Multiplatform windows kernel crash dump analysis tool with a WinDbg flavor.
This is another episode from the series "there doesn't seem to exist such thing".
I often find myself needing to analyze Windows kernel crash dumps on non-Windows platforms. Surprisingly, WinDbg/cdb runs rather poorly under Wine. Also, even on Windows, WinDbg is notoriously slow.
I also thought this would be a fun showcase for the vmi-rs framework.
Initially, I planned to make ephemera a general-purpose memory forensics framework - similar to Volatility or Rekall - but I quickly realized that the scope of such a project is incompatible with the amount of time I can realistically dedicate to this.
Maybe, some day. Who knows.
- Supports symbol caching and PDB downloading/parsing via [isr].
- Supports only Windows kernel crash dumps (i.e. `MEMORY.DMP` files).
- Supports only the AMD64 architecture.
- Supports only a small subset of WinDbg commands (see below).
- It's fast. Really fast.
`!process 0 7` takes minutes in WinDbg. In ephemera, it takes about 1 second on a 4GB dump (if all symbols are already cached).
Here's a short list of currently supported commands:

```
Commands:
  !analyze                             Analyze the crash.
  !process [Proc [Flags [Image]]]      Information about a process or all processes.
                                         Proc: PID, EPROCESS addr, 0 (all), -1 (current).
  !thread [Thread [Flags]]             Information about a thread or all threads.
                                         Thread: TID, ETHREAD addr, 0 (all), -1 (current).
  dt <type> [address]                  Display type layout, optionally at an address.
  db [Address [L<Count> | Address2]]   Display memory as bytes and ASCII.
                                         Address: hex, 0n<decimal>, register, or module!symbol.
                                         Arithmetic: a+b, a-b. Empty module means nt.
  dd [Address [L<Count> | Address2]]   Display memory as DWORDs.
  dq [Address [L<Count> | Address2]]   Display memory as QWORDs.
  dp [Address [L<Count> | Address2]]   Alias for dq on 64-bit.
  dps [Address [L<Count> | Address2]]  Display memory as QWORDs with symbols.
  k [FrameCount]                       Display stack backtrace: Child-SP, RetAddr, Call Site.
  kb [FrameCount]                      As k, plus the first four home-space args per frame.
  kc [FrameCount]                      As k, Call Site only.
  kv [FrameCount]                      As kb, plus TrapFrame @ addr for trap-handler frames.
  r [Reg]                              Display registers.
                                         Reg: rax..r15, rip, rsp, rbp, cs/ds/es/fs/gs/ss, efl.
  .process [/r] [/p] <address>         Set the process context.
  .thread [/r] [/p] <address>          Set the register context to a thread.
  ~<n>                                 Change the current processor.
  .help, help, ?                       Show this list.
  q, quit, .quit                       Exit the REPL.
```
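The address syntax the memory commands accept (hex, `0n<decimal>`, a register, `module!symbol` with an empty module meaning `nt`, and `a+b` / `a-b` arithmetic) can be evaluated with a small left-to-right expression walker. The Rust below is an added example, not ephemera's own parser: the `Env` struct, `sample_env` and its register and symbol values are constructed stand-ins for what the tool would read from the dump and its symbol cache.

```rust
use std::collections::HashMap;

/// Constructed stand-in for ephemera's register/symbol state (not its real API):
/// register values and `module!symbol` addresses from a hypothetical dump.
pub struct Env {
    pub regs: HashMap<&'static str, u64>,
    pub symbols: HashMap<String, u64>, // key: "<module lowercase>!<Symbol>"
}

pub fn sample_env() -> Env {
    let regs = HashMap::from([("rsp", 0xfffff800_1c8e8000u64), ("rax", 0x42)]);
    let symbols = HashMap::from([("nt!KeBugCheckEx".to_string(), 0xfffff800_12345000u64)]);
    Env { regs, symbols }
}

/// One operand: `0n<decimal>`, `module!symbol` (empty module means nt),
/// a register name, or a hex number (with or without the 0x prefix).
fn parse_term(term: &str, env: &Env) -> Result<u64, String> {
    let t = term.trim();
    if t.is_empty() { return Err("empty term".into()); }
    if let Some(dec) = t.strip_prefix("0n") {
        return dec.parse::<u64>().map_err(|e| format!("bad decimal {t}: {e}"));
    }
    if let Some((module, sym)) = t.split_once('!') {
        let module = if module.is_empty() { "nt" } else { module };
        let key = format!("{}!{}", module.to_ascii_lowercase(), sym);
        return env.symbols.get(&key).copied().ok_or(format!("unresolved {key}"));
    }
    // Registers are checked before hex so names like `rax` never parse as digits.
    if let Some(v) = env.regs.get(t.to_ascii_lowercase().as_str()) {
        return Ok(*v);
    }
    let hex = t.strip_prefix("0x").unwrap_or(t);
    u64::from_str_radix(hex, 16).map_err(|e| format!("bad hex {t}: {e}"))
}

/// Evaluate `a+b-c...` left to right with 64-bit wrapping arithmetic.
pub fn eval_address(expr: &str, env: &Env) -> Result<u64, String> {
    let (mut acc, mut op, mut start) = (0u64, '+', 0usize);
    // A '\0' sentinel at the end flushes the final term.
    let ends = expr.char_indices().chain(std::iter::once((expr.len(), '\0')));
    for (i, c) in ends {
        if matches!(c, '+' | '-' | '\0') {
            let v = parse_term(&expr[start..i], env)?;
            acc = if op == '+' { acc.wrapping_add(v) } else { acc.wrapping_sub(v) };
            (op, start) = (c, i + 1);
        }
    }
    Ok(acc)
}
```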
Could it be made into a full-fledged debugger, with support for live debugging, breakpoints, ...?
Yes! Quite easily, actually.
`vmi-rs` supports multiple backend drivers, so it's just a matter of replacing `VmiKdmpDriver` with something else. Implementing a new driver is also pretty straightforward - for read-only operations you only need to implement the `VmiRead` trait.
This project is licensed under the MIT license.