def read_uint(self):
    """Read an architecture-sized unsigned integer at the current position.

    Consumes 8 bytes when the underlying reader reports an AMD64 processor
    architecture and 4 bytes otherwise; the bytes are decoded little-endian.

    NOTE(review): assumes ``self.read(n)`` hands back exactly ``n`` bytes —
    a short read would decode silently to a smaller value; confirm in the
    reader implementation.
    """
    is_64bit = self.reader.processor_architecture == PROCESSOR_ARCHITECTURE.AMD64
    width = 8 if is_64bit else 4
    return int.from_bytes(self.read(width), 'little', signed=False)
else:
self.memory_segments = minidumpfile.memory_segments.memory_segments
self.is_fulldump = False
self.filename = minidumpfile.filename
self.file_handle = minidumpfile.file_handle
#reader params
self.sizeof_long = 4
self.unpack_long = '
def read_uint(self):
    """Read an architecture-sized unsigned integer at the current position.

    Consumes 8 bytes when the underlying reader reports an AMD64 processor
    architecture and 4 bytes otherwise; the bytes are decoded little-endian.

    NOTE(review): assumes ``self.read(n)`` hands back exactly ``n`` bytes —
    a short read would decode silently to a smaller value; confirm in the
    reader implementation.
    """
    is_64bit = self.reader.processor_architecture == PROCESSOR_ARCHITECTURE.AMD64
    width = 8 if is_64bit else 4
    return int.from_bytes(self.read(width), 'little', signed=False)
if minidumpfile.memory_segments_64:
self.memory_segments = minidumpfile.memory_segments_64.memory_segments
self.is_fulldump = True
else:
self.memory_segments = minidumpfile.memory_segments.memory_segments
self.is_fulldump = False
self.filename = minidumpfile.filename
self.file_handle = minidumpfile.file_handle
#reader params
self.sizeof_long = 4
self.unpack_long = '
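def setup(self):
    """Initialise the live reader against the running host.

    Enables the debug privilege, records the processor architecture and the
    OS build number, then opens a handle to lsass.exe. Sets
    ``self.processor_architecture``, ``self.BuildNumber`` and
    ``self.lsass_process_handle``. The privilege and the handle acquired here
    are highly privileged operations on the host.

    Raises:
        Exception: when ``OpenProcess`` returns ``None``; the message carries
            the Win32 error reported by ``get_last_error()``.
    """
    logging.log(1, 'Enabling debug privilege')
    enable_debug_privilege()
    logging.log(1, 'Getting generic system info')
    sysinfo = GetSystemInfo()
    self.processor_architecture = PROCESSOR_ARCHITECTURE(sysinfo.id.w.wProcessorArchitecture)
    logging.log(1, 'Getting build number')
    # GetVersionEx().dwBuildNumber does not work reliably on frozen binaries,
    # so the build number is taken from the registry instead.
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\')
    try:
        buildnumber, _ = winreg.QueryValueEx(key, 'CurrentBuildNumber')
    finally:
        # release the registry handle; it was previously left open
        winreg.CloseKey(key)
    self.BuildNumber = int(buildnumber)
    logging.log(1, 'Searching for lsass.exe')
    pid = get_lsass_pid()
    # lazy %-args: the message is only rendered if level 1 is enabled
    logging.log(1, 'Lsass.exe found at PID %d', pid)
    logging.log(1, 'Opening lsass.exe')
    self.lsass_process_handle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    if self.lsass_process_handle is None:
        raise Exception('Failed to open lsass.exe Reason: %s' % WinError(get_last_error()))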
def parse(buff):
msi = MINIDUMP_SYSTEM_INFO()
msi.ProcessorArchitecture = PROCESSOR_ARCHITECTURE(int.from_bytes(buff.read(2), byteorder = 'little', signed = False))
msi.ProcessorLevel = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
msi.ProcessorRevision = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
#the below field is present in the documentation from MSDN, however is not present in the actual dump
#msi.Reserved0 = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
msi.NumberOfProcessors = int.from_bytes(buff.read(1), byteorder = 'little', signed = False)
msi.ProductType = PRODUCT_TYPE(int.from_bytes(buff.read(1), byteorder = 'little', signed = False))
msi.MajorVersion = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
msi.MinorVersion = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
msi.BuildNumber = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
msi.PlatformId = PLATFORM_ID(int.from_bytes(buff.read(4), byteorder = 'little', signed = False))
msi.CSDVersionRva = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
#msi.Reserved1 = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
msi.SuiteMask = SUITE_MASK(int.from_bytes(buff.read(2), byteorder = 'little', signed = False))
msi.Reserved2 = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
if msi.ProcessorArchitecture == PROCESSOR_ARCHITECTURE.INTEL:
for _ in range(3):
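def setup(self):
    """Initialise the live reader against the running host.

    Enables the debug privilege, records the processor architecture and the
    OS build number, then opens a handle to lsass.exe. Sets
    ``self.processor_architecture``, ``self.BuildNumber`` and
    ``self.lsass_process_handle``. The privilege and the handle acquired here
    are highly privileged operations on the host.

    Raises:
        Exception: when ``OpenProcess`` returns ``None``; the message carries
            the Win32 error reported by ``get_last_error()``.
    """
    logging.log(1, 'Enabling debug privilege')
    enable_debug_privilege()
    logging.log(1, 'Getting generic system info')
    sysinfo = GetSystemInfo()
    self.processor_architecture = PROCESSOR_ARCHITECTURE(sysinfo.id.w.wProcessorArchitecture)
    logging.log(1, 'Getting build number')
    # GetVersionEx().dwBuildNumber does not work reliably on frozen binaries,
    # so the build number is taken from the registry instead.
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\')
    try:
        buildnumber, _ = winreg.QueryValueEx(key, 'CurrentBuildNumber')
    finally:
        # release the registry handle; it was previously left open
        winreg.CloseKey(key)
    self.BuildNumber = int(buildnumber)
    logging.log(1, 'Searching for lsass.exe')
    pid = get_lsass_pid()
    # lazy %-args: the message is only rendered if level 1 is enabled
    logging.log(1, 'Lsass.exe found at PID %d', pid)
    logging.log(1, 'Opening lsass.exe')
    self.lsass_process_handle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    if self.lsass_process_handle is None:
        raise Exception('Failed to open lsass.exe Reason: %s' % WinError(get_last_error()))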
self.is_fulldump = True
else:
self.memory_segments = minidumpfile.memory_segments.memory_segments
self.is_fulldump = False
self.filename = minidumpfile.filename
self.file_handle = minidumpfile.file_handle
#reader params
self.sizeof_long = 4
self.unpack_long = '
def read_uint(self):
    """Read an architecture-sized unsigned integer at the current position.

    Consumes 8 bytes when the underlying reader reports an AMD64 processor
    architecture and 4 bytes otherwise; the bytes are decoded little-endian.

    NOTE(review): assumes ``self.read(n)`` hands back exactly ``n`` bytes —
    a short read would decode silently to a smaller value; confirm in the
    reader implementation.
    """
    is_64bit = self.reader.processor_architecture == PROCESSOR_ARCHITECTURE.AMD64
    width = 8 if is_64bit else 4
    return int.from_bytes(self.read(width), 'little', signed=False)
def __init__(self, reader):
    """Consume 4 bytes from ``reader`` and store them as a little-endian unsigned int in ``self.value``."""
    raw = reader.read(4)
    self.value = int.from_bytes(raw, 'little')
class ULONGLONG:
    """8-byte little-endian unsigned integer read from a stream."""

    def __init__(self, reader):
        """Consume 8 bytes from ``reader`` and decode them into ``self.value``."""
        raw = reader.read(8)
        self.value = int.from_bytes(raw, 'little')
class ULONG32:
    """4-byte little-endian unsigned integer read from a stream."""

    def __init__(self, reader):
        """Consume 4 bytes from ``reader`` and decode them into ``self.value``."""
        raw = reader.read(4)
        self.value = int.from_bytes(raw, 'little')
class ULONG64:
    """8-byte little-endian unsigned integer read from a stream."""

    def __init__(self, reader):
        """Consume 8 bytes from ``reader`` and decode them into ``self.value``."""
        raw = reader.read(8)
        self.value = int.from_bytes(raw, 'little')
class PWSTR(POINTER):
    """Pointer read from a stream with no associated pointee type (``None``)."""

    def __init__(self, reader):
        """Delegate to ``POINTER.__init__`` with ``None`` as the pointed-to type."""
        POINTER.__init__(self, reader, None)
class PCHAR(POINTER):
    """Pointer read from a stream whose pointee type is ``CHAR``."""

    def __init__(self, reader):
        """Delegate to ``POINTER.__init__`` with ``CHAR`` as the pointed-to type."""
        POINTER.__init__(self, reader, CHAR)
class USHORT:
    """2-byte little-endian unsigned integer read from a stream."""

    def __init__(self, reader):
        """Consume 2 bytes from ``reader`` and decode them into ``self.value``."""
        raw = reader.read(2)
        self.value = int.from_bytes(raw, 'little')
class SHORT:
    """2-byte little-endian signed (two's complement) integer read from a stream."""

    def __init__(self, reader):
        """Consume 2 bytes from ``reader`` and decode them into ``self.value``."""
        raw = reader.read(2)
        self.value = int.from_bytes(raw, 'little', signed=True)
#https://msdn.microsoft.com/en-us/library/windows/hardware/ff554296(v=vs.85).aspx