Crates.io | kdmp-parser |
lib.rs | kdmp-parser |
version | |
source | src |
created_at | 2024-03-21 03:58:47.308971 |
updated_at | 2025-02-04 15:55:46.433832 |
description | A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger. |
homepage | |
repository | https://github.com/0vercl0k/kdmp-parser-rs |
max_upload_size | |
id | 1181190 |
size | 0 |
kdmp-parser
A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.
This is a cross-platform crate that parses the Windows kernel crash-dumps that Windows / WinDbg generate. It exposes read-only access to the physical memory pages as well as the register / exception context. It can also read virtual memory addresses by walking the page tables.
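How a virtual read resolves to a physical one, as an added example that is not kdmp-parser's own code: a 4-level x64 page-table walk over a constructed in-memory page map, covering 4 KiB pages, large pages and entries that are not present. `PhysMem`, `translate`, `set_entry` and `sample_mem` are hypothetical names, and every address and table entry is a constructed sample value.

```rust
use std::collections::HashMap;

const PAGE: u64 = 0x1000;
const PFN_MASK: u64 = 0x000f_ffff_ffff_f000; // physical frame bits 12..51
const PRESENT: u64 = 1 << 0;
const LARGE: u64 = 1 << 7; // PS bit: entry maps a large page
// Constructed stand-in for a dump's physical pages (aligned address -> 4 KiB).
type PhysMem = HashMap<u64, Vec<u8>>;

fn read_u64(mem: &PhysMem, pa: u64) -> Option<u64> {
    let off = (pa & (PAGE - 1)) as usize;
    let mut raw = [0u8; 8];
    raw.copy_from_slice(mem.get(&(pa & !(PAGE - 1)))?.get(off..off + 8)?);
    Some(u64::from_le_bytes(raw))
}

// Walk PML4 -> PDPT -> PD -> PT from the directory base (CR3). None means the
// address is unmapped or a page-table page is absent from the dump.
fn translate(mem: &PhysMem, dir_base: u64, va: u64) -> Option<u64> {
    let mut table = dir_base & PFN_MASK;
    for (level, &shift) in [39u32, 30, 21, 12].iter().enumerate() {
        // Each level consumes 9 bits of the virtual address as a table index.
        let entry = read_u64(mem, table + ((va >> shift) & 0x1ff) * 8)?;
        if entry & PRESENT == 0 { return None; }
        if (level == 1 || level == 2) && entry & LARGE != 0 {
            let mask = (1u64 << shift) - 1; // offset inside a 1 GiB / 2 MiB page
            return Some((entry & PFN_MASK & !mask) | (va & mask));
        }
        table = entry & PFN_MASK;
    }
    Some(table | (va & (PAGE - 1)))
}

fn set_entry(mem: &mut PhysMem, table: u64, idx: u64, entry: u64) {
    let page = mem.entry(table).or_insert_with(|| vec![0; PAGE as usize]);
    page[(idx * 8) as usize..(idx * 8 + 8) as usize].copy_from_slice(&entry.to_le_bytes());
}

fn sample_mem() -> PhysMem {
    let mut mem = PhysMem::new(); // constructed tables, root at 0x1000
    set_entry(&mut mem, 0x1000, 1, 0x2000 | PRESENT); // PML4[1] -> PDPT
    set_entry(&mut mem, 0x2000, 2, 0x3000 | PRESENT); // PDPT[2] -> PD
    set_entry(&mut mem, 0x3000, 3, 0x4000 | PRESENT); // PD[3]   -> PT
    set_entry(&mut mem, 0x3000, 5, 0x4000_0000 | LARGE | PRESENT); // PD[5]: 2 MiB page
    set_entry(&mut mem, 0x4000, 4, 0x5000 | PRESENT); // PT[4]   -> 4 KiB page
    mem
}

fn main() { println!("{:x?}", translate(&sample_mem(), 0x1000, 0x80_8060_4123)); }
```

A `None` result is the normal outcome for addresses whose tables or target pages were not captured in the dump, so callers should treat it as "not available" rather than as an error in the file.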
Compiled binaries are available in the releases section.
The parser application is a small utility that showcases how to use the library and demonstrates its features. You can use it to dump memory, etc.
Here are the options supported:
```text
A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.

Usage: parser.exe [OPTIONS] <DUMP_PATH>

Arguments:
  <DUMP_PATH>
          The dump path

Options:
      --dump-headers
          Dump the dump headers

  -c, --context-record
          Dump the context record

  -e, --exception-record
          Dump the exception record

  -m, --mem[=<MEM>]
          Dump the first `len` bytes of every physical pages, unless an address is specified

      --virt
          The address specified is interpreted as a virtual address, not a physical address

      --len <LEN>
          The number of bytes to dump out

          [default: 16]

  -r, --reader <READER>
          Reader mode

          [default: mmap]

          Possible values:
          - mmap: The crash-dump is memory-mapped
          - file: The crash-dump is read as a file on disk

      --modules
          Dump the list of kernel & user modules

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version
```