776 lines
23 KiB
C
776 lines
23 KiB
C
|
/*++
|
||
|
|
||
|
Copyright (c) Microsoft Corporation. All rights reserved.
|
||
|
|
||
|
Module Name:
|
||
|
|
||
|
ntiodump.h
|
||
|
|
||
|
Abstract:
|
||
|
|
||
|
This is the include file that defines all constants and types for
|
||
|
accessing memory dump files.
|
||
|
|
||
|
Revision History:
|
||
|
|
||
|
|
||
|
--*/
|
||
|
|
||
|
#ifndef _NTIODUMP_
|
||
|
#define _NTIODUMP_
|
||
|
|
||
|
#if _MSC_VER > 1000
|
||
|
#pragma once
|
||
|
#endif
|
||
|
|
||
|
#ifndef MIDL_PASS
|
||
|
#if _MSC_VER >= 1200
|
||
|
#pragma warning(push)
|
||
|
#endif
|
||
|
#pragma warning( disable : 4200 ) // nonstandard extension used : zero-sized array in struct/union
|
||
|
#endif // MIDL_PASS
|
||
|
|
||
|
#ifdef __cplusplus
|
||
|
extern "C" {
|
||
|
#endif
|
||
|
|
||
|
|
||
|
#define USERMODE_CRASHDUMP_SIGNATURE 'RESU'
|
||
|
#define USERMODE_CRASHDUMP_VALID_DUMP32 'PMUD'
|
||
|
#define USERMODE_CRASHDUMP_VALID_DUMP64 '46UD'
|
||
|
|
||
|
typedef struct _USERMODE_CRASHDUMP_HEADER {
|
||
|
ULONG Signature;
|
||
|
ULONG ValidDump;
|
||
|
ULONG MajorVersion;
|
||
|
ULONG MinorVersion;
|
||
|
ULONG MachineImageType;
|
||
|
ULONG ThreadCount;
|
||
|
ULONG ModuleCount;
|
||
|
ULONG MemoryRegionCount;
|
||
|
ULONG_PTR ThreadOffset;
|
||
|
ULONG_PTR ModuleOffset;
|
||
|
ULONG_PTR DataOffset;
|
||
|
ULONG_PTR MemoryRegionOffset;
|
||
|
ULONG_PTR DebugEventOffset;
|
||
|
ULONG_PTR ThreadStateOffset;
|
||
|
ULONG_PTR VersionInfoOffset;
|
||
|
ULONG_PTR Spare1;
|
||
|
} USERMODE_CRASHDUMP_HEADER, *PUSERMODE_CRASHDUMP_HEADER;
|
||
|
|
||
|
typedef struct _USERMODE_CRASHDUMP_HEADER32 {
|
||
|
ULONG Signature;
|
||
|
ULONG ValidDump;
|
||
|
ULONG MajorVersion;
|
||
|
ULONG MinorVersion;
|
||
|
ULONG MachineImageType;
|
||
|
ULONG ThreadCount;
|
||
|
ULONG ModuleCount;
|
||
|
ULONG MemoryRegionCount;
|
||
|
ULONG ThreadOffset;
|
||
|
ULONG ModuleOffset;
|
||
|
ULONG DataOffset;
|
||
|
ULONG MemoryRegionOffset;
|
||
|
ULONG DebugEventOffset;
|
||
|
ULONG ThreadStateOffset;
|
||
|
ULONG VersionInfoOffset;
|
||
|
ULONG Spare1;
|
||
|
} USERMODE_CRASHDUMP_HEADER32, *PUSERMODE_CRASHDUMP_HEADER32;
|
||
|
|
||
|
typedef struct _USERMODE_CRASHDUMP_HEADER64 {
|
||
|
ULONG Signature;
|
||
|
ULONG ValidDump;
|
||
|
ULONG MajorVersion;
|
||
|
ULONG MinorVersion;
|
||
|
ULONG MachineImageType;
|
||
|
ULONG ThreadCount;
|
||
|
ULONG ModuleCount;
|
||
|
ULONG MemoryRegionCount;
|
||
|
ULONGLONG ThreadOffset;
|
||
|
ULONGLONG ModuleOffset;
|
||
|
ULONGLONG DataOffset;
|
||
|
ULONGLONG MemoryRegionOffset;
|
||
|
ULONGLONG DebugEventOffset;
|
||
|
ULONGLONG ThreadStateOffset;
|
||
|
ULONGLONG VersionInfoOffset;
|
||
|
ULONGLONG Spare1;
|
||
|
} USERMODE_CRASHDUMP_HEADER64, *PUSERMODE_CRASHDUMP_HEADER64;
|
||
|
|
||
|
typedef struct _CRASH_MODULE {
|
||
|
ULONG_PTR BaseOfImage;
|
||
|
ULONG SizeOfImage;
|
||
|
ULONG ImageNameLength;
|
||
|
CHAR ImageName[0];
|
||
|
} CRASH_MODULE, *PCRASH_MODULE;
|
||
|
|
||
|
typedef struct _CRASH_MODULE32 {
|
||
|
ULONG BaseOfImage;
|
||
|
ULONG SizeOfImage;
|
||
|
ULONG ImageNameLength;
|
||
|
CHAR ImageName[0];
|
||
|
} CRASH_MODULE32, *PCRASH_MODULE32;
|
||
|
|
||
|
typedef struct _CRASH_MODULE64 {
|
||
|
ULONGLONG BaseOfImage;
|
||
|
ULONG SizeOfImage;
|
||
|
ULONG ImageNameLength;
|
||
|
CHAR ImageName[0];
|
||
|
} CRASH_MODULE64, *PCRASH_MODULE64;
|
||
|
|
||
|
typedef struct _CRASH_THREAD {
|
||
|
ULONG ThreadId;
|
||
|
ULONG SuspendCount;
|
||
|
ULONG PriorityClass;
|
||
|
ULONG Priority;
|
||
|
ULONG_PTR Teb;
|
||
|
ULONG_PTR Spare0;
|
||
|
ULONG_PTR Spare1;
|
||
|
ULONG_PTR Spare2;
|
||
|
ULONG_PTR Spare3;
|
||
|
ULONG_PTR Spare4;
|
||
|
ULONG_PTR Spare5;
|
||
|
ULONG_PTR Spare6;
|
||
|
} CRASH_THREAD, *PCRASH_THREAD;
|
||
|
|
||
|
typedef struct _CRASH_THREAD32 {
|
||
|
ULONG ThreadId;
|
||
|
ULONG SuspendCount;
|
||
|
ULONG PriorityClass;
|
||
|
ULONG Priority;
|
||
|
ULONG Teb;
|
||
|
ULONG Spare0;
|
||
|
ULONG Spare1;
|
||
|
ULONG Spare2;
|
||
|
ULONG Spare3;
|
||
|
ULONG Spare4;
|
||
|
ULONG Spare5;
|
||
|
ULONG Spare6;
|
||
|
} CRASH_THREAD32, *PCRASH_THREAD32;
|
||
|
|
||
|
typedef struct _CRASH_THREAD64 {
|
||
|
ULONG ThreadId;
|
||
|
ULONG SuspendCount;
|
||
|
ULONG PriorityClass;
|
||
|
ULONG Priority;
|
||
|
ULONGLONG Teb;
|
||
|
ULONGLONG Spare0;
|
||
|
ULONGLONG Spare1;
|
||
|
ULONGLONG Spare2;
|
||
|
ULONGLONG Spare3;
|
||
|
ULONGLONG Spare4;
|
||
|
ULONGLONG Spare5;
|
||
|
ULONGLONG Spare6;
|
||
|
} CRASH_THREAD64, *PCRASH_THREAD64;
|
||
|
|
||
|
|
||
|
typedef struct _CRASHDUMP_VERSION_INFO {
|
||
|
int IgnoreGuardPages; // Whether we should ignore GuardPages or not
|
||
|
ULONG PointerSize; // 32, 64 bit pointers
|
||
|
} CRASHDUMP_VERSION_INFO, *PCRASHDUMP_VERSION_INFO;
|
||
|
|
||
|
//
|
||
|
// usermode crash dump data types
|
||
|
//
|
||
|
#define DMP_EXCEPTION 1 // obsolete
|
||
|
#define DMP_MEMORY_BASIC_INFORMATION 2
|
||
|
#define DMP_THREAD_CONTEXT 3
|
||
|
#define DMP_MODULE 4
|
||
|
#define DMP_MEMORY_DATA 5
|
||
|
#define DMP_DEBUG_EVENT 6
|
||
|
#define DMP_THREAD_STATE 7
|
||
|
#define DMP_DUMP_FILE_HANDLE 8
|
||
|
|
||
|
//
|
||
|
// usermode crashdump callback function
|
||
|
//
|
||
|
typedef int (__stdcall *PDMP_CREATE_DUMP_CALLBACK)(
|
||
|
ULONG DataType,
|
||
|
PVOID* DumpData,
|
||
|
PULONG DumpDataLength,
|
||
|
PVOID UserData
|
||
|
);
|
||
|
|
||
|
|
||
|
//
|
||
|
// Define the information required to process memory dumps.
|
||
|
//
|
||
|
|
||
|
|
||
|
typedef enum _DUMP_TYPES {
|
||
|
DUMP_TYPE_INVALID = -1,
|
||
|
DUMP_TYPE_UNKNOWN = 0,
|
||
|
DUMP_TYPE_FULL = 1,
|
||
|
DUMP_TYPE_SUMMARY = 2,
|
||
|
DUMP_TYPE_HEADER = 3,
|
||
|
DUMP_TYPE_TRIAGE = 4,
|
||
|
} DUMP_TYPE;
|
||
|
|
||
|
|
||
|
//
|
||
|
// Signature and Valid fields.
|
||
|
//
|
||
|
|
||
|
#define DUMP_SIGNATURE32 ('EGAP')
|
||
|
#define DUMP_VALID_DUMP32 ('PMUD')
|
||
|
|
||
|
#define DUMP_SIGNATURE64 ('EGAP')
|
||
|
#define DUMP_VALID_DUMP64 ('46UD')
|
||
|
|
||
|
#define DUMP_SUMMARY_SIGNATURE ('PMDS')
|
||
|
#define DUMP_SUMMARY_VALID ('PMUD')
|
||
|
|
||
|
#define DUMP_SUMMARY_VALID_KERNEL_VA (1)
|
||
|
#define DUMP_SUMMARY_VALID_CURRENT_USER_VA (2)
|
||
|
|
||
|
//
|
||
|
//
|
||
|
// NOTE: The definition of PHYISCAL_MEMORY_RUN and PHYSICAL_MEMORY_DESCRIPTOR
|
||
|
// MUST be the same as in mm.h. The kernel portion of crashdump will
|
||
|
// verify that these structs are the same.
|
||
|
//
|
||
|
|
||
|
typedef struct _PHYSICAL_MEMORY_RUN32 {
|
||
|
ULONG BasePage;
|
||
|
ULONG PageCount;
|
||
|
} PHYSICAL_MEMORY_RUN32, *PPHYSICAL_MEMORY_RUN32;
|
||
|
|
||
|
typedef struct _PHYSICAL_MEMORY_DESCRIPTOR32 {
|
||
|
ULONG NumberOfRuns;
|
||
|
ULONG NumberOfPages;
|
||
|
PHYSICAL_MEMORY_RUN32 Run[1];
|
||
|
} PHYSICAL_MEMORY_DESCRIPTOR32, *PPHYSICAL_MEMORY_DESCRIPTOR32;
|
||
|
|
||
|
typedef struct _PHYSICAL_MEMORY_RUN64 {
|
||
|
ULONG64 BasePage;
|
||
|
ULONG64 PageCount;
|
||
|
} PHYSICAL_MEMORY_RUN64, *PPHYSICAL_MEMORY_RUN64;
|
||
|
|
||
|
typedef struct _PHYSICAL_MEMORY_DESCRIPTOR64 {
|
||
|
ULONG NumberOfRuns;
|
||
|
ULONG64 NumberOfPages;
|
||
|
PHYSICAL_MEMORY_RUN64 Run[1];
|
||
|
} PHYSICAL_MEMORY_DESCRIPTOR64, *PPHYSICAL_MEMORY_DESCRIPTOR64;
|
||
|
|
||
|
|
||
|
typedef struct _UNLOADED_DRIVERS32 {
|
||
|
UNICODE_STRING32 Name;
|
||
|
ULONG StartAddress;
|
||
|
ULONG EndAddress;
|
||
|
LARGE_INTEGER CurrentTime;
|
||
|
} UNLOADED_DRIVERS32, *PUNLOADED_DRIVERS32;
|
||
|
|
||
|
typedef struct _UNLOADED_DRIVERS64 {
|
||
|
UNICODE_STRING64 Name;
|
||
|
ULONG64 StartAddress;
|
||
|
ULONG64 EndAddress;
|
||
|
LARGE_INTEGER CurrentTime;
|
||
|
} UNLOADED_DRIVERS64, *PUNLOADED_DRIVERS64;
|
||
|
|
||
|
#define MAX_UNLOADED_NAME_LENGTH 24
|
||
|
|
||
|
typedef struct _DUMP_UNLOADED_DRIVERS32
|
||
|
{
|
||
|
UNICODE_STRING32 Name;
|
||
|
WCHAR DriverName[MAX_UNLOADED_NAME_LENGTH / sizeof (WCHAR)];
|
||
|
ULONG StartAddress;
|
||
|
ULONG EndAddress;
|
||
|
} DUMP_UNLOADED_DRIVERS32, *PDUMP_UNLOADED_DRIVERS32;
|
||
|
|
||
|
typedef struct _DUMP_UNLOADED_DRIVERS64
|
||
|
{
|
||
|
UNICODE_STRING64 Name;
|
||
|
WCHAR DriverName[MAX_UNLOADED_NAME_LENGTH / sizeof (WCHAR)];
|
||
|
ULONG64 StartAddress;
|
||
|
ULONG64 EndAddress;
|
||
|
} DUMP_UNLOADED_DRIVERS64, *PDUMP_UNLOADED_DRIVERS64;
|
||
|
|
||
|
typedef struct _DUMP_MM_STORAGE32
|
||
|
{
|
||
|
ULONG Version;
|
||
|
ULONG Size;
|
||
|
ULONG MmSpecialPoolTag;
|
||
|
ULONG MiTriageActionTaken;
|
||
|
|
||
|
ULONG MmVerifyDriverLevel;
|
||
|
ULONG KernelVerifier;
|
||
|
ULONG MmMaximumNonPagedPool;
|
||
|
ULONG MmAllocatedNonPagedPool;
|
||
|
|
||
|
ULONG PagedPoolMaximum;
|
||
|
ULONG PagedPoolAllocated;
|
||
|
|
||
|
ULONG CommittedPages;
|
||
|
ULONG CommittedPagesPeak;
|
||
|
ULONG CommitLimitMaximum;
|
||
|
} DUMP_MM_STORAGE32, *PDUMP_MM_STORAGE32;
|
||
|
|
||
|
typedef struct _DUMP_MM_STORAGE64
|
||
|
{
|
||
|
ULONG Version;
|
||
|
ULONG Size;
|
||
|
ULONG MmSpecialPoolTag;
|
||
|
ULONG MiTriageActionTaken;
|
||
|
|
||
|
ULONG MmVerifyDriverLevel;
|
||
|
ULONG KernelVerifier;
|
||
|
ULONG64 MmMaximumNonPagedPool;
|
||
|
ULONG64 MmAllocatedNonPagedPool;
|
||
|
|
||
|
ULONG64 PagedPoolMaximum;
|
||
|
ULONG64 PagedPoolAllocated;
|
||
|
|
||
|
ULONG64 CommittedPages;
|
||
|
ULONG64 CommittedPagesPeak;
|
||
|
ULONG64 CommitLimitMaximum;
|
||
|
} DUMP_MM_STORAGE64, *PDUMP_MM_STORAGE64;
|
||
|
|
||
|
|
||
|
//
|
||
|
// Define the dump header structure. You cannot change these
|
||
|
// defines without breaking the debuggers, so don't.
|
||
|
//
|
||
|
|
||
|
#define DMP_PHYSICAL_MEMORY_BLOCK_SIZE_32 (700)
|
||
|
#define DMP_CONTEXT_RECORD_SIZE_32 (1200)
|
||
|
#define DMP_RESERVED_0_SIZE_32 (1768)
|
||
|
#define DMP_RESERVED_2_SIZE_32 (16)
|
||
|
#define DMP_RESERVED_3_SIZE_32 (56)
|
||
|
|
||
|
#define DMP_PHYSICAL_MEMORY_BLOCK_SIZE_64 (700)
|
||
|
#define DMP_CONTEXT_RECORD_SIZE_64 (3000)
|
||
|
#define DMP_RESERVED_0_SIZE_64 (4020)
|
||
|
|
||
|
#define DMP_HEADER_COMMENT_SIZE (128)
|
||
|
|
||
|
// Unset WriterStatus value from the header fill.
|
||
|
#define DUMP_WRITER_STATUS_UNINITIALIZED DUMP_SIGNATURE32
|
||
|
|
||
|
// WriterStatus codes for the dbgeng.dll dump writers.
|
||
|
enum
|
||
|
{
|
||
|
DUMP_DBGENG_SUCCESS,
|
||
|
DUMP_DBGENG_NO_MODULE_LIST,
|
||
|
DUMP_DBGENG_CORRUPT_MODULE_LIST,
|
||
|
};
|
||
|
|
||
|
//
|
||
|
// The 32-bit memory dump structure requires 4-byte alignment.
|
||
|
//
|
||
|
|
||
|
#include <pshpack4.h>
|
||
|
|
||
|
typedef struct _DUMP_HEADER32 {
|
||
|
ULONG Signature;
|
||
|
ULONG ValidDump;
|
||
|
ULONG MajorVersion;
|
||
|
ULONG MinorVersion;
|
||
|
ULONG DirectoryTableBase;
|
||
|
ULONG PfnDataBase;
|
||
|
ULONG PsLoadedModuleList;
|
||
|
ULONG PsActiveProcessHead;
|
||
|
ULONG MachineImageType;
|
||
|
ULONG NumberProcessors;
|
||
|
ULONG BugCheckCode;
|
||
|
ULONG BugCheckParameter1;
|
||
|
ULONG BugCheckParameter2;
|
||
|
ULONG BugCheckParameter3;
|
||
|
ULONG BugCheckParameter4;
|
||
|
CHAR VersionUser[32];
|
||
|
UCHAR PaeEnabled; // Present only for Win2k and better
|
||
|
UCHAR Spare3[3];
|
||
|
ULONG KdDebuggerDataBlock; // Present only for Win2k SP1 and better.
|
||
|
|
||
|
union {
|
||
|
PHYSICAL_MEMORY_DESCRIPTOR32 PhysicalMemoryBlock;
|
||
|
UCHAR PhysicalMemoryBlockBuffer [ DMP_PHYSICAL_MEMORY_BLOCK_SIZE_32 ];
|
||
|
};
|
||
|
UCHAR ContextRecord [ DMP_CONTEXT_RECORD_SIZE_32 ];
|
||
|
EXCEPTION_RECORD32 Exception;
|
||
|
CHAR Comment [ DMP_HEADER_COMMENT_SIZE ]; // May not be present.
|
||
|
UCHAR _reserved0 [ DMP_RESERVED_0_SIZE_32 ];
|
||
|
ULONG DumpType; // Present for Win2k and better.
|
||
|
ULONG MiniDumpFields;
|
||
|
ULONG SecondaryDataState;
|
||
|
ULONG ProductType;
|
||
|
ULONG SuiteMask;
|
||
|
ULONG WriterStatus;
|
||
|
LARGE_INTEGER RequiredDumpSpace; // Present for Win2k and better.
|
||
|
UCHAR _reserved2 [ DMP_RESERVED_2_SIZE_32 ];
|
||
|
LARGE_INTEGER SystemUpTime; // Present only for Whistler and better.
|
||
|
LARGE_INTEGER SystemTime; // Present only for Win2k and better.
|
||
|
UCHAR _reserved3 [ DMP_RESERVED_3_SIZE_32 ];
|
||
|
} DUMP_HEADER32, *PDUMP_HEADER32;
|
||
|
|
||
|
|
||
|
typedef struct _FULL_DUMP32 {
|
||
|
CHAR Memory [1]; // Variable length to the end of the dump file.
|
||
|
} FULL_DUMP32, *PFULL_DUMP32;
|
||
|
|
||
|
typedef struct _SUMMARY_DUMP32 {
|
||
|
ULONG Signature;
|
||
|
ULONG ValidDump;
|
||
|
ULONG DumpOptions; // Summary Dump Options
|
||
|
ULONG HeaderSize; // Offset to the start of actual memory dump
|
||
|
ULONG BitmapSize; // Total bitmap size (i.e., maximum #bits)
|
||
|
ULONG Pages; // Total bits set in bitmap (i.e., total pages in sdump)
|
||
|
|
||
|
//
|
||
|
// These next three fields essentially form an on-disk RTL_BITMAP structure.
|
||
|
// The RESERVED field is stupidness introduced by the way the data is
|
||
|
// serialized to disk.
|
||
|
//
|
||
|
|
||
|
struct {
|
||
|
ULONG SizeOfBitMap;
|
||
|
ULONG _reserved0;
|
||
|
ULONG Buffer[];
|
||
|
} Bitmap;
|
||
|
|
||
|
} SUMMARY_DUMP32, * PSUMMARY_DUMP32;
|
||
|
|
||
|
|
||
|
typedef struct _TRIAGE_DUMP32 {
|
||
|
ULONG ServicePackBuild; // What service pack of NT was this ?
|
||
|
ULONG SizeOfDump; // Size in bytes of the dump
|
||
|
ULONG ValidOffset; // Offset valid ULONG
|
||
|
ULONG ContextOffset; // Offset of CONTEXT record
|
||
|
ULONG ExceptionOffset; // Offset of EXCEPTION record
|
||
|
ULONG MmOffset; // Offset of Mm information
|
||
|
ULONG UnloadedDriversOffset; // Offset of Unloaded Drivers
|
||
|
ULONG PrcbOffset; // Offset of KPRCB
|
||
|
ULONG ProcessOffset; // Offset of EPROCESS
|
||
|
ULONG ThreadOffset; // Offset of ETHREAD
|
||
|
ULONG CallStackOffset; // Offset of CallStack Pages
|
||
|
ULONG SizeOfCallStack; // Size in bytes of CallStack
|
||
|
ULONG DriverListOffset; // Offset of Driver List
|
||
|
ULONG DriverCount; // Number of Drivers in list
|
||
|
ULONG StringPoolOffset; // Offset to the string pool
|
||
|
ULONG StringPoolSize; // Size of the string pool
|
||
|
ULONG BrokenDriverOffset; // Offset into the driver of the driver that crashed
|
||
|
ULONG TriageOptions; // Triage options in effect at crashtime
|
||
|
ULONG TopOfStack; // The top (highest address) of the call stack
|
||
|
|
||
|
ULONG DataPageAddress;
|
||
|
ULONG DataPageOffset;
|
||
|
ULONG DataPageSize;
|
||
|
|
||
|
ULONG DebuggerDataOffset;
|
||
|
ULONG DebuggerDataSize;
|
||
|
|
||
|
ULONG DataBlocksOffset;
|
||
|
ULONG DataBlocksCount;
|
||
|
|
||
|
} TRIAGE_DUMP32, * PTRIAGE_DUMP32;
|
||
|
|
||
|
|
||
|
typedef struct _MEMORY_DUMP32 {
|
||
|
DUMP_HEADER32 Header;
|
||
|
|
||
|
union {
|
||
|
FULL_DUMP32 Full; // DumpType == DUMP_TYPE_FULL
|
||
|
SUMMARY_DUMP32 Summary; // DumpType == DUMP_TYPE_SUMMARY
|
||
|
TRIAGE_DUMP32 Triage; // DumpType == DUMP_TYPE_TRIAGE
|
||
|
};
|
||
|
|
||
|
} MEMORY_DUMP32, *PMEMORY_DUMP32;
|
||
|
|
||
|
|
||
|
#include <poppack.h>
|
||
|
|
||
|
typedef struct _DUMP_HEADER64 {
|
||
|
ULONG Signature;
|
||
|
ULONG ValidDump;
|
||
|
ULONG MajorVersion;
|
||
|
ULONG MinorVersion;
|
||
|
ULONG64 DirectoryTableBase;
|
||
|
ULONG64 PfnDataBase;
|
||
|
ULONG64 PsLoadedModuleList;
|
||
|
ULONG64 PsActiveProcessHead;
|
||
|
ULONG MachineImageType;
|
||
|
ULONG NumberProcessors;
|
||
|
ULONG BugCheckCode;
|
||
|
ULONG64 BugCheckParameter1;
|
||
|
ULONG64 BugCheckParameter2;
|
||
|
ULONG64 BugCheckParameter3;
|
||
|
ULONG64 BugCheckParameter4;
|
||
|
CHAR VersionUser[32];
|
||
|
ULONG64 KdDebuggerDataBlock;
|
||
|
|
||
|
union {
|
||
|
PHYSICAL_MEMORY_DESCRIPTOR64 PhysicalMemoryBlock;
|
||
|
UCHAR PhysicalMemoryBlockBuffer [ DMP_PHYSICAL_MEMORY_BLOCK_SIZE_64 ];
|
||
|
};
|
||
|
UCHAR ContextRecord [ DMP_CONTEXT_RECORD_SIZE_64 ];
|
||
|
EXCEPTION_RECORD64 Exception;
|
||
|
ULONG DumpType;
|
||
|
LARGE_INTEGER RequiredDumpSpace;
|
||
|
LARGE_INTEGER SystemTime;
|
||
|
CHAR Comment [ DMP_HEADER_COMMENT_SIZE ]; // May not be present.
|
||
|
LARGE_INTEGER SystemUpTime;
|
||
|
ULONG MiniDumpFields;
|
||
|
ULONG SecondaryDataState;
|
||
|
ULONG ProductType;
|
||
|
ULONG SuiteMask;
|
||
|
ULONG WriterStatus;
|
||
|
UCHAR _reserved0[ DMP_RESERVED_0_SIZE_64 ];
|
||
|
} DUMP_HEADER64, *PDUMP_HEADER64;
|
||
|
|
||
|
typedef struct _FULL_DUMP64 {
|
||
|
CHAR Memory[1]; // Variable length to the end of the dump file.
|
||
|
} FULL_DUMP64, *PFULL_DUMP64;
|
||
|
|
||
|
//
|
||
|
// ISSUE - 2000/02/17 - math: NT64 Summary dump.
|
||
|
//
|
||
|
// This is broken. The 64 bit summary dump should have a ULONG64 for
|
||
|
// the BitmapSize to match the size of the PFN_NUMBER.
|
||
|
//
|
||
|
|
||
|
typedef struct _SUMMARY_DUMP64 {
|
||
|
ULONG Signature;
|
||
|
ULONG ValidDump;
|
||
|
ULONG DumpOptions; // Summary Dump Options
|
||
|
ULONG HeaderSize; // Offset to the start of actual memory dump
|
||
|
ULONG BitmapSize; // Total bitmap size (i.e., maximum #bits)
|
||
|
ULONG Pages; // Total bits set in bitmap (i.e., total pages in sdump)
|
||
|
|
||
|
//
|
||
|
// ISSUE - 2000/02/17 - math: Win64
|
||
|
//
|
||
|
// With a 64-bit PFN, we should not have a 32-bit bitmap.
|
||
|
//
|
||
|
|
||
|
//
|
||
|
// These next three fields essentially form an on-disk RTL_BITMAP structure.
|
||
|
// The RESERVED field is stupidness introduced by the way the data is
|
||
|
// serialized to disk.
|
||
|
//
|
||
|
|
||
|
struct {
|
||
|
ULONG SizeOfBitMap;
|
||
|
ULONG64 _reserved0;
|
||
|
ULONG Buffer[];
|
||
|
} Bitmap;
|
||
|
|
||
|
} SUMMARY_DUMP64, * PSUMMARY_DUMP64;
|
||
|
|
||
|
|
||
|
typedef struct _TRIAGE_DUMP64 {
|
||
|
ULONG ServicePackBuild; // What service pack of NT was this ?
|
||
|
ULONG SizeOfDump; // Size in bytes of the dump
|
||
|
ULONG ValidOffset; // Offset valid ULONG
|
||
|
ULONG ContextOffset; // Offset of CONTEXT record
|
||
|
ULONG ExceptionOffset; // Offset of EXCEPTION record
|
||
|
ULONG MmOffset; // Offset of Mm information
|
||
|
ULONG UnloadedDriversOffset; // Offset of Unloaded Drivers
|
||
|
ULONG PrcbOffset; // Offset of KPRCB
|
||
|
ULONG ProcessOffset; // Offset of EPROCESS
|
||
|
ULONG ThreadOffset; // Offset of ETHREAD
|
||
|
ULONG CallStackOffset; // Offset of CallStack Pages
|
||
|
ULONG SizeOfCallStack; // Size in bytes of CallStack
|
||
|
ULONG DriverListOffset; // Offset of Driver List
|
||
|
ULONG DriverCount; // Number of Drivers in list
|
||
|
ULONG StringPoolOffset; // Offset to the string pool
|
||
|
ULONG StringPoolSize; // Size of the string pool
|
||
|
ULONG BrokenDriverOffset; // Offset into the driver of the driver that crashed
|
||
|
ULONG TriageOptions; // Triage options in effect at crashtime
|
||
|
ULONG64 TopOfStack; // The top (highest address) of the callstack
|
||
|
|
||
|
//
|
||
|
// Architecture Specific fields.
|
||
|
//
|
||
|
|
||
|
union {
|
||
|
|
||
|
//
|
||
|
// For IA64 we need to store the BStore as well.
|
||
|
//
|
||
|
|
||
|
struct {
|
||
|
ULONG BStoreOffset; // Offset of BStore region.
|
||
|
ULONG SizeOfBStore; // The size of the BStore region.
|
||
|
ULONG64 LimitOfBStore; // The limit (highest memory address)
|
||
|
} Ia64; // of the BStore region.
|
||
|
|
||
|
} ArchitectureSpecific;
|
||
|
|
||
|
ULONG64 DataPageAddress;
|
||
|
ULONG DataPageOffset;
|
||
|
ULONG DataPageSize;
|
||
|
|
||
|
ULONG DebuggerDataOffset;
|
||
|
ULONG DebuggerDataSize;
|
||
|
|
||
|
ULONG DataBlocksOffset;
|
||
|
ULONG DataBlocksCount;
|
||
|
|
||
|
} TRIAGE_DUMP64, * PTRIAGE_DUMP64;
|
||
|
|
||
|
|
||
|
typedef struct _MEMORY_DUMP64 {
|
||
|
DUMP_HEADER64 Header;
|
||
|
|
||
|
union {
|
||
|
FULL_DUMP64 Full; // DumpType == DUMP_TYPE_FULL
|
||
|
SUMMARY_DUMP64 Summary; // DumpType == DUMP_TYPE_SUMMARY
|
||
|
TRIAGE_DUMP64 Triage; // DumpType == DUMP_TYPE_TRIAGE
|
||
|
};
|
||
|
|
||
|
} MEMORY_DUMP64, *PMEMORY_DUMP64;
|
||
|
|
||
|
|
||
|
typedef struct _TRIAGE_DATA_BLOCK {
|
||
|
ULONG64 Address;
|
||
|
ULONG Offset;
|
||
|
ULONG Size;
|
||
|
} TRIAGE_DATA_BLOCK, *PTRIAGE_DATA_BLOCK;
|
||
|
|
||
|
//
|
||
|
// In the triage dump ValidFields field what portions of the triage-dump have
|
||
|
// been turned on.
|
||
|
//
|
||
|
|
||
|
#define TRIAGE_DUMP_CONTEXT (0x0001)
|
||
|
#define TRIAGE_DUMP_EXCEPTION (0x0002)
|
||
|
#define TRIAGE_DUMP_PRCB (0x0004)
|
||
|
#define TRIAGE_DUMP_PROCESS (0x0008)
|
||
|
#define TRIAGE_DUMP_THREAD (0x0010)
|
||
|
#define TRIAGE_DUMP_STACK (0x0020)
|
||
|
#define TRIAGE_DUMP_DRIVER_LIST (0x0040)
|
||
|
#define TRIAGE_DUMP_BROKEN_DRIVER (0x0080)
|
||
|
#define TRIAGE_DUMP_BASIC_INFO (0x00FF)
|
||
|
#define TRIAGE_DUMP_MMINFO (0x0100)
|
||
|
#define TRIAGE_DUMP_DATAPAGE (0x0200)
|
||
|
#define TRIAGE_DUMP_DEBUGGER_DATA (0x0400)
|
||
|
#define TRIAGE_DUMP_DATA_BLOCKS (0x0800)
|
||
|
|
||
|
#define TRIAGE_OPTION_OVERFLOWED (0x0100)
|
||
|
|
||
|
#define TRIAGE_DUMP_VALID ( 'DGRT' )
|
||
|
#define TRIAGE_DUMP_SIZE32 ( 0x1000 * 16 )
|
||
|
#define TRIAGE_DUMP_SIZE64 ( 0x2000 * 16 )
|
||
|
|
||
|
#ifdef _NTLDRAPI_
|
||
|
|
||
|
typedef struct _DUMP_DRIVER_ENTRY32 {
|
||
|
ULONG DriverNameOffset;
|
||
|
KLDR_DATA_TABLE_ENTRY32 LdrEntry;
|
||
|
} DUMP_DRIVER_ENTRY32, * PDUMP_DRIVER_ENTRY32;
|
||
|
|
||
|
typedef struct _DUMP_DRIVER_ENTRY64 {
|
||
|
ULONG DriverNameOffset;
|
||
|
ULONG __alignment;
|
||
|
KLDR_DATA_TABLE_ENTRY64 LdrEntry;
|
||
|
} DUMP_DRIVER_ENTRY64, * PDUMP_DRIVER_ENTRY64;
|
||
|
|
||
|
#endif // _NTLDRAPI
|
||
|
|
||
|
//
|
||
|
// The DUMP_STRING is guaranteed to be both NULL terminated and length prefixed
|
||
|
// (prefix does not include the NULL).
|
||
|
//
|
||
|
|
||
|
typedef struct _DUMP_STRING {
|
||
|
ULONG Length; // Length IN BYTES of the string.
|
||
|
WCHAR Buffer [0]; // Buffer.
|
||
|
} DUMP_STRING, * PDUMP_STRING;
|
||
|
|
||
|
|
||
|
//
|
||
|
// Secondary dumps can be generated at bugcheck time after
|
||
|
// the primary dump has been generated. The data in these
|
||
|
// dumps is arbitrary and not interpretable, so the file
|
||
|
// format is just a sequence of tagged blobs.
|
||
|
//
|
||
|
// Each blob header is aligned on an eight-byte boundary
|
||
|
// and the data immediately follows it. Padding
|
||
|
// may precede and/or follow the data for alignment purposes.
|
||
|
//
|
||
|
// Blobs are streamed into the file so there is no overall count.
|
||
|
//
|
||
|
|
||
|
#define DUMP_BLOB_SIGNATURE1 'pmuD'
|
||
|
#define DUMP_BLOB_SIGNATURE2 'bolB'
|
||
|
|
||
|
typedef struct _DUMP_BLOB_FILE_HEADER {
|
||
|
ULONG Signature1;
|
||
|
ULONG Signature2;
|
||
|
ULONG HeaderSize;
|
||
|
ULONG BuildNumber;
|
||
|
} DUMP_BLOB_FILE_HEADER, *PDUMP_BLOB_FILE_HEADER;
|
||
|
|
||
|
typedef struct _DUMP_BLOB_HEADER {
|
||
|
ULONG HeaderSize;
|
||
|
GUID Tag;
|
||
|
ULONG DataSize;
|
||
|
ULONG PrePad;
|
||
|
ULONG PostPad;
|
||
|
} DUMP_BLOB_HEADER, *PDUMP_BLOB_HEADER;
|
||
|
|
||
|
#ifdef __cplusplus
|
||
|
}
|
||
|
#endif
|
||
|
|
||
|
//
|
||
|
// These defines should be used only by components
|
||
|
// that know the architecture of the dump matches
|
||
|
// the architecture of the machine they are on; i.e.,
|
||
|
// the kernel and savedump. In particular, the debugger
|
||
|
// should always explicitly use either the 32 or
|
||
|
// 64 bit versions of the headers.
|
||
|
//
|
||
|
|
||
|
#ifndef __NTSDP_HPP__
|
||
|
#if defined (_WIN64)
|
||
|
|
||
|
typedef DUMP_HEADER64 DUMP_HEADER;
|
||
|
typedef PDUMP_HEADER64 PDUMP_HEADER;
|
||
|
typedef MEMORY_DUMP64 MEMORY_DUMP;
|
||
|
typedef PMEMORY_DUMP64 PMEMORY_DUMP;
|
||
|
typedef SUMMARY_DUMP64 SUMMARY_DUMP;
|
||
|
typedef PSUMMARY_DUMP64 PSUMMARY_DUMP;
|
||
|
typedef TRIAGE_DUMP64 TRIAGE_DUMP;
|
||
|
typedef PTRIAGE_DUMP64 PTRIAGE_DUMP;
|
||
|
#ifdef _NTLDRAPI_
|
||
|
typedef DUMP_DRIVER_ENTRY64 DUMP_DRIVER_ENTRY;
|
||
|
typedef PDUMP_DRIVER_ENTRY64 PDUMP_DRIVER_ENTRY;
|
||
|
#endif
|
||
|
#define DUMP_SIGNATURE DUMP_SIGNATURE64
|
||
|
#define DUMP_VALID_DUMP DUMP_VALID_DUMP64
|
||
|
#define TRIAGE_DUMP_SIZE TRIAGE_DUMP_SIZE64
|
||
|
typedef PPHYSICAL_MEMORY_RUN64 PPHYSICAL_MEMORYRUN;
|
||
|
typedef PPHYSICAL_MEMORY_DESCRIPTOR64 PPHYSICAL_MEMORYDESCRIPTOR;
|
||
|
|
||
|
#else
|
||
|
|
||
|
typedef DUMP_HEADER32 DUMP_HEADER;
|
||
|
typedef PDUMP_HEADER32 PDUMP_HEADER;
|
||
|
typedef MEMORY_DUMP32 MEMORY_DUMP;
|
||
|
typedef PMEMORY_DUMP32 PMEMORY_DUMP;
|
||
|
typedef SUMMARY_DUMP32 SUMMARY_DUMP;
|
||
|
typedef PSUMMARY_DUMP32 PSUMMARY_DUMP;
|
||
|
typedef TRIAGE_DUMP32 TRIAGE_DUMP;
|
||
|
typedef PTRIAGE_DUMP32 PTRIAGE_DUMP;
|
||
|
#ifdef _NTLDRAPI_
|
||
|
typedef DUMP_DRIVER_ENTRY32 DUMP_DRIVER_ENTRY;
|
||
|
typedef PDUMP_DRIVER_ENTRY32 PDUMP_DRIVER_ENTRY;
|
||
|
#endif
|
||
|
#define DUMP_SIGNATURE DUMP_SIGNATURE32
|
||
|
#define DUMP_VALID_DUMP DUMP_VALID_DUMP32
|
||
|
#define TRIAGE_DUMP_SIZE TRIAGE_DUMP_SIZE32
|
||
|
typedef PPHYSICAL_MEMORY_RUN32 PPHYSICAL_MEMORYRUN;
|
||
|
typedef PPHYSICAL_MEMORY_DESCRIPTOR32 PPHYSICAL_MEMORYDESCRIPTOR;
|
||
|
|
||
|
#endif
|
||
|
#endif
|
||
|
|
||
|
#ifndef MIDL_PASS
|
||
|
#if _MSC_VER >= 1200
|
||
|
#pragma warning(pop)
|
||
|
#else
|
||
|
#pragma warning( default : 4200 ) // nonstandard extension used : zero-sized array in struct/union
|
||
|
#endif
|
||
|
#endif // MIDL_PASS
|
||
|
|
||
|
#endif // _NTIODUMP_
|