-
Hey, what does it mean and how does it work?
Replies: 4 comments 3 replies
-
Gonna have to defer to @d-millar for this one.
-
@bukowa Apologies - didn't put two and two together. You're importing a dump file, correct? Dump files are potentially composite. For example, if you have a full dump for a system crash, it potentially has a PE for every process running on the system at the time of the crash. When you load it, you get the "Modules To Apply" dialog, which allows you to choose which processes you want to analyze. More often than not, "all" is NOT the answer you want, as that will tie up your computer for days.
-
@bukowa By extra, I assume you mean information not in the static executable, and, yes, depending on the type of dump, there can be considerable information about the dynamic state of the execution at the time the dump was taken.
-
Ghidra parses all of it. For example, I'm looking at a dump of notepad.exe right now generated using the .dump command from the Ghidra dbgeng debugger (i.e. equivalent to windbg's .dump command). When I imported it, I selected "C:\Windows\notepad.exe", "Memory", and "Dump Headers". The first gives me a Ghidra program similar to what I would have gotten had I imported notepad.exe from the disk image. The primary difference is it's relocated to the address it was running at in memory. Also, though not as important for PEs, it has whatever fixups/relocations the loader would have applied. The second gives me basically a linear dump of loaded memory. The third gives me a nested tree of the other information in the dump, which, I believe, is what your question alludes to. If you navigate through the MINIDUMP_HEADER to the MINIDUMP_DIRECTORY, you find a number of streams describing different aspects of the running process. Mine has lists for threads, thread info, modules, tokens, memory ranges, memory info, system info, misc info, handles, and counters. What gets dumped depends on how the event was generated, the kind of dump, and the level of detail requested for the dump.
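As an added example (not Ghidra's code and not something posted in this thread), here is a small Python parser that walks MINIDUMP_HEADER to MINIDUMP_DIRECTORY to the individual streams, the same path the "Dump Headers" tree exposes. It decodes the module list (which carries the in-memory base address the module was relocated to) and the memory list from a constructed minimal dump. The sample dump bytes, the base address, the image size and the placeholder system-info stream are all constructed for the example; the struct layouts and stream-type numbers follow Microsoft's minidumpapiset.h. Every RVA is bounds-checked before use, since a crash dump handed to an analyst is untrusted input and a malformed directory entry should fail cleanly rather than read past the buffer.

```python
"""Walk MINIDUMP_HEADER -> MINIDUMP_DIRECTORY -> streams (added example, not Ghidra code)."""
import struct

MDMP_SIGNATURE = 0x504D444D   # ASCII "MDMP" as a little-endian ULONG32
# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags  (32 bytes)
HEADER_FMT = "<IIIIIIQ"
# MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva (12 bytes)
DIR_FMT = "<III"
MODULE_SIZE = 108              # sizeof(MINIDUMP_MODULE)

# MINIDUMP_STREAM_TYPE values for the streams mentioned in the thread
STREAM_NAMES = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    12: "HandleDataStream", 15: "MiscInfoStream", 16: "MemoryInfoListStream",
    17: "ThreadInfoListStream", 19: "TokenStream", 22: "ProcessVmCountersStream",
}


class MinidumpError(ValueError):
    """Raised when an RVA or size in the dump does not fit inside the file."""


def _slice(buf, rva, size):
    """Bounds-checked view of the file; a dump is untrusted input, so validate every RVA."""
    if rva < 0 or size < 0 or rva + size > len(buf):
        raise MinidumpError(f"rva={rva:#x} size={size:#x} exceeds file length {len(buf):#x}")
    return buf[rva:rva + size]


def read_minidump_string(buf, rva):
    """MINIDUMP_STRING: ULONG32 Length (bytes, excluding the terminator) + UTF-16LE Buffer."""
    (length,) = struct.unpack_from("<I", _slice(buf, rva, 4))
    return _slice(buf, rva + 4, length).decode("utf-16-le")


def parse_directory(buf):
    """Return [(stream_type, name, data_size, rva), ...] from the stream directory."""
    sig, _ver, nstreams, dir_rva, _csum, _ts, _flags = struct.unpack_from(HEADER_FMT, _slice(buf, 0, 32))
    if sig != MDMP_SIGNATURE:
        raise MinidumpError("not a minidump (bad signature)")
    entries = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, _slice(buf, dir_rva + 12 * i, 12))
        _slice(buf, rva, size)  # reject directory entries pointing outside the file
        entries.append((stype, STREAM_NAMES.get(stype, f"Unknown({stype})"), size, rva))
    return entries


def parse_module_list(buf, rva):
    """MINIDUMP_MODULE_LIST -> [(module_name, BaseOfImage, SizeOfImage), ...]."""
    (count,) = struct.unpack_from("<I", _slice(buf, rva, 4))
    modules = []
    for i in range(count):
        rec = _slice(buf, rva + 4 + MODULE_SIZE * i, MODULE_SIZE)
        base, size, _csum, _ts, name_rva = struct.unpack_from("<QIIII", rec)  # leading fields only
        modules.append((read_minidump_string(buf, name_rva), base, size))
    return modules


def parse_memory_list(buf, rva):
    """MINIDUMP_MEMORY_LIST -> [(StartOfMemoryRange, DataSize, Rva), ...]."""
    (count,) = struct.unpack_from("<I", _slice(buf, rva, 4))
    return [struct.unpack_from("<QII", _slice(buf, rva + 4 + 16 * i, 16)) for i in range(count)]


def summarize(buf):
    """Stream names plus decoded module and memory lists, as the 'Dump Headers' tree would show them."""
    out = {"streams": [], "modules": [], "memory": []}
    for stype, name, _size, rva in parse_directory(buf):
        out["streams"].append(name)
        if stype == 4:
            out["modules"] = parse_module_list(buf, rva)
        elif stype == 5:
            out["memory"] = parse_memory_list(buf, rva)
    return out


def build_sample_dump():
    """Constructed minimal dump: one module, one memory range, one placeholder system-info stream."""
    name = "C:\\Windows\\notepad.exe".encode("utf-16-le")
    base = 0x7FF612340000                             # constructed in-memory base address
    mem_bytes = b"MZ\x90\x00" + b"\x00" * 12          # constructed first 16 bytes of the image
    sysinfo = b"\x00" * 8                             # placeholder; a real MINIDUMP_SYSTEM_INFO is larger
    dir_rva = 32
    modlist_rva = dir_rva + 3 * 12
    name_rva = modlist_rva + 4 + MODULE_SIZE
    mem_rva = name_rva + 4 + len(name) + 2            # +2 for the UTF-16 null terminator
    memlist_rva = mem_rva + len(mem_bytes)
    sysinfo_rva = memlist_rva + 4 + 16
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, 3, dir_rva, 0, 0, 0)
    directory = (struct.pack(DIR_FMT, 4, 4 + MODULE_SIZE, modlist_rva)
                 + struct.pack(DIR_FMT, 5, 4 + 16, memlist_rva)
                 + struct.pack(DIR_FMT, 7, len(sysinfo), sysinfo_rva))
    module = struct.pack("<QIIII", base, 0x38000, 0, 0, name_rva).ljust(MODULE_SIZE, b"\x00")
    modlist = struct.pack("<I", 1) + module
    mdstring = struct.pack("<I", len(name)) + name + b"\x00\x00"
    memlist = struct.pack("<I", 1) + struct.pack("<QII", base, len(mem_bytes), mem_rva)
    return header + directory + modlist + mdstring + mem_bytes + memlist + sysinfo


if __name__ == "__main__":
    for key, value in summarize(build_sample_dump()).items():
        print(key, value)
```

Running it on the constructed dump lists ModuleListStream, MemoryListStream and SystemInfoStream, resolves the module name to its base address (the address the "relocated" Ghidra program would be loaded at), and maps the memory range back to the raw bytes in the file. Feeding it a truncated copy of the dump raises MinidumpError from the directory walk instead of an IndexError deep inside a stream parser.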