How to use minidump - 10 common examples

To help you get started, we’ve selected a few minidump examples, based on popular ways it is used in public projects.


def read_uint(self):
		"""
		Read one architecture-sized unsigned integer from the current position.

		The value is little-endian and unsigned. 8 bytes are consumed when the
		underlying reader reports AMD64; any other architecture value falls
		through to 4 bytes.
		"""
		# Pointer width follows the reader's reported architecture, not the host.
		width = 8 if self.reader.processor_architecture == PROCESSOR_ARCHITECTURE.AMD64 else 4
		# A short read is not detected here: int.from_bytes decodes however
		# many bytes self.read() handed back (an empty read decodes to 0).
		raw = self.read(width)
		return int.from_bytes(raw, 'little', signed=False)
else:
			self.memory_segments = minidumpfile.memory_segments.memory_segments
			self.is_fulldump = False

		self.filename = minidumpfile.filename
		self.file_handle = minidumpfile.file_handle

		#reader params
		self.sizeof_long = 4
		self.unpack_long = '
def read_uint(self):
		"""
		Read one architecture-sized unsigned integer from the current position.

		The value is little-endian and unsigned. 8 bytes are consumed when the
		underlying reader reports AMD64; any other architecture value falls
		through to 4 bytes.
		"""
		# Pointer width follows the reader's reported architecture, not the host.
		width = 8 if self.reader.processor_architecture == PROCESSOR_ARCHITECTURE.AMD64 else 4
		# A short read is not detected here: int.from_bytes decodes however
		# many bytes self.read() handed back (an empty read decodes to 0).
		raw = self.read(width)
		return int.from_bytes(raw, 'little', signed=False)
if minidumpfile.memory_segments_64:
			self.memory_segments = minidumpfile.memory_segments_64.memory_segments
			self.is_fulldump = True

		else:
			self.memory_segments = minidumpfile.memory_segments.memory_segments
			self.is_fulldump = False

		self.filename = minidumpfile.filename
		self.file_handle = minidumpfile.file_handle

		#reader params
		self.sizeof_long = 4
		self.unpack_long = '
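def setup(self):
		"""
		Prepare the live reader against the running host.

		Enables the debug privilege, records the host processor architecture
		(self.processor_architecture) and the OS build number read from the
		registry (self.BuildNumber), locates lsass.exe and opens a process
		handle to it (self.lsass_process_handle).

		Raises:
			Exception: when OpenProcess returns None; the message carries the
				Win32 error text from WinError(get_last_error()).
		"""
		logging.log(1, 'Enabling debug privilege')
		enable_debug_privilege()
		logging.log(1, 'Getting generic system info')
		sysinfo = GetSystemInfo()
		self.processor_architecture = PROCESSOR_ARCHITECTURE(sysinfo.id.w.wProcessorArchitecture)

		logging.log(1, 'Getting build number')
		# GetVersionEx().dwBuildNumber is deliberately not used: the original
		# author found it unreliable in frozen binaries, so the registry is
		# consulted instead.
		# The key is opened in a context manager so the registry handle is
		# closed even when QueryValueEx raises; previously it was never closed.
		with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\') as key:
			buildnumber, _ = winreg.QueryValueEx(key, 'CurrentBuildNumber')
		self.BuildNumber = int(buildnumber)

		logging.log(1, 'Searching for lsass.exe')
		pid = get_lsass_pid()
		logging.log(1, 'Lsass.exe found at PID %d' % pid)
		logging.log(1, 'Opening lsass.exe')
		# NOTE(review): PROCESS_ALL_ACCESS is broader than a memory reader
		# strictly needs, and a process-access to lsass.exe after raising the
		# debug privilege is a standard endpoint-monitoring signal. The mask
		# is kept because the access the rest of the reader relies on is not
		# visible here -- confirm before narrowing it.
		self.lsass_process_handle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
		if self.lsass_process_handle is None:
			raise Exception('Failed to open lsass.exe Reason: %s' % WinError(get_last_error()))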
def parse(buff):
		msi = MINIDUMP_SYSTEM_INFO()
		msi.ProcessorArchitecture = PROCESSOR_ARCHITECTURE(int.from_bytes(buff.read(2), byteorder = 'little', signed = False))
		msi.ProcessorLevel = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
		msi.ProcessorRevision = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
		#the below field is present in the documentation from MSDN, however is not present in the actual dump
		#msi.Reserved0 = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
		msi.NumberOfProcessors = int.from_bytes(buff.read(1), byteorder = 'little', signed = False)
		msi.ProductType = PRODUCT_TYPE(int.from_bytes(buff.read(1), byteorder = 'little', signed = False))
		msi.MajorVersion = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
		msi.MinorVersion = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
		msi.BuildNumber = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
		msi.PlatformId = PLATFORM_ID(int.from_bytes(buff.read(4), byteorder = 'little', signed = False))
		msi.CSDVersionRva = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
		#msi.Reserved1 = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
		msi.SuiteMask = SUITE_MASK(int.from_bytes(buff.read(2), byteorder = 'little', signed = False))
		msi.Reserved2 = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
		if msi.ProcessorArchitecture == PROCESSOR_ARCHITECTURE.INTEL:
			for _ in range(3):
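def setup(self):
		"""
		Prepare the live reader against the running host.

		Enables the debug privilege, records the host processor architecture
		(self.processor_architecture) and the OS build number read from the
		registry (self.BuildNumber), locates lsass.exe and opens a process
		handle to it (self.lsass_process_handle).

		Raises:
			Exception: when OpenProcess returns None; the message carries the
				Win32 error text from WinError(get_last_error()).
		"""
		logging.log(1, 'Enabling debug privilege')
		enable_debug_privilege()
		logging.log(1, 'Getting generic system info')
		sysinfo = GetSystemInfo()
		self.processor_architecture = PROCESSOR_ARCHITECTURE(sysinfo.id.w.wProcessorArchitecture)

		logging.log(1, 'Getting build number')
		# GetVersionEx().dwBuildNumber is deliberately not used: the original
		# author found it unreliable in frozen binaries, so the registry is
		# consulted instead.
		# The key is opened in a context manager so the registry handle is
		# closed even when QueryValueEx raises; previously it was never closed.
		with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\') as key:
			buildnumber, _ = winreg.QueryValueEx(key, 'CurrentBuildNumber')
		self.BuildNumber = int(buildnumber)

		logging.log(1, 'Searching for lsass.exe')
		pid = get_lsass_pid()
		logging.log(1, 'Lsass.exe found at PID %d' % pid)
		logging.log(1, 'Opening lsass.exe')
		# NOTE(review): PROCESS_ALL_ACCESS is broader than a memory reader
		# strictly needs, and a process-access to lsass.exe after raising the
		# debug privilege is a standard endpoint-monitoring signal. The mask
		# is kept because the access the rest of the reader relies on is not
		# visible here -- confirm before narrowing it.
		self.lsass_process_handle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
		if self.lsass_process_handle is None:
			raise Exception('Failed to open lsass.exe Reason: %s' % WinError(get_last_error()))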
self.is_fulldump = True

		else:
			self.memory_segments = minidumpfile.memory_segments.memory_segments
			self.is_fulldump = False

		self.filename = minidumpfile.filename
		self.file_handle = minidumpfile.file_handle

		#reader params
		self.sizeof_long = 4
		self.unpack_long = '
def read_uint(self):
		"""
		Read one architecture-sized unsigned integer from the current position.

		The value is little-endian and unsigned. 8 bytes are consumed when the
		underlying reader reports AMD64; any other architecture value falls
		through to 4 bytes.
		"""
		# Pointer width follows the reader's reported architecture, not the host.
		width = 8 if self.reader.processor_architecture == PROCESSOR_ARCHITECTURE.AMD64 else 4
		# A short read is not detected here: int.from_bytes decodes however
		# many bytes self.read() handed back (an empty read decodes to 0).
		raw = self.read(width)
		return int.from_bytes(raw, 'little', signed=False)
def __init__(self, reader):
		"""Read a 4-byte little-endian unsigned value from reader into self.value."""
		# The enclosing class is above this excerpt. A short read is not
		# detected: int.from_bytes decodes whatever bytes came back (an empty
		# read yields 0), so a truncated input produces a wrong value silently.
		raw = reader.read(4)
		self.value = int.from_bytes(raw, 'little', signed=False)
		
class ULONGLONG:
	"""Unsigned 64-bit little-endian integer consumed from a reader."""
	def __init__(self, reader):
		# Eight bytes are requested; a short read is not detected, as
		# int.from_bytes decodes whatever the reader returned (empty -> 0).
		raw = reader.read(8)
		self.value = int.from_bytes(raw, 'little', signed=False)

class ULONG32:
	"""Unsigned 32-bit little-endian integer consumed from a reader."""
	def __init__(self, reader):
		# Four bytes are requested; a short read is not detected, as
		# int.from_bytes decodes whatever the reader returned (empty -> 0).
		raw = reader.read(4)
		self.value = int.from_bytes(raw, 'little', signed=False)
		
class ULONG64:
	"""Unsigned 64-bit little-endian integer consumed from a reader."""
	def __init__(self, reader):
		# Eight bytes are requested; a short read is not detected, as
		# int.from_bytes decodes whatever the reader returned (empty -> 0).
		raw = reader.read(8)
		self.value = int.from_bytes(raw, 'little', signed=False)
		
class PWSTR(POINTER):
	"""POINTER read from a reader with no target type attached (None)."""
	def __init__(self, reader):
		# Defers entirely to POINTER; what POINTER does with a None target
		# is defined there, not here.
		super(PWSTR, self).__init__(reader, None)
		
class PCHAR(POINTER):
	"""POINTER read from a reader whose target type is CHAR."""
	def __init__(self, reader):
		# Defers entirely to POINTER with CHAR as the pointed-to type.
		super(PCHAR, self).__init__(reader, CHAR)
		
class USHORT:
	"""Unsigned 16-bit little-endian integer consumed from a reader."""
	def __init__(self, reader):
		# Two bytes are requested; a short read is not detected, as
		# int.from_bytes decodes whatever the reader returned (empty -> 0).
		raw = reader.read(2)
		self.value = int.from_bytes(raw, 'little', signed=False)
		
class SHORT:
	"""Signed 16-bit little-endian integer (two's complement) consumed from a reader."""
	def __init__(self, reader):
		# Two bytes are requested and decoded as signed; a short read is not
		# detected, as int.from_bytes decodes whatever came back (empty -> 0).
		raw = reader.read(2)
		self.value = int.from_bytes(raw, 'little', signed=True)
		
#https://msdn.microsoft.com/en-us/library/windows/hardware/ff554296(v=vs.85).aspx