ghidra-minidump-loader's People

Contributors

rantanen

ghidra-minidump-loader's Issues

loader not found by Import File

Steps to reproduce

  1. Clone this git repository
  2. Change the contents of extension.properties to the following:
     name=MinidumpLoader
     description=Tools for analyzing Windows Minidump files.
     author=Mikko Rantanen
     createdOn=
     version=10.0
  3. Run File > Install Extension... on the MinidumpLoader directory
  4. Restart Ghidra
  5. Import a minidump file (begins with "MDMP")

Expected behavior

"Format:" shows "Windows Minidump"

Actual behavior

"Format:" shows "Raw Binary"


How do I install and use this plugin correctly?

EOF exception when reading minidump

Super cool project. I'm trying to load a binary that at run time unpacks itself into a new part of memory. The dump file gets correctly analysed with rizin, but this project throws an EOF error:

EOF
java.io.IOException: EOF
	at net.jubjubnest.minidump.loader.MinidumpMemoryProvider.readBytes(MinidumpMemoryProvider.java:81)
	at net.jubjubnest.minidump.loader.MinidumpMemoryProvider.readByte(MinidumpMemoryProvider.java:67)
	at ghidra.app.util.bin.ByteProviderWrapper.readByte(ByteProviderWrapper.java:106)
	at ghidra.app.util.bin.ByteProviderInputStream.read(ByteProviderInputStream.java:37)
	at java.base/java.io.InputStream.read(InputStream.java:284)
	at ghidra.util.MonitoredInputStream.read(MonitoredInputStream.java:128)
	at db.ChainedBuffer.fill(ChainedBuffer.java:1212)
	at db.DBBuffer.fill(DBBuffer.java:162)
	at ghidra.program.database.mem.FileBytesAdapterV0.createBuffers(FileBytesAdapterV0.java:177)
	at ghidra.program.database.mem.FileBytesAdapterV0.createFileBytes(FileBytesAdapterV0.java:76)
	at ghidra.program.database.mem.MemoryMapDB.createFileBytes(MemoryMapDB.java:2167)
	at ghidra.app.util.MemoryBlockUtils.createFileBytes(MemoryBlockUtils.java:353)
	at ghidra.app.util.MemoryBlockUtils.createFileBytes(MemoryBlockUtils.java:335)
	at net.jubjubnest.minidump.contrib.opinion.PeLoader.loadImage(PeLoader.java:150)
	at net.jubjubnest.minidump.loader.MinidumpLoader.loadPeImage(MinidumpLoader.java:269)
	at net.jubjubnest.minidump.loader.MinidumpLoader.loadModules(MinidumpLoader.java:248)
	at net.jubjubnest.minidump.loader.MinidumpLoader.load(MinidumpLoader.java:136)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:347)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:83)
	at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:112)
	at ghidra.plugin.importer.ImporterUtilities.importSingleFile(ImporterUtilities.java:400)
	at ghidra.plugin.importer.ImporterDialog.lambda$okCallback$7(ImporterDialog.java:351)
	at ghidra.util.task.TaskBuilder$TaskBuilderTask.run(TaskBuilder.java:306)
	at ghidra.util.task.Task.monitoredRun(Task.java:124)
	at ghidra.util.task.TaskRunner.lambda$startTaskThread$0(TaskRunner.java:106)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at java.base/java.lang.Thread.run(Thread.java:832)

---------------------------------------------------
Build Date: 2021-Aug-04 1256 EDT
Ghidra Version: 10.0.2
Java Home: C:\Program Files\Java\jdk-15.0.1
JVM Version: Oracle Corporation 15.0.1
OS: Windows 10 10.0 amd64
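Both issues above (the loader not being offered by Import File, and the EOF thrown while a module is loaded as a PE image) come down to what the dump file does and does not contain. The following is an added example, not code from the ghidra-minidump-loader project: a stand-alone Python parser for the MINIDUMP_HEADER, the stream directory, ModuleListStream and Memory64ListStream/MemoryListStream. It first checks the "MDMP" signature (the same test a loader's format sniffing makes) and then reports which bytes of each module's image are absent from the captured memory. For a process that unpacked itself at run time, an image range that no memory descriptor covers is exactly where a loader reading the module as a PE would run out of bytes. The sample dump is constructed in-line with a made-up module name, base and sizes; nothing in it comes from the reporter's file.

```python
# Added example, not ghidra-minidump-loader code: which parts of each module image
# does a minidump actually contain?  The sample dump is constructed in-line below.
import struct
from collections import namedtuple

MDMP_SIGNATURE = b"MDMP"
MODULE_LIST_STREAM, MEMORY_LIST_STREAM, MEMORY64_LIST_STREAM = 4, 5, 9
MINIDUMP_MODULE_SIZE = 108  # sizeof(MINIDUMP_MODULE) in dbghelp.h
Module = namedtuple("Module", "name base size")
Range = namedtuple("Range", "start size rva")  # rva = file offset of the bytes

def parse_header(data):
    """Return (NumberOfStreams, StreamDirectoryRva); raise if not a minidump."""
    if len(data) < 32 or data[:4] != MDMP_SIGNATURE:
        raise ValueError("not a minidump: missing MDMP signature")
    # MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
    _, _, nstreams, dir_rva, _, _, _ = struct.unpack_from("<4sIIIIIQ", data, 0)
    return nstreams, dir_rva

def parse_directory(data):
    """Map StreamType -> (Rva, DataSize) from the MINIDUMP_DIRECTORY array."""
    nstreams, dir_rva = parse_header(data)
    streams = {}
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from("<III", data, dir_rva + 12 * i)
        streams[stype] = (rva, size)
    return streams

def read_string(data, rva):
    """MINIDUMP_STRING: u32 byte length followed by UTF-16LE characters."""
    (length,) = struct.unpack_from("<I", data, rva)
    return data[rva + 4:rva + 4 + length].decode("utf-16-le")

def parse_modules(data, streams):
    """MINIDUMP_MODULE_LIST: u32 NumberOfModules, then 108-byte MINIDUMP_MODULEs."""
    rva, _ = streams[MODULE_LIST_STREAM]
    (count,) = struct.unpack_from("<I", data, rva)
    modules = []
    for i in range(count):
        off = rva + 4 + MINIDUMP_MODULE_SIZE * i
        base, size, _cksum, _ts, name_rva = struct.unpack_from("<QIIII", data, off)
        modules.append(Module(read_string(data, name_rva), base, size))
    return modules

def parse_memory_ranges(data, streams):
    """Captured ranges: Memory64ListStream (full dumps) or MemoryListStream."""
    ranges = []
    if MEMORY64_LIST_STREAM in streams:
        rva, _ = streams[MEMORY64_LIST_STREAM]
        count, cur = struct.unpack_from("<QQ", data, rva)  # NumberOfMemoryRanges, BaseRva
        for i in range(count):
            start, size = struct.unpack_from("<QQ", data, rva + 16 + 16 * i)
            ranges.append(Range(start, size, cur))
            cur += size  # contents are stored back to back starting at BaseRva
    elif MEMORY_LIST_STREAM in streams:
        rva, _ = streams[MEMORY_LIST_STREAM]
        (count,) = struct.unpack_from("<I", data, rva)
        for i in range(count):
            start, size, mrva = struct.unpack_from("<QII", data, rva + 4 + 16 * i)
            ranges.append(Range(start, size, mrva))
    return sorted(ranges)

def uncovered(module, ranges):
    """[(start, end)] pieces of the module image that are absent from the dump."""
    gaps, pos, end = [], module.base, module.base + module.size
    for r in ranges:
        if r.start + r.size <= pos or r.start >= end:
            continue
        if r.start > pos:
            gaps.append((pos, r.start))
        pos = max(pos, r.start + r.size)
    if pos < end:
        gaps.append((pos, end))
    return gaps

def check_dump(data):
    """Module name -> image ranges a PE loader could not read from this dump."""
    streams = parse_directory(data)
    ranges = parse_memory_ranges(data, streams)
    return {m.name: uncovered(m, ranges) for m in parse_modules(data, streams)}

def build_sample_dump():
    """Constructed dump: one 0x3000-byte module of which only the first page is captured."""
    name = "packed.exe".encode("utf-16-le")
    dir_rva, modlist_rva = 32, 56
    name_rva = modlist_rva + 4 + MINIDUMP_MODULE_SIZE
    mem64_rva = name_rva + 4 + len(name)
    header = struct.pack("<4sIIIIIQ", MDMP_SIGNATURE, 0xA793, 2, dir_rva, 0, 0, 0)
    directory = struct.pack("<III", MODULE_LIST_STREAM, 4 + MINIDUMP_MODULE_SIZE, modlist_rva)
    directory += struct.pack("<III", MEMORY64_LIST_STREAM, 32, mem64_rva)
    module = struct.pack("<QIIII", 0x400000, 0x3000, 0, 0, name_rva)
    module += b"\0" * (MINIDUMP_MODULE_SIZE - len(module))  # VersionInfo, CvRecord, MiscRecord, Reserved
    mem64 = struct.pack("<QQ", 1, mem64_rva + 32) + struct.pack("<QQ", 0x400000, 0x1000)
    return (header + directory + struct.pack("<I", 1) + module
            + struct.pack("<I", len(name)) + name + mem64 + b"\0" * 0x1000)

if __name__ == "__main__":
    for mod, gaps in check_dump(build_sample_dump()).items():
        print(mod, [f"{lo:#x}-{hi:#x}" for lo, hi in gaps], "not captured")
```

Run it on a real file with `check_dump(open(path, "rb").read())`. Two caveats worth knowing before filing a loader bug: a dump written with MiniDumpNormal carries only thread stacks and a few small regions in MemoryListStream, so module images are mostly absent by design, whereas MiniDumpWithFullMemory puts the whole address space into Memory64ListStream; and a module list entry records the SizeOfImage from the PE header at load time, so memory an unpacker later mapped outside that image is simply not part of the module as far as the module list is concerned.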

Support PDBs

Initial start in the 'pdb' branch. Seems using most of Ghidra's PDB implementation should work. All we seemingly need to do is have the user specify the PDB file and then match it to a proper PE image offset. Once that's done, the rest of the load seems to work okay with Ghidra's own stuff.

The current plan is:

  • Implement a Modules list that displays all modules and their PDB status (very similar to VS Modules view).
  • The list also acts as a navigation to the modules themselves in the listing, which means the view knows the base addresses.
  • Allow loading PDBs through that list.
    • This attempts to find the PDB from the file path in the PE image (we could just as well do that since it's just a quick file check).
    • If the file isn't found, pop up a file chooser and have the user select the PDB.
    • All of this could be automated through the PdbLocator maybe?
    • Once we have path to (GUID/Signature verified) PDB, we feed that to Ghidra together with our module base address and have it do the rest.
  • Next step would be to figure out the symbol server APIs to have symbols loaded automatically for compatible modules.
  • Finally having all of this as part of code analysis and/or being able to tell Ghidra to not ask for code analysis would be great since we'll ideally want the PDBs loaded first before code analysis goes off.
    • Since we need to ask the user for PDBs in some cases, having this as part of code analysis might not be feasible.
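Matching a PDB to a module the way the plan above describes (GUID/Signature verification, then a symbol-server lookup) hinges on the CodeView record that a module's CvRecord points at. The following added example is not project code: it parses an RSDS (CV_INFO_PDB70) record, builds the path a Microsoft symbol server expects for it, and checks a candidate PDB's GUID and Age against the record. The record, its GUID and the PDB path are constructed; the PDB-side GUID and Age are assumed to come from a PDB parser and are passed in as plain arguments.

```python
# Added example, not project code: from a module's RSDS CodeView record to the
# symbol-server key, plus the GUID/Age check to make before trusting a PDB.
import struct
import uuid

CV_RSDS = b"RSDS"

def parse_rsds(cv_record):
    """CV_INFO_PDB70: 'RSDS', 16-byte GUID, u32 Age, zero-terminated PDB path."""
    if len(cv_record) < 24 or cv_record[:4] != CV_RSDS:
        raise ValueError("not an RSDS (PDB 7.0) CodeView record")
    guid = uuid.UUID(bytes_le=cv_record[4:20])  # GUID fields are little-endian on disk
    (age,) = struct.unpack_from("<I", cv_record, 20)
    path = cv_record[24:].split(b"\0", 1)[0].decode("utf-8")
    return guid, age, path

def symbol_server_path(cv_record):
    """<pdb>/<GUID as 32 upper-case hex digits><Age in hex>/<pdb>, as SymSrv lays it out."""
    guid, age, path = parse_rsds(cv_record)
    pdb_name = path.replace("\\", "/").rsplit("/", 1)[-1]  # record holds the build path
    return f"{pdb_name}/{guid.hex.upper()}{age:X}/{pdb_name}"

def pdb_matches(cv_record, pdb_guid, pdb_age):
    """True only if the PDB's own GUID and Age equal those the image was linked with."""
    guid, age, _ = parse_rsds(cv_record)
    return guid == uuid.UUID(pdb_guid) and age == pdb_age

def build_sample_record():
    """Constructed record with a made-up GUID, Age 3 and a made-up build path."""
    guid = uuid.UUID("12345678-9abc-def0-1234-56789abcdef0")
    return CV_RSDS + guid.bytes_le + struct.pack("<I", 3) + b"C:\\build\\packed.pdb\0"

if __name__ == "__main__":
    rec = build_sample_record()
    print(symbol_server_path(rec))
    print(pdb_matches(rec, "12345678-9abc-def0-1234-56789abcdef0", 3))
```

The path is what gets appended to a symbol server URL or local symbol cache; the same GUID and Age are stored inside the PDB itself, so a file whose values differ belongs to a different build of the module even when its name matches, which is why a user-selected PDB should fail this check rather than be loaded at a guessed base.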

Annotate kernel memory

The kernel memory space (0x7ffe0000...) has some static data addresses (or at least static for a specific OS version). These could be annotated with proper data types.
