diff options
author | Viktor Prutyanov | 2018-08-29 14:41:25 +0200 |
---|---|---|
committer | Paolo Bonzini | 2018-10-02 19:09:12 +0200 |
commit | 3fa2d384c245bcee3a9ecfa11f298b76ea4c9d57 (patch) | |
tree | e6dc921bb305a9d2eb6f6a2d24dcd6f553856883 /contrib/elf2dmp/kdbg.h | |
parent | dump: move Windows dump structures definitions (diff) | |
download | qemu-3fa2d384c245bcee3a9ecfa11f298b76ea4c9d57.tar.gz qemu-3fa2d384c245bcee3a9ecfa11f298b76ea4c9d57.tar.xz qemu-3fa2d384c245bcee3a9ecfa11f298b76ea4c9d57.zip |
contrib: add elf2dmp tool
elf2dmp is a converter from ELF dump (produced by 'dump-guest-memory') to
Windows MEMORY.DMP format (also know as 'Complete Memory Dump') which can be
opened in WinDbg.
This tool can help if VMCoreInfo device/driver is absent in Windows VM and
'dump-guest-memory -w' is not available but dump can be created in ELF format.
The tool works as follows:
1. Determine the system paging root looking at GS_BASE or KERNEL_GS_BASE
to locate the PRCB structure and finds the kernel CR3 nearby if QEMU CPU
state CR3 is not suitable.
2. Find an address within the kernel image by dereferencing the first
IDT entry and scans virtual memory upwards until the start of the
kernel.
3. Download a PDB matching the kernel from the Microsoft symbol store,
and figure out the layout of certain relevant structures necessary for
the dump.
4. Populate the corresponding structures in the memory image and create
the appropriate dump header.
Signed-off-by: Viktor Prutyanov <viktor.prutyanov@virtuozzo.com>
Message-Id: <1535546488-30208-3-git-send-email-viktor.prutyanov@virtuozzo.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'contrib/elf2dmp/kdbg.h')
-rw-r--r-- | contrib/elf2dmp/kdbg.h | 194 |
1 files changed, 194 insertions, 0 deletions
diff --git a/contrib/elf2dmp/kdbg.h b/contrib/elf2dmp/kdbg.h new file mode 100644 index 0000000000..851b57c321 --- /dev/null +++ b/contrib/elf2dmp/kdbg.h @@ -0,0 +1,194 @@ +/* + * Copyright (c) 2018 Virtuozzo International GmbH + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * + */ + +#ifndef KDBG_H +#define KDBG_H + +typedef struct DBGKD_GET_VERSION64 { + uint16_t MajorVersion; + uint16_t MinorVersion; + uint8_t ProtocolVersion; + uint8_t KdSecondaryVersion; + uint16_t Flags; + uint16_t MachineType; + uint8_t MaxPacketType; + uint8_t MaxStateChange; + uint8_t MaxManipulate; + uint8_t Simulation; + uint16_t Unused[1]; + uint64_t KernBase; + uint64_t PsLoadedModuleList; + uint64_t DebuggerDataList; +} DBGKD_GET_VERSION64; + +typedef struct DBGKD_DEBUG_DATA_HEADER64 { + struct LIST_ENTRY64 { + struct LIST_ENTRY64 *Flink; + struct LIST_ENTRY64 *Blink; + } List; + uint32_t OwnerTag; + uint32_t Size; +} DBGKD_DEBUG_DATA_HEADER64; + +typedef struct KDDEBUGGER_DATA64 { + DBGKD_DEBUG_DATA_HEADER64 Header; + + uint64_t KernBase; + uint64_t BreakpointWithStatus; + uint64_t SavedContext; + uint16_t ThCallbackStack; + uint16_t NextCallback; + uint16_t FramePointer; + uint16_t PaeEnabled:1; + uint64_t KiCallUserMode; + uint64_t KeUserCallbackDispatcher; + uint64_t PsLoadedModuleList; + uint64_t PsActiveProcessHead; + uint64_t PspCidTable; + uint64_t ExpSystemResourcesList; + uint64_t ExpPagedPoolDescriptor; + uint64_t ExpNumberOfPagedPools; + uint64_t KeTimeIncrement; + uint64_t KeBugCheckCallbackListHead; + uint64_t KiBugcheckData; + uint64_t IopErrorLogListHead; + uint64_t ObpRootDirectoryObject; + uint64_t ObpTypeObjectType; + uint64_t MmSystemCacheStart; + uint64_t MmSystemCacheEnd; + uint64_t MmSystemCacheWs; + uint64_t MmPfnDatabase; + uint64_t MmSystemPtesStart; + uint64_t MmSystemPtesEnd; + uint64_t MmSubsectionBase; + uint64_t MmNumberOfPagingFiles; + uint64_t MmLowestPhysicalPage; + uint64_t MmHighestPhysicalPage; + uint64_t MmNumberOfPhysicalPages; + uint64_t MmMaximumNonPagedPoolInBytes; + uint64_t MmNonPagedSystemStart; + uint64_t MmNonPagedPoolStart; + uint64_t MmNonPagedPoolEnd; + uint64_t MmPagedPoolStart; + uint64_t MmPagedPoolEnd; + uint64_t MmPagedPoolInformation; + uint64_t MmPageSize; + uint64_t MmSizeOfPagedPoolInBytes; + uint64_t MmTotalCommitLimit; + uint64_t MmTotalCommittedPages; + uint64_t MmSharedCommit; + uint64_t MmDriverCommit; + uint64_t MmProcessCommit; + uint64_t MmPagedPoolCommit; + uint64_t MmExtendedCommit; + uint64_t MmZeroedPageListHead; + uint64_t MmFreePageListHead; + uint64_t MmStandbyPageListHead; + uint64_t MmModifiedPageListHead; + uint64_t MmModifiedNoWritePageListHead; + uint64_t MmAvailablePages; + uint64_t MmResidentAvailablePages; + uint64_t PoolTrackTable; + uint64_t NonPagedPoolDescriptor; + uint64_t MmHighestUserAddress; + uint64_t MmSystemRangeStart; + uint64_t MmUserProbeAddress; + uint64_t KdPrintCircularBuffer; + uint64_t KdPrintCircularBufferEnd; + uint64_t KdPrintWritePointer; + uint64_t KdPrintRolloverCount; + uint64_t MmLoadedUserImageList; + + /* NT 5.1 Addition */ + + uint64_t NtBuildLab; + uint64_t KiNormalSystemCall; + + /* NT 5.0 hotfix addition */ + + uint64_t KiProcessorBlock; + uint64_t MmUnloadedDrivers; + uint64_t MmLastUnloadedDriver; + uint64_t MmTriageActionTaken; + uint64_t MmSpecialPoolTag; + uint64_t KernelVerifier; + uint64_t MmVerifierData; + uint64_t MmAllocatedNonPagedPool; + uint64_t MmPeakCommitment; + uint64_t MmTotalCommitLimitMaximum; + uint64_t CmNtCSDVersion; + + /* NT 5.1 Addition */ + + uint64_t MmPhysicalMemoryBlock; + uint64_t MmSessionBase; + uint64_t MmSessionSize; + uint64_t MmSystemParentTablePage; + + /* Server 2003 addition */ + + uint64_t MmVirtualTranslationBase; + uint16_t OffsetKThreadNextProcessor; + uint16_t OffsetKThreadTeb; + uint16_t OffsetKThreadKernelStack; + uint16_t OffsetKThreadInitialStack; + uint16_t OffsetKThreadApcProcess; + uint16_t OffsetKThreadState; + uint16_t OffsetKThreadBStore; + uint16_t OffsetKThreadBStoreLimit; + uint16_t SizeEProcess; + uint16_t OffsetEprocessPeb; + uint16_t OffsetEprocessParentCID; + uint16_t OffsetEprocessDirectoryTableBase; + uint16_t SizePrcb; + uint16_t OffsetPrcbDpcRoutine; + uint16_t OffsetPrcbCurrentThread; + uint16_t OffsetPrcbMhz; + uint16_t OffsetPrcbCpuType; + uint16_t OffsetPrcbVendorString; + uint16_t OffsetPrcbProcStateContext; + uint16_t OffsetPrcbNumber; + uint16_t SizeEThread; + uint64_t KdPrintCircularBufferPtr; + uint64_t KdPrintBufferSize; + uint64_t KeLoaderBlock; + uint16_t SizePcr; + uint16_t OffsetPcrSelfPcr; + uint16_t OffsetPcrCurrentPrcb; + uint16_t OffsetPcrContainedPrcb; + uint16_t OffsetPcrInitialBStore; + uint16_t OffsetPcrBStoreLimit; + uint16_t OffsetPcrInitialStack; + uint16_t OffsetPcrStackLimit; + uint16_t OffsetPrcbPcrPage; + uint16_t OffsetPrcbProcStateSpecialReg; + uint16_t GdtR0Code; + uint16_t GdtR0Data; + uint16_t GdtR0Pcr; + uint16_t GdtR3Code; + uint16_t GdtR3Data; + uint16_t GdtR3Teb; + uint16_t GdtLdt; + uint16_t GdtTss; + uint16_t Gdt64R3CmCode; + uint16_t Gdt64R3CmTeb; + uint64_t IopNumTriageDumpDataBlocks; + uint64_t IopTriageDumpDataBlocks; + + /* Longhorn addition */ + + uint64_t VfCrashDataBlock; + uint64_t MmBadPagesDetected; + uint64_t MmZeroedPageSingleBitErrorsDetected; + + /* Windows 7 addition */ + + uint64_t EtwpDebuggerData; + uint16_t OffsetPrcbContext; +} KDDEBUGGER_DATA64; + +#endif /* KDBG_H */ |