volatilityfoundation
Plugins: Initial prototype crashdump writer
This is just a placeholder but has most of the code for creating a valid crashdump file. The things it's currently missing are:
- Proper version numbers as extracted from the structure preceding the
KD_DEBUGGER_DATAstructure and also anything to do with the KPCR (setting dummy values, decoding it, etc).
@iMHLv2 This isn't done yet, but I figure this gives us visibility of the branch. I know that writing seems less simple than in volatility 2 (.write() rather than =) but it turns out there's time want to change the programmatic structure without writing it back to the file (for example, some tricks we play generating structures in pdbconv). It's also not clear whether assignment should fail if the file is unwritable for some reason (whereas write failed is to be expected). I think that's ok, but if you can think of something simpler that still allows us to differentiate between in-memory assignment and physical rewriting then I'm all for it... 5:)
I think this is very rudimentary/may not do everything it needs to, but it feels like it's starting to get stale. @iMHLv2 or @awalters could either of you take a look and make sure that it's doing what it's supposed? If it is I'll get it merged so it gets updated if/when anything else does...