In this article we look at a python library that can parse and read Microsoft minidump file format. Can create minidumps on Windows machines using the windows API (implemented with ctypes).
You can use various tools such as Windbg to analyse a minidump and then you require to enter a variety of commands to analyse the minidump.
You can also use python though with the minidump library.
What is a minidump
Applications can produce user-mode minidump files, which contain a useful subset of the information contained in a crash dump file.
Applications can create minidump files very quickly and efficiently. Because minidump files are small, they can be easily sent over the internet to technical support for the application.
A minidump file does not contain as much information as a full crash dump file, but it contains enough information to perform basic debugging operations.
To read a minidump file, you must have the binaries and symbol files available for the debugger.
Installation
pip install minidump
Basic Usage
This module is primarily intended to be used as a library, however for the sake of demonstarting its capabilities there is a command line tool implemented called minidump
.
This tool has the following modes of operation.
Console
One-shot parsing and information retrieval.
minidump.py --all <mindidump file>
See help for possible options.
Shell
There is and interactive command shell to get all info (modules, threads, excetpions etc) and browse the virtual memory of the process dumped (read/read int/read uint/move/peek/tell)
minidump.py -i <mindidump file>
Once in the shell, all commands are documented. Use the ?
command to see all options. This is from the source code
parser.add_argument(‘minidumpfile', help=‘path to the minidump file of lsass.exe') |
parser.add_argument(‘-v', ‘–verbose', action=‘count', default=0) |
parser.add_argument(‘-i', ‘–interactive', action=‘store_true', help=‘Interactive minidump shell') |
parser.add_argument(‘–header', action=‘store_true', help=‘File header info') |
parser.add_argument(‘–modules', action=‘store_true', help=‘List modules') |
parser.add_argument(‘–threads', action=‘store_true', help=‘List threads') |
parser.add_argument(‘–memory', action=‘store_true', help=‘List memory') |
parser.add_argument(‘–sysinfo', action=‘store_true', help=‘Show sysinfo') |
parser.add_argument(‘–comments', action=‘store_true', help=‘Show comments') |
parser.add_argument(‘–exception', action=‘store_true', help=‘Show exception records') |
parser.add_argument(‘–handles', action=‘store_true', help=‘List handles') |
parser.add_argument(‘–misc', action=‘store_true', help=‘Show misc info') |
parser.add_argument(‘–all', action=‘store_true', help=‘Show all info') |
parser.add_argument(‘-r', ‘–read-addr', type=lambda x: int(x,0), help=‘Dump a memory region from the process\'s addres space') |
parser.add_argument(‘-s', ‘–read-size', type=lambda x: int(x,0), default = 0x20, help=‘Dump a memory region from the process\'s addres space') |
Advanced usage
After parsing the minidump file, you can use the MinidumpFileReader and MinidumpBufferedReader objects to perform various searches/reads in the dumped process' address space.
Those objects will be able to read and search the VA of the dumped process and have a notion on integer sizes based on the CPU arch.
Creating minidump file
The createminidump.py
script in the utils folder uses the Windows API to create minidump files. This script can also dump processes running on a different user context by enabling SeDebugPrivilege
.
Of course it only works if you are running it as administrator or a use that has SeDebugPrivilege
.