vmi-rs/ephemera
ephemera

Multiplatform Windows kernel crash dump analysis tool with a WinDbg flavor.

Motivation

This is another episode from the series "there doesn't seem to exist such thing".

I often find myself needing to analyze Windows kernel crash dumps on non-Windows platforms. Surprisingly, WinDbg/cdb runs rather poorly under Wine. Also, even on Windows, WinDbg is notoriously slow.

I also thought this would be a fun showcase for the vmi-rs framework.

Initially, I planned to make ephemera a general-purpose memory forensics framework - similar to Volatility or Rekall - but I quickly realized that the scope of such a project is incompatible with the amount of time I can realistically dedicate to this.

Maybe, some day. Who knows.

Features

  • Supports symbol caching and PDB downloading/parsing via the isr crate.
  • Supports only Windows kernel crash dumps (i.e. MEMORY.DMP files).
  • Supports only AMD64 architecture.
  • Supports only a small subset of WinDbg commands (see below).
  • It's fast. Really fast. !process 0 7 takes minutes in WinDbg. In ephemera, it takes about 1 second on a 4GB dump (if all symbols are already cached).

Demo

demo.mp4

Usage

Here's a short list of currently supported commands:

Commands:
  !analyze                             Analyze the crash.
  !process [Proc [Flags [Image]]]      Information about a process or all processes.
                                       Proc: PID, EPROCESS addr, 0 (all), -1 (current).
  !thread  [Thread [Flags]]            Information about a thread or all threads.
                                       Thread: TID, ETHREAD addr, 0 (all), -1 (current).
  dt <type> [address]                  Display type layout, optionally at an address.
  db  [Address [L<Count> | Address2]]  Display memory as bytes and ASCII.
                                       Address: hex, 0n<decimal>, register, or module!symbol.
                                                Arithmetic: a+b, a-b. Empty module means nt.
  dd  [Address [L<Count> | Address2]]  Display memory as DWORDs.
  dq  [Address [L<Count> | Address2]]  Display memory as QWORDs.
  dp  [Address [L<Count> | Address2]]  Alias for dq on 64-bit.
  dps [Address [L<Count> | Address2]]  Display memory as QWORDs with symbols.
  k  [FrameCount]                      Display stack backtrace: Child-SP, RetAddr, Call Site.
  kb [FrameCount]                      As k, plus the first four home-space args per frame.
  kc [FrameCount]                      As k, Call Site only.
  kv [FrameCount]                      As kb, plus TrapFrame @ addr for trap-handler frames.
  r [Reg]                              Display registers.
                                       Reg: rax..r15, rip, rsp, rbp, cs/ds/es/fs/gs/ss, efl.
  .process [/r] [/p] <address>         Set the process context.
  .thread  [/r] [/p] <address>         Set the register context to a thread.
  ~<n>                                 Change the current processor.
  .help, help, ?                       Show this list.
  q, quit, .quit                       Exit the REPL.
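The address syntax listed above for db/dd/dq/dps (hex, 0n<decimal>, register, module!symbol with an empty module meaning nt, a+b/a-b, and the L<Count> | Address2 range form) is compact enough to implement in one place. The following is an added example written for this README, not ephemera's own parser; the Resolver struct and its register/symbol tables are assumptions filled with constructed sample values.

```rust
// Added example, not ephemera's code: parse the address syntax from the command list
// (hex, 0n<decimal>, register, module!symbol, a+b/a-b, empty module = nt) and ranges.
use std::collections::HashMap;
/// Lookup tables the parser resolves against (filled with constructed sample values).
pub struct Resolver {
    pub regs: HashMap<String, u64>,              // "rsp" -> register value
    pub symbols: HashMap<(String, String), u64>, // ("nt", "KiSystemCall64") -> address
}
/// One operand: 0n<decimal>, module!symbol, register name, or hex (0x optional, ` allowed).
fn operand(r: &Resolver, tok: &str) -> Result<u64, String> {
    let tok = tok.trim();
    if let Some(dec) = tok.strip_prefix("0n") {
        return dec.parse().map_err(|e| format!("bad decimal '{tok}': {e}"));
    }
    if let Some((module, sym)) = tok.split_once('!') {
        let module = if module.is_empty() { "nt" } else { module }; // empty module means nt
        let key = (module.to_lowercase(), sym.to_string());
        return r.symbols.get(&key).copied().ok_or(format!("unresolved {module}!{sym}"));
    }
    if let Some(v) = r.regs.get(&tok.to_lowercase()) {
        return Ok(*v); // registers are tried before hex, so "rsp" is never parsed as hex
    }
    let hex = tok.strip_prefix("0x").unwrap_or(tok).replace('`', "");
    u64::from_str_radix(&hex, 16).map_err(|e| format!("bad address '{tok}': {e}"))
}
/// `a`, `a+b` or `a-b`, evaluated left to right with wrapping arithmetic.
pub fn eval(r: &Resolver, expr: &str) -> Result<u64, String> {
    let (mut acc, mut op, mut start, bytes) = (0u64, b'+', 0usize, expr.as_bytes());
    for i in 0..=bytes.len() {
        let at_op = i < bytes.len() && matches!(bytes[i], b'+' | b'-') && i > start;
        if i == bytes.len() || at_op {
            let v = operand(r, &expr[start..i])?;
            acc = if op == b'+' { acc.wrapping_add(v) } else { acc.wrapping_sub(v) };
            if at_op { op = bytes[i]; start = i + 1; }
        }
    }
    Ok(acc)
}
/// `Address [L<Count> | Address2]` -> (start, element count) for `width`-byte elements
/// (8 for dq); `default` is the count used when only an address is given.
pub fn range(r: &Resolver, args: &[&str], width: u64, default: u64) -> Result<(u64, u64), String> {
    let start = eval(r, args.first().ok_or("missing address")?)?;
    let count = match args.get(1) {
        None => default,
        Some(l) if l.starts_with('L') || l.starts_with('l') =>
            u64::from_str_radix(&l[1..], 16).map_err(|e| format!("bad count '{l}': {e}"))?,
        Some(end) => (eval(r, end)?.checked_sub(start).ok_or("end before start")? + width - 1) / width,
    };
    Ok((start, count))
}
```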

FAQ

  • Could it be made into a full-fledged debugger, with support for live debugging, breakpoints, ...?

    Yes! Quite easily, actually. vmi-rs supports multiple backend drivers, so it's just a matter of replacing VmiKdmpDriver with something else. Implementing a new driver is also pretty straightforward - for read-only operations you only need to implement the VmiRead trait.

License

This project is licensed under the MIT license.
