kdmp-parser
kdmp-parser copied to clipboard
0vercl0k
Unknown Type 0x6
I crashed Windows via notmyfault.exe with debugging file option [Automatic memory dump].
The generated dump file is passed through the
. \parser.exe -c -e -p 0x1000 D:\vmware_share\MEMORY.DMP
Execution, hint:
Unknown Type 0x6. The header looks wrong. ParseDmpHeader failed. Parsing of the dump failed, exiting.
So this dump format itself won't be supported? How is it different from other types?
When I debug parser.exe to parse a dmp file with dumptype 6 via windbg, I found that it is able to parse it. Does that mean it's supported?
Indeed, the type '6' isn't supported; here are the ones currently supported:
enum class DumpType_t : uint32_t {
// Old dump types from dbgeng.dll
FullDump = 0x1,
KernelDump = 0x2,
BMPDump = 0x5,
// New stuff
MiniDump = 0x4, // Produced by `.dump /m`
KernelMemoryDump = 0x8, // Produced by `.dump /k`
KernelAndUserMemoryDump = 0x9, // Produced by `.dump /ka`
CompleteMemoryDump = 0xa, // Produced by `.dump /f`
};
I don't think I have ever ran into a type 6 dump yet 😅
What you are saying is the first header of the dump file which is the same across dumps, but then it is followed by other header / data that depends on the type of dump it is. Because kdmp-parser doesn't know about this type 6, it doesn't know how to handle what follow the main header.
I'll leave this issue opened in case somebody feels like reverse-engineering / implementing it!
Thank you for your report :)
Cheers
Thank you for your reply.
I've searched the web and haven't found a specific meaning for dumptype being BMPDump. What is the source of the various types of dumptype, please?
Sorry I am not sure I understood the question - I believe 'BMP' means 'Bitmap' and refer to the way the physical memory is stored in the dump if I remember correctly.
Cheers
On Tue, Feb 20, 2024 at 10:29 PM frendguo @.***> wrote:
Thank you for your reply.
I've searched the web and haven't found a specific meaning for dumptype being BMPDump. What is the source of the various types of dumptype, please?
— Reply to this email directly, view it on GitHub https://github.com/0vercl0k/kdmp-parser/issues/26#issuecomment-1955979098, or unsubscribe https://github.com/notifications/unsubscribe-auth/AALIORK7MBF77KK7FY23EH3YUWH25AVCNFSM6AAAAABDQXHKN6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNJVHE3TSMBZHA . You are receiving this because you commented.Message ID: @.***>
@frendguo I don't think I've ever seen a type 6 dump. How did you generate it?
I came across this error.
Type 6 is a live kernel dump. We can create this with the task manager. On the process list view, right click on the System process -> Create live kernel memory dump file. You see two options but both generate a type 6 dump file.
Type 6 is a live kernel dump. We can create this with the task manager. On the process list view, right click on the System process -> Create live kernel memory dump file. You see two options but both generate a type 6 dump file.
Thanks for that update @tandasat I can reproduce on Win11 22H2 and up. I will look into it!
Thank you for sharing the repro information @tandasat, and thank you @hugsy for implementing it 🫡