kdmp-parser


A Cross-Platform C++ parser library for Windows kernel minidumps.

  • 0.7.4
  • PyPI

Maintainers
1

Python bindings for kdmp-parser

This C++ library parses Windows kernel full dumps (.dump /f in WinDbg) and BMP dumps (.dump /ka in WinDbg), as well as the more recent dump types introduced around 2022.

The library supports loading 64-bit dumps and provides read access to:

  • The context record,
  • The exception record,
  • The bugcheck parameters,
  • The physical memory.

The Python bindings were authored by hugsy & masthoon. Refer to the project page on GitHub for documentation, issues and pull requests.

Installing from PyPI

The easiest way is simply to:

pip install kdmp_parser

Installing from source using pip

Run the following after installing CMake, Python 3.8+ and pip (the first command installs the build requirements listed in requirements.txt, the second builds and installs the extension):

cd src/python
pip install -r requirements.txt
pip install .

To create a wheel package:

cd src/python
pip wheel .

Usage

Get context, print the program counter

import kdmp_parser

dmp = kdmp_parser.KernelDumpParser("full.dmp")
# dmp.type reports which of the supported dump formats was loaded.
assert dmp.type == kdmp_parser.DumpType.FullDump
print(f"Dump RIP={dmp.context.Rip:#x}")

Read a virtual memory page at address pointed by RIP

import kdmp_parser

dmp = kdmp_parser.KernelDumpParser("full.dmp")
# Read the virtual page that contains the saved instruction pointer.
page = dmp.read_virtual_page(dmp.context.Rip)

Explore the physical memory

import kdmp_parser

dmp = kdmp_parser.KernelDumpParser("full.dmp")
# The directory table base (CR3 of the crashing context) points at the PML4.
pml4 = dmp.directory_table_base
print(f"{pml4=:#x}")
# Read that physical page: the top level of the page tables.
page = dmp.read_physical_page(pml4)

Translate a virtual address into a physical address

import kdmp_parser
dmp = kdmp_parser.KernelDumpParser("full.dmp")
VA = dmp.context.Rip
PA = dmp.translate_virtual(VA)
print(f"{VA=:#x} -> {PA=:#x}")
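The snippets above end at calling translate_virtual. The following is an added example written for this page, not code from the kdmp-parser project: it shows what that call does underneath, a 4-level x86-64 page-table walk built only from directory_table_base and read_physical_page. That is the tool you want when you need to translate under another process's DTB, or to see why an address fails to translate (a non-present entry versus a physical page that the dump simply does not contain, which happens with non-full dumps). The example assumes that read_physical_page(pa) returns the 4 KiB page containing pa as bytes, or None when that page is absent from the dump; that assumption, the FakeDump class and its hand-built page tables are the example's own so that it runs without a dump file. With a real dump, pass a kdmp_parser.KernelDumpParser instance where FakeDump is used.

```python
import struct
from typing import Optional

PAGE_SIZE = 0x1000
PAGE_MASK = PAGE_SIZE - 1
# Bits 12..51 of a table entry hold the physical address of the next level.
ENTRY_ADDR_MASK = 0x000F_FFFF_FFFF_F000
PRESENT = 1 << 0
LARGE_PAGE = 1 << 7   # PS bit: 1 GiB page in a PDPTE, 2 MiB page in a PDE


def read_u64(dmp, pa: int) -> Optional[int]:
    """Read one little-endian qword at physical address pa.

    Assumption (not stated by the page): dmp.read_physical_page(page_pa)
    returns the 4 KiB page as bytes, or None if the dump lacks that page.
    """
    page = dmp.read_physical_page(pa & ~PAGE_MASK)
    if page is None:
        return None
    return struct.unpack_from("<Q", page, pa & PAGE_MASK)[0]


def walk_page_tables(dmp, va: int, dtb: Optional[int] = None) -> Optional[int]:
    """Translate va by walking PML4 -> PDPT -> PD -> PT, honoring large pages.

    dtb defaults to the dump's own directory_table_base; pass another
    process's DTB to translate in that address space. Returns None when a
    level is non-present or sits in a physical page missing from the dump.
    """
    if dtb is None:
        dtb = dmp.directory_table_base
    # Four 9-bit indexes (VA bits 47..12) followed by the 12-bit page offset.
    indexes = [(va >> shift) & 0x1FF for shift in (39, 30, 21, 12)]
    table = dtb & ENTRY_ADDR_MASK  # CR3 low bits are flags/PCID, not address
    for level, idx in enumerate(indexes):
        entry = read_u64(dmp, table + idx * 8)
        if entry is None or not entry & PRESENT:
            return None
        if level == 1 and entry & LARGE_PAGE:  # 1 GiB page: frame in bits 30..51
            return (entry & 0x000F_FFFF_C000_0000) | (va & 0x3FFF_FFFF)
        if level == 2 and entry & LARGE_PAGE:  # 2 MiB page: frame in bits 21..51
            return (entry & 0x000F_FFFF_FFE0_0000) | (va & 0x1F_FFFF)
        table = entry & ENTRY_ADDR_MASK
    # After the PT level, `table` is the 4 KiB frame itself.
    return table | (va & PAGE_MASK)


class FakeDump:
    """Constructed stand-in for kdmp_parser.KernelDumpParser (offline demo)."""

    def __init__(self, dtb: int, pages: dict):
        self.directory_table_base = dtb
        self._pages = pages

    def read_physical_page(self, pa: int) -> Optional[bytes]:
        return self._pages.get(pa & ~PAGE_MASK)


def build_sample_dump() -> FakeDump:
    """Hand-built (constructed) page tables, all addresses are made up:
    - 0xFFFFF80000001234 -> 0x7ABC234 through a 4 KiB PTE
    - 0xFFFFF80040000ABC -> 0x40000ABC through a 2 MiB PDE
    - 0xFFFFF80000002000 -> non-present PTE
    - 0xFFFFF88000000000 -> PDPT page absent from the dump
    """
    dtb = 0x1AD000
    pages = {pa: bytearray(PAGE_SIZE)
             for pa in (0x1AD000, 0x1AE000, 0x1AF000, 0x1B0000, 0x1B1000)}
    flags = 0x63  # present | writable | accessed | dirty
    struct.pack_into("<Q", pages[0x1AD000], 496 * 8, 0x1AE000 | flags)  # PML4E[496]
    struct.pack_into("<Q", pages[0x1AD000], 497 * 8, 0x1B2000 | flags)  # PML4E[497] -> missing page
    struct.pack_into("<Q", pages[0x1AE000], 0 * 8, 0x1AF000 | flags)    # PDPTE[0]
    struct.pack_into("<Q", pages[0x1AE000], 1 * 8, 0x1B1000 | flags)    # PDPTE[1]
    struct.pack_into("<Q", pages[0x1AF000], 0 * 8, 0x1B0000 | flags)    # PDE[0]
    struct.pack_into("<Q", pages[0x1B0000], 1 * 8, 0x7ABC000 | flags)   # PTE[1], 4 KiB page
    struct.pack_into("<Q", pages[0x1B1000], 0 * 8,
                     0x40000000 | flags | LARGE_PAGE)                   # PDE[0], 2 MiB page
    return FakeDump(dtb, {pa: bytes(p) for pa, p in pages.items()})


if __name__ == "__main__":
    dmp = build_sample_dump()  # replace with kdmp_parser.KernelDumpParser("full.dmp")
    for va in (0xFFFFF80000001234, 0xFFFFF80040000ABC,
               0xFFFFF80000002000, 0xFFFFF88000000000):
        pa = walk_page_tables(dmp, va)
        print(f"{va=:#x} -> {'unmapped/missing' if pa is None else hex(pa)}")
```

On a real dump, comparing walk_page_tables(dmp, va) with dmp.translate_virtual(va) for a handful of kernel addresses is a quick sanity check of both the walk and the assumptions above; a None from the walk while the PML4 entry is present usually means the page holding the lower-level table was not captured, which is expected for anything but a full dump.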

Authors

