Today’s a new day: win32dd 1.2 out!

Posted by Matthieu Suiche on Wednesday, November 5, 2008 · 4 Comments 


Download win32dd v1.2.20081105 now!


New features coming into this version — but the most notable feature is the capacity to generate Microsoft crash dump file without rebooting or generating a BSOD. This mean you can load your memory snapshot into WinDbg.

Here is a sample of output using WinDbg

  1. Symbol search path is: SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
  2. Executable search path is:
  3. Windows Server 2008 Kernel Version 6001 (Service Pack 1) UP Free x86 compatible
  4. Product: WinNt, suite: TerminalServer SingleUserTS
  5. Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
  6. Kernel base = 0×81818000 PsLoadedModuleList = 0×8192fc70
  7. Debug session time: Wed Nov  5 01:43:02.460 2008 (GMT-8)
  8. System Uptime: 0 days 0:10:45.293
  9. WARNING: Process directory table base 3DA26440 doesn‘t match CR3 00122000
  10. WARNING: Process directory table base 3DA26440 doesn’t match CR3 00122000
  11. Loading Kernel Symbols
  12. …………………………………………………………………………………………………………………….
  13. Loading User Symbols
  14. …………
  15. Loading unloaded module list
  16. …..
  17. kd> !process 0 0
  18. **** NT ACTIVE PROCESS DUMP ****
  19. PROCESS 82f58910  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
  20.     DirBase: 00122000  ObjectTable: 862000b8  HandleCount: 512.
  21.     Image: System
  22.  
  23. PROCESS 852032d0  SessionId: none  Cid: 0190    Peb: 7ffdf000  ParentCid: 0004
  24.     DirBase: 3da26020  ObjectTable: 87bd8008  HandleCount:  28.
  25.     Image: smss.exe
  26.  
  27. PROCESS 84b58b68  SessionId: 0  Cid: 0200    Peb: 7ffd8000  ParentCid: 01f4
  28.     DirBase: 3da26060  ObjectTable: 8c954fc8  HandleCount: 406.
  29.     Image: csrss.exe
  30. [..]
  31. kd> lm
  32. start    end        module name
  33. 00400000 00413000   win32dd_400000   (deferred)            
  34. 77290000 7733a000   msvcrt     (deferred)            
  35. 77340000 77403000   RPCRT4     (deferred)            
  36. 77410000 7748d000   USP10      (deferred)            
  37. 77720000 777e6000   ADVAPI32   (deferred)            
  38. 777f0000 7788d000   USER32     (deferred)            
  39. 77890000 7796b000   kernel32   (deferred)            
  40. 77b50000 77c18000   MSCTF      (deferred)            
  41. 77c20000 77d47000   ntdll      (pdb symbols)          C:\WINDOWS\Symbols\ntdll.pdb\B958B2F91A5A46B889DAFAB4D140CF252\ntdll.pdb
  42. 77d50000 77d59000   LPK        (deferred)            
  43. 77d80000 77d9e000   IMM32      (deferred)            
  44. 77e30000 77e7b000   GDI32      (deferred)            
  45. 80406000 8040e000   kdcom      (deferred)            
  46. 8040e000 8041f000   PSHED      (deferred)            
  47. 8041f000 80427000   BOOTVID    (deferred)            
  48. 80427000 80468000   CLFS       (deferred)      
  49. [..]

In addition to \\Device\\PhysicalMemory reading, win32dd 1.2 provides an option (level) to directly use physical memory address mapping (Microsoft API) to avoid to access the physical memory device.

The crashdump generation take care of the previous blogpost. And works from Windows 2000 to Windows 2008 and probably Windows Seven.

Feel free to give some feedback!

I’d like to thanks Aaron for his positive influence on win32dd developement :)

Filed under Windows · Tagged with

About Matthieu Suiche

Comments

4 Responses to “Today’s a new day: win32dd 1.2 out!”
  1. xsoliman says:
    December 2, 2008 at 6:25 pm

    But 32bit only

    Works by dynamically loading a device driver (like livekd etc)

    For x64:
    livekd (x64) will work on w2k3 x64
    and can do .dump /f memory.dmp
    although the dump with have some inconsistencies due to live data structures changing as it dumps

    livekd x64 will work on Vista/W2008 if booted in bypass driver signing mode

  2. Matthieu Suiche says:
    December 4, 2008 at 7:49 pm

    That’s why the name is actually win32dd and not win64dd.

  3. JimmyW says:
    December 31, 2008 at 10:51 pm

    Matthieu, do you plan to build an x64 driver? FWIW, I tried to run ManTech’s MDD on XP64, SP2, and it crashed the system. My system has 8GB RAM, and the documentation does say MDD creates a 4GB snapshot, so perhaps the crash should not be surprising. In Vista 64, I have to get around the driver signing issue. Thanks.

  4. Matthieu Suiche says:
    January 6, 2009 at 2:27 pm

    @xsoliman: http://support.microsoft.com/kb/274598/ “Complete memory dumps are not available on computers that have 2 or more gigabytes of RAM” I guess this also apply to Windbg/livekd option.