24bf0000", 244 | "end": "0xfffff80d24c47000", 245 | "name": "WdFilter.sys" 246 | }, 247 | { 248 | "start": "0xfffff80d24c50000", 249 | "end": "0xfffff80d24eab000", 250 | "name": "Ntfs.sys" 251 | }, 252 | { 253 | "start": "0xfffff80d24eb0000", 254 | "end": 
"0xfffff80d24ebf000", 255 | "name": "storvsc.sys" 256 | }, 257 | { 258 | "start": "0xfffff80d24ec0000", 259 | "end": "0xfffff80d24f4f000", 260 | "name": "storport.sys" 261 | }, 262 | { 263 | "start": "0xfffff80d24f50000", 264 | "end": "0xfffff80d24f5d000", 265 | "name": "Fs_Rec.sys" 266 | }, 267 | { 268 | "start": "0xfffff80d24f60000", 269 | "end": "0xfffff80d24f90000", 270 | "name": "ksecpkg.sys" 271 | }, 272 | { 273 | "start": "0xfffff80d24f90000", 274 | "end": "0xfffff80d2502e000", 275 | "name": "afd.sys" 276 | }, 277 | { 278 | "start": "0xfffff80d25030000", 279 | "end": "0xfffff80d250a6000", 280 | "name": "rdbss.sys" 281 | }, 282 | { 283 | "start": "0xfffff80d250b0000", 284 | "end": "0xfffff80d25140000", 285 | "name": "csc.sys" 286 | }, 287 | { 288 | "start": "0xfffff80d25140000", 289 | "end": "0xfffff80d2514a000", 290 | "name": "gpuenergydrv.sys" 291 | }, 292 | { 293 | "start": "0xfffff80d25150000", 294 | "end": "0xfffff80d25179000", 295 | "name": "dfsc.sys" 296 | }, 297 | { 298 | "start": "0xfffff80d25190000", 299 | "end": "0xfffff80d25229000", 300 | "name": "spaceport.sys" 301 | }, 302 | { 303 | "start": "0xfffff80d25230000", 304 | "end": "0xfffff80d25249000", 305 | "name": "volmgr.sys" 306 | }, 307 | { 308 | "start": "0xfffff80d25250000", 309 | "end": "0xfffff80d25274000", 310 | "name": "vmbus.sys" 311 | }, 312 | { 313 | "start": "0xfffff80d25280000", 314 | "end": "0xfffff80d253c1000", 315 | "name": "NDIS.sys" 316 | }, 317 | { 318 | "start": "0xfffff80d25400000", 319 | "end": "0xfffff80d254bc000", 320 | "name": "fvevol.sys" 321 | }, 322 | { 323 | "start": "0xfffff80d254c0000", 324 | "end": "0xfffff80d254cb000", 325 | "name": "volume.sys" 326 | }, 327 | { 328 | "start": "0xfffff80d254d0000", 329 | "end": "0xfffff80d25537000", 330 | "name": "volsnap.sys" 331 | }, 332 | { 333 | "start": "0xfffff80d25540000", 334 | "end": "0xfffff80d2558c000", 335 | "name": "rdyboost.sys" 336 | }, 337 | { 338 | "start": "0xfffff80d25590000", 339 | "end": "0xfffff80d255b4000", 
340 | "name": "mup.sys" 341 | }, 342 | { 343 | "start": "0xfffff80d255c0000", 344 | "end": "0xfffff80d255d1000", 345 | "name": "iorate.sys" 346 | }, 347 | { 348 | "start": "0xfffff80d255e0000", 349 | "end": "0xfffff80d255ef000", 350 | "name": "mssmbios.sys" 351 | }, 352 | { 353 | "start": "0xfffff80d255f0000", 354 | "end": "0xfffff80d2560c000", 355 | "name": "disk.sys" 356 | }, 357 | { 358 | "start": "0xfffff80d25610000", 359 | "end": "0xfffff80d2567b000", 360 | "name": "CLASSPNP.sys" 361 | }, 362 | { 363 | "start": "0xfffff80d256a0000", 364 | "end": "0xfffff80d256bc000", 365 | "name": "crashdmp.sys" 366 | }, 367 | { 368 | "start": "0xfffff80d25760000", 369 | "end": "0xfffff80d2578e000", 370 | "name": "cdrom.sys" 371 | }, 372 | { 373 | "start": "0xfffff80d25790000", 374 | "end": "0xfffff80d257a4000", 375 | "name": "filecrypt.sys" 376 | }, 377 | { 378 | "start": "0xfffff80d257b0000", 379 | "end": "0xfffff80d257bd000", 380 | "name": "tbs.sys" 381 | }, 382 | { 383 | "start": "0xfffff80d257c0000", 384 | "end": "0xfffff80d257ca000", 385 | "name": "Null.sys" 386 | }, 387 | { 388 | "start": "0xfffff80d257d0000", 389 | "end": "0xfffff80d257da000", 390 | "name": "Beep.sys" 391 | }, 392 | { 393 | "start": "0xfffff80d257e0000", 394 | "end": "0xfffff80d25a99000", 395 | "name": "dxgkrnl.sys" 396 | }, 397 | { 398 | "start": "0xfffff80d25aa0000", 399 | "end": "0xfffff80d25ab4000", 400 | "name": "watchdog.sys" 401 | }, 402 | { 403 | "start": "0xfffff80d25ac0000", 404 | "end": "0xfffff80d25ada000", 405 | "name": "vmbkmclr.sys" 406 | }, 407 | { 408 | "start": "0xfffff80d25ae0000", 409 | "end": "0xfffff80d25af6000", 410 | "name": "BasicDisplay.sys" 411 | }, 412 | { 413 | "start": "0xfffff80d25b00000", 414 | "end": "0xfffff80d25b10000", 415 | "name": "BasicRender.sys" 416 | }, 417 | { 418 | "start": "0xfffff80d25b10000", 419 | "end": "0xfffff80d25b2b000", 420 | "name": "Npfs.sys" 421 | }, 422 | { 423 | "start": "0xfffff80d25b30000", 424 | "end": "0xfffff80d25b40000", 425 | "name": 
"Msfs.sys" 426 | }, 427 | { 428 | "start": "0xfffff80d25b40000", 429 | "end": "0xfffff80d25b63000", 430 | "name": "tdx.sys" 431 | }, 432 | { 433 | "start": "0xfffff80d25b70000", 434 | "end": "0xfffff80d25b80000", 435 | "name": "TDI.sys" 436 | }, 437 | { 438 | "start": "0xfffff80d25b80000", 439 | "end": "0xfffff80d25bd4000", 440 | "name": "netbt.sys" 441 | }, 442 | { 443 | "start": "0xfffff80d25be0000", 444 | "end": "0xfffff80d25bf3000", 445 | "name": "afunix.sys" 446 | }, 447 | { 448 | "start": "0xfffff80d25c00000", 449 | "end": "0xfffff80d25c1a000", 450 | "name": "vwififlt.sys" 451 | }, 452 | { 453 | "start": "0xfffff80d25c20000", 454 | "end": "0xfffff80d25c49000", 455 | "name": "pacer.sys" 456 | }, 457 | { 458 | "start": "0xfffff80d25c50000", 459 | "end": "0xfffff80d25c62000", 460 | "name": "netbios.sys" 461 | }, 462 | { 463 | "start": "0xfffff80d25c70000", 464 | "end": "0xfffff80d25f14000", 465 | "name": "tcpip.sys" 466 | }, 467 | { 468 | "start": "0xfffff80d25f20000", 469 | "end": "0xfffff80d25f96000", 470 | "name": "fwpkclnt.sys" 471 | }, 472 | { 473 | "start": "0xfffff80d25fa0000", 474 | "end": "0xfffff80d25fcd000", 475 | "name": "wfplwfs.sys" 476 | }, 477 | { 478 | "start": "0xfffff80d25fd0000", 479 | "end": "0xfffff80d25fe2000", 480 | "name": "nsiproxy.sys" 481 | }, 482 | { 483 | "start": "0xfffff80d25ff0000", 484 | "end": "0xfffff80d25ffd000", 485 | "name": "npsvctrig.sys" 486 | }, 487 | { 488 | "start": "0xfffff80d26200000", 489 | "end": "0xfffff80d26245000", 490 | "name": "ahcache.sys" 491 | }, 492 | { 493 | "start": "0xfffff80d26250000", 494 | "end": "0xfffff80d26261000", 495 | "name": "CompositeBus.sys" 496 | }, 497 | { 498 | "start": "0xfffff80d26270000", 499 | "end": "0xfffff80d2627d000", 500 | "name": "kdnic.sys" 501 | }, 502 | { 503 | "start": "0xfffff80d26280000", 504 | "end": "0xfffff80d26295000", 505 | "name": "umbus.sys" 506 | }, 507 | { 508 | "start": "0xfffff80d262a0000", 509 | "end": "0xfffff80d262b3000", 510 | "name": "dmvsc.sys" 511 | }, 
512 | { 513 | "start": "0xfffff80d262c0000", 514 | "end": "0xfffff80d262ce000", 515 | "name": "VMBusHID.sys" 516 | }, 517 | { 518 | "start": "0xfffff80d262d0000", 519 | "end": "0xfffff80d26303000", 520 | "name": "HIDCLASS.sys" 521 | }, 522 | { 523 | "start": "0xfffff80d26310000", 524 | "end": "0xfffff80d26323000", 525 | "name": "HIDPARSE.sys" 526 | }, 527 | { 528 | "start": "0xfffff80d26330000", 529 | "end": "0xfffff80d2633c000", 530 | "name": "hyperkbd.sys" 531 | }, 532 | { 533 | "start": "0xfffff80d26340000", 534 | "end": "0xfffff80d26353000", 535 | "name": "kbdclass.sys" 536 | }, 537 | { 538 | "start": "0xfffff80d26360000", 539 | "end": "0xfffff80d2636f000", 540 | "name": "HyperVideo.sys" 541 | }, 542 | { 543 | "start": "0xfffff80d26370000", 544 | "end": "0xfffff80d2637b000", 545 | "name": "vmgencounter.sys" 546 | }, 547 | { 548 | "start": "0xfffff80d26380000", 549 | "end": "0xfffff80d263bd000", 550 | "name": "intelppm.sys" 551 | }, 552 | { 553 | "start": "0xfffff80d263c0000", 554 | "end": "0xfffff80d263cd000", 555 | "name": "NdisVirtualBus.sys" 556 | }, 557 | { 558 | "start": "0xfffff80d263d0000", 559 | "end": "0xfffff80d263dc000", 560 | "name": "swenum.sys" 561 | }, 562 | { 563 | "start": "0xfffff80d263e0000", 564 | "end": "0xfffff80d2644b000", 565 | "name": "ks.sys" 566 | }, 567 | { 568 | "start": "0xfffff80d26450000", 569 | "end": "0xfffff80d2645e000", 570 | "name": "rdpbus.sys" 571 | }, 572 | { 573 | "start": "0xfffff80d26460000", 574 | "end": "0xfffff80d2646f000", 575 | "name": "mouhid.sys" 576 | }, 577 | { 578 | "start": "0xfffff80d26470000", 579 | "end": "0xfffff80d26481000", 580 | "name": "mouclass.sys" 581 | }, 582 | { 583 | "start": "0xfffff80d26490000", 584 | "end": "0xfffff80d264e6000", 585 | "name": "udfs.sys" 586 | }, 587 | { 588 | "start": "0xfffff80d26500000", 589 | "end": "0xfffff80d2650f000", 590 | "name": "dump_diskdump.sys" 591 | }, 592 | { 593 | "start": "0xfffff80d26520000", 594 | "end": "0xfffff80d2652f000", 595 | "name": 
"dump_storvsc.sys" 596 | }, 597 | { 598 | "start": "0xfffff80d26530000", 599 | "end": "0xfffff80d26549000", 600 | "name": "dump_vmbkmcl.sys" 601 | }, 602 | { 603 | "start": "0xfffff80d26570000", 604 | "end": "0xfffff80d2658d000", 605 | "name": "dump_dumpfve.sys" 606 | }, 607 | { 608 | "start": "0xfffff80d26590000", 609 | "end": "0xfffff80d265a1000", 610 | "name": "monitor.sys" 611 | }, 612 | { 613 | "start": "0xfffff80d265b0000", 614 | "end": "0xfffff80d26676000", 615 | "name": "dxgmms2.sys" 616 | }, 617 | { 618 | "start": "0xfffff80d26680000", 619 | "end": "0xfffff80d2668d000", 620 | "name": "rdpvideominiport.sys" 621 | }, 622 | { 623 | "start": "0xfffff80d26690000", 624 | "end": "0xfffff80d266c2000", 625 | "name": "rdpdr.sys" 626 | }, 627 | { 628 | "start": "0xfffff80d266d0000", 629 | "end": "0xfffff80d266f5000", 630 | "name": "tsusbhub.sys" 631 | }, 632 | { 633 | "start": "0xfffff80d26700000", 634 | "end": "0xfffff80d26727000", 635 | "name": "luafv.sys" 636 | }, 637 | { 638 | "start": "0xfffff80d26730000", 639 | "end": "0xfffff80d26758000", 640 | "name": "wcifs.sys" 641 | }, 642 | { 643 | "start": "0xfffff80d26760000", 644 | "end": "0xfffff80d267ce000", 645 | "name": "cldflt.sys" 646 | }, 647 | { 648 | "start": "0xfffff80d267d0000", 649 | "end": "0xfffff80d267e9000", 650 | "name": "storqosflt.sys" 651 | }, 652 | { 653 | "start": "0xfffff80d267f0000", 654 | "end": "0xfffff80d26811000", 655 | "name": "bowser.sys" 656 | }, 657 | { 658 | "start": "0xfffff80d26820000", 659 | "end": "0xfffff80d268a2000", 660 | "name": "mrxsmb.sys" 661 | }, 662 | { 663 | "start": "0xfffff80d268b0000", 664 | "end": "0xfffff80d268ed000", 665 | "name": "mrxsmb20.sys" 666 | }, 667 | { 668 | "start": "0xfffff80d268f0000", 669 | "end": "0xfffff80d26906000", 670 | "name": "lltdio.sys" 671 | }, 672 | { 673 | "start": "0xfffff80d26910000", 674 | "end": "0xfffff80d2692a000", 675 | "name": "mslldp.sys" 676 | }, 677 | { 678 | "start": "0xfffff80d26930000", 679 | "end": "0xfffff80d2694a000", 680 | 
"name": "rspndr.sys" 681 | }, 682 | { 683 | "start": "0xfffff80d26950000", 684 | "end": "0xfffff80d2696b000", 685 | "name": "wanarp.sys" 686 | }, 687 | { 688 | "start": "0xfffff80d26970000", 689 | "end": "0xfffff80d26a72000", 690 | "name": "HTTP.sys" 691 | }, 692 | { 693 | "start": "0xfffff80d26a80000", 694 | "end": "0xfffff80d26a99000", 695 | "name": "mpsdrv.sys" 696 | }, 697 | { 698 | "start": "0xfffff80d26aa0000", 699 | "end": "0xfffff80d26ab3000", 700 | "name": "mmcss.sys" 701 | }, 702 | { 703 | "start": "0xfffff80d26ac0000", 704 | "end": "0xfffff80d26ae7000", 705 | "name": "Ndu.sys" 706 | }, 707 | { 708 | "start": "0xfffff80d26af0000", 709 | "end": "0xfffff80d26b38000", 710 | "name": "srvnet.sys" 711 | }, 712 | { 713 | "start": "0xfffff80d26b80000", 714 | "end": "0xfffff80d26be0000", 715 | "name": "fastfat.sys" 716 | }, 717 | { 718 | "start": "0xfffff80d26be0000", 719 | "end": "0xfffff80d26bf4000", 720 | "name": "bam.sys" 721 | }, 722 | { 723 | "start": "0xfffff80d26e00000", 724 | "end": "0xfffff80d26ec0000", 725 | "name": "peauth.sys" 726 | }, 727 | { 728 | "start": "0xfffff80d26ec0000", 729 | "end": "0xfffff80d26ed3000", 730 | "name": "tcpipreg.sys" 731 | }, 732 | { 733 | "start": "0xfffff80d26ee0000", 734 | "end": "0xfffff80d26efb000", 735 | "name": "rassstp.sys" 736 | }, 737 | { 738 | "start": "0xfffff80d26f00000", 739 | "end": "0xfffff80d26f16000", 740 | "name": "NDProxy.sys" 741 | }, 742 | { 743 | "start": "0xfffff80d26f20000", 744 | "end": "0xfffff80d26f47000", 745 | "name": "AgileVpn.sys" 746 | }, 747 | { 748 | "start": "0xfffff80d26f50000", 749 | "end": "0xfffff80d26f70000", 750 | "name": "rasl2tp.sys" 751 | }, 752 | { 753 | "start": "0xfffff80d26f70000", 754 | "end": "0xfffff80d26f8f000", 755 | "name": "raspptp.sys" 756 | }, 757 | { 758 | "start": "0xfffff80d26f90000", 759 | "end": "0xfffff80d26fab000", 760 | "name": "raspppoe.sys" 761 | }, 762 | { 763 | "start": "0xfffff80d26fb0000", 764 | "end": "0xfffff80d26fbf000", 765 | "name": "ndistapi.sys" 
766 | }, 767 | { 768 | "start": "0xfffff80d26fc0000", 769 | "end": "0xfffff80d26ff7000", 770 | "name": "ndiswan.sys" 771 | }, 772 | { 773 | "start": "0xfffff80d27000000", 774 | "end": "0xfffff80d27011000", 775 | "name": "WdNisDrv.sys" 776 | }, 777 | { 778 | "start": "0xfffff80d27940000", 779 | "end": "0xfffff80d279fc000", 780 | "name": "srv2.sys" 781 | } 782 | ] -------------------------------------------------------------------------------- /tests/modules_3.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "start": "0x0007ff602ce0000", 4 | "end": "0x0007ff603075000", 5 | "name": "LockApp.exe" 6 | }, 7 | { 8 | "start": "0x0007ffa922e0000", 9 | "end": "0x0007ffa9230b000", 10 | "name": "MtcModel.dll" 11 | }, 12 | { 13 | "start": "0x0007ffa92310000", 14 | "end": "0x0007ffa9241c000", 15 | "name": "Windows.Services.TargetedContent.dll" 16 | }, 17 | { 18 | "start": "0x0007ffa92530000", 19 | "end": "0x0007ffa925a0000", 20 | "name": "lockappbroker.dll" 21 | }, 22 | { 23 | "start": "0x0007ffa925a0000", 24 | "end": "0x0007ffa9261f000", 25 | "name": "Windows.ApplicationModel.LockScreen.dll" 26 | }, 27 | { 28 | "start": "0x0007ffa984f0000", 29 | "end": "0x0007ffa98571000", 30 | "name": "Windows.Graphics.dll" 31 | }, 32 | { 33 | "start": "0x0007ffa996d0000", 34 | "end": "0x0007ffa998d0000", 35 | "name": "uiautomationcore.dll" 36 | }, 37 | { 38 | "start": "0x0007ffa998d0000", 39 | "end": "0x0007ffa9992a000", 40 | "name": "Windows.Storage.ApplicationData.dll" 41 | }, 42 | { 43 | "start": "0x0007ffa9a830000", 44 | "end": "0x0007ffa9a8ed000", 45 | "name": "windows.ui.core.textinput.dll" 46 | }, 47 | { 48 | "start": "0x0007ffa9a8f0000", 49 | "end": "0x0007ffa9a99d000", 50 | "name": "LockController.dll" 51 | }, 52 | { 53 | "start": "0x0007ffa9c370000", 54 | "end": "0x0007ffa9c3c8000", 55 | "name": "DataExchange.dll" 56 | }, 57 | { 58 | "start": "0x0007ffa9cf40000", 59 | "end": "0x0007ffa9cff7000", 60 | "name": 
"Windows.ApplicationModel.dll" 61 | }, 62 | { 63 | "start": "0x0007ffa9ddf0000", 64 | "end": "0x0007ffa9df89000", 65 | "name": "ContentDeliveryManager.Utilities.dll" 66 | }, 67 | { 68 | "start": "0x0007ffa9eb90000", 69 | "end": "0x0007ffa9eba4000", 70 | "name": "threadpoolwinrt.dll" 71 | }, 72 | { 73 | "start": "0x0007ffa9f5e0000", 74 | "end": "0x0007ffa9f693000", 75 | "name": "UiaManager.dll" 76 | }, 77 | { 78 | "start": "0x0007ffaa2150000", 79 | "end": "0x0007ffaa246c000", 80 | "name": "dwrite.dll" 81 | }, 82 | { 83 | "start": "0x0007ffaa2ea0000", 84 | "end": "0x0007ffaa2f3a000", 85 | "name": "directmanipulation.dll" 86 | }, 87 | { 88 | "start": "0x0007ffaa2f40000", 89 | "end": "0x0007ffaa30c9000", 90 | "name": "Windows.Globalization.dll" 91 | }, 92 | { 93 | "start": "0x0007ffaa3ab0000", 94 | "end": "0x0007ffaa3c5c000", 95 | "name": "Windows.UI.Immersive.dll" 96 | }, 97 | { 98 | "start": "0x0007ffaa4c50000", 99 | "end": "0x0007ffaa5c2c000", 100 | "name": "Windows.UI.Xaml.dll" 101 | }, 102 | { 103 | "start": "0x0007ffaa5d50000", 104 | "end": "0x0007ffaa5d79000", 105 | "name": "bcp47mrm.dll" 106 | }, 107 | { 108 | "start": "0x0007ffaa5d80000", 109 | "end": "0x0007ffaa5d97000", 110 | "name": "languageoverlayutil.dll" 111 | }, 112 | { 113 | "start": "0x0007ffaa5ea0000", 114 | "end": "0x0007ffaa5f19000", 115 | "name": "InputHost.dll" 116 | }, 117 | { 118 | "start": "0x0007ffaa5f20000", 119 | "end": "0x0007ffaa5fb8000", 120 | "name": "TextInputFramework.dll" 121 | }, 122 | { 123 | "start": "0x0007ffaa5fc0000", 124 | "end": "0x0007ffaa60d4000", 125 | "name": "Windows.UI.dll" 126 | }, 127 | { 128 | "start": "0x0007ffaa6110000", 129 | "end": "0x0007ffaa6160000", 130 | "name": "Bcp47Langs.dll" 131 | }, 132 | { 133 | "start": "0x0007ffaa6160000", 134 | "end": "0x0007ffaa61cd000", 135 | "name": "wincorlib.dll" 136 | }, 137 | { 138 | "start": "0x0007ffaa6ea0000", 139 | "end": "0x0007ffaa6fbf000", 140 | "name": "MrmCoreR.dll" 141 | }, 142 | { 143 | "start": 
"0x0007ffaa6fc0000", 144 | "end": "0x0007ffaa7262000", 145 | "name": "iertutil.dll" 146 | }, 147 | { 148 | "start": "0x0007ffaa7270000", 149 | "end": "0x0007ffaa76f1000", 150 | "name": "cdp.dll" 151 | }, 152 | { 153 | "start": "0x0007ffaa7700000", 154 | "end": "0x0007ffaa78cc000", 155 | "name": "urlmon.dll" 156 | }, 157 | { 158 | "start": "0x0007ffaabc90000", 159 | "end": "0x0007ffaabd6d000", 160 | "name": "WINHTTP.dll" 161 | }, 162 | { 163 | "start": "0x0007ffaac920000", 164 | "end": "0x0007ffaacfbb000", 165 | "name": "OneCoreUAPCommonProxyStub.dll" 166 | }, 167 | { 168 | "start": "0x0007ffaad180000", 169 | "end": "0x0007ffaad8fe000", 170 | "name": "d3d10warp.dll" 171 | }, 172 | { 173 | "start": "0x0007ffaada80000", 174 | "end": "0x0007ffaadbcd000", 175 | "name": "WinTypes.dll" 176 | }, 177 | { 178 | "start": "0x0007ffaadc40000", 179 | "end": "0x0007ffaadf5e000", 180 | "name": "CoreUIComponents.dll" 181 | }, 182 | { 183 | "start": "0x0007ffaae7c0000", 184 | "end": "0x0007ffaae851000", 185 | "name": "msvcp110_win.dll" 186 | }, 187 | { 188 | "start": "0x0007ffaaef30000", 189 | "end": "0x0007ffaaf23b000", 190 | "name": "d3d11.dll" 191 | }, 192 | { 193 | "start": "0x0007ffaaf240000", 194 | "end": "0x0007ffaaf807000", 195 | "name": "d2d1.dll" 196 | }, 197 | { 198 | "start": "0x0007ffaaf810000", 199 | "end": "0x0007ffaaf9ac000", 200 | "name": "dcomp.dll" 201 | }, 202 | { 203 | "start": "0x0007ffaaf9b0000", 204 | "end": "0x0007ffaafa8a000", 205 | "name": "CoreMessaging.dll" 206 | }, 207 | { 208 | "start": "0x0007ffab0170000", 209 | "end": "0x0007ffab0208000", 210 | "name": "uxtheme.dll" 211 | }, 212 | { 213 | "start": "0x0007ffab0240000", 214 | "end": "0x0007ffab0269000", 215 | "name": "dwmapi.dll" 216 | }, 217 | { 218 | "start": "0x0007ffab0320000", 219 | "end": "0x0007ffab0341000", 220 | "name": "RMCLIENT.dll" 221 | }, 222 | { 223 | "start": "0x0007ffab03d0000", 224 | "end": "0x0007ffab0588000", 225 | "name": "twinapi.appcore.dll" 226 | }, 227 | { 228 | "start": 
"0x0007ffab0870000", 229 | "end": "0x0007ffab092b000", 230 | "name": "dxgi.dll" 231 | }, 232 | { 233 | "start": "0x0007ffab0a20000", 234 | "end": "0x0007ffab0a45000", 235 | "name": "sppc.dll" 236 | }, 237 | { 238 | "start": "0x0007ffab0a50000", 239 | "end": "0x0007ffab0a77000", 240 | "name": "slc.dll" 241 | }, 242 | { 243 | "start": "0x0007ffab0ba0000", 244 | "end": "0x0007ffab0bd1000", 245 | "name": "ntmarta.dll" 246 | }, 247 | { 248 | "start": "0x0007ffab1050000", 249 | "end": "0x0007ffab1088000", 250 | "name": "IPHLPAPI.dll" 251 | }, 252 | { 253 | "start": "0x0007ffab14a0000", 254 | "end": "0x0007ffab14ab000", 255 | "name": "CRYPTBASE.dll" 256 | }, 257 | { 258 | "start": "0x0007ffab1540000", 259 | "end": "0x0007ffab1576000", 260 | "name": "NTASN1.dll" 261 | }, 262 | { 263 | "start": "0x0007ffab1580000", 264 | "end": "0x0007ffab15a6000", 265 | "name": "ncrypt.dll" 266 | }, 267 | { 268 | "start": "0x0007ffab15b0000", 269 | "end": "0x0007ffab15d5000", 270 | "name": "bcrypt.dll" 271 | }, 272 | { 273 | "start": "0x0007ffab19e0000", 274 | "end": "0x0007ffab1a10000", 275 | "name": "SspiCli.dll" 276 | }, 277 | { 278 | "start": "0x0007ffab1ab0000", 279 | "end": "0x0007ffab1afc000", 280 | "name": "powrprof.dll" 281 | }, 282 | { 283 | "start": "0x0007ffab1b00000", 284 | "end": "0x0007ffab1b1f000", 285 | "name": "profapi.dll" 286 | }, 287 | { 288 | "start": "0x0007ffab1b20000", 289 | "end": "0x0007ffab1b2a000", 290 | "name": "FLTLIB.dll" 291 | }, 292 | { 293 | "start": "0x0007ffab1b30000", 294 | "end": "0x0007ffab1b42000", 295 | "name": "MSASN1.dll" 296 | }, 297 | { 298 | "start": "0x0007ffab1b50000", 299 | "end": "0x0007ffab1b61000", 300 | "name": "kernel.appcore.dll" 301 | }, 302 | { 303 | "start": "0x0007ffab1b70000", 304 | "end": "0x0007ffab1de3000", 305 | "name": "KERNELBASE.dll" 306 | }, 307 | { 308 | "start": "0x0007ffab1df0000", 309 | "end": "0x0007ffab1e6a000", 310 | "name": "bcryptPrimitives.dll" 311 | }, 312 | { 313 | "start": "0x0007ffab1e70000", 314 | "end": 
"0x0007ffab1f0f000", 315 | "name": "msvcp_win.dll" 316 | }, 317 | { 318 | "start": "0x0007ffab1f10000", 319 | "end": "0x0007ffab261d000", 320 | "name": "windows.storage.dll" 321 | }, 322 | { 323 | "start": "0x0007ffab2620000", 324 | "end": "0x0007ffab2669000", 325 | "name": "cfgmgr32.dll" 326 | }, 327 | { 328 | "start": "0x0007ffab2670000", 329 | "end": "0x0007ffab276a000", 330 | "name": "ucrtbase.dll" 331 | }, 332 | { 333 | "start": "0x0007ffab27d0000", 334 | "end": "0x0007ffab29b2000", 335 | "name": "CRYPT32.dll" 336 | }, 337 | { 338 | "start": "0x0007ffab2a70000", 339 | "end": "0x0007ffab2a90000", 340 | "name": "win32u.dll" 341 | }, 342 | { 343 | "start": "0x0007ffab2a90000", 344 | "end": "0x0007ffab2c22000", 345 | "name": "gdi32full.dll" 346 | }, 347 | { 348 | "start": "0x0007ffab2c30000", 349 | "end": "0x0007ffab2ce2000", 350 | "name": "KERNEL32.dll" 351 | }, 352 | { 353 | "start": "0x0007ffab2cf0000", 354 | "end": "0x0007ffab2e14000", 355 | "name": "RPCRT4.dll" 356 | }, 357 | { 358 | "start": "0x0007ffab2e20000", 359 | "end": "0x0007ffab2fb0000", 360 | "name": "user32.dll" 361 | }, 362 | { 363 | "start": "0x0007ffab3160000", 364 | "end": "0x0007ffab3483000", 365 | "name": "combase.dll" 366 | }, 367 | { 368 | "start": "0x0007ffab34b0000", 369 | "end": "0x0007ffab34dd000", 370 | "name": "IMM32.dll" 371 | }, 372 | { 373 | "start": "0x0007ffab3a50000", 374 | "end": "0x0007ffab3a78000", 375 | "name": "GDI32.dll" 376 | }, 377 | { 378 | "start": "0x0007ffab3a80000", 379 | "end": "0x0007ffab3b42000", 380 | "name": "OLEAUT32.dll" 381 | }, 382 | { 383 | "start": "0x0007ffab3c10000", 384 | "end": "0x0007ffab3d85000", 385 | "name": "MSCTF.dll" 386 | }, 387 | { 388 | "start": "0x0007ffab3d90000", 389 | "end": "0x0007ffab3deb000", 390 | "name": "sechost.dll" 391 | }, 392 | { 393 | "start": "0x0007ffab3ee0000", 394 | "end": "0x0007ffab4031000", 395 | "name": "ole32.dll" 396 | }, 397 | { 398 | "start": "0x0007ffab4040000", 399 | "end": "0x0007ffab4091000", 400 | "name": 
"shlwapi.dll" 401 | }, 402 | { 403 | "start": "0x0007ffab40a0000", 404 | "end": "0x0007ffab4141000", 405 | "name": "advapi32.dll" 406 | }, 407 | { 408 | "start": "0x0007ffab4150000", 409 | "end": "0x0007ffab41f9000", 410 | "name": "shcore.dll" 411 | }, 412 | { 413 | "start": "0x0007ffab4220000", 414 | "end": "0x0007ffab428c000", 415 | "name": "WS2_32.dll" 416 | }, 417 | { 418 | "start": "0x0007ffab4290000", 419 | "end": "0x0007ffab432e000", 420 | "name": "msvcrt.dll" 421 | }, 422 | { 423 | "start": "0x0007ffab4330000", 424 | "end": "0x0007ffab5770000", 425 | "name": "SHELL32.dll" 426 | }, 427 | { 428 | "start": "0x0007ffab57a0000", 429 | "end": "0x0007ffab5981000", 430 | "name": "ntdll.dll" 431 | }, 432 | { 433 | "start": "0xfffff3eb6ff80000", 434 | "end": "0xfffff3eb6fffc000", 435 | "name": "win32k.sys" 436 | }, 437 | { 438 | "start": "0xfffff3eb70000000", 439 | "end": "0xfffff3eb70234000", 440 | "name": "win32kbase.sys" 441 | }, 442 | { 443 | "start": "0xfffff3eb70240000", 444 | "end": "0xfffff3eb7027f000", 445 | "name": "cdd.dll" 446 | }, 447 | { 448 | "start": "0xfffff3eb704e0000", 449 | "end": "0xfffff3eb70872000", 450 | "name": "win32kfull.sys" 451 | }, 452 | { 453 | "start": "0xfffff803f2a09000", 454 | "end": "0xfffff803f2a95000", 455 | "name": "hal.dll" 456 | }, 457 | { 458 | "start": "0xfffff803f2a95000", 459 | "end": "0xfffff803f33fa000", 460 | "name": "nt" 461 | }, 462 | { 463 | "start": "0xfffff803f3600000", 464 | "end": "0xfffff803f360c000", 465 | "name": "kdstub.dll" 466 | }, 467 | { 468 | "start": "0xfffff803f360c000", 469 | "end": "0xfffff803f363a000", 470 | "name": "kdnet.dll" 471 | }, 472 | { 473 | "start": "0xfffff80d24000000", 474 | "end": "0xfffff80d24060000", 475 | "name": "msrpc.sys" 476 | }, 477 | { 478 | "start": "0xfffff80d24060000", 479 | "end": "0xfffff80d2408a000", 480 | "name": "ksecdd.sys" 481 | }, 482 | { 483 | "start": "0xfffff80d24090000", 484 | "end": "0xfffff80d240a1000", 485 | "name": "werkernel.sys" 486 | }, 487 | { 488 | 
"start": "0xfffff80d240b0000", 489 | "end": "0xfffff80d24114000", 490 | "name": "CLFS.sys" 491 | }, 492 | { 493 | "start": "0xfffff80d24120000", 494 | "end": "0xfffff80d24144000", 495 | "name": "tm.sys" 496 | }, 497 | { 498 | "start": "0xfffff80d24150000", 499 | "end": "0xfffff80d24167000", 500 | "name": "PSHED.dll" 501 | }, 502 | { 503 | "start": "0xfffff80d24170000", 504 | "end": "0xfffff80d2417b000", 505 | "name": "BOOTVID.dll" 506 | }, 507 | { 508 | "start": "0xfffff80d24180000", 509 | "end": "0xfffff80d241e9000", 510 | "name": "FLTMGR.sys" 511 | }, 512 | { 513 | "start": "0xfffff80d241f0000", 514 | "end": "0xfffff80d242f2000", 515 | "name": "clipsp.sys" 516 | }, 517 | { 518 | "start": "0xfffff80d24300000", 519 | "end": "0xfffff80d2430e000", 520 | "name": "cmimcext.sys" 521 | }, 522 | { 523 | "start": "0xfffff80d24310000", 524 | "end": "0xfffff80d2431c000", 525 | "name": "ntosext.sys" 526 | }, 527 | { 528 | "start": "0xfffff80d24320000", 529 | "end": "0xfffff80d243d5000", 530 | "name": "CI.dll" 531 | }, 532 | { 533 | "start": "0xfffff80d243e0000", 534 | "end": "0xfffff80d24492000", 535 | "name": "cng.sys" 536 | }, 537 | { 538 | "start": "0xfffff80d244a0000", 539 | "end": "0xfffff80d24584000", 540 | "name": "Wdf01000.sys" 541 | }, 542 | { 543 | "start": "0xfffff80d24590000", 544 | "end": "0xfffff80d245a3000", 545 | "name": "WDFLDR.sys" 546 | }, 547 | { 548 | "start": "0xfffff80d245b0000", 549 | "end": "0xfffff80d245be000", 550 | "name": "WppRecorder.sys" 551 | }, 552 | { 553 | "start": "0xfffff80d245c0000", 554 | "end": "0xfffff80d245cf000", 555 | "name": "SleepStudyHelper.sys" 556 | }, 557 | { 558 | "start": "0xfffff80d245d0000", 559 | "end": "0xfffff80d245f3000", 560 | "name": "acpiex.sys" 561 | }, 562 | { 563 | "start": "0xfffff80d24600000", 564 | "end": "0xfffff80d2464f000", 565 | "name": "mssecflt.sys" 566 | }, 567 | { 568 | "start": "0xfffff80d24650000", 569 | "end": "0xfffff80d24665000", 570 | "name": "SgrmAgent.sys" 571 | }, 572 | { 573 | "start": 
"0xfffff80d24670000", 574 | "end": "0xfffff80d24715000", 575 | "name": "ACPI.sys" 576 | }, 577 | { 578 | "start": "0xfffff80d24720000", 579 | "end": "0xfffff80d2472c000", 580 | "name": "WMILIB.sys" 581 | }, 582 | { 583 | "start": "0xfffff80d24740000", 584 | "end": "0xfffff80d2476f000", 585 | "name": "intelpep.sys" 586 | }, 587 | { 588 | "start": "0xfffff80d24770000", 589 | "end": "0xfffff80d24786000", 590 | "name": "WindowsTrustedRT.sys" 591 | }, 592 | { 593 | "start": "0xfffff80d24790000", 594 | "end": "0xfffff80d2479b000", 595 | "name": "WindowsTrustedRTProxy.sys" 596 | }, 597 | { 598 | "start": "0xfffff80d247a0000", 599 | "end": "0xfffff80d247b4000", 600 | "name": "pcw.sys" 601 | }, 602 | { 603 | "start": "0xfffff80d247c0000", 604 | "end": "0xfffff80d247d2000", 605 | "name": "vdrvroot.sys" 606 | }, 607 | { 608 | "start": "0xfffff80d247e0000", 609 | "end": "0xfffff80d24808000", 610 | "name": "pdc.sys" 611 | }, 612 | { 613 | "start": "0xfffff80d24810000", 614 | "end": "0xfffff80d24829000", 615 | "name": "CEA.sys" 616 | }, 617 | { 618 | "start": "0xfffff80d24830000", 619 | "end": "0xfffff80d2485d000", 620 | "name": "partmgr.sys" 621 | }, 622 | { 623 | "start": "0xfffff80d248a0000", 624 | "end": "0xfffff80d249f9000", 625 | "name": "mcupdate_GenuineIntel.dll" 626 | }, 627 | { 628 | "start": "0xfffff80d24a00000", 629 | "end": "0xfffff80d24a89000", 630 | "name": "NETIO.sys" 631 | }, 632 | { 633 | "start": "0xfffff80d24a90000", 634 | "end": "0xfffff80d24ab6000", 635 | "name": "hvsocket.sys" 636 | }, 637 | { 638 | "start": "0xfffff80d24ac0000", 639 | "end": "0xfffff80d24ad9000", 640 | "name": "vmbkmcl.sys" 641 | }, 642 | { 643 | "start": "0xfffff80d24ae0000", 644 | "end": "0xfffff80d24af0000", 645 | "name": "winhv.sys" 646 | }, 647 | { 648 | "start": "0xfffff80d24af0000", 649 | "end": "0xfffff80d24b4e000", 650 | "name": "volmgrx.sys" 651 | }, 652 | { 653 | "start": "0xfffff80d24b50000", 654 | "end": "0xfffff80d24b6e000", 655 | "name": "mountmgr.sys" 656 | }, 657 | { 658 
| "start": "0xfffff80d24b70000", 659 | "end": "0xfffff80d24b8c000", 660 | "name": "EhStorClass.sys" 661 | }, 662 | { 663 | "start": "0xfffff80d24b90000", 664 | "end": "0xfffff80d24baa000", 665 | "name": "fileinfo.sys" 666 | }, 667 | { 668 | "start": "0xfffff80d24bb0000", 669 | "end": "0xfffff80d24beb000", 670 | "name": "Wof.sys" 671 | }, 672 | { 673 | "start": "0xfffff80d24bf0000", 674 | "end": "0xfffff80d24c47000", 675 | "name": "WdFilter.sys" 676 | }, 677 | { 678 | "start": "0xfffff80d24c50000", 679 | "end": "0xfffff80d24eab000", 680 | "name": "Ntfs.sys" 681 | }, 682 | { 683 | "start": "0xfffff80d24eb0000", 684 | "end": "0xfffff80d24ebf000", 685 | "name": "storvsc.sys" 686 | }, 687 | { 688 | "start": "0xfffff80d24ec0000", 689 | "end": "0xfffff80d24f4f000", 690 | "name": "storport.sys" 691 | }, 692 | { 693 | "start": "0xfffff80d24f50000", 694 | "end": "0xfffff80d24f5d000", 695 | "name": "Fs_Rec.sys" 696 | }, 697 | { 698 | "start": "0xfffff80d24f60000", 699 | "end": "0xfffff80d24f90000", 700 | "name": "ksecpkg.sys" 701 | }, 702 | { 703 | "start": "0xfffff80d24f90000", 704 | "end": "0xfffff80d2502e000", 705 | "name": "afd.sys" 706 | }, 707 | { 708 | "start": "0xfffff80d25030000", 709 | "end": "0xfffff80d250a6000", 710 | "name": "rdbss.sys" 711 | }, 712 | { 713 | "start": "0xfffff80d250b0000", 714 | "end": "0xfffff80d25140000", 715 | "name": "csc.sys" 716 | }, 717 | { 718 | "start": "0xfffff80d25140000", 719 | "end": "0xfffff80d2514a000", 720 | "name": "gpuenergydrv.sys" 721 | }, 722 | { 723 | "start": "0xfffff80d25150000", 724 | "end": "0xfffff80d25179000", 725 | "name": "dfsc.sys" 726 | }, 727 | { 728 | "start": "0xfffff80d25190000", 729 | "end": "0xfffff80d25229000", 730 | "name": "spaceport.sys" 731 | }, 732 | { 733 | "start": "0xfffff80d25230000", 734 | "end": "0xfffff80d25249000", 735 | "name": "volmgr.sys" 736 | }, 737 | { 738 | "start": "0xfffff80d25250000", 739 | "end": "0xfffff80d25274000", 740 | "name": "vmbus.sys" 741 | }, 742 | { 743 | "start": 
"0xfffff80d25280000", 744 | "end": "0xfffff80d253c1000", 745 | "name": "NDIS.sys" 746 | }, 747 | { 748 | "start": "0xfffff80d25400000", 749 | "end": "0xfffff80d254bc000", 750 | "name": "fvevol.sys" 751 | }, 752 | { 753 | "start": "0xfffff80d254c0000", 754 | "end": "0xfffff80d254cb000", 755 | "name": "volume.sys" 756 | }, 757 | { 758 | "start": "0xfffff80d254d0000", 759 | "end": "0xfffff80d25537000", 760 | "name": "volsnap.sys" 761 | }, 762 | { 763 | "start": "0xfffff80d25540000", 764 | "end": "0xfffff80d2558c000", 765 | "name": "rdyboost.sys" 766 | }, 767 | { 768 | "start": "0xfffff80d25590000", 769 | "end": "0xfffff80d255b4000", 770 | "name": "mup.sys" 771 | }, 772 | { 773 | "start": "0xfffff80d255c0000", 774 | "end": "0xfffff80d255d1000", 775 | "name": "iorate.sys" 776 | }, 777 | { 778 | "start": "0xfffff80d255e0000", 779 | "end": "0xfffff80d255ef000", 780 | "name": "mssmbios.sys" 781 | }, 782 | { 783 | "start": "0xfffff80d255f0000", 784 | "end": "0xfffff80d2560c000", 785 | "name": "disk.sys" 786 | }, 787 | { 788 | "start": "0xfffff80d25610000", 789 | "end": "0xfffff80d2567b000", 790 | "name": "CLASSPNP.sys" 791 | }, 792 | { 793 | "start": "0xfffff80d256a0000", 794 | "end": "0xfffff80d256bc000", 795 | "name": "crashdmp.sys" 796 | }, 797 | { 798 | "start": "0xfffff80d25760000", 799 | "end": "0xfffff80d2578e000", 800 | "name": "cdrom.sys" 801 | }, 802 | { 803 | "start": "0xfffff80d25790000", 804 | "end": "0xfffff80d257a4000", 805 | "name": "filecrypt.sys" 806 | }, 807 | { 808 | "start": "0xfffff80d257b0000", 809 | "end": "0xfffff80d257bd000", 810 | "name": "tbs.sys" 811 | }, 812 | { 813 | "start": "0xfffff80d257c0000", 814 | "end": "0xfffff80d257ca000", 815 | "name": "Null.sys" 816 | }, 817 | { 818 | "start": "0xfffff80d257d0000", 819 | "end": "0xfffff80d257da000", 820 | "name": "Beep.sys" 821 | }, 822 | { 823 | "start": "0xfffff80d257e0000", 824 | "end": "0xfffff80d25a99000", 825 | "name": "dxgkrnl.sys" 826 | }, 827 | { 828 | "start": "0xfffff80d25aa0000", 829 | 
"end": "0xfffff80d25ab4000", 830 | "name": "watchdog.sys" 831 | }, 832 | { 833 | "start": "0xfffff80d25ac0000", 834 | "end": "0xfffff80d25ada000", 835 | "name": "vmbkmclr.sys" 836 | }, 837 | { 838 | "start": "0xfffff80d25ae0000", 839 | "end": "0xfffff80d25af6000", 840 | "name": "BasicDisplay.sys" 841 | }, 842 | { 843 | "start": "0xfffff80d25b00000", 844 | "end": "0xfffff80d25b10000", 845 | "name": "BasicRender.sys" 846 | }, 847 | { 848 | "start": "0xfffff80d25b10000", 849 | "end": "0xfffff80d25b2b000", 850 | "name": "Npfs.sys" 851 | }, 852 | { 853 | "start": "0xfffff80d25b30000", 854 | "end": "0xfffff80d25b40000", 855 | "name": "Msfs.sys" 856 | }, 857 | { 858 | "start": "0xfffff80d25b40000", 859 | "end": "0xfffff80d25b63000", 860 | "name": "tdx.sys" 861 | }, 862 | { 863 | "start": "0xfffff80d25b70000", 864 | "end": "0xfffff80d25b80000", 865 | "name": "TDI.sys" 866 | }, 867 | { 868 | "start": "0xfffff80d25b80000", 869 | "end": "0xfffff80d25bd4000", 870 | "name": "netbt.sys" 871 | }, 872 | { 873 | "start": "0xfffff80d25be0000", 874 | "end": "0xfffff80d25bf3000", 875 | "name": "afunix.sys" 876 | }, 877 | { 878 | "start": "0xfffff80d25c00000", 879 | "end": "0xfffff80d25c1a000", 880 | "name": "vwififlt.sys" 881 | }, 882 | { 883 | "start": "0xfffff80d25c20000", 884 | "end": "0xfffff80d25c49000", 885 | "name": "pacer.sys" 886 | }, 887 | { 888 | "start": "0xfffff80d25c50000", 889 | "end": "0xfffff80d25c62000", 890 | "name": "netbios.sys" 891 | }, 892 | { 893 | "start": "0xfffff80d25c70000", 894 | "end": "0xfffff80d25f14000", 895 | "name": "tcpip.sys" 896 | }, 897 | { 898 | "start": "0xfffff80d25f20000", 899 | "end": "0xfffff80d25f96000", 900 | "name": "fwpkclnt.sys" 901 | }, 902 | { 903 | "start": "0xfffff80d25fa0000", 904 | "end": "0xfffff80d25fcd000", 905 | "name": "wfplwfs.sys" 906 | }, 907 | { 908 | "start": "0xfffff80d25fd0000", 909 | "end": "0xfffff80d25fe2000", 910 | "name": "nsiproxy.sys" 911 | }, 912 | { 913 | "start": "0xfffff80d25ff0000", 914 | "end": 
"0xfffff80d25ffd000", 915 | "name": "npsvctrig.sys" 916 | }, 917 | { 918 | "start": "0xfffff80d26200000", 919 | "end": "0xfffff80d26245000", 920 | "name": "ahcache.sys" 921 | }, 922 | { 923 | "start": "0xfffff80d26250000", 924 | "end": "0xfffff80d26261000", 925 | "name": "CompositeBus.sys" 926 | }, 927 | { 928 | "start": "0xfffff80d26270000", 929 | "end": "0xfffff80d2627d000", 930 | "name": "kdnic.sys" 931 | }, 932 | { 933 | "start": "0xfffff80d26280000", 934 | "end": "0xfffff80d26295000", 935 | "name": "umbus.sys" 936 | }, 937 | { 938 | "start": "0xfffff80d262a0000", 939 | "end": "0xfffff80d262b3000", 940 | "name": "dmvsc.sys" 941 | }, 942 | { 943 | "start": "0xfffff80d262c0000", 944 | "end": "0xfffff80d262ce000", 945 | "name": "VMBusHID.sys" 946 | }, 947 | { 948 | "start": "0xfffff80d262d0000", 949 | "end": "0xfffff80d26303000", 950 | "name": "HIDCLASS.sys" 951 | }, 952 | { 953 | "start": "0xfffff80d26310000", 954 | "end": "0xfffff80d26323000", 955 | "name": "HIDPARSE.sys" 956 | }, 957 | { 958 | "start": "0xfffff80d26330000", 959 | "end": "0xfffff80d2633c000", 960 | "name": "hyperkbd.sys" 961 | }, 962 | { 963 | "start": "0xfffff80d26340000", 964 | "end": "0xfffff80d26353000", 965 | "name": "kbdclass.sys" 966 | }, 967 | { 968 | "start": "0xfffff80d26360000", 969 | "end": "0xfffff80d2636f000", 970 | "name": "HyperVideo.sys" 971 | }, 972 | { 973 | "start": "0xfffff80d26370000", 974 | "end": "0xfffff80d2637b000", 975 | "name": "vmgencounter.sys" 976 | }, 977 | { 978 | "start": "0xfffff80d26380000", 979 | "end": "0xfffff80d263bd000", 980 | "name": "intelppm.sys" 981 | }, 982 | { 983 | "start": "0xfffff80d263c0000", 984 | "end": "0xfffff80d263cd000", 985 | "name": "NdisVirtualBus.sys" 986 | }, 987 | { 988 | "start": "0xfffff80d263d0000", 989 | "end": "0xfffff80d263dc000", 990 | "name": "swenum.sys" 991 | }, 992 | { 993 | "start": "0xfffff80d263e0000", 994 | "end": "0xfffff80d2644b000", 995 | "name": "ks.sys" 996 | }, 997 | { 998 | "start": "0xfffff80d26450000", 999 | 
"end": "0xfffff80d2645e000", 1000 | "name": "rdpbus.sys" 1001 | }, 1002 | { 1003 | "start": "0xfffff80d26460000", 1004 | "end": "0xfffff80d2646f000", 1005 | "name": "mouhid.sys" 1006 | }, 1007 | { 1008 | "start": "0xfffff80d26470000", 1009 | "end": "0xfffff80d26481000", 1010 | "name": "mouclass.sys" 1011 | }, 1012 | { 1013 | "start": "0xfffff80d26490000", 1014 | "end": "0xfffff80d264e6000", 1015 | "name": "udfs.sys" 1016 | }, 1017 | { 1018 | "start": "0xfffff80d26500000", 1019 | "end": "0xfffff80d2650f000", 1020 | "name": "dump_diskdump.sys" 1021 | }, 1022 | { 1023 | "start": "0xfffff80d26520000", 1024 | "end": "0xfffff80d2652f000", 1025 | "name": "dump_storvsc.sys" 1026 | }, 1027 | { 1028 | "start": "0xfffff80d26530000", 1029 | "end": "0xfffff80d26549000", 1030 | "name": "dump_vmbkmcl.sys" 1031 | }, 1032 | { 1033 | "start": "0xfffff80d26570000", 1034 | "end": "0xfffff80d2658d000", 1035 | "name": "dump_dumpfve.sys" 1036 | }, 1037 | { 1038 | "start": "0xfffff80d26590000", 1039 | "end": "0xfffff80d265a1000", 1040 | "name": "monitor.sys" 1041 | }, 1042 | { 1043 | "start": "0xfffff80d265b0000", 1044 | "end": "0xfffff80d26676000", 1045 | "name": "dxgmms2.sys" 1046 | }, 1047 | { 1048 | "start": "0xfffff80d26680000", 1049 | "end": "0xfffff80d2668d000", 1050 | "name": "rdpvideominiport.sys" 1051 | }, 1052 | { 1053 | "start": "0xfffff80d26690000", 1054 | "end": "0xfffff80d266c2000", 1055 | "name": "rdpdr.sys" 1056 | }, 1057 | { 1058 | "start": "0xfffff80d266d0000", 1059 | "end": "0xfffff80d266f5000", 1060 | "name": "tsusbhub.sys" 1061 | }, 1062 | { 1063 | "start": "0xfffff80d26700000", 1064 | "end": "0xfffff80d26727000", 1065 | "name": "luafv.sys" 1066 | }, 1067 | { 1068 | "start": "0xfffff80d26730000", 1069 | "end": "0xfffff80d26758000", 1070 | "name": "wcifs.sys" 1071 | }, 1072 | { 1073 | "start": "0xfffff80d26760000", 1074 | "end": "0xfffff80d267ce000", 1075 | "name": "cldflt.sys" 1076 | }, 1077 | { 1078 | "start": "0xfffff80d267d0000", 1079 | "end": 
"0xfffff80d267e9000", 1080 | "name": "storqosflt.sys" 1081 | }, 1082 | { 1083 | "start": "0xfffff80d267f0000", 1084 | "end": "0xfffff80d26811000", 1085 | "name": "bowser.sys" 1086 | }, 1087 | { 1088 | "start": "0xfffff80d26820000", 1089 | "end": "0xfffff80d268a2000", 1090 | "name": "mrxsmb.sys" 1091 | }, 1092 | { 1093 | "start": "0xfffff80d268b0000", 1094 | "end": "0xfffff80d268ed000", 1095 | "name": "mrxsmb20.sys" 1096 | }, 1097 | { 1098 | "start": "0xfffff80d268f0000", 1099 | "end": "0xfffff80d26906000", 1100 | "name": "lltdio.sys" 1101 | }, 1102 | { 1103 | "start": "0xfffff80d26910000", 1104 | "end": "0xfffff80d2692a000", 1105 | "name": "mslldp.sys" 1106 | }, 1107 | { 1108 | "start": "0xfffff80d26930000", 1109 | "end": "0xfffff80d2694a000", 1110 | "name": "rspndr.sys" 1111 | }, 1112 | { 1113 | "start": "0xfffff80d26950000", 1114 | "end": "0xfffff80d2696b000", 1115 | "name": "wanarp.sys" 1116 | }, 1117 | { 1118 | "start": "0xfffff80d26970000", 1119 | "end": "0xfffff80d26a72000", 1120 | "name": "HTTP.sys" 1121 | }, 1122 | { 1123 | "start": "0xfffff80d26a80000", 1124 | "end": "0xfffff80d26a99000", 1125 | "name": "mpsdrv.sys" 1126 | }, 1127 | { 1128 | "start": "0xfffff80d26aa0000", 1129 | "end": "0xfffff80d26ab3000", 1130 | "name": "mmcss.sys" 1131 | }, 1132 | { 1133 | "start": "0xfffff80d26ac0000", 1134 | "end": "0xfffff80d26ae7000", 1135 | "name": "Ndu.sys" 1136 | }, 1137 | { 1138 | "start": "0xfffff80d26af0000", 1139 | "end": "0xfffff80d26b38000", 1140 | "name": "srvnet.sys" 1141 | }, 1142 | { 1143 | "start": "0xfffff80d26b80000", 1144 | "end": "0xfffff80d26be0000", 1145 | "name": "fastfat.sys" 1146 | }, 1147 | { 1148 | "start": "0xfffff80d26be0000", 1149 | "end": "0xfffff80d26bf4000", 1150 | "name": "bam.sys" 1151 | }, 1152 | { 1153 | "start": "0xfffff80d26e00000", 1154 | "end": "0xfffff80d26ec0000", 1155 | "name": "peauth.sys" 1156 | }, 1157 | { 1158 | "start": "0xfffff80d26ec0000", 1159 | "end": "0xfffff80d26ed3000", 1160 | "name": "tcpipreg.sys" 1161 | }, 
1162 | { 1163 | "start": "0xfffff80d26ee0000", 1164 | "end": "0xfffff80d26efb000", 1165 | "name": "rassstp.sys" 1166 | }, 1167 | { 1168 | "start": "0xfffff80d26f00000", 1169 | "end": "0xfffff80d26f16000", 1170 | "name": "NDProxy.sys" 1171 | }, 1172 | { 1173 | "start": "0xfffff80d26f20000", 1174 | "end": "0xfffff80d26f47000", 1175 | "name": "AgileVpn.sys" 1176 | }, 1177 | { 1178 | "start": "0xfffff80d26f50000", 1179 | "end": "0xfffff80d26f70000", 1180 | "name": "rasl2tp.sys" 1181 | }, 1182 | { 1183 | "start": "0xfffff80d26f70000", 1184 | "end": "0xfffff80d26f8f000", 1185 | "name": "raspptp.sys" 1186 | }, 1187 | { 1188 | "start": "0xfffff80d26f90000", 1189 | "end": "0xfffff80d26fab000", 1190 | "name": "raspppoe.sys" 1191 | }, 1192 | { 1193 | "start": "0xfffff80d26fb0000", 1194 | "end": "0xfffff80d26fbf000", 1195 | "name": "ndistapi.sys" 1196 | }, 1197 | { 1198 | "start": "0xfffff80d26fc0000", 1199 | "end": "0xfffff80d26ff7000", 1200 | "name": "ndiswan.sys" 1201 | }, 1202 | { 1203 | "start": "0xfffff80d27000000", 1204 | "end": "0xfffff80d27011000", 1205 | "name": "WdNisDrv.sys" 1206 | }, 1207 | { 1208 | "start": "0xfffff80d27940000", 1209 | "end": "0xfffff80d279fc000", 1210 | "name": "srv2.sys" 1211 | } 1212 | ] -------------------------------------------------------------------------------- /tests/modules_4.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "start": "0xfffff4a614000000", 4 | "end": "0xfffff4a61435b000", 5 | "name": "win32kbase.sys" 6 | }, 7 | { 8 | "start": "0xfffff4a614360000", 9 | "end": "0xfffff4a61473a000", 10 | "name": "win32kfull.sys" 11 | }, 12 | { 13 | "start": "0xfffff4a614740000", 14 | "end": "0xfffff4a614787000", 15 | "name": "cdd.dll" 16 | }, 17 | { 18 | "start": "0xfffff4a614c60000", 19 | "end": "0xfffff4a614d0b000", 20 | "name": "win32k.sys" 21 | }, 22 | { 23 | "start": "0xfffff8074fc70000", 24 | "end": "0xfffff8074fff3000", 25 | "name": "mcupdate_GenuineIntel.dll" 26 | }, 27 | { 28 | 
"start": "0xfffff80750001000", 29 | "end": "0xfffff80751048000", 30 | "name": "nt" 31 | }, 32 | { 33 | "start": "0xfffff80751200000", 34 | "end": "0xfffff80751206000", 35 | "name": "hal.dll" 36 | }, 37 | { 38 | "start": "0xfffff80751210000", 39 | "end": "0xfffff8075121b000", 40 | "name": "kd.dll" 41 | }, 42 | { 43 | "start": "0xfffff80751220000", 44 | "end": "0xfffff80751249000", 45 | "name": "tm.sys" 46 | }, 47 | { 48 | "start": "0xfffff80751250000", 49 | "end": "0xfffff807512bf000", 50 | "name": "CLFS.sys" 51 | }, 52 | { 53 | "start": "0xfffff807512c0000", 54 | "end": "0xfffff807512db000", 55 | "name": "PSHED.dll" 56 | }, 57 | { 58 | "start": "0xfffff807512e0000", 59 | "end": "0xfffff807512ed000", 60 | "name": "BOOTVID.dll" 61 | }, 62 | { 63 | "start": "0xfffff807512f0000", 64 | "end": "0xfffff80751405000", 65 | "name": "clipsp.sys" 66 | }, 67 | { 68 | "start": "0xfffff80751410000", 69 | "end": "0xfffff8075148a000", 70 | "name": "FLTMGR.sys" 71 | }, 72 | { 73 | "start": "0xfffff80751490000", 74 | "end": "0xfffff807514bc000", 75 | "name": "ksecdd.sys" 76 | }, 77 | { 78 | "start": "0xfffff807514c0000", 79 | "end": "0xfffff80751522000", 80 | "name": "msrpc.sys" 81 | }, 82 | { 83 | "start": "0xfffff80751530000", 84 | "end": "0xfffff8075153f000", 85 | "name": "cmimcext.sys" 86 | }, 87 | { 88 | "start": "0xfffff80751540000", 89 | "end": "0xfffff80751556000", 90 | "name": "werkernel.sys" 91 | }, 92 | { 93 | "start": "0xfffff80751560000", 94 | "end": "0xfffff80751657000", 95 | "name": "CI.dll" 96 | }, 97 | { 98 | "start": "0xfffff80751660000", 99 | "end": "0xfffff8075171e000", 100 | "name": "cng.sys" 101 | }, 102 | { 103 | "start": "0xfffff80751720000", 104 | "end": "0xfffff807517e7000", 105 | "name": "Wdf01000.sys" 106 | }, 107 | { 108 | "start": "0xfffff807517f0000", 109 | "end": "0xfffff80751807000", 110 | "name": "WDFLDR.sys" 111 | }, 112 | { 113 | "start": "0xfffff80751810000", 114 | "end": "0xfffff80751823000", 115 | "name": "WppRecorder.sys" 116 | }, 117 | { 118 | 
"start": "0xfffff80751830000", 119 | "end": "0xfffff80751857000", 120 | "name": "acpiex.sys" 121 | }, 122 | { 123 | "start": "0xfffff80751860000", 124 | "end": "0xfffff8075186f000", 125 | "name": "msseccore.sys" 126 | }, 127 | { 128 | "start": "0xfffff80751870000", 129 | "end": "0xfffff80751928000", 130 | "name": "ACPI.sys" 131 | }, 132 | { 133 | "start": "0xfffff80751930000", 134 | "end": "0xfffff8075193c000", 135 | "name": "WMILIB.sys" 136 | }, 137 | { 138 | "start": "0xfffff80751940000", 139 | "end": "0xfffff80751958000", 140 | "name": "WindowsTrustedRT.sys" 141 | }, 142 | { 143 | "start": "0xfffff80751960000", 144 | "end": "0xfffff807519e6000", 145 | "name": "intelpep.sys" 146 | }, 147 | { 148 | "start": "0xfffff807519f0000", 149 | "end": "0xfffff807519fb000", 150 | "name": "WindowsTrustedRTProxy.sys" 151 | }, 152 | { 153 | "start": "0xfffff80751a00000", 154 | "end": "0xfffff80751a13000", 155 | "name": "IntelPMT.sys" 156 | }, 157 | { 158 | "start": "0xfffff80751a20000", 159 | "end": "0xfffff80751a36000", 160 | "name": "pcw.sys" 161 | }, 162 | { 163 | "start": "0xfffff80751a40000", 164 | "end": "0xfffff80751a5c000", 165 | "name": "vdrvroot.sys" 166 | }, 167 | { 168 | "start": "0xfffff80751a60000", 169 | "end": "0xfffff80751aa7000", 170 | "name": "ucx01000.sys" 171 | }, 172 | { 173 | "start": "0xfffff80751ab0000", 174 | "end": "0xfffff80751ae1000", 175 | "name": "pdc.sys" 176 | }, 177 | { 178 | "start": "0xfffff80751af0000", 179 | "end": "0xfffff80751b08000", 180 | "name": "CEA.sys" 181 | }, 182 | { 183 | "start": "0xfffff80751b10000", 184 | "end": "0xfffff80751b43000", 185 | "name": "partmgr.sys" 186 | }, 187 | { 188 | "start": "0xfffff80751b50000", 189 | "end": "0xfffff80751b84000", 190 | "name": "vmbus.sys" 191 | }, 192 | { 193 | "start": "0xfffff80751b90000", 194 | "end": "0xfffff80751bb7000", 195 | "name": "vmbkmcl.sys" 196 | }, 197 | { 198 | "start": "0xfffff80751bc0000", 199 | "end": "0xfffff80751bd4000", 200 | "name": "winhv.sys" 201 | }, 202 | { 203 | 
"start": "0xfffff80751be0000", 204 | "end": "0xfffff80751c0a000", 205 | "name": "hvsocket.sys" 206 | }, 207 | { 208 | "start": "0xfffff80751c10000", 209 | "end": "0xfffff80751cb0000", 210 | "name": "NETIO.sys" 211 | }, 212 | { 213 | "start": "0xfffff80751cc0000", 214 | "end": "0xfffff80751e50000", 215 | "name": "NDIS.sys" 216 | }, 217 | { 218 | "start": "0xfffff80751e60000", 219 | "end": "0xfffff80751e7b000", 220 | "name": "vpci.sys" 221 | }, 222 | { 223 | "start": "0xfffff80751e80000", 224 | "end": "0xfffff80751e9c000", 225 | "name": "volmgr.sys" 226 | }, 227 | { 228 | "start": "0xfffff80751ea0000", 229 | "end": "0xfffff80751ef1000", 230 | "name": "sdbus.sys" 231 | }, 232 | { 233 | "start": "0xfffff80751f00000", 234 | "end": "0xfffff80751f19000", 235 | "name": "urscx01000.sys" 236 | }, 237 | { 238 | "start": "0xfffff80751f20000", 239 | "end": "0xfffff80751f3f000", 240 | "name": "mountmgr.sys" 241 | }, 242 | { 243 | "start": "0xfffff80751f40000", 244 | "end": "0xfffff80752055000", 245 | "name": "iaStorAVC.sys" 246 | }, 247 | { 248 | "start": "0xfffff80752060000", 249 | "end": "0xfffff8075217c000", 250 | "name": "storport.sys" 251 | }, 252 | { 253 | "start": "0xfffff80752180000", 254 | "end": "0xfffff8075219c000", 255 | "name": "fileinfo.sys" 256 | }, 257 | { 258 | "start": "0xfffff807521a0000", 259 | "end": "0xfffff807521db000", 260 | "name": "wcifs.sys" 261 | }, 262 | { 263 | "start": "0xfffff807521e0000", 264 | "end": "0xfffff80752513000", 265 | "name": "Ntfs.sys" 266 | }, 267 | { 268 | "start": "0xfffff80752520000", 269 | "end": "0xfffff807525a6000", 270 | "name": "usbhub.sys" 271 | }, 272 | { 273 | "start": "0xfffff807525b0000", 274 | "end": "0xfffff807525bf000", 275 | "name": "USBD.sys" 276 | }, 277 | { 278 | "start": "0xfffff807525c0000", 279 | "end": "0xfffff807525d3000", 280 | "name": "storvsc.sys" 281 | }, 282 | { 283 | "start": "0xfffff807525e0000", 284 | "end": "0xfffff807525ef000", 285 | "name": "urschipidea.sys" 286 | }, 287 | { 288 | "start": 
"0xfffff807525f0000", 289 | "end": "0xfffff80752625000", 290 | "name": "usbccgp.sys" 291 | }, 292 | { 293 | "start": "0xfffff80752630000", 294 | "end": "0xfffff807526e0000", 295 | "name": "UsbHub3.sys" 296 | }, 297 | { 298 | "start": "0xfffff807526f0000", 299 | "end": "0xfffff8075270b000", 300 | "name": "usbehci.sys" 301 | }, 302 | { 303 | "start": "0xfffff80752710000", 304 | "end": "0xfffff80752789000", 305 | "name": "USBPORT.sys" 306 | }, 307 | { 308 | "start": "0xfffff80752790000", 309 | "end": "0xfffff8075279f000", 310 | "name": "Fs_Rec.sys" 311 | }, 312 | { 313 | "start": "0xfffff807527a0000", 314 | "end": "0xfffff807527d5000", 315 | "name": "ksecpkg.sys" 316 | }, 317 | { 318 | "start": "0xfffff807527e0000", 319 | "end": "0xfffff80752b0d000", 320 | "name": "tcpip.sys" 321 | }, 322 | { 323 | "start": "0xfffff80752b10000", 324 | "end": "0xfffff80752b93000", 325 | "name": "fwpkclnt.sys" 326 | }, 327 | { 328 | "start": "0xfffff80752ba0000", 329 | "end": "0xfffff80752bd1000", 330 | "name": "wfplwfs.sys" 331 | }, 332 | { 333 | "start": "0xfffff80752be0000", 334 | "end": "0xfffff80752c88000", 335 | "name": "afd.sys" 336 | }, 337 | { 338 | "start": "0xfffff80752c90000", 339 | "end": "0xfffff80752ca1000", 340 | "name": "TDI.sys" 341 | }, 342 | { 343 | "start": "0xfffff80752cb0000", 344 | "end": "0xfffff80752cc3000", 345 | "name": "condrv.sys" 346 | }, 347 | { 348 | "start": "0xfffff80752cd0000", 349 | "end": "0xfffff80752ce3000", 350 | "name": "vmstorfl.sys" 351 | }, 352 | { 353 | "start": "0xfffff80752cf0000", 354 | "end": "0xfffff80752d17000", 355 | "name": "mup.sys" 356 | }, 357 | { 358 | "start": "0xfffff80752d20000", 359 | "end": "0xfffff80752d9d000", 360 | "name": "rdbss.sys" 361 | }, 362 | { 363 | "start": "0xfffff80752da0000", 364 | "end": "0xfffff80752e44000", 365 | "name": "mrxsmb.sys" 366 | }, 367 | { 368 | "start": "0xfffff80752e50000", 369 | "end": "0xfffff80752ec3000", 370 | "name": "msquic.sys" 371 | }, 372 | { 373 | "start": "0xfffff80752ed0000", 374 | 
"end": "0xfffff80752fa5000", 375 | "name": "fvevol.sys" 376 | }, 377 | { 378 | "start": "0xfffff80752fb0000", 379 | "end": "0xfffff80752fff000", 380 | "name": "mrxsmb20.sys" 381 | }, 382 | { 383 | "start": "0xfffff80753000000", 384 | "end": "0xfffff8075300b000", 385 | "name": "volume.sys" 386 | }, 387 | { 388 | "start": "0xfffff80753010000", 389 | "end": "0xfffff807530b3000", 390 | "name": "USBXHCI.sys" 391 | }, 392 | { 393 | "start": "0xfffff807530c0000", 394 | "end": "0xfffff807530e8000", 395 | "name": "USBSTOR.sys" 396 | }, 397 | { 398 | "start": "0xfffff807530f0000", 399 | "end": "0xfffff8075310b000", 400 | "name": "uaspstor.sys" 401 | }, 402 | { 403 | "start": "0xfffff80753110000", 404 | "end": "0xfffff80753129000", 405 | "name": "storufs.sys" 406 | }, 407 | { 408 | "start": "0xfffff80753130000", 409 | "end": "0xfffff8075314e000", 410 | "name": "sdstor.sys" 411 | }, 412 | { 413 | "start": "0xfffff80753150000", 414 | "end": "0xfffff807531a1000", 415 | "name": "rdyboost.sys" 416 | }, 417 | { 418 | "start": "0xfffff807531b0000", 419 | "end": "0xfffff807531c4000", 420 | "name": "nvmedisk.sys" 421 | }, 422 | { 423 | "start": "0xfffff807531d0000", 424 | "end": "0xfffff80753247000", 425 | "name": "CLASSPNP.sys" 426 | }, 427 | { 428 | "start": "0xfffff80753270000", 429 | "end": "0xfffff80753280000", 430 | "name": "hvcrash.sys" 431 | }, 432 | { 433 | "start": "0xfffff80753290000", 434 | "end": "0xfffff807532b0000", 435 | "name": "disk.sys" 436 | }, 437 | { 438 | "start": "0xfffff80753800000", 439 | "end": "0xfffff80753832000", 440 | "name": "cdrom.sys" 441 | }, 442 | { 443 | "start": "0xfffff80753840000", 444 | "end": "0xfffff8075384b000", 445 | "name": "Null.sys" 446 | }, 447 | { 448 | "start": "0xfffff80753850000", 449 | "end": "0xfffff80753cd6000", 450 | "name": "dxgkrnl.sys" 451 | }, 452 | { 453 | "start": "0xfffff80753ce0000", 454 | "end": "0xfffff80753d02000", 455 | "name": "watchdog.sys" 456 | }, 457 | { 458 | "start": "0xfffff80753d10000", 459 | "end": 
"0xfffff80753d27000", 460 | "name": "BasicDisplay.sys" 461 | }, 462 | { 463 | "start": "0xfffff80753d30000", 464 | "end": "0xfffff80753d42000", 465 | "name": "BasicRender.sys" 466 | }, 467 | { 468 | "start": "0xfffff80753d50000", 469 | "end": "0xfffff80753d6c000", 470 | "name": "Npfs.sys" 471 | }, 472 | { 473 | "start": "0xfffff80753d70000", 474 | "end": "0xfffff80753d82000", 475 | "name": "Msfs.sys" 476 | }, 477 | { 478 | "start": "0xfffff80753d90000", 479 | "end": "0xfffff80753db8000", 480 | "name": "CimFS.sys" 481 | }, 482 | { 483 | "start": "0xfffff80753dc0000", 484 | "end": "0xfffff80753de4000", 485 | "name": "tdx.sys" 486 | }, 487 | { 488 | "start": "0xfffff80753df0000", 489 | "end": "0xfffff80753e04000", 490 | "name": "afunix.sys" 491 | }, 492 | { 493 | "start": "0xfffff80753e10000", 494 | "end": "0xfffff80753e2b000", 495 | "name": "vwififlt.sys" 496 | }, 497 | { 498 | "start": "0xfffff80753e30000", 499 | "end": "0xfffff80753e5b000", 500 | "name": "pacer.sys" 501 | }, 502 | { 503 | "start": "0xfffff80753e60000", 504 | "end": "0xfffff80753e75000", 505 | "name": "ndiscap.sys" 506 | }, 507 | { 508 | "start": "0xfffff80753e80000", 509 | "end": "0xfffff80753e93000", 510 | "name": "nsiproxy.sys" 511 | }, 512 | { 513 | "start": "0xfffff80753ea0000", 514 | "end": "0xfffff80753eb0000", 515 | "name": "npsvctrig.sys" 516 | }, 517 | { 518 | "start": "0xfffff80753ec0000", 519 | "end": "0xfffff80753ece000", 520 | "name": "hvsocketcontrol.sys" 521 | }, 522 | { 523 | "start": "0xfffff80753ed0000", 524 | "end": "0xfffff80753eff000", 525 | "name": "dfsc.sys" 526 | }, 527 | { 528 | "start": "0xfffff80753f00000", 529 | "end": "0xfffff80753f28000", 530 | "name": "bindflt.sys" 531 | }, 532 | { 533 | "start": "0xfffff80753f40000", 534 | "end": "0xfffff80753f5a000", 535 | "name": "bam.sys" 536 | }, 537 | { 538 | "start": "0xfffff80753f60000", 539 | "end": "0xfffff80753fbc000", 540 | "name": "ahcache.sys" 541 | }, 542 | { 543 | "start": "0xfffff80753fc0000", 544 | "end": 
"0xfffff80753fcf000", 545 | "name": "kdnic.sys" 546 | }, 547 | { 548 | "start": "0xfffff80753fd0000", 549 | "end": "0xfffff80753fe7000", 550 | "name": "umbus.sys" 551 | }, 552 | { 553 | "start": "0xfffff80753ff0000", 554 | "end": "0xfffff80754001000", 555 | "name": "vkrnlintvsc.sys" 556 | }, 557 | { 558 | "start": "0xfffff80754010000", 559 | "end": "0xfffff80754026000", 560 | "name": "dmvsc.sys" 561 | }, 562 | { 563 | "start": "0xfffff80754030000", 564 | "end": "0xfffff8075403c000", 565 | "name": "acpipagr.sys" 566 | }, 567 | { 568 | "start": "0xfffff80754040000", 569 | "end": "0xfffff8075404c000", 570 | "name": "vmgencounter.sys" 571 | }, 572 | { 573 | "start": "0xfffff80754050000", 574 | "end": "0xfffff8075409e000", 575 | "name": "intelppm.sys" 576 | }, 577 | { 578 | "start": "0xfffff807540a0000", 579 | "end": "0xfffff807540ac000", 580 | "name": "swenum.sys" 581 | }, 582 | { 583 | "start": "0xfffff807540b0000", 584 | "end": "0xfffff80754135000", 585 | "name": "ks.sys" 586 | }, 587 | { 588 | "start": "0xfffff80754140000", 589 | "end": "0xfffff80754150000", 590 | "name": "rdpbus.sys" 591 | }, 592 | { 593 | "start": "0xfffff80754160000", 594 | "end": "0xfffff8075416c000", 595 | "name": "WIN32KSGD.sys" 596 | }, 597 | { 598 | "start": "0xfffff80754170000", 599 | "end": "0xfffff80754186000", 600 | "name": "HIDPARSE.sys" 601 | }, 602 | { 603 | "start": "0xfffff80754190000", 604 | "end": "0xfffff807542a7000", 605 | "name": "dxgmms2.sys" 606 | }, 607 | { 608 | "start": "0xfffff807542b0000", 609 | "end": "0xfffff807542bc000", 610 | "name": "vmgid.sys" 611 | }, 612 | { 613 | "start": "0xfffff807542c0000", 614 | "end": "0xfffff807542d5000", 615 | "name": "mmcss.sys" 616 | }, 617 | { 618 | "start": "0xfffff807542e0000", 619 | "end": "0xfffff8075436c000", 620 | "name": "cldflt.sys" 621 | }, 622 | { 623 | "start": "0xfffff807543c0000", 624 | "end": "0xfffff807543e7000", 625 | "name": "crashdmp.sys" 626 | }, 627 | { 628 | "start": "0xfffff80760200000", 629 | "end": 
"0xfffff807603a5000", 630 | "name": "HTTP.sys" 631 | }, 632 | { 633 | "start": "0xfffff807603b0000", 634 | "end": "0xfffff807603cb000", 635 | "name": "mpsdrv.sys" 636 | }, 637 | { 638 | "start": "0xfffff807603d0000", 639 | "end": "0xfffff807603fe000", 640 | "name": "Ndu.sys" 641 | }, 642 | { 643 | "start": "0xfffff80760400000", 644 | "end": "0xfffff8076045c000", 645 | "name": "srvnet.sys" 646 | }, 647 | { 648 | "start": "0xfffff80760460000", 649 | "end": "0xfffff80760475000", 650 | "name": "tcpipreg.sys" 651 | }, 652 | { 653 | "start": "0xfffff80760480000", 654 | "end": "0xfffff80760558000", 655 | "name": "srv2.sys" 656 | }, 657 | { 658 | "start": "0xfffff80760560000", 659 | "end": "0xfffff8076056d000", 660 | "name": "vrd.sys" 661 | }, 662 | { 663 | "start": "0xfffff80760570000", 664 | "end": "0xfffff807605bf000", 665 | "name": "netvsc.sys" 666 | }, 667 | { 668 | "start": "0xfffff807605c0000", 669 | "end": "0xfffff807605d0000", 670 | "name": "terminpt.sys" 671 | }, 672 | { 673 | "start": "0xfffff807605e0000", 674 | "end": "0xfffff807605f5000", 675 | "name": "kbdclass.sys" 676 | }, 677 | { 678 | "start": "0xfffff80760600000", 679 | "end": "0xfffff80760615000", 680 | "name": "mouclass.sys" 681 | }, 682 | { 683 | "start": "0xfffff80760620000", 684 | "end": "0xfffff80760677000", 685 | "name": "WUDFRd.sys" 686 | }, 687 | { 688 | "start": "0xfffff80760680000", 689 | "end": "0xfffff80760696000", 690 | "name": "IndirectKmd.sys" 691 | }, 692 | { 693 | "start": "0xfffff807606e0000", 694 | "end": "0xfffff807606fd000", 695 | "name": "monitor.sys" 696 | }, 697 | { 698 | "start": "0xfffff80760900000", 699 | "end": "0xfffff80760930000", 700 | "name": "rdpdr.sys" 701 | } 702 | ] -------------------------------------------------------------------------------- /tests/modules_5.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "start": "0x450000", 4 | "end": "0x469000", 5 | "name": "Project1.exe" 6 | }, 7 | { 8 | "start": 
"0x74ec0000", 9 | "end": "0x74f5f000", 10 | "name": "apphelp.dll" 11 | }, 12 | { 13 | "start": "0x76120000", 14 | "end": "0x76210000", 15 | "name": "KERNEL32.dLL" 16 | }, 17 | { 18 | "start": "0x76640000", 19 | "end": "0x76855000", 20 | "name": "KERNELBASE.dll" 21 | }, 22 | { 23 | "start": "0x77c30000", 24 | "end": "0x77c3a000", 25 | "name": "wow64cpu.dll" 26 | }, 27 | { 28 | "start": "0x77c40000", 29 | "end": "0x77de3000", 30 | "name": "ntdll.dll" 31 | }, 32 | { 33 | "start": "0x7ff885020000", 34 | "end": "0x7ff885079000", 35 | "name": "wow64.dll" 36 | }, 37 | { 38 | "start": "0x7ff885410000", 39 | "end": "0x7ff885493000", 40 | "name": "wow64win.dll" 41 | }, 42 | { 43 | "start": "0x7ff886f10000", 44 | "end": "0x7ff887105000", 45 | "name": "ntdll.dll" 46 | }, 47 | { 48 | "start": "0xfffff8011f760000", 49 | "end": "0xfffff8011f9ef000", 50 | "name": "mcupdate_GenuineIntel.dll" 51 | }, 52 | { 53 | "start": "0xfffff8011f9f0000", 54 | "end": "0xfffff8011f9f6000", 55 | "name": "hal.dll" 56 | }, 57 | { 58 | "start": "0xfffff8011fa00000", 59 | "end": "0xfffff8011fa0d000", 60 | "name": "kdstub.dll" 61 | }, 62 | { 63 | "start": "0xfffff8011fa10000", 64 | "end": "0xfffff8011fa59000", 65 | "name": "kdnet.dll" 66 | }, 67 | { 68 | "start": "0xfffff8011fa60000", 69 | "end": "0xfffff8011fa87000", 70 | "name": "tm.sys" 71 | }, 72 | { 73 | "start": "0xfffff8011fa90000", 74 | "end": "0xfffff8011fafa000", 75 | "name": "CLFS.SYS" 76 | }, 77 | { 78 | "start": "0xfffff8011fb00000", 79 | "end": "0xfffff8011fb1a000", 80 | "name": "PSHED.dll" 81 | }, 82 | { 83 | "start": "0xfffff8011fb20000", 84 | "end": "0xfffff8011fb2b000", 85 | "name": "BOOTVID.dll" 86 | }, 87 | { 88 | "start": "0xfffff8011fb30000", 89 | "end": "0xfffff8011fb59000", 90 | "name": "ksecdd.sys" 91 | }, 92 | { 93 | "start": "0xfffff80122800000", 94 | "end": "0xfffff80123846000", 95 | "name": "ntoskrnl.exe" 96 | }, 97 | { 98 | "start": "0xfffff80125300000", 99 | "end": "0xfffff80125414000", 100 | "name": "clipsp.sys" 101 | }, 
102 | { 103 | "start": "0xfffff80125420000", 104 | "end": "0xfffff8012548f000", 105 | "name": "FLTMGR.SYS" 106 | }, 107 | { 108 | "start": "0xfffff80125490000", 109 | "end": "0xfffff801254f3000", 110 | "name": "msrpc.sys" 111 | }, 112 | { 113 | "start": "0xfffff80125500000", 114 | "end": "0xfffff8012550e000", 115 | "name": "cmimcext.sys" 116 | }, 117 | { 118 | "start": "0xfffff80125510000", 119 | "end": "0xfffff80125521000", 120 | "name": "werkernel.sys" 121 | }, 122 | { 123 | "start": "0xfffff80125530000", 124 | "end": "0xfffff8012553c000", 125 | "name": "ntosext.sys" 126 | }, 127 | { 128 | "start": "0xfffff80125540000", 129 | "end": "0xfffff80125624000", 130 | "name": "CI.dll" 131 | }, 132 | { 133 | "start": "0xfffff80125630000", 134 | "end": "0xfffff801256eb000", 135 | "name": "cng.sys" 136 | }, 137 | { 138 | "start": "0xfffff801256f0000", 139 | "end": "0xfffff801257c1000", 140 | "name": "Wdf01000.sys" 141 | }, 142 | { 143 | "start": "0xfffff801257d0000", 144 | "end": "0xfffff801257e3000", 145 | "name": "WDFLDR.SYS" 146 | }, 147 | { 148 | "start": "0xfffff801257f0000", 149 | "end": "0xfffff801257ff000", 150 | "name": "SleepStudyHelper.sys" 151 | }, 152 | { 153 | "start": "0xfffff80125800000", 154 | "end": "0xfffff80125811000", 155 | "name": "WppRecorder.sys" 156 | }, 157 | { 158 | "start": "0xfffff80125820000", 159 | "end": "0xfffff80125846000", 160 | "name": "acpiex.sys" 161 | }, 162 | { 163 | "start": "0xfffff80125850000", 164 | "end": "0xfffff8012589c000", 165 | "name": "mssecflt.sys" 166 | }, 167 | { 168 | "start": "0xfffff801258a0000", 169 | "end": "0xfffff801258ba000", 170 | "name": "SgrmAgent.sys" 171 | }, 172 | { 173 | "start": "0xfffff801258c0000", 174 | "end": "0xfffff8012598c000", 175 | "name": "ACPI.sys" 176 | }, 177 | { 178 | "start": "0xfffff80125990000", 179 | "end": "0xfffff8012599c000", 180 | "name": "WMILIB.SYS" 181 | }, 182 | { 183 | "start": "0xfffff801259c0000", 184 | "end": "0xfffff80125a2b000", 185 | "name": "intelpep.sys" 186 | }, 187 | { 
188 | "start": "0xfffff80125a30000", 189 | "end": "0xfffff80125a47000", 190 | "name": "WindowsTrustedRT.sys" 191 | }, 192 | { 193 | "start": "0xfffff80125a50000", 194 | "end": "0xfffff80125a5b000", 195 | "name": "IntelTA.sys" 196 | }, 197 | { 198 | "start": "0xfffff80125a60000", 199 | "end": "0xfffff80125a6b000", 200 | "name": "WindowsTrustedRTProxy.sys" 201 | }, 202 | { 203 | "start": "0xfffff80125a70000", 204 | "end": "0xfffff80125a84000", 205 | "name": "pcw.sys" 206 | }, 207 | { 208 | "start": "0xfffff80125a90000", 209 | "end": "0xfffff80125aa5000", 210 | "name": "vdrvroot.sys" 211 | }, 212 | { 213 | "start": "0xfffff80125ab0000", 214 | "end": "0xfffff80125af4000", 215 | "name": "ucx01000.sys" 216 | }, 217 | { 218 | "start": "0xfffff80125b00000", 219 | "end": "0xfffff80125b2f000", 220 | "name": "pdc.sys" 221 | }, 222 | { 223 | "start": "0xfffff80125b30000", 224 | "end": "0xfffff80125b4a000", 225 | "name": "CEA.sys" 226 | }, 227 | { 228 | "start": "0xfffff80125b50000", 229 | "end": "0xfffff80125b81000", 230 | "name": "partmgr.sys" 231 | }, 232 | { 233 | "start": "0xfffff80125b90000", 234 | "end": "0xfffff80125c3a000", 235 | "name": "spaceport.sys" 236 | }, 237 | { 238 | "start": "0xfffff80125c40000", 239 | "end": "0xfffff80125c59000", 240 | "name": "volmgr.sys" 241 | }, 242 | { 243 | "start": "0xfffff80125c60000", 244 | "end": "0xfffff80125caf000", 245 | "name": "sdbus.sys" 246 | }, 247 | { 248 | "start": "0xfffff80125cb0000", 249 | "end": "0xfffff80125d13000", 250 | "name": "volmgrx.sys" 251 | }, 252 | { 253 | "start": "0xfffff80125d20000", 254 | "end": "0xfffff80125d50000", 255 | "name": "vmbus.sys" 256 | }, 257 | { 258 | "start": "0xfffff80125d60000", 259 | "end": "0xfffff80125d8a000", 260 | "name": "hvsocket.sys" 261 | }, 262 | { 263 | "start": "0xfffff80125d90000", 264 | "end": "0xfffff80125e28000", 265 | "name": "NETIO.SYS" 266 | }, 267 | { 268 | "start": "0xfffff80125e30000", 269 | "end": "0xfffff80125fa0000", 270 | "name": "NDIS.SYS" 271 | }, 272 | { 273 
| "start": "0xfffff80125fb0000", 274 | "end": "0xfffff80125fd0000", 275 | "name": "vmbkmcl.sys" 276 | }, 277 | { 278 | "start": "0xfffff80125fe0000", 279 | "end": "0xfffff80125ff2000", 280 | "name": "winhv.sys" 281 | }, 282 | { 283 | "start": "0xfffff80126000000", 284 | "end": "0xfffff80126018000", 285 | "name": "urscx01000.sys" 286 | }, 287 | { 288 | "start": "0xfffff80126020000", 289 | "end": "0xfffff8012603e000", 290 | "name": "mountmgr.sys" 291 | }, 292 | { 293 | "start": "0xfffff80126040000", 294 | "end": "0xfffff8012605c000", 295 | "name": "EhStorClass.sys" 296 | }, 297 | { 298 | "start": "0xfffff80126060000", 299 | "end": "0xfffff8012607a000", 300 | "name": "fileinfo.sys" 301 | }, 302 | { 303 | "start": "0xfffff80126080000", 304 | "end": "0xfffff801260c0000", 305 | "name": "Wof.sys" 306 | }, 307 | { 308 | "start": "0xfffff801260d0000", 309 | "end": "0xfffff8012612a000", 310 | "name": "WdFilter.sys" 311 | }, 312 | { 313 | "start": "0xfffff80126130000", 314 | "end": "0xfffff80126163000", 315 | "name": "usbccgp.sys" 316 | }, 317 | { 318 | "start": "0xfffff80126170000", 319 | "end": "0xfffff8012617e000", 320 | "name": "USBD.SYS" 321 | }, 322 | { 323 | "start": "0xfffff80126180000", 324 | "end": "0xfffff8012618d000", 325 | "name": "urschipidea.sys" 326 | }, 327 | { 328 | "start": "0xfffff80126190000", 329 | "end": "0xfffff8012619f000", 330 | "name": "storvsc.sys" 331 | }, 332 | { 333 | "start": "0xfffff801261a0000", 334 | "end": "0xfffff80126253000", 335 | "name": "storport.sys" 336 | }, 337 | { 338 | "start": "0xfffff80126260000", 339 | "end": "0xfffff8012627a000", 340 | "name": "usbehci.sys" 341 | }, 342 | { 343 | "start": "0xfffff80126280000", 344 | "end": "0xfffff801262f9000", 345 | "name": "USBPORT.SYS" 346 | }, 347 | { 348 | "start": "0xfffff80126300000", 349 | "end": "0xfffff801265d8000", 350 | "name": "Ntfs.sys" 351 | }, 352 | { 353 | "start": "0xfffff801265e0000", 354 | "end": "0xfffff80126665000", 355 | "name": "usbhub.sys" 356 | }, 357 | { 358 | 
"start": "0xfffff80126670000", 359 | "end": "0xfffff80126713000", 360 | "name": "UsbHub3.sys" 361 | }, 362 | { 363 | "start": "0xfffff80126720000", 364 | "end": "0xfffff8012672d000", 365 | "name": "Fs_Rec.sys" 366 | }, 367 | { 368 | "start": "0xfffff80126730000", 369 | "end": "0xfffff80126762000", 370 | "name": "ksecpkg.sys" 371 | }, 372 | { 373 | "start": "0xfffff80126770000", 374 | "end": "0xfffff80126a5b000", 375 | "name": "tcpip.sys" 376 | }, 377 | { 378 | "start": "0xfffff80126a60000", 379 | "end": "0xfffff80126adf000", 380 | "name": "fwpkclnt.sys" 381 | }, 382 | { 383 | "start": "0xfffff80126ae0000", 384 | "end": "0xfffff80126b10000", 385 | "name": "wfplwfs.sys" 386 | }, 387 | { 388 | "start": "0xfffff80126b20000", 389 | "end": "0xfffff80126be8000", 390 | "name": "fvevol.sys" 391 | }, 392 | { 393 | "start": "0xfffff80126bf0000", 394 | "end": "0xfffff80126bfb000", 395 | "name": "volume.sys" 396 | }, 397 | { 398 | "start": "0xfffff80126c00000", 399 | "end": "0xfffff80126c6d000", 400 | "name": "volsnap.sys" 401 | }, 402 | { 403 | "start": "0xfffff80126c70000", 404 | "end": "0xfffff80126d10000", 405 | "name": "USBXHCI.SYS" 406 | }, 407 | { 408 | "start": "0xfffff80126d20000", 409 | "end": "0xfffff80126d45000", 410 | "name": "USBSTOR.SYS" 411 | }, 412 | { 413 | "start": "0xfffff80126d50000", 414 | "end": "0xfffff80126d68000", 415 | "name": "uaspstor.sys" 416 | }, 417 | { 418 | "start": "0xfffff80126d70000", 419 | "end": "0xfffff80126d8e000", 420 | "name": "sdstor.sys" 421 | }, 422 | { 423 | "start": "0xfffff80126d90000", 424 | "end": "0xfffff80126de0000", 425 | "name": "rdyboost.sys" 426 | }, 427 | { 428 | "start": "0xfffff80126df0000", 429 | "end": "0xfffff80126e16000", 430 | "name": "mup.sys" 431 | }, 432 | { 433 | "start": "0xfffff80126e20000", 434 | "end": "0xfffff80126e32000", 435 | "name": "iorate.sys" 436 | }, 437 | { 438 | "start": "0xfffff80126e60000", 439 | "end": "0xfffff80126e7c000", 440 | "name": "disk.sys" 441 | }, 442 | { 443 | "start": 
"0xfffff80126e80000", 444 | "end": "0xfffff80126eed000", 445 | "name": "CLASSPNP.SYS" 446 | }, 447 | { 448 | "start": "0xfffff80127200000", 449 | "end": "0xfffff80127215000", 450 | "name": "filecrypt.sys" 451 | }, 452 | { 453 | "start": "0xfffff80127220000", 454 | "end": "0xfffff8012722e000", 455 | "name": "tbs.sys" 456 | }, 457 | { 458 | "start": "0xfffff80127230000", 459 | "end": "0xfffff8012723a000", 460 | "name": "Null.SYS" 461 | }, 462 | { 463 | "start": "0xfffff80127240000", 464 | "end": "0xfffff8012724a000", 465 | "name": "Beep.SYS" 466 | }, 467 | { 468 | "start": "0xfffff80127250000", 469 | "end": "0xfffff801275fa000", 470 | "name": "dxgkrnl.sys" 471 | }, 472 | { 473 | "start": "0xfffff80127600000", 474 | "end": "0xfffff80127618000", 475 | "name": "watchdog.sys" 476 | }, 477 | { 478 | "start": "0xfffff80127620000", 479 | "end": "0xfffff80127636000", 480 | "name": "BasicDisplay.sys" 481 | }, 482 | { 483 | "start": "0xfffff80127640000", 484 | "end": "0xfffff80127651000", 485 | "name": "BasicRender.sys" 486 | }, 487 | { 488 | "start": "0xfffff80127660000", 489 | "end": "0xfffff8012767c000", 490 | "name": "Npfs.SYS" 491 | }, 492 | { 493 | "start": "0xfffff80127680000", 494 | "end": "0xfffff80127691000", 495 | "name": "Msfs.SYS" 496 | }, 497 | { 498 | "start": "0xfffff801276a0000", 499 | "end": "0xfffff801276be000", 500 | "name": "CimFS.SYS" 501 | }, 502 | { 503 | "start": "0xfffff801276c0000", 504 | "end": "0xfffff801276e2000", 505 | "name": "tdx.sys" 506 | }, 507 | { 508 | "start": "0xfffff801276f0000", 509 | "end": "0xfffff80127700000", 510 | "name": "TDI.SYS" 511 | }, 512 | { 513 | "start": "0xfffff80127710000", 514 | "end": "0xfffff8012776c000", 515 | "name": "netbt.sys" 516 | }, 517 | { 518 | "start": "0xfffff80127770000", 519 | "end": "0xfffff80127783000", 520 | "name": "afunix.sys" 521 | }, 522 | { 523 | "start": "0xfffff80127790000", 524 | "end": "0xfffff80127836000", 525 | "name": "afd.sys" 526 | }, 527 | { 528 | "start": "0xfffff80127840000", 529 | 
"end": "0xfffff8012785a000", 530 | "name": "vwififlt.sys" 531 | }, 532 | { 533 | "start": "0xfffff80127860000", 534 | "end": "0xfffff8012788b000", 535 | "name": "pacer.sys" 536 | }, 537 | { 538 | "start": "0xfffff80127890000", 539 | "end": "0xfffff801278a4000", 540 | "name": "ndiscap.sys" 541 | }, 542 | { 543 | "start": "0xfffff801278b0000", 544 | "end": "0xfffff801278c4000", 545 | "name": "netbios.sys" 546 | }, 547 | { 548 | "start": "0xfffff801278d0000", 549 | "end": "0xfffff80127971000", 550 | "name": "Vid.sys" 551 | }, 552 | { 553 | "start": "0xfffff80127980000", 554 | "end": "0xfffff801279a1000", 555 | "name": "winhvr.sys" 556 | }, 557 | { 558 | "start": "0xfffff801279b0000", 559 | "end": "0xfffff80127a2b000", 560 | "name": "rdbss.sys" 561 | }, 562 | { 563 | "start": "0xfffff80127a30000", 564 | "end": "0xfffff80127ac7000", 565 | "name": "csc.sys" 566 | }, 567 | { 568 | "start": "0xfffff80127ad0000", 569 | "end": "0xfffff80127ae2000", 570 | "name": "nsiproxy.sys" 571 | }, 572 | { 573 | "start": "0xfffff80127af0000", 574 | "end": "0xfffff80127afe000", 575 | "name": "npsvctrig.sys" 576 | }, 577 | { 578 | "start": "0xfffff80127b00000", 579 | "end": "0xfffff80127b10000", 580 | "name": "mssmbios.sys" 581 | }, 582 | { 583 | "start": "0xfffff80127b20000", 584 | "end": "0xfffff80127b2a000", 585 | "name": "gpuenergydrv.sys" 586 | }, 587 | { 588 | "start": "0xfffff80127b30000", 589 | "end": "0xfffff80127b5c000", 590 | "name": "dfsc.sys" 591 | }, 592 | { 593 | "start": "0xfffff80127b80000", 594 | "end": "0xfffff80127bec000", 595 | "name": "fastfat.SYS" 596 | }, 597 | { 598 | "start": "0xfffff80127bf0000", 599 | "end": "0xfffff80127c07000", 600 | "name": "bam.sys" 601 | }, 602 | { 603 | "start": "0xfffff80127c10000", 604 | "end": "0xfffff80127c5e000", 605 | "name": "ahcache.sys" 606 | }, 607 | { 608 | "start": "0xfffff80127c60000", 609 | "end": "0xfffff80127c72000", 610 | "name": "CompositeBus.sys" 611 | }, 612 | { 613 | "start": "0xfffff80127c80000", 614 | "end": 
"0xfffff80127c8d000", 615 | "name": "kdnic.sys" 616 | }, 617 | { 618 | "start": "0xfffff80127c90000", 619 | "end": "0xfffff80127ca5000", 620 | "name": "umbus.sys" 621 | }, 622 | { 623 | "start": "0xfffff80127cb0000", 624 | "end": "0xfffff80127cc5000", 625 | "name": "CAD.sys" 626 | }, 627 | { 628 | "start": "0xfffff80127cd0000", 629 | "end": "0xfffff80127ce4000", 630 | "name": "dmvsc.sys" 631 | }, 632 | { 633 | "start": "0xfffff80127cf0000", 634 | "end": "0xfffff80127cfe000", 635 | "name": "VMBusHID.sys" 636 | }, 637 | { 638 | "start": "0xfffff80127d00000", 639 | "end": "0xfffff80127d3f000", 640 | "name": "HIDCLASS.SYS" 641 | }, 642 | { 643 | "start": "0xfffff80127d40000", 644 | "end": "0xfffff80127d53000", 645 | "name": "HIDPARSE.SYS" 646 | }, 647 | { 648 | "start": "0xfffff80127d60000", 649 | "end": "0xfffff80127d6c000", 650 | "name": "hyperkbd.sys" 651 | }, 652 | { 653 | "start": "0xfffff80127d70000", 654 | "end": "0xfffff80127d84000", 655 | "name": "kbdclass.sys" 656 | }, 657 | { 658 | "start": "0xfffff80127d90000", 659 | "end": "0xfffff80127da0000", 660 | "name": "HyperVideo.sys" 661 | }, 662 | { 663 | "start": "0xfffff80127db0000", 664 | "end": "0xfffff80127dbf000", 665 | "name": "CmBatt.sys" 666 | }, 667 | { 668 | "start": "0xfffff80127dc0000", 669 | "end": "0xfffff80127dd0000", 670 | "name": "BATTC.SYS" 671 | }, 672 | { 673 | "start": "0xfffff80127de0000", 674 | "end": "0xfffff80127deb000", 675 | "name": "vmgencounter.sys" 676 | }, 677 | { 678 | "start": "0xfffff80127df0000", 679 | "end": "0xfffff80127e30000", 680 | "name": "intelppm.sys" 681 | }, 682 | { 683 | "start": "0xfffff80127e40000", 684 | "end": "0xfffff80127e4d000", 685 | "name": "NdisVirtualBus.sys" 686 | }, 687 | { 688 | "start": "0xfffff80127e50000", 689 | "end": "0xfffff80127e5c000", 690 | "name": "swenum.sys" 691 | }, 692 | { 693 | "start": "0xfffff80127e60000", 694 | "end": "0xfffff80127ed6000", 695 | "name": "ks.sys" 696 | }, 697 | { 698 | "start": "0xfffff80127ee0000", 699 | "end": 
"0xfffff80127eee000", 700 | "name": "rdpbus.sys" 701 | }, 702 | { 703 | "start": "0xfffff80127ef0000", 704 | "end": "0xfffff80127f00000", 705 | "name": "mouhid.sys" 706 | }, 707 | { 708 | "start": "0xfffff80127f10000", 709 | "end": "0xfffff80127f23000", 710 | "name": "mouclass.sys" 711 | }, 712 | { 713 | "start": "0xfffff80127f40000", 714 | "end": "0xfffff80127f4e000", 715 | "name": "dump_diskdump.sys" 716 | }, 717 | { 718 | "start": "0xfffff80127f60000", 719 | "end": "0xfffff80127f6f000", 720 | "name": "dump_storvsc.sys" 721 | }, 722 | { 723 | "start": "0xfffff80127f70000", 724 | "end": "0xfffff80127f90000", 725 | "name": "dump_vmbkmcl.sys" 726 | }, 727 | { 728 | "start": "0xfffff80127fc0000", 729 | "end": "0xfffff80127fdd000", 730 | "name": "dump_dumpfve.sys" 731 | }, 732 | { 733 | "start": "0xfffff801280f0000", 734 | "end": "0xfffff8012810e000", 735 | "name": "crashdmp.sys" 736 | }, 737 | { 738 | "start": "0xfffff801281c0000", 739 | "end": "0xfffff801281f0000", 740 | "name": "cdrom.sys" 741 | }, 742 | { 743 | "start": "0xfffff80128400000", 744 | "end": "0xfffff8012840b000", 745 | "name": "vmgid.sys" 746 | }, 747 | { 748 | "start": "0xfffff80128410000", 749 | "end": "0xfffff80128439000", 750 | "name": "luafv.sys" 751 | }, 752 | { 753 | "start": "0xfffff80128440000", 754 | "end": "0xfffff80128476000", 755 | "name": "wcifs.sys" 756 | }, 757 | { 758 | "start": "0xfffff80128480000", 759 | "end": "0xfffff801284ff000", 760 | "name": "cldflt.sys" 761 | }, 762 | { 763 | "start": "0xfffff80128500000", 764 | "end": "0xfffff8012851a000", 765 | "name": "storqosflt.sys" 766 | }, 767 | { 768 | "start": "0xfffff80128520000", 769 | "end": "0xfffff80128548000", 770 | "name": "bindflt.sys" 771 | }, 772 | { 773 | "start": "0xfffff80128550000", 774 | "end": "0xfffff80128575000", 775 | "name": "bowser.sys" 776 | }, 777 | { 778 | "start": "0xfffff80128580000", 779 | "end": "0xfffff801285d6000", 780 | "name": "msquic.sys" 781 | }, 782 | { 783 | "start": "0xfffff801285e0000", 784 | 
"end": "0xfffff80128674000", 785 | "name": "mrxsmb.sys" 786 | }, 787 | { 788 | "start": "0xfffff80128680000", 789 | "end": "0xfffff801286c6000", 790 | "name": "mrxsmb20.sys" 791 | }, 792 | { 793 | "start": "0xfffff801286d0000", 794 | "end": "0xfffff801286e8000", 795 | "name": "lltdio.sys" 796 | }, 797 | { 798 | "start": "0xfffff801286f0000", 799 | "end": "0xfffff80128708000", 800 | "name": "mslldp.sys" 801 | }, 802 | { 803 | "start": "0xfffff80128710000", 804 | "end": "0xfffff8012872b000", 805 | "name": "rspndr.sys" 806 | }, 807 | { 808 | "start": "0xfffff80128730000", 809 | "end": "0xfffff801288b8000", 810 | "name": "HTTP.sys" 811 | }, 812 | { 813 | "start": "0xfffff801288c0000", 814 | "end": "0xfffff801288da000", 815 | "name": "mpsdrv.sys" 816 | }, 817 | { 818 | "start": "0xfffff801288e0000", 819 | "end": "0xfffff801288fb000", 820 | "name": "monitor.sys" 821 | }, 822 | { 823 | "start": "0xfffff80128900000", 824 | "end": "0xfffff80128953000", 825 | "name": "srvnet.sys" 826 | }, 827 | { 828 | "start": "0xfffff80128960000", 829 | "end": "0xfffff80128974000", 830 | "name": "mmcss.sys" 831 | }, 832 | { 833 | "start": "0xfffff80128980000", 834 | "end": "0xfffff801289a7000", 835 | "name": "Ndu.sys" 836 | }, 837 | { 838 | "start": "0xfffff801289b0000", 839 | "end": "0xfffff80128a77000", 840 | "name": "srv2.sys" 841 | }, 842 | { 843 | "start": "0xfffff80128a80000", 844 | "end": "0xfffff80128b56000", 845 | "name": "peauth.sys" 846 | }, 847 | { 848 | "start": "0xfffff80128b60000", 849 | "end": "0xfffff80128b75000", 850 | "name": "tcpipreg.sys" 851 | }, 852 | { 853 | "start": "0xfffff80128b80000", 854 | "end": "0xfffff80128b8f000", 855 | "name": "terminpt.sys" 856 | }, 857 | { 858 | "start": "0xfffff80128b90000", 859 | "end": "0xfffff80128be4000", 860 | "name": "WUDFRd.sys" 861 | }, 862 | { 863 | "start": "0xfffff80128bf0000", 864 | "end": "0xfffff80128c02000", 865 | "name": "IndirectKmd.sys" 866 | }, 867 | { 868 | "start": "0xfffff80128c10000", 869 | "end": 
"0xfffff80128c22000", 870 | "name": "WdNisDrv.sys" 871 | }, 872 | { 873 | "start": "0xfffff80128c30000", 874 | "end": "0xfffff80128c42000", 875 | "name": "condrv.sys" 876 | }, 877 | { 878 | "start": "0xfffff801290a0000", 879 | "end": "0xfffff80129181000", 880 | "name": "dxgmms2.sys" 881 | }, 882 | { 883 | "start": "0xfffff80129190000", 884 | "end": "0xfffff8012919d000", 885 | "name": "rdpvideominiport.sys" 886 | }, 887 | { 888 | "start": "0xfffff801291a0000", 889 | "end": "0xfffff801291cf000", 890 | "name": "rdpdr.sys" 891 | }, 892 | { 893 | "start": "0xfffff801291d0000", 894 | "end": "0xfffff801291f8000", 895 | "name": "tsusbhub.sys" 896 | }, 897 | { 898 | "start": "0xfffffd66c3290000", 899 | "end": "0xfffffd66c332a000", 900 | "name": "win32k.sys" 901 | }, 902 | { 903 | "start": "0xfffffd66c3400000", 904 | "end": "0xfffffd66c37b7000", 905 | "name": "win32kfull.sys" 906 | }, 907 | { 908 | "start": "0xfffffd66c37c0000", 909 | "end": "0xfffffd66c3809000", 910 | "name": "cdd.dll" 911 | }, 912 | { 913 | "start": "0xfffffd66c3b70000", 914 | "end": "0xfffffd66c3e43000", 915 | "name": "win32kbase.sys" 916 | } 917 | ] -------------------------------------------------------------------------------- /tests/regression.rs: -------------------------------------------------------------------------------- 1 | // Axel '0vercl0k' Souchet - March 17 2024 2 | use std::collections::HashSet; 3 | use std::env; 4 | use std::fs::File; 5 | use std::ops::Range; 6 | use std::path::PathBuf; 7 | 8 | use kdmp_parser::{AddrTranslationError, Gpa, Gva, KdmpParserError, KernelDumpParser}; 9 | use serde::Deserialize; 10 | 11 | /// Convert an hexadecimal encoded integer string into a `u64`. 
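///
/// The `0x` prefix is optional.
///
/// # Panics
///
/// Panics if what follows the optional prefix is not a valid base-16 `u64`;
/// the message includes the offending string so a bad fixture is easy to find.
pub fn hex_str(s: &str) -> u64 {
    let digits = s.strip_prefix("0x").unwrap_or(s);

    u64::from_str_radix(digits, 16)
        .unwrap_or_else(|e| panic!("invalid hexadecimal integer {s:?}: {e}"))
}

/// One entry of a `modules_*.json` fixture, exactly as stored on disk: the
/// bounds are still hexadecimal strings.
#[derive(Debug, Deserialize)]
struct M {
    name: String,
    start: String,
    end: String,
}

/// A module the parser is expected to report: its name and the address range
/// it is mapped at.
#[derive(Debug)]
struct Module {
    name: String,
    at: Range<Gva>,
}

impl From<M> for Module {
    /// Parse the hexadecimal bounds of a fixture entry into an address range.
    /// Panics (through [`hex_str`]) if either bound is malformed.
    fn from(value: M) -> Self {
        let start = hex_str(&value.start);
        let end = hex_str(&value.end);

        Self {
            name: value.name,
            at: start.into()..end.into(),
        }
    }
}

/// The values a given crash-dump is expected to yield once parsed.
struct TestcaseValues<'test> {
    // Path to the dump file.
    file: PathBuf,
    // Expected result of `dump_type()`.
    dump_type: kdmp_parser::DumpType,
    // Expected result of `physmem().len()`.
    size: u64,
    // Physical address to read 16 bytes from, and the bytes expected there.
    phys_addr: u64,
    phys_bytes: [u8; 16],
    // Virtual address to read 16 bytes from, and the bytes expected there.
    virt_addr: u64,
    virt_bytes: [u8; 16],
    // Expected general purpose registers of the context record.
    rax: u64,
    rbx: u64,
    rcx: u64,
    rdx: u64,
    rsi: u64,
    rdi: u64,
    rip: u64,
    rsp: u64,
    rbp: u64,
    r8: u64,
    r9: u64,
    r10: u64,
    r11: u64,
    r12: u64,
    r13: u64,
    r14: u64,
    r15: u64,
    // Expected user & kernel modules.
    modules: &'test [Module],
}

/// Check that the user and kernel modules reported by `parser` are exactly the
/// ones listed in `modules`.
///
/// Returns `false`, after printing a diagnostic on stderr, when:
///   - two reported modules start at the same address,
///   - a reported module's range is not in `modules`,
///   - a reported module's file name (the part after the last `\`) differs
///     from the expected name, ignoring case; `ntoskrnl.exe` is accepted where
///     `nt` is expected.
///
/// Also returns `false` when the number of reported modules differs from
/// `modules.len()`.
fn compare_modules(parser: &KernelDumpParser, modules: &[Module]) -> bool {
    let mut seen = HashSet::new();
    for (r, name) in parser.user_modules().chain(parser.kernel_modules()) {
        // `insert` returns `false` when the start address was already there.
        if !seen.insert(r.start) {
            eprintln!("already seen {}", r.start);
            return false;
        }

        // A module missing from the expected list is reported like every other
        // mismatch instead of panicking on an `unwrap`.
        let found_mod = match modules.iter().find(|m| m.at == *r) {
            Some(m) => m,
            None => {
                eprintln!("{name} at {r:?} is not in the expected module list");
                return false;
            }
        };

        let filename = name.rsplit_once('\\').map(|(_, s)| s).unwrap_or(name);
        let same_name = filename.to_lowercase() == found_mod.name.to_lowercase();
        let is_kernel_alias = found_mod.name == "nt" && filename == "ntoskrnl.exe";
        if !same_name && !is_kernel_alias {
            eprintln!("{name} {found_mod:?}");
            return false;
        }
    }

    seen.len() == modules.len()
}

// Extract the info with WinDbg w/ the below:
// ```
// dx -r2 @$curprocess.Modules.Select(p => new {start=p.BaseAddress,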
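// end=p.BaseAddress + p.Size, name=p.Name})
// ```
//
// Parse every reference dump found in the directory pointed to by the
// `TESTDATAS` environment variable and compare what the parser reports (dump
// type, number of physical pages, physical & virtual reads, registers and
// modules) against values collected with WinDbg. It then checks two address
// translation corner cases: a transition PTE must be readable, and a virtual
// address backed by a physical page that is absent from the dump must fail
// with the faulting physical address instead of returning data.
#[test]
fn regressions() {
    let base_path =
        PathBuf::from(env::var("TESTDATAS").expect("I need the TESTDATAS env var to work"));

    let test_dir = PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests");

    // Load one of the `modules_*.json` fixtures. A missing or malformed
    // fixture panics with the path of the file at fault.
    let load_modules = |name: &str| -> Vec<Module> {
        let path = test_dir.join(name);
        let file = File::open(&path)
            .unwrap_or_else(|e| panic!("cannot open {}: {e}", path.display()));
        let raw: Vec<M> = serde_json::from_reader(std::io::BufReader::new(file))
            .unwrap_or_else(|e| panic!("cannot parse {}: {e}", path.display()));

        raw.into_iter().map(Module::from).collect()
    };

    let modules_1 = load_modules("modules_1.json");
    // kd> r
    // rax=0000000000000003 rbx=fffff8050f4e9f70 rcx=0000000000000001
    // rdx=fffff805135684d0 rsi=0000000000000100 rdi=fffff8050f4e9f80
    // rip=fffff805108776a0 rsp=fffff805135684f8 rbp=fffff80513568600
    // r8=0000000000000003 r9=fffff805135684b8 r10=0000000000000000
    // r11=ffffa8848825e000 r12=fffff8050f4e9f80 r13=fffff80510c3c958
    // r14=0000000000000000 r15=0000000000000052
    // iopl=0 nv up ei pl nz na pe nc
    // cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
    let bmp = TestcaseValues {
        file: base_path.join("bmp.dmp"),
        dump_type: kdmp_parser::DumpType::Bmp,
        size: 0x54_4b,
        phys_addr: 0x6d_4d_22,
        phys_bytes: [
            0x6d, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x63, 0x88, 0x75, 0x00, 0x00, 0x00, 0x00, 0x0a,
            0x63, 0x98,
        ],
        virt_addr: 0xfffff805_108776a0,
        virt_bytes: [
            0xcc, 0xc3, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00,
            0x00, 0x00,
        ],
        rax: 0x00000000_00000003,
        rbx: 0xfffff805_0f4e9f70,
        rcx: 0x00000000_00000001,
        rdx: 0xfffff805_135684d0,
        rsi: 0x00000000_00000100,
        rdi: 0xfffff805_0f4e9f80,
        rip: 0xfffff805_108776a0,
        rsp: 0xfffff805_135684f8,
        rbp: 0xfffff805_13568600,
        r8: 0x00000000_00000003,
        r9: 0xfffff805_135684b8,
        r10: 0x00000000_00000000,
        r11: 0xffffa884_8825e000,
        r12: 0xfffff805_0f4e9f80,
        r13: 0xfffff805_10c3c958,
        r14: 0x00000000_00000000,
        r15: 0x00000000_00000052,
        modules: modules_1.as_slice(),
    };

    let full = TestcaseValues {
        file: base_path.join("full.dmp"),
        dump_type: kdmp_parser::DumpType::Full,
        size: 0x03_fb_e6,
        phys_addr: 0x6d_4d_22,
        phys_bytes: [
            0x6d, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x63, 0x88, 0x75, 0x00, 0x00, 0x00, 0x00, 0x0a,
            0x63, 0x98,
        ],
        virt_addr: 0xfffff805_108776a0,
        virt_bytes: [
            0xcc, 0xc3, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00,
            0x00, 0x00,
        ],
        rax: 0x00000000_00000003,
        rbx: 0xfffff805_0f4e9f70,
        rcx: 0x00000000_00000001,
        rdx: 0xfffff805_135684d0,
        rsi: 0x00000000_00000100,
        rdi: 0xfffff805_0f4e9f80,
        rip: 0xfffff805_108776a0,
        rsp: 0xfffff805_135684f8,
        rbp: 0xfffff805_13568600,
        r8: 0x00000000_00000003,
        r9: 0xfffff805_135684b8,
        r10: 0x00000000_00000000,
        r11: 0xffffa884_8825e000,
        r12: 0xfffff805_0f4e9f80,
        r13: 0xfffff805_10c3c958,
        r14: 0x00000000_00000000,
        r15: 0x00000000_00000052,
        modules: &modules_1,
    };

    let modules_2 = load_modules("modules_2.json");

    let kernel_dump = TestcaseValues {
        file: base_path.join("kerneldump.dmp"),
        dump_type: kdmp_parser::DumpType::KernelMemory,
        size: 0xa0_2e,
        phys_addr: 0x02_58_92_f0,
        phys_bytes: [
            0x10, 0x8c, 0x24, 0x50, 0x0c, 0xc0, 0xff, 0xff, 0xa0, 0x19, 0x38, 0x51, 0x0c, 0xc0,
            0xff, 0xff,
        ],
        virt_addr: 0xfffff803_f2c35470,
        virt_bytes: [
            0xcc, 0xc3, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00,
            0x00, 0x00,
        ],
        rax: 0x00000000_00007a01,
        rbx: 0xffffc00c_5191e010,
        rcx: 0x00000000_00000001,
        rdx: 0x00000012_00000000,
        rsi: 0xffffc00c_51907bb0,
        rdi: 0x00000000_00000002,
        rip: 0xfffff803_f2c35470,
        rsp: 0xfffff803_f515ec28,
        rbp: 0x00000000_0c1c9800,
        r8: 0x00000000_000000b0,
        r9: 0xffffc00c_502ff000,
        r10: 0x00000000_00000057,
        r11: 0xfffff803_f3a04500,
        r12: 0xfffff803_f515ee60,
        r13: 0x00000000_00000003,
        r14: 0xfffff803_f1e9a180,
        r15: 0x00000000_0000001f,
        modules: &modules_2,
    };

    let modules_3 = load_modules("modules_3.json");

    let kernel_user_dump = TestcaseValues {
        file: base_path.join("kerneluserdump.dmp"),
        dump_type: kdmp_parser::DumpType::KernelAndUserMemory,
        size: 0x01_f7_c7,
        phys_addr: 0x02_58_92_f0,
        phys_bytes: [
            0x10, 0x8c, 0x24, 0x50, 0x0c, 0xc0, 0xff, 0xff, 0xa0, 0x19, 0x38, 0x51, 0x0c, 0xc0,
            0xff, 0xff,
        ],
        virt_addr: 0xfffff803_f2c35470,
        virt_bytes: [
            0xcc, 0xc3, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00,
            0x00, 0x00,
        ],
        rax: 0x00000000_00007a01,
        rbx: 0xffffc00c_5191e010,
        rcx: 0x00000000_00000001,
        rdx: 0x00000012_00000000,
        rsi: 0xffffc00c_51907bb0,
        rdi: 0x00000000_00000002,
        rip: 0xfffff803_f2c35470,
        rsp: 0xfffff803_f515ec28,
        rbp: 0x00000000_0c1c9800,
        r8: 0x00000000_000000b0,
        r9: 0xffffc00c_502ff000,
        r10: 0x00000000_00000057,
        r11: 0xfffff803_f3a04500,
        r12: 0xfffff803_f515ee60,
        r13: 0x00000000_00000003,
        r14: 0xfffff803_f1e9a180,
        r15: 0x00000000_0000001f,
        modules: &modules_3,
    };

    let complete_dump = TestcaseValues {
        file: base_path.join("completedump.dmp"),
        dump_type: kdmp_parser::DumpType::CompleteMemory,
        size: 0x01_fb_f9,
        phys_addr: 0x02_58_92_f0,
        phys_bytes: [
            0x10, 0x8c, 0x24, 0x50, 0x0c, 0xc0, 0xff, 0xff, 0xa0, 0x19, 0x38, 0x51, 0x0c, 0xc0,
            0xff, 0xff,
        ],
        virt_addr: 0xfffff803_f2c35470,
        virt_bytes: [
            0xcc, 0xc3, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00,
            0x00, 0x00,
        ],
        rax: 0x00000000_00007a01,
        rbx: 0xffffc00c_5191e010,
        rcx: 0x00000000_00000001,
        rdx: 0x00000012_00000000,
        rsi: 0xffffc00c_51907bb0,
        rdi: 0x00000000_00000002,
        rip: 0xfffff803_f2c35470,
        rsp: 0xfffff803_f515ec28,
        rbp: 0x00000000_0c1c9800,
        r8: 0x00000000_000000b0,
        r9: 0xffffc00c_502ff000,
        r10: 0x00000000_00000057,
        r11: 0xfffff803_f3a04500,
        r12: 0xfffff803_f515ee60,
        r13: 0x00000000_00000003,
        r14: 0xfffff803_f1e9a180,
        r15: 0x00000000_0000001f,
        modules: &modules_3,
    };

    let modules_4 = load_modules("modules_4.json");

    let live_kernel = TestcaseValues {
        file: base_path.join("fulllivekernelmemory.dmp"),
        dump_type: kdmp_parser::DumpType::LiveKernelMemory,
        size: 0x01_54_f5,
        phys_addr: 0xd9_6a_90_00,
        phys_bytes: [
            0x67, 0xd8, 0xb6, 0xdd, 0x00, 0x00, 0x00, 0x0a, 0x67, 0xa8, 0x1d, 0xd6, 0x00, 0x00,
            0x00, 0x0a,
        ],
        virt_addr: 0xfffff807_50a98b6d,
        virt_bytes: [
            0x48, 0x8d, 0x8f, 0x00, 0x01, 0x00, 0x00, 0xe8, 0x17, 0x2a, 0x98, 0xff, 0x48, 0x81,
            0xc3, 0x48,
        ],
        rax: 0x00000000_00000004,
        rbx: 0xffffd20f_d8553000,
        rcx: 0xffffa100_0ed84a00,
        rdx: 0x00000000_00000000,
        rsi: 0xffffd20f_d3beeae0,
        rdi: 0xfffff807_4fb4b180,
        rip: 0xfffff807_50a98b6d,
        rsp: 0xfffffd8d_6bcaed10,
        rbp: 0x00000000_00000000,
        r8: 0x00000000_00000b80,
        r9: 0xffffd20f_d8553348,
        r10: 0x00000000_00000000,
        r11: 0xffffd20f_d8553000,
        r12: 0x00000000_00000002,
        r13: 0x00000000_00000000,
        r14: 0xffffd20f_d48d5080,
        r15: 0x00000000_00000001,
        modules: &modules_4,
    };

    let modules_5 = load_modules("modules_5.json");

    let wow64 = TestcaseValues {
        file: base_path.join("wow64_kernelactive.dmp"),
        dump_type: kdmp_parser::DumpType::KernelAndUserMemory,
        size: 0x03_ec_ff,
        phys_addr: 0x06_23_50_00,
        phys_bytes: [
            0xcc, 0x33, 0xc0, 0xc3, 0x3b, 0x0d, 0x00, 0x50, 0x46, 0x00, 0x75, 0x01, 0xc3, 0xe9,
            0x79, 0x02,
        ],
        virt_addr: 0x00451000,
        virt_bytes: [
            0xcc, 0x33, 0xc0, 0xc3, 0x3b, 0x0d, 0x00, 0x50, 0x46, 0x00, 0x75, 0x01, 0xc3, 0xe9,
            0x79, 0x02,
        ],
        rax: 0x00465e58,
        rbx: 0x0062d000,
        rcx: 0x00000000,
        rdx: 0x420e1d36,
        rsi: 0x009ef4c0,
        rdi: 0x009f0d30,
        rip: 0x00451000,
        rsp: 0x0056fbcc,
        rbp: 0x0056fc10,
        r8: 0x0000002b,
        r9: 0x77cb2c0c,
        r10: 0x00000000,
        r11: 0x0038e450,
        r12: 0x0062e000,
        r13: 0x0038fda0,
        r14: 0x0038ed40,
        r15: 0x77c34660,
        modules: &modules_5,
    };

    let tests = [
        &bmp,
        &full,
        &kernel_dump,
        &kernel_user_dump,
        &complete_dump,
        &live_kernel,
        &wow64,
    ];

    for test in tests {
        let parser = KernelDumpParser::new(&test.file).unwrap();
        eprintln!("{parser:?}");
        assert_eq!(parser.dump_type(), test.dump_type);
        assert_eq!(parser.physmem().len(), test.size as usize);

        // The same buffer is reused for the physical then the virtual read.
        let mut buf = [0; 16];
        parser
            .phys_read_exact(Gpa::new(test.phys_addr), &mut buf)
            .unwrap();
        assert_eq!(buf, test.phys_bytes);
        parser
            .virt_read_exact(Gva::new(test.virt_addr), &mut buf)
            .unwrap();
        assert_eq!(buf, test.virt_bytes);

        let ctx = parser.context_record();
        assert_eq!(ctx.rax, test.rax);
        assert_eq!(ctx.rbx, test.rbx);
        assert_eq!(ctx.rcx, test.rcx);
        assert_eq!(ctx.rdx, test.rdx);
        assert_eq!(ctx.rsi, test.rsi);
        assert_eq!(ctx.rdi, test.rdi);
        assert_eq!(ctx.rip, test.rip);
        assert_eq!(ctx.rsp, test.rsp);
        assert_eq!(ctx.rbp, test.rbp);
        assert_eq!(ctx.r8, test.r8);
        assert_eq!(ctx.r9, test.r9);
        assert_eq!(ctx.r10, test.r10);
        assert_eq!(ctx.r11, test.r11);
        assert_eq!(ctx.r12, test.r12);
        assert_eq!(ctx.r13, test.r13);
        assert_eq!(ctx.r14, test.r14);
        assert_eq!(ctx.r15, test.r15);
        assert!(compare_modules(&parser, test.modules));
    }

    // Example of a transition PTE readable by WinDbg (in kerneluserdump.dmp):
    // ```
    // kd> db 0x1a42ea30240 l10
    // 000001a4`2ea30240 e0 07 a3 2e a4 01 00 00-80 f2 a2 2e a4 01 00 00 ................
    // kd> !pte 0x1a42ea30240
    // VA 000001a42ea30240
    // PXE at FFFFECF67B3D9018 PPE at FFFFECF67B203480 PDE at FFFFECF640690BA8 PTE at FFFFEC80D2175180
    // contains 0A0000000ECC0867 contains 0A00000013341867 contains 0A000000077AF867 contains 00000000166B7880
    // pfn ecc0 ---DA--UWEV pfn 13341 ---DA--UWEV pfn 77af ---DA--UWEV not valid
    // Transition: 166b7
    // Protect: 4 - ReadWrite
    // ```
    let parser = KernelDumpParser::new(&kernel_user_dump.file).unwrap();
    let mut buffer = [0; 16];
    let expected_buffer = [
        0xe0, 0x07, 0xa3, 0x2e, 0xa4, 0x01, 0x00, 0x00, 0x80, 0xf2, 0xa2, 0x2e, 0xa4, 0x01, 0x00,
        0x00,
    ];
    assert!(parser.virt_read(0x1a42ea30240.into(), &mut buffer).is_ok());
    assert_eq!(buffer, expected_buffer);

    // Example of a valid PTE that doesn't have a physical page backing it (in
    // kerneldump.dmp):
    // ```
    // kd> !pte 0x1a42ea30240
    // VA 000001a42ea30240
    // PXE at FFFFECF67B3D9018 PPE at FFFFECF67B203480 PDE at FFFFECF640690BA8 PTE at FFFFEC80D2175180
    // contains 0A0000000ECC0867 contains 0A00000013341867 contains 0A000000077AF867 contains 00000000166B7880
    // pfn ecc0 ---DA--UWEV pfn 13341 ---DA--UWEV pfn 77af ---DA--UWEV not valid
    // Transition: 166b7
    // Protect: 4 - ReadWrite
    // kd> !db 166b7240
    // Physical memory read at 166b7240 failed
    //
    // kd> !pte 0x16e23fa060
    // VA 00000016e23fa060
    // PXE at FFFFECF67B3D9000 PPE at FFFFECF67B2002D8 PDE at FFFFECF64005B888 PTE at FFFFEC800B711FD0
    // contains 0A00000001FEB867 contains 0A00000019A08867 contains 0A00000019A07867 contains 8000000001BC4867
    // pfn 1feb ---DA--UWEV pfn 19a08 ---DA--UWEV pfn 19a07 ---DA--UWEV pfn 1bc4 ---DA--UW-V
    // kd> !db 1bc4000
    // Physical memory read at 1bc4000 failed
    // ```
    //
    // Both reads must fail with the physical address that could not be read;
    // the guards pin the exact value so a read that succeeds, or that blames
    // another address, fails the test.
    let parser = KernelDumpParser::new(&kernel_dump.file).unwrap();
    let mut buffer = [0];
    assert!(matches!(
        parser.virt_read(0x1a42ea30240.into(), &mut buffer),
        Err(KdmpParserError::AddrTranslation(
            AddrTranslationError::Phys(gpa)
        )) if gpa == 0x166b7240.into()
    ));

    assert!(matches!(
        parser.virt_read(0x16e23fa060.into(), &mut buffer),
        Err(KdmpParserError::AddrTranslation(
            AddrTranslationError::Phys(gpa)
        )) if gpa == 0x1bc4060.into()
    ));
}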