probe

package
v0.0.0-...-561fc3e Latest
Published: Dec 25, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

README

How this works, and how to test.

How this works

Windows ships a limited subset of the debugger functionality with the base OS. This lets us execute some (not all) debugger commands when we discover a crash dump file, but the output is very limited: it simply emits the strings that would appear in the debugger, so we have to parse that text to find the parts we're interested in. A sample of the output is supplied below.

How to (really) test

Unfortunately, actually testing the parser requires actual dumps, and actual dumps are multiple gigabytes of data. To test manually, in a VM (don't do this on your own machine), install the crasher driver (TBD: linked here) and start it. It will immediately crash. On reboot there will be a crash dump to parse, and (assuming the agent is installed) the agent will find and report it.

Sample output from debugger callback.

Note that the string below is somewhat formatted. In practice, the string is sent to the callback in chunks, and the chunk boundaries do not necessarily fall on, for example, newline boundaries.

=== cut here ===

Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Windows 10 Kernel Version 14393 MP (2 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 14393.5989.amd64fre.GitEnlistment.230602-1907
Machine Name:
Kernel base = 0xfffff8004567f000 PsLoadedModuleList = 0xfffff80045984cf0
Debug session time: Mon Jun 26 20:44:49.742 2023 (UTC - 7:00)
System Uptime: 0 days 0:03:58.449
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols

Loading unloaded module list
...........

************* Symbol Loading Error Summary **************
Module name            Error
ntkrnlmp               The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
Unable to add extension DLL: kdexts
Unable to add extension DLL: kext
Unable to add extension DLL: exts
The call to LoadLibrary(ext) failed, Win32 error 0n2
    "The system cannot find the file specified."
Please check your debugger configuration and/or network access.
The call to LoadLibrary(ext) failed, Win32 error 0n2
    "The system cannot find the file specified."
Please check your debugger configuration and/or network access.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Bugcheck code 0000007E
Arguments ffffffffc0000005 fffff806f7e010e6 ffffb481789326a8 ffffb48178931ef0

RetAddr          : Args to Child                                                       : Call Site
fffff800457f4db0 : 000000000000007e ffffffffc0000005 fffff806f7e010e6 ffffb481789326a8 : nt!KeBugCheckEx
fffff800457cb7bf : 0000000000000004 0000000000000000 00007fffffff0000 ffffc5821b4e3800 : nt!memset+0x5530
fffff800457e602d : ffffb48178933000 ffffb481789318c0 0000000000000000 0000000000000050 : nt!_C_specific_handler+0x9f
fffff800457742a1 : ffffb48178933000 0000000000000000 ffffb4817892d000 0000000000000000 : nt!_chkstk+0x5d
fffff800457730c4 : ffffb481789326a8 ffffb481789323f0 ffffb481789326a8 ffffb48178932570 : nt!KeQuerySystemTimePrecise+0x27d1
fffff800457ee482 : 00003c7400000000 fffff800458a1d00 0000000000000000 fffff80045d940c4 : nt!KeQuerySystemTimePrecise+0x15f4
fffff800457eafc0 : 0000000000000000 fffff80045a97fe0 ffff83012c077220 ffffc5821bb72c30 : nt!setjmpex+0x7622
fffff806f7e010e6 : 0000000000000001 0000000000000000 ffffb48176e2e000 fffff800456e6511 : nt!setjmpex+0x4160
*** ERROR: Module load completed but symbols could not be loaded for ddapmcrash.sys
fffff806f7e07020 : ffffc5821bb72c30 ffffc58219f18000 ffffc5821bb72c30 ffff3ac8f399d666 : ddapmcrash+0x10e6
fffff80045b338f7 : 0000000000000000 0000000000000000 ffffc5821bb72c30 ffffffff000001c8 : ddapmcrash+0x7020
fffff80045ad140e : 0000000000000000 0000000000000000 0000000000000000 fffff80045a3e2c0 : nt!FsRtlNotifyVolumeEventEx+0x243b
fffff80045715dc9 : fffff80000000000 ffffffff80000ba4 ffffc5821b4e3800 fffff80045a3e2c0 : nt!MmGetPhysicalMemoryRangesEx+0xb56
fffff800456c6f85 : ffffc5821b4e3800 0000000000000080 ffffc58218a636c0 ffffc5821b4e3800 : nt!KdPollBreakIn+0x8059
fffff800457e4df6 : ffffb48176e15180 ffffc5821b4e3800 fffff800456c6f44 0000000000000246 : nt!PsGetProcessSessionIdEx+0x2d5
0000000000000000 : ffffb48178933000 ffffb4817892d000 0000000000000000 00000000`00000000 : nt!KeSynchronizeExecution+0x7756

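As an added example, not the package's own parser, the Go code below reassembles callback chunks that are not split on newline boundaries and pulls the bug check code, the debug session time and the first non-kernel module on the stack (the likely offender) out of a constructed excerpt of the output above. The names CrashInfo, ParseChunks and Chunked are the example's own, and the regular expressions assume the frame layout shown in the sample.

```go
package main

import (
	"regexp"
	"strings"
)

// CrashInfo mirrors the WinCrashStatus fields the debugger text is parsed for.
type CrashInfo struct{ BugCheck, DateString, Offender string }

var reBugCheck = regexp.MustCompile(`^Bugcheck code ([0-9A-Fa-f]{8})`)
var reDate = regexp.MustCompile(`^Debug session time: (.+)$`)

// A stack frame reads "<retaddr> : <4 args> : <module>!<sym>+<off>" or "<module>+<off>".
var reFrame = regexp.MustCompile("^[0-9a-f]{16} : (?:[0-9a-f`]{16,17} ){4}: ([A-Za-z0-9_]+)[!+]")

// ParseChunks reassembles callback chunks that need not end on newline boundaries and parses each complete line.
func ParseChunks(chunks []string) CrashInfo {
	var info CrashInfo
	pending := ""
	for _, c := range chunks {
		pending += c
		for i := strings.IndexByte(pending, '\n'); i >= 0; i = strings.IndexByte(pending, '\n') {
			parseLine(strings.TrimRight(pending[:i], "\r"), &info)
			pending = pending[i+1:]
		}
	}
	parseLine(pending, &info) // flush a trailing line that never received its newline
	return info
}

func parseLine(l string, info *CrashInfo) {
	if m := reBugCheck.FindStringSubmatch(l); m != nil {
		info.BugCheck = m[1]
	} else if m := reDate.FindStringSubmatch(l); m != nil {
		info.DateString = m[1]
	} else if m := reFrame.FindStringSubmatch(l); m != nil && info.Offender == "" && m[1] != "nt" {
		info.Offender = m[1] // first frame outside the kernel image is the likely offender
	}
}
// Sample is a constructed excerpt of the page's callback output so the example runs offline.
const Sample = "Debug session time: Mon Jun 26 20:44:49.742 2023 (UTC - 7:00)\n" +
	"Bugcheck code 0000007E\n" +
	"fffff800457f4db0 : 000000000000007e ffffffffc0000005 fffff806f7e010e6 ffffb481789326a8 : nt!KeBugCheckEx\n" +
	"fffff806f7e07020 : ffffc5821bb72c30 ffffc58219f18000 ffffc5821bb72c30 ffff3ac8f399d666 : ddapmcrash+0x10e6"

// Chunked splits text into fixed-size pieces, mimicking how the callback delivers it.
func Chunked(text string, size int) []string {
	var out []string
	for ; len(text) > size; text = text[size:] {
		out = append(out, text[:size])
	}
	return append(out, text)
}
```

Calling ParseChunks(Chunked(Sample, 7)) yields BugCheck "0000007E", Offender "ddapmcrash" and the debug session time string, even though no 7-byte chunk contains a whole line.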

Documentation

Rendered for windows/amd64

Overview

Package probe parses Windows crash dumps.

Index

Constants

const (
	DumpTypeUnknown      = int(-1)
	DumpTypeNone         = int(0) // none
	DumpTypeFull         = int(1) // complete, active
	DumpTypeSummary      = int(2) // kernel
	DumpTypeHeader       = int(3) // small
	DumpTypeTriage       = int(4)
	DumpTypeBitmapFull   = int(5)
	DumpTypeBitmapKernel = int(6)
	DumpTypeAutomatic    = int(7) // automatic
)

These constants represent the REG_DWORD value in the registry for the dump type that is currently configured. The types are not explicitly documented; they were discovered through a combination of helpful web searches and trial and error. The values with explicit comments were validated by trial and error; the remainder were found under the table "Value of CrashDumpEnabled" at https://crashdmp.wordpress.com/crash-mechanism/configuration/

const (
	// WinCrashStatusCodeUnknown indicates an invalid or corrupted code.
	WinCrashStatusCodeUnknown = int(-1)

	// WinCrashStatusCodeSuccess indicates that crash dump processing succeeded
	// or no crash dump was found.
	WinCrashStatusCodeSuccess = int(0)

	// WinCrashStatusCodeBusy indicates that crash dump processing is still busy
	// and no result is yet available.
	WinCrashStatusCodeBusy = int(1)

	// WinCrashStatusCodeFailed indicates that crash dump processing failed or had an error.
	WinCrashStatusCodeFailed = int(2)
)

Variables

This section is empty.

Functions

This section is empty.

Types

type WinCrashProbe

type WinCrashProbe struct {
	// contains filtered or unexported fields
}

WinCrashProbe has no stored state.

func NewWinCrashProbe

func NewWinCrashProbe(_ *sysconfigtypes.Config) (*WinCrashProbe, error)

NewWinCrashProbe returns an initialized WinCrashProbe

func (*WinCrashProbe) Get

func (p *WinCrashProbe) Get() *WinCrashStatus

Get returns the current crash, if any

type WinCrashStatus

type WinCrashStatus struct {
	StatusCode int    `json:"statuscode"`
	ErrString  string `json:"errstring"`
	FileName   string `json:"filename"`
	Type       int    `json:"dumptype"`
	DateString string `json:"datestring"`
	Offender   string `json:"offender"`
	BugCheck   string `json:"buckcheckcode"`
}

WinCrashStatus defines all of the information returned from the system probe to the caller.
