def check_file(self):
"""Check specifically for 64 bit crash dumps."""
# Must start with the magic PAGEDU64
self.as_assert((self.base.read(0, 8) == 'PAGEDU64'),
"Header signature invalid")
self.profile = crashdump.CrashDump64Profile(session=self.session)
self.as_assert(self.profile.has_type("_DMP_HEADER64"),
"_DMP_HEADER64 not available in profile")
self.header = self.profile.Object("_DMP_HEADER64",
offset=self.offset,
vm=self.base)
# The following error is fatal - abort the voting mechanism.
# Unfortunately Volatility does not set this field correctly, so we do
# not make it a fatal error. It can lead to problems if we try to parse
# other crash dump formats, (Especially Win8 ones - see below) so we
# might consider making this a fatal error in future.
if self.header.DumpType != "Full Dump":
self.session.logging.warning(
"This is not a full memory crash dump. Kernel crash dumps are "
"not supported.")
# Catch this error early or we will hog all memory trying to parse a
# huge number of Runs. On Windows 8 we have observed the DumpType to be
# == 5 and these fields are padded with "PAGE" (i.e. 0x45474150).
if self.header.PhysicalMemoryBlockBuffer.NumberOfRuns > 100:
raise RuntimeError(
"This crashdump file format is not supported. Rekall does not "
"currently support crashdumps using the Win8 format.")
def __init__(self, **kwargs):
super(WindowsCrashBMP, self).__init__(**kwargs)
self.as_assert(self.base, "Must stack on another address space")
# Must start with the magic PAGEDU64
self.as_assert((self.base.read(0, 8) == 'PAGEDU64'),
"Header signature invalid")
self.profile = crashdump.CrashDump64Profile(session=self.session)
self.header = self.profile.Object("_DMP_HEADER64", vm=self.base)
self.as_assert(self.header.DumpType == "BMP Dump",
"Only BMP dumps supported.")
self.bmp_header = self.header.BMPHeader
PAGE_SIZE = 0x1000
# First run [Physical Offset, File Offset, Run length]
first_page = self.bmp_header.FirstPage.v()
last_run = [0, first_page, 0]
for pfn, present in enumerate(self._generate_bitmap()):
if present:
if pfn * PAGE_SIZE == last_run[0] + last_run[2]:
last_run[2] += PAGE_SIZE
else:
# Dump the last run only if it has non zero length.
if last_run[2] > 0:
self.add_run(*last_run)
# The next run starts here.
last_run = [
pfn * PAGE_SIZE, last_run[1] + last_run[2], PAGE_SIZE
]
# Flush the last run if needed.
if last_run[2] > 0:
self.add_run(*last_run)
# Set the DTB from the crash dump header.
self.session.SetCache("dtb",
self.header.DirectoryTableBase.v(),
volatile=False)
def __init__(self, **kwargs):
super(WindowsCrashBMP, self).__init__(**kwargs)
self.as_assert(self.base, "Must stack on another address space")
## Must start with the magic PAGEDU64
self.as_assert((self.base.read(0, 8) == 'PAGEDU64'),
"Header signature invalid")
self.profile = crashdump.CrashDump64Profile(session=self.session)
self.header = self.profile.Object("_DMP_HEADER64", vm=self.base)
self.as_assert(self.header.DumpType == "BMP Dump",
"Only BMP dumps supported.")
self.bmp_header = self.header.BMPHeader
PAGE_SIZE = 0x1000
# The first page is located immediately after the header.
first_page = self.bmp_header.FirstPage.v()
last_run = [0, first_page, 0]
for pfn, present in enumerate(self._generate_bitmap()):
if present:
if pfn * PAGE_SIZE == last_run[0] + last_run[2]:
last_run[2] += PAGE_SIZE
else:
# Dump the last run only if it is non zero.
if last_run[2] > 0:
self.runs.insert(last_run)
# The next run starts here.
last_run = [
pfn * PAGE_SIZE, last_run[1] + last_run[2], PAGE_SIZE
]
# Flush the last run if needed.
if last_run[2] > 0:
self.runs.insert(last_run)