Error when reading user stream from dump file

Hi all,

I use IDebugAdvanced2::Request with DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM to read user stream from a dump file but I get ERROR_FILE_CORRUPT. When I use MiniDumpReadDumpStream I read the data without a problem. I also see my user stream with dumpchk.exe utility. I am also able to open the dump file with windbg, so I know there is nothing wrong with it.

Any idea how to solve the issue? I saw a previous thread http://www.osronline.com/showthread.cfm?link=212262 that says it is possible to read at least the first user stream.

TIA

Check that you are using the version of DbgEng that ships with the debugger, and not the (relatively old) version in system32, from the OS.

  • S (Msft)

WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Hi Ken,

thank you for the quick answer. Indeed, I double checked it. I am using dbgeng.dll that comes with Debugging Tool for Windows. I can confirm that by looking in Modules window in Visual Studio (Debug->Windows->Modules menu). Same goes for dbghelp.dll. The files are loaded from C:\Program Files\Debugging Tools for Windows (x86) directory.

I can confirm that using IDebugAdvanced2::Request with DEBUG_REQUEST_TARGET_EXCEPTION_CONTEXT or DEBUG_REQUEST_GET_WIN32_MAJOR_MINOR_VERSIONS also works.

I found a guy that has the very same problem (http://stackoverflow.com/q/5487279). Is there something specific about DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM? The documentation is very scarce and I think I am doing something wrong.

The DEBUG_READ_USER_MINIDUMP_STREAM::StreamType value from DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM request could only be those standard MINIDUMP_STREAM_TYPE values, not user-defined stream types. This is a known limitation.

I have no problem reading MiscInfoStream, SystemInfoStream, …


Hi Jen-Lung Chiu,

thank you very much for the clarification. I expected something like this, though I was not able to find it in the documentation. I will stick with the MiniDumpReadDumpStream function.

Once again, thank you for the quick answer.

not exactly related to ops question but it is regarding request of
streamtype MemoryListStream

on calling it like this

status = g_Advanced2->Request(
    DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
    &InBuffer,
    InBuffer.BufferSize,
    OutBuffer,
    OutBufferSize,
    &OutSize
    );

0:000> g
Breakpoint 2 hit
eax=0007ff48 ebx=00681438 ecx=002d8558 edx=0200964c esi=77c4186a edi=0007ff68
eip=01001578 esp=0007ff20 ebp=0007ff78 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
OpenDumpStream!TestDbgEng+0xfc:
01001578 ff5214 call dword ptr [edx+14h]
ds:0023:02009660={dbgeng!DebugClient::Request (020f7380)}

0:000> ?? InBuffer;dd @@c++(InBuffer.Buffer) l0xc

struct _DEBUG_READ_USER_MINIDUMP_STREAM
+0x000 StreamType : 5
+0x004 Flags : 0
+0x008 Offset : 0
+0x010 Buffer : 0x00681438 Void
+0x014 BufferSize : 0x20
+0x018 BufferUsed : 0
00681438 baadf00d baadf00d baadf00d baadf00d
00681448 baadf00d baadf00d baadf00d baadf00d
00681458 baadf00d baadf00d baadf00d baadf00d

0:000> p

eax=00000000 ebx=00681438 ecx=bb40e64f edx=0007fe78 esi=77c4186a edi=0007ff68
eip=0100157b esp=0007ff3c ebp=0007ff78 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
OpenDumpStream!TestDbgEng+0xff:
0100157b 50 push eax

0:000> ?? InBuffer;dd @@c++(InBuffer.Buffer) l0xc

struct _DEBUG_READ_USER_MINIDUMP_STREAM
+0x000 StreamType : 5
+0x004 Flags : 0
+0x008 Offset : 0
+0x010 Buffer : 0x00681438 Void
+0x014 BufferSize : 0x20
+0x018 BufferUsed : 0x20
00681438 00000009 0007df4c 00000000 000020b4
00681448 00004958 7c90e494 00000000 00000100
00681458 baadf00d baadf00d baadf00d baadf00d

i understand the first dword 9 is NumberofMemoryRanges

does the second QWORD7df4c point to MemoryRanges[0].StartofMemoryRange ??
and subsequent dwords point to …Datasize and … RVA ??

these seem to be described as ULONG 64 in dbghelp.chm
but windbg doesn't seem to honor it

0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
+0x000 NumberOfMemoryRanges : 9
+0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
+0x000 StartOfMemoryRange : 0x7df4c
+0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
+0x000 DataSize : 0x20b4
+0x004 Rva : 0x4958

see the +4

if i print it to screen with

printf(
    "Number of memory range = %08x\t\n"
    "Start of Memory Range Is %I64x\t\n"
    "Data Size is %I64x\t\n"
    "Rva is %I64x\t\n",
    mml->NumberOfMemoryRanges,
    mml->MemoryRanges[0].StartOfMemoryRange,
    mml->MemoryRanges[0].Memory.DataSize,
    mml->MemoryRanges[0].Memory.Rva
    );

i get

IDebugAdvanced2 returned 0
Number of memory range = 00000009
Start of Memory Range Is 7df4c
Data Size is 4958000020b4 cobbled into one qword ??? and
probably right if declaration of ULONg64 HOLDS
Rva is 1001154 cant find where it gets this

can somebody shed some light
it must be some stupid mistake from my side but i am not able to get it :slight_smile:

also

.dumpdebug result on same dump file

Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
9 memory ranges
range# RVA Address Size
0 00004958 0007df4c 000020b4
1 00006A0C 7c90e494 00000100
2 00006B0C 00ccff98 00000068


raj_r wrote:

> not exactly related to ops question but it is regarding request of
> streamtype MemoryListStream
>
> 00681438 00000009 0007df4c 00000000 000020b4
> 00681448 00004958 7c90e494 00000000 00000100
> 00681458 baadf00d baadf00d baadf00d baadf00d
>
> i understand the first dword 9 is NumberofMemoryRanges
>
> does the second QWORD7df4c point to MemoryRanges[0].StartofMemoryRange ??
> and subsequent dwords point to …Datasize and … RVA ??

They don’t POINT to those things. They CONTAIN those things. The
MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges, followed by
an array of MINIDUMP_MEMORY_DESCRIPTOR. The MINIDUMP_MEMORY_DESCRIPTOR
has a 64-bit start of range, followed by a
MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR has
32-bit size and 32-bit RVA,

> these seem to be described as ULONG 64 in dbghelp.chm
> but windbg doesn't seem to honor it
>
> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
> +0x000 NumberOfMemoryRanges : 9
> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
> +0x000 StartOfMemoryRange : 0x7df4c
> +0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
> +0x000 DataSize : 0x20b4
> +0x004 Rva : 0x4958
>
> see the +4

Those are correct. StartOfMemoryRange is 64-bit. NumberOfMemoryRanges,
DataSize, and Rva are all 32-bit.

> if i print it to screen with
>
> printf(
>     "Number of memory range = %08x\t\n"
>     "Start of Memory Range Is %I64x\t\n"
>     "Data Size is %I64x\t\n"
>     "Rva is %I64x\t\n",
>     mml->NumberOfMemoryRanges,
>     mml->MemoryRanges[0].StartOfMemoryRange,
>     mml->MemoryRanges[0].Memory.DataSize,
>     mml->MemoryRanges[0].Memory.Rva
>     );

“Data Size” and “Rva” should both be %08x.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Tim

you wrote
MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR has
32-bit size and 32-bit RVA,

the debughelp.chm has this

MINIDUMP_LOCATION_DESCRIPTOR Structure

Contains information describing the location of a data stream within a
minidump file.

typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
    ULONG64 DataSize;
    RVA64 Rva;
} MINIDUMP_LOCATION_DESCRIPTOR;

Members

DataSize
The size of the data stream, in bytes.

Rva
The relative virtual address (RVA) of the data. This is the byte
offset of the data stream from the beginning of the minidump file.


raj_r wrote:

> Thanks Tim
>
> you wrote
> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR has
> 32-bit size and 32-bit RVA,
>
> the debughelp.chm has this
>
> MINIDUMP_LOCATION_DESCRIPTOR Structure
>
> Contains information describing the location of a data stream within a
> minidump file.
>
> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>     ULONG64 DataSize;
>     RVA64 Rva;
> } MINIDUMP_LOCATION_DESCRIPTOR;

The online documentation describes a MINIDUMP_LOCATION_DESCRIPTOR and
a MINIDUMP_LOCATION_DESCRIPTOR64. What you show there is the
MINIDUMP_LOCATION_DESCRIPTOR64.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

note to self
when in doubt refer header file do not refer chm or web or random
tidbits in obscure corners of internet

this seems to be a documentation glitch in debugger.chm

in debughelp.h it is dword

typedef DWORD RVA;
typedef ULONG64 RVA64;

typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
ULONG32 DataSize;
RVA Rva;
} MINIDUMP_LOCATION_DESCRIPTOR;

typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
ULONG64 DataSize;
RVA64 Rva;
} MINIDUMP_LOCATION_DESCRIPTOR64;


ok changing the ULONG64 of Debughelp.chm
to DWORD of Debughelp.h
it seems now i can dump the MemoryListStream
below is code and output
Dissections are Welcome

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <engextcpp.hpp>
#include <dbghelp.h>

const ULONG MBUFFSIZE = 0x1000;

IDebugClient* g_Client;
IDebugControl* g_Control;
IDebugAdvanced2* g_Advanced2;
PVOID Buff;

// Release the debugger interfaces, free the read buffer, print the
// message and terminate the process with the given code.
void
Exit( __in int Code,
      __in PCSTR Format,
      ...)
{
    if (g_Client != NULL) {
        g_Client->EndSession(DEBUG_END_DISCONNECT);
        g_Client->Release();
        g_Client = NULL;
    }
    if (g_Control != NULL) {
        g_Control->Release();
        g_Control = NULL;
    }
    if (g_Advanced2 != NULL) {
        g_Advanced2->Release();
        g_Advanced2 = NULL;
    }
    if (Buff != NULL) {
        free(Buff);
    }
    if (Format != NULL) {
        va_list Args;
        va_start(Args, Format);
        vfprintf(stderr, Format, Args);
        va_end(Args);
    }
    exit(Code);
}

int __cdecl DumpMemoryListStream(void){
    HRESULT status;

    if ( ( status = DebugCreate(
        __uuidof(IDebugClient),
        (void**)&g_Client
        ) ) != S_OK) {
        Exit(
            FALSE,
            "%s ( %s ) Failed %08x\n",
            "DebugCreate",
            "IDebugClient",
            status);
    }
    if ( ( status = g_Client->QueryInterface(
        __uuidof(IDebugControl),
        (void**)&g_Control
        ) ) != S_OK ) {
        Exit(
            FALSE,
            "%s ( %s ) Failed %08x\n",
            "QueryInterface",
            "IDebugControl",
            status);
    }
    if ( ( status = g_Client->QueryInterface(
        __uuidof(IDebugAdvanced2),
        (void**)&g_Advanced2
        )) != S_OK ) {
        Exit(
            FALSE,
            "%s ( %s ) Failed %08x\n",
            "QueryInterface",
            "IDebugAdvanced2",
            status);
    }
    if (( status = g_Client->OpenDumpFile(
        "test.dmp"
        )) != S_OK ) {
        Exit(
            FALSE,
            "%s ( %s ) Failed %08x\n",
            "g_Client",
            "OpenDumpFile",
            status);
    }
    // The dump is only usable after the engine has processed the open.
    if (( status = g_Control->WaitForEvent(
        0,
        INFINITE
        ) ) != S_OK ) {
        Exit(
            FALSE,
            "%s ( %s ) Failed %08x\n",
            "g_Control",
            "WaitForEvent",
            status);
    }

    PVOID OutBuffer;
    ULONG OutBufferSize;
    ULONG OutSize;
    PMINIDUMP_MEMORY_LIST mml;
    DEBUG_READ_USER_MINIDUMP_STREAM InBuffer;

    // The stream data is returned through InBuffer.Buffer, not OutBuffer.
    InBuffer.StreamType = MemoryListStream;
    InBuffer.Flags = 0;
    InBuffer.Offset = 0;
    InBuffer.Buffer = Buff;
    InBuffer.BufferSize = MBUFFSIZE;
    InBuffer.BufferUsed = 0;
    OutBuffer = NULL;
    OutBufferSize = 0;

    if (( status = g_Advanced2->Request(
        DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
        &InBuffer,
        sizeof(InBuffer),
        OutBuffer,
        OutBufferSize,
        &OutSize
        ) ) != S_OK ) {
        Exit(
            FALSE,
            "%s (\n"
            "\t%s,\n"
            "\t%s\n\t) Failed %08x\n",
            "g_Advanced2->Request",
            "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
            "MemoryListStream",
            status);
    }

    mml = (PMINIDUMP_MEMORY_LIST)Buff;

    // NumberOfMemoryRanges comes from the dump file, so cap the loop to the
    // descriptors that were actually copied into Buff (BufferUsed bytes).
    ULONG HeaderBytes = FIELD_OFFSET(MINIDUMP_MEMORY_LIST, MemoryRanges);
    ULONG MaxRanges = 0;
    if (InBuffer.BufferUsed >= HeaderBytes) {
        MaxRanges = (InBuffer.BufferUsed - HeaderBytes) /
                    sizeof(MINIDUMP_MEMORY_DESCRIPTOR);
    }
    ULONG Count = (InBuffer.BufferUsed >= HeaderBytes) ? mml->NumberOfMemoryRanges : 0;
    if (Count > MaxRanges) {
        Count = MaxRanges;
    }

    printf (
        " Number Of Memory ranges = %x\n\n"
        " range# RVA Address Size\n",
        Count
        );
    // Rva and DataSize are 32-bit; only StartOfMemoryRange is 64-bit.
    for (ULONG i = 0; i < Count; i++) {
        printf(
            " %d %08x %08I64x %08x\n",
            i,
            mml->MemoryRanges[i].Memory.Rva,
            mml->MemoryRanges[i].StartOfMemoryRange,
            mml->MemoryRanges[i].Memory.DataSize
            );
    }
    Exit(
        TRUE,
        "%s (\n"
        "\t%s,\n"
        "\t%s\n\t) Succeeded %08x\n",
        "g_Advanced2->Request",
        "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
        "MemoryListStream",
        status);
    return 0; // not reached, Exit() terminates the process
}

int __cdecl main (void){
    Buff = (PVOID) malloc( MBUFFSIZE );
    if(Buff == 0) {
        printf(
            "malloc failed\n"
            );
        Exit ( FALSE, "malloc Failed \n");
    }
    printf("\n\n -====Dumping MemoryListStream From Memory Dump====-\n\n");
    DumpMemoryListStream();
}

t>OpenDumpStream.exe

-====Dumping MemoryListStream From Memory Dump====-

Number Of Memory ranges = 9

range# RVA Address Size
0 00004958 0007df4c 000020b4
1 00006a0c 7c90e494 00000100
2 00006b0c 00ccff98 00000068
3 00006b74 7c90e494 00000100
4 00006c74 00f1bcac 00004354
5 0000afc8 7c90e494 00000100
6 0000b0c8 009cfe14 000001ec
7 0000b2b4 7c90e494 00000100
8 0000b3b4 00447000 000165a8
g_Advanced2->Request (
DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
MemoryListStream
) Succeeded 00000000

same dmp checked via dumpchk util
Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
9 memory ranges
range# RVA Address Size
0 00004958 0007df4c 000020b4
1 00006A0C 7c90e494 00000100
2 00006B0C 00ccff98 00000068
3 00006B74 7c90e494 00000100
4 00006C74 00f1bcac 00004354
5 0000AFC8 7c90e494 00000100
6 0000B0C8 009cfe14 000001ec
7 0000B2B4 7c90e494 00000100
8 0000B3B4 00447000 000165a8
Total memory: 1d004

one question remains
Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
i can get the 94 from outsize 1d004 from adding up all sizes
what should i use to get the rva 48c4 ?


You could check MSDN or dbghelp.h for the user-mode minidump format, then use a binary editor to browse the dump file.

The user-mode minidump starts with a MINIDUMP_HEADER structure, followed by a list of MINIDUMP_DIRECTORY structures (the number of MINIDUMP_DIRECTORY structures is MINIDUMP_HEADER::NumberOfStreams). The MINIDUMP_DIRECTORY block defines the type of the stream (in your case, MemoryListStream) as well as the RVA/size of the stream.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Wednesday, May 2, 2012 02:42 AM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Error when reading user stream from dump file

ok changing the ULONG64 of Debughelp.chm to DWORD of Debughelp.h it seems now i can dump the MemoryListStream below is code and output Dissections are Welcome

#include <stdio.h>

#include <engextcpp.hpp>

#include <dbghelp.h>

const ULONG MBUFFSIZE = 0x1000;

IDebugClient* g_Client;

IDebugControl* g_Control;

IDebugAdvanced2* g_Advanced2;

PVOID Buff;

void

Exit( in int Code,

in PCSTR Format,

…)

{

if (g_Client != NULL) {

g_Client->EndSession(DEBUG_END_DISCONNECT);

g_Client->Release();

g_Client = NULL;

}

if (g_Control != NULL) {

g_Control->Release();

g_Control = NULL;

}

if (g_Advanced2 !=NULL) {

g_Advanced2->Release();

g_Advanced2 = NULL;

}

if( Buff != NULL) {

free(Buff);

}

if (Format != NULL) {

va_list Args;

va_start(Args, Format);

vfprintf(stderr, Format, Args);

va_end(Args);

}

exit(Code);

}

int __cdecl DumpMemoryListStream(void){

HRESULT status;

if ( ( status = DebugCreate(

__uuidof(IDebugClient),

(void**)&g_Client

) ) !=S_OK) {

Exit(

FALSE,

“%s ( %s ) Failed %08x\n”,

“DebugCreate”,

“IDebugClient”,

status);

}

if ( ( status = g_Client->QueryInterface(

__uuidof(IDebugControl),

(void**)&g_Control

) ) != S_OK ) {

Exit(

FALSE,

“%s ( %s ) Failed %08x\n”,

“QueryInterface”,

“IDebugControl”,

status);

}

if ( ( status = g_Client->QueryInterface(

__uuidof(IDebugAdvanced2),

(void**)&g_Advanced2

)) != S_OK ) {

Exit(

FALSE,

“%s ( %s ) Failed %08x\n”,

“QueryInterface”,

“IDebugAdvanced2”,

status);

}

if (( status = g_Client->OpenDumpFile(

“test.dmp”

)) != S_OK ) {

Exit(

FALSE,

“%s ( %s ) Failed %08x\n”,

“g_Client”,

“OpenDumpFile”,

status);

}

if (( status = g_Control->WaitForEvent(

0,

INFINITE

) ) != S_OK ) {

Exit(

FALSE,

“%s ( %s ) Failed %08x\n”,

“g_Control”,

“WaitForEvent”,

status);

}

PVOID OutBuffer;

ULONG OutBufferSize;

ULONG OutSize;

PMINIDUMP_MEMORY_LIST mml;

DEBUG_READ_USER_MINIDUMP_STREAM InBuffer;

InBuffer.StreamType = MemoryListStream;

InBuffer.Flags = 0;

InBuffer.Offset = 0;

InBuffer.Buffer = Buff;

InBuffer.BufferSize = MBUFFSIZE;

InBuffer.BufferUsed = 0;

OutBuffer = NULL;

OutBufferSize = NULL;

if (( status = g_Advanced2->Request(

DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,

&InBuffer,

sizeof(InBuffer),

OutBuffer,

OutBufferSize,

&OutSize

) ) != S_OK ) {

Exit(

FALSE,

“%s (\n”

“\t%s,\n”

“\t%s\n\t) Failed %08x\n”,

“g_Advanced2->Request”,

“DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM”,

“MemoryListStream”,

status);

}

mml = (PMINIDUMP_MEMORY_LIST)Buff;

printf (

" Number Of Memory ranges = %x\n\n"

" range# RVA Address Size\n",

mml->NumberOfMemoryRanges

);

for (ULONG i = 0; iNumberOfMemoryRanges;i++) {

printf(

" %d %08x %08I64x %08x\n",

i,

mml->MemoryRanges[i].Memory.Rva,

mml->MemoryRanges[i].StartOfMemoryRange,

mml->MemoryRanges[i].Memory.DataSize

);

}

Exit(

TRUE,

“%s (\n”

“\t%s,\n”

“\t%s\n\t) Succeeded %08x\n”,

“g_Advanced2->Request”,

“DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM”,

“MemoryListStream”,

status);

}

int __cdecl main (void){

Buff = (PVOID) malloc( MBUFFSIZE );

if(Buff == 0) {

printf(

“malloc failed\n”

);

Exit ( FALSE,“malloc Failed \n”);

}

printf(“\n\n -====Dumping MemoryListStream From Memory Dump====-\n\n”);

DumpMemoryListStream();

}

t>OpenDumpStream.exe

-====Dumping MemoryListStream From Memory Dump====-

Number Of Memory ranges = 9

range# RVA Address Size
0 00004958 0007df4c 000020b4
1 00006a0c 7c90e494 00000100
2 00006b0c 00ccff98 00000068
3 00006b74 7c90e494 00000100
4 00006c74 00f1bcac 00004354
5 0000afc8 7c90e494 00000100
6 0000b0c8 009cfe14 000001ec
7 0000b2b4 7c90e494 00000100
8 0000b3b4 00447000 000165a8
g_Advanced2->Request (
DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
MemoryListStream
) Succeeded 00000000

same dmp checked via dumpchk util
Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
9 memory ranges
range# RVA Address Size
0 00004958 0007df4c 000020b4
1 00006A0C 7c90e494 00000100
2 00006B0C 00ccff98 00000068
3 00006B74 7c90e494 00000100
4 00006C74 00f1bcac 00004354
5 0000AFC8 7c90e494 00000100
6 0000B0C8 009cfe14 000001ec
7 0000B2B4 7c90e494 00000100
8 0000B3B4 00447000 000165a8
Total memory: 1d004

one question remains
Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4 i can get the 94 from outsize 1d004 from adding up all sizes what should i use to get the rva 48c4 ?

On 5/2/12, raj_r wrote:
> note to self
> when in doubt refer header file do not refer chm or web or random
> tidbits in obscure corners of internet
>
> this seem to be a documentation glitch in debugger.chm
>
> in debughelp.h it is dword
>
> typedef DWORD RVA;
> typedef ULONG64 RVA64;
>
> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
> ULONG32 DataSize;
> RVA Rva;
> } MINIDUMP_LOCATION_DESCRIPTOR;
>
> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
> ULONG64 DataSize;
> RVA64 Rva;
> } MINIDUMP_LOCATION_DESCRIPTOR64;
>
> On 5/2/12, raj_r wrote:
>> Thanks Tim
>>
>> you wrote
>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR has
>> 32-bit size and 32-bit RVA,
>>
>> the debughelp.chm has this
>>
>>
>>
>> MINIDUMP_LOCATION_DESCRIPTOR Structure
>>
>> Contains information describing the location of a data stream within
>> a minidump file.
>>
>>
>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR { ULONG64 DataSize;
>> RVA64 Rva; } MINIDUMP_LOCATION_DESCRIPTOR; Members DataSize The size
>> of the data stream, in bytes.
>>
>> Rva
>> The relative virtual address (RVA) of the data. This is the byte
>> offset of the data stream from the beginning of the minidump file.
>>
>>
>>
>> On 5/2/12, Tim Roberts wrote:
>>> raj_r wrote:
>>>> not exactly related to ops question but it is regarding request of
>>>> streamtype MemoryListStream
>>>> …
>>>> 00681438 00000009 0007df4c 00000000 000020b4
>>>> 00681448 00004958 7c90e494 00000000 00000100
>>>> 00681458 baadf00d baadf00d baadf00d baadf00d
>>>>
>>>> i understand the first dword 9 is NumberofMemoryRanges
>>>>
>>>> does the second QWORD7df4c point to MemoryRanges[0].StartofMemoryRange
>>>> ??
>>>> and subsequent dwords point to …Datasize and … RVA ??
>>>
>>> They don’t POINT to those things. They CONTAIN those things. The
>>> MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges, followed by
>>> an array of MINIDUMP_MEMORY_DESCRIPTOR. The MINIDUMP_MEMORY_DESCRIPTOR
>>> has a 64-bit start of range, followed by a
>>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR has
>>> 32-bit size and 32-bit RVA,
>>>
>>>> these seem to described as ULONG 64 in dbghelp.chm
>>>> but windbg doesnt seem to honor it
>>>>
>>>> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
>>>> +0x000 NumberOfMemoryRanges : 9
>>>> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
>>>> +0x000 StartOfMemoryRange : 0x7df4c
>>>> +0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
>>>> +0x000 DataSize : 0x20b4
>>>> +0x004 Rva : 0x4958
>>>>
>>>> see the +4
>>>
>>> Those are correct. StartOfMemoryRange is 64-bit. NumberOfMemoryRanges,
>>> DataSize, and Rva are all 32-bit.
>>>
>>>> if i print it to scree with
>>>>
>>>> printf(
>>>> “Number of memory range = %08x\t\n”
>>>> “Start of Memory Range Is %I64x\t\n”
>>>> “Data Size is %I64x\t\n”
>>>> “Rva is %I64x\t\n”,
>>>> mml->NumberOfMemoryRanges,
>>>> mml->MemoryRanges[0].StartOfMemoryRange,
>>>> mml->MemoryRanges[0].Memory.DataSize,
>>>> mml->MemoryRanges[0].Memory.Rva
>>>>
>>>> );
>>>
>>> “Data Size” and “Rva” should both be %08x.
>>>
>>> –
>>> Tim Roberts, xxxxx@probo.com
>>> Providenza & Boekelheide, Inc.
>>>
>>>

Thanks jen

So I Need To do Something Like below Myself
no request or interface exist ??

int __cdecl DumpDumpHeader(void) {
    /* Uses Buff and Exit() from the OpenDumpStream listing posted earlier in the thread. */
    HRESULT status = S_OK;
    PMINIDUMP_HEADER MiniHeader;
    FILE * fp;
    size_t result;

    if (( fp = fopen("test.dmp", "rb") ) == 0 ) {
        Exit(FALSE, "fopen ( %s ) Failed", "test.dmp");
    }

    /* Read exactly one MINIDUMP_HEADER from the start of the file. */
    if (( result = fread(Buff, 1, sizeof(MINIDUMP_HEADER), fp) ) != sizeof(MINIDUMP_HEADER)) {
        Exit(FALSE, "fread(fp) failed\n");
    }

    MiniHeader = (PMINIDUMP_HEADER)Buff;

    /* Flags is a ULONG64, so it needs an I64 format; the other fields are 32-bit. */
    printf(
        "Minidump Header Signature = %08x\n"
        "MINIDUMP_VERSION = %08x\n"
        "MINIDUMP_VERSION(Internal) = %08x\n"
        "MINIDUMP_HEADER NumberofStreams = %08x\n"
        "MINIDUMP_HEADER StreamDirectoryRVA = %08x\n"
        "MINIDUMP_HEADER CheckSum = %08x\n"
        "MINIDUMP_HEADER reserved = %08x\n"
        "MINIDUMP_HEADER TimeDateStamp = %08x\n"
        "MINIDUMP_HEADER Flags = %08I64x\n",
        MiniHeader->Signature,
        LOWORD(MiniHeader->Version),
        HIWORD(MiniHeader->Version),
        MiniHeader->NumberOfStreams,
        MiniHeader->StreamDirectoryRva,
        MiniHeader->CheckSum,
        MiniHeader->Reserved,
        MiniHeader->TimeDateStamp,
        MiniHeader->Flags
    );

    fclose(fp);
    return status;
}

-====Dumping DumpHeader From Memory Dump====-

Minidump Header Signature = 504d444d
MINIDUMP_VERSION = 0000a793
MINIDUMP_VERSION(Internal) = 00006003
MINIDUMP_HEADER NumberofStreams = 00000008
MINIDUMP_HEADER StreamDirectoryRVA = 00000020
MINIDUMP_HEADER CheckSum = 00000000
MINIDUMP_HEADER reserved = 4f70c8f0
MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
MINIDUMP_HEADER Flags = 00000021
Dump Header Dumped

----- User Mini Dump Analysis

MINIDUMP_HEADER:
Version A793 (6003)
NumberOfStreams 8
Flags 21
0001 MiniDumpWithDataSegs
0020 MiniDumpWithUnloadedModules

On 5/2/12, Jen-Lung Chiu wrote:
> You could check MSDN or dbghelp.h for user-mode minidump format, then use
> binary editor to browse the dump file.
>
> The user-mode minidump starts with a MINIDUMP_HEADER structure, then follows
> a list of MINIDUMP_DIRECTORY structure (the number of MINIDUMP_DIRECTORY
> structures is MINIDUMP_HEADER::NumberOfStreams). The MINIDUMP_DIRECTORY
> block defines the type of the stream (in your case, MemoryListStream) as
> well as the RVA/size of the stream.
>

Yes no API support to get those data from dump headers.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Wednesday, May 2, 2012 01:37 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Error when reading user stream from dump file

Thanks jen

So I Need To do Something Like below Myself no request or interface exist ??


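Since no DbgEng request returns the header or the stream directory, a tool has to parse them from the file itself, and a dump file is untrusted input: NumberOfStreams, NumberOfMemoryRanges and every RVA come from the file. The C parser below is an added example, not code from any poster in this thread; it applies the layout described above with bounds checks. All names and the sample bytes are constructed for the example (the signature, version and two addresses reuse values printed in the thread).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes and offsets follow the layout discussed in the thread; every name
   here is this example's own (hypothetical), not a dbghelp.h identifier. */
#define MDMP_SIGNATURE     0x504d444du  /* "MDMP", as DumpDumpHeader printed it */
#define MEMORY_LIST_STREAM 5u
#define HEADER_SIZE        32u          /* MINIDUMP_HEADER */
#define DIRECTORY_SIZE     12u          /* StreamType, DataSize, Rva */
#define MEM_DESC_SIZE      16u          /* 64-bit start, DataSize, Rva */
#define SAMPLE_SIZE        0x74u        /* size of the constructed sample */

enum md_status { MD_OK, MD_BAD_HEADER, MD_BAD_DIRECTORY, MD_NO_STREAM,
                 MD_BAD_STREAM, MD_BAD_RANGE, MD_TOO_MANY };
struct md_range { uint64_t start; uint32_t size, rva; };

/* Little-endian field access, independent of host alignment and packing. */
static uint32_t rd32(const uint8_t *p)
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* True when [off, off + len) lies inside an n-byte file; cannot overflow. */
static int in_file(size_t n, uint64_t off, uint64_t len) { return off <= n && len <= n - off; }

/* Walk the stream directory and return the RVA and size of the first stream
   of the given type, rejecting entries that point outside the file. */
static enum md_status find_stream(const uint8_t *f, size_t n, uint32_t type,
                                  uint32_t *rva, uint32_t *size)
{
    if (n < HEADER_SIZE || rd32(f) != MDMP_SIGNATURE) return MD_BAD_HEADER;
    uint32_t count = rd32(f + 8), dir = rd32(f + 12);
    if (!in_file(n, dir, (uint64_t)count * DIRECTORY_SIZE)) return MD_BAD_DIRECTORY;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = f + dir + (size_t)i * DIRECTORY_SIZE;
        if (rd32(e) != type) continue;
        *size = rd32(e + 4);
        *rva = rd32(e + 8);
        return in_file(n, *rva, *size) ? MD_OK : MD_BAD_STREAM;
    }
    return MD_NO_STREAM;
}

/* Decode MemoryListStream into out[0..cap). The range count comes from the
   file, so it is checked against the stream size before it drives a loop. */
static enum md_status read_memory_list(const uint8_t *f, size_t n,
                                       struct md_range *out, uint32_t cap,
                                       uint32_t *count)
{
    uint32_t rva, size;
    enum md_status st = find_stream(f, n, MEMORY_LIST_STREAM, &rva, &size);
    if (st != MD_OK) return st;
    if (size < 4) return MD_BAD_STREAM;
    uint32_t ranges = rd32(f + rva);
    if ((uint64_t)ranges * MEM_DESC_SIZE > size - 4u) return MD_BAD_STREAM;
    if (ranges > cap) return MD_TOO_MANY;
    for (uint32_t i = 0; i < ranges; i++) {
        const uint8_t *d = f + rva + 4 + (size_t)i * MEM_DESC_SIZE;
        out[i].start = rd64(d);
        out[i].size = rd32(d + 8);
        out[i].rva = rd32(d + 12);
        if (!in_file(n, out[i].rva, out[i].size)) return MD_BAD_RANGE;
    }
    *count = ranges;
    return MD_OK;
}

/* Constructed sample: header, two directory entries, a two-range memory list
   and 0x18 bytes of range data. f must hold SAMPLE_SIZE bytes. */
static size_t build_sample(uint8_t *f)
{
    memset(f, 0, SAMPLE_SIZE);
    wr32(f + 0x00, MDMP_SIGNATURE); wr32(f + 0x04, 0x6003a793u); /* Signature, Version */
    wr32(f + 0x08, 2); wr32(f + 0x0c, HEADER_SIZE); /* NumberOfStreams, StreamDirectoryRva */
    /* directory[0] at 0x20 stays all zero (UnusedStream); directory[1] is at 0x2c */
    wr32(f + 0x2c, MEMORY_LIST_STREAM); wr32(f + 0x30, 0x24); wr32(f + 0x34, 0x38);
    wr32(f + 0x38, 2);                  /* NumberOfMemoryRanges */
    wr64(f + 0x3c, 0x0007df4c); wr32(f + 0x44, 0x10); wr32(f + 0x48, 0x5c);
    wr64(f + 0x4c, 0x7c90e494); wr32(f + 0x54, 0x08); wr32(f + 0x58, 0x6c);
    return SAMPLE_SIZE;
}

int main(void)
{
    uint8_t f[SAMPLE_SIZE];
    struct md_range r[16];
    uint32_t count = 0;
    enum md_status st = read_memory_list(f, build_sample(f), r, 16, &count);
    if (st != MD_OK) { fprintf(stderr, "dump rejected: status %d\n", (int)st); return 1; }
    for (uint32_t i = 0; i < count; i++)
        printf("%u %08x %08llx %08x\n", (unsigned)i, (unsigned)r[i].rva,
               (unsigned long long)r[i].start, (unsigned)r[i].size);
    return 0;
}
```

The same checks apply when the stream is fetched through DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM into a fixed-size buffer: the range count read from the buffer should be checked against the number of bytes actually returned before it is used as a loop bound.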
thanks jen for answering fast
it seems i am able to get the directories and rvas with code below

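    /* Continues DumpDumpHeader() after the header printf, before fclose(fp). */
    PMINIDUMP_DIRECTORY MiniDir;
    ULONG NumberOfStreams = MiniHeader->NumberOfStreams;

    /* Seek to the directory explicitly; Buff (and so MiniHeader) is reused below. */
    fseek(fp, MiniHeader->StreamDirectoryRva, SEEK_SET);

    for (ULONG i = 0; i < NumberOfStreams; i++) {
        /* One MINIDUMP_DIRECTORY entry per stream. */
        if (fread(Buff, 1, sizeof(MINIDUMP_DIRECTORY), fp) != sizeof(MINIDUMP_DIRECTORY)) {
            Exit(FALSE, "fread(MINIDUMP_DIRECTORY) failed\n");
        }
        MiniDir = (PMINIDUMP_DIRECTORY) Buff;
        printf(
            "StreamType\t%08x\tSize\t%08x\tRva\t%08x\n",
            MiniDir->StreamType,
            MiniDir->Location.DataSize,
            MiniDir->Location.Rva
        );
    }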

StreamType 00000003 Size 000000c4 Rva 00000160
StreamType 00000004 Size 00001a2c Rva 00000224
StreamType 0000000e Size 00000114 Rva 00001c50
StreamType 00000005 Size 00000094 Rva 000048c4
StreamType 00000006 Size 000000a8 Rva 000000b8
StreamType 00000007 Size 00000038 Rva 00000080
StreamType 00000000 Size 00000000 Rva 00000000
StreamType 00000000 Size 00000000 Rva 00000000
Dump Header Dumped

t>Dumpchk test.dmp | grep -i stream
Loading dump file test.dmp
NumberOfStreams 8
Streams:
Stream 0: type ThreadListStream (3), size 000000C4, RVA 00000160
Stream 1: type ModuleListStream (4), size 00001A2C, RVA 00000224
Stream 2: type UnloadedModuleListStream (14), size 00000114, RVA 00001C50
Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000B8
Stream 5: type SystemInfoStream (7), size 00000038, RVA 00000080
Stream 6: type UnusedStream (0), size 00000000, RVA 00000000
Stream 7: type UnusedStream (0), size 00000000, RVA 00000000

so all left is to parse and the remaining bytes

On 5/3/12, Jen-Lung Chiu wrote:
> Yes no API support to get those data from dump headers.
>
>> On 5/2/12, raj_r wrote:
>>> note to self
>>> when in doubt refer header file do not refer chm or web or random
>>> tidbits in obscure corners of internet
>>>
>>> this seem to be a documentation glitch in debugger.chm
>>>
>>> in debughelp.h it is dword
>>>
>>> typedef DWORD RVA;
>>> typedef ULONG64 RVA64;
>>>
>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>> ULONG32 DataSize;
>>> RVA Rva;
>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>
>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
>>> ULONG64 DataSize;
>>> RVA64 Rva;
>>> } MINIDUMP_LOCATION_DESCRIPTOR64;
>>>
>>> On 5/2/12, raj_r wrote:
>>>> Thanks Tim
>>>>
>>>> you wrote
>>>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR has
>>>> 32-bit size and 32-bit RVA,
>>>>
>>>> the debughelp.chm has this
>>>>
>>>>
>>>>
>>>> MINIDUMP_LOCATION_DESCRIPTOR Structure
>>>>
>>>> Contains information describing the location of a data stream within
>>>> a minidump file.
>>>>
>>>>
>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR { ULONG64 DataSize;
>>>> RVA64 Rva; } MINIDUMP_LOCATION_DESCRIPTOR; Members DataSize The size
>>>> of the data stream, in bytes.
>>>>
>>>> Rva
>>>> The relative virtual address (RVA) of the data. This is the byte
>>>> offset of the data stream from the beginning of the minidump file.
>>>>
>>>>
>>>>
>>>> On 5/2/12, Tim Roberts wrote:
>>>>> raj_r wrote:
>>>>>> not exactly related to ops question but it is regarding request of
>>>>>> streamtype MemoryListStream …
>>>>>> 00681438 00000009 0007df4c 00000000 000020b4
>>>>>> 00681448 00004958 7c90e494 00000000 00000100
>>>>>> 00681458 baadf00d baadf00d baadf00d baadf00d
>>>>>>
>>>>>> i understand the first dword 9 is NumberofMemoryRanges
>>>>>>
>>>>>> does the second QWORD7df4c point to
>>>>>> MemoryRanges[0].StartofMemoryRange
>>>>>> ??
>>>>>> and subsequent dwords point to …Datasize and … RVA ??
>>>>>
>>>>> They don’t POINT to those things. They CONTAIN those things. The
>>>>> MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges,
>>>>> followed by an array of MINIDUMP_MEMORY_DESCRIPTOR. The
>>>>> MINIDUMP_MEMORY_DESCRIPTOR has a 64-bit start of range, followed by
>>>>> a MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>> has 32-bit size and 32-bit RVA,
>>>>>
>>>>>> these seem to described as ULONG 64 in dbghelp.chm but windbg
>>>>>> doesnt seem to honor it
>>>>>>
>>>>>> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
>>>>>> +0x000 NumberOfMemoryRanges : 9
>>>>>> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
>>>>>> +0x000 StartOfMemoryRange : 0x7df4c
>>>>>> +0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
>>>>>> +0x000 DataSize : 0x20b4
>>>>>> +0x004 Rva : 0x4958
>>>>>>
>>>>>> see the +4
>>>>>
>>>>> Those are correct. StartOfMemoryRange is 64-bit.
>>>>> NumberOfMemoryRanges,
>>>>> DataSize, and Rva are all 32-bit.
>>>>>
>>>>>> if i print it to screen with
>>>>>>
>>>>>> printf(
>>>>>> "Number of memory range = %08x\t\n"
>>>>>> "Start of Memory Range Is %I64x\t\n"
>>>>>> "Data Size is %I64x\t\n"
>>>>>> "Rva is %I64x\t\n",
>>>>>> mml->NumberOfMemoryRanges,
>>>>>> mml->MemoryRanges[0].StartOfMemoryRange,
>>>>>> mml->MemoryRanges[0].Memory.DataSize,
>>>>>> mml->MemoryRanges[0].Memory.Rva
>>>>>>
>>>>>> );
>>>>>
>>>>> “Data Size” and “Rva” should both be %08x.
>>>>>
>>>>> –
>>>>> Tim Roberts, xxxxx@probo.com
>>>>> Providenza & Boekelheide, Inc.
>>>>>
>>>>>

THIS must be a STUPID c 101 QUESTION
still i will ask it

dbghelp.h has this declared

typedef enum _MINIDUMP_STREAM_TYPE {

UnusedStream = 0,
ReservedStream0 = 1,
ReservedStream1 = 2,
ThreadListStream = 3,
ModuleListStream = 4, … s ON }

now if i want to printf

MiniDir = (PMINIDUMP_DIRECTORY) Buff; MiniDir->StreamType,

say if 3 printf ("ThreadListStream");

should i be doing it like this ?? error prone copy paste modify by
hand of the enum from dbghelp.h ?? like below

PSTR
__cdecl
MiniStreamTypeName (
    int StreamType
    )
{
    PSTR Ministr[] = {
        "UnusedStream",
        "ReservedStream0",
        "ReservedStream1",
        "ThreadListStream",
        "ModuleListStream",

    };
    return Ministr[StreamType];
}

and call it with say

printf(
    "%7d %08x\x20\x20\x20\x20 %-30s %08x %08x\n",
    i,
    MiniDir->StreamType,
    MiniStreamTypeName(MiniDir->StreamType),
    MiniDir->Location.DataSize,
    MiniDir->Location.Rva
    );

this seems to work though i feel this must really not be the way to go about

-====Dumping DumpHeader From Memory Dump====-

Minidump Header Signature = 504d444d
MINIDUMP_VERSION = 0000a793
MINIDUMP_VERSION(Internal) = 00006003
MINIDUMP_HEADER NumberofStreams = 00000008
MINIDUMP_HEADER StreamDirectoryRVA = 00000020
MINIDUMP_HEADER CheckSum = 00000000
MINIDUMP_HEADER reserved = 4f70c8f0
MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
MINIDUMP_HEADER Flags = 00000021
Stream# StreamType StreamName Size RVA
0 00000003 ThreadListStream 000000c4 00000160
1 00000004 ModuleListStream 00001a2c 00000224
2 0000000e UnloadedModuleListStream 00000114 00001c50
3 00000005 MemoryListStream 00000094 000048c4
4 00000006 ExceptionStream 000000a8 000000b8
5 00000007 SystemInfoStream 00000038 00000080
6 00000000 UnusedStream 00000000 00000000
7 00000000 UnusedStream 00000000 00000000
Dump Header Dumped

On 5/3/12, raj_r wrote:
> thanks jen for answering fast
> it seems i am able to get the directories and rvas with code below
>
> ftell(fp);
>
> ULONG NumberOfStreams = MiniHeader->NumberOfStreams;
>
> for (ULONG i = 0; i<NumberOfStreams; i++)
> {
>     fread(
>         Buff,
>         1,
>         sizeof(MINIDUMP_DIRECTORY),
>         fp
>         );
>     MiniDir = (PMINIDUMP_DIRECTORY) Buff;
>     printf(
>         "StreamType\t%08x\tSize\t%08x\tRva\t%08x\n",
>         MiniDir->StreamType,
>         MiniDir->Location.DataSize,
>         MiniDir->Location.Rva
>         );
>     ftell(fp);
> }
>
> StreamType 00000003 Size 000000c4 Rva 00000160
> StreamType 00000004 Size 00001a2c Rva 00000224
> StreamType 0000000e Size 00000114 Rva 00001c50
> StreamType 00000005 Size 00000094 Rva 000048c4
> StreamType 00000006 Size 000000a8 Rva 000000b8
> StreamType 00000007 Size 00000038 Rva 00000080
> StreamType 00000000 Size 00000000 Rva 00000000
> StreamType 00000000 Size 00000000 Rva 00000000
> Dump Header Dumped
>
>
> t>Dumpchk test.dmp | grep -i stream
> Loading dump file test.dmp
> NumberOfStreams 8
> Streams:
> Stream 0: type ThreadListStream (3), size 000000C4, RVA 00000160
> Stream 1: type ModuleListStream (4), size 00001A2C, RVA 00000224
> Stream 2: type UnloadedModuleListStream (14), size 00000114, RVA 00001C50
> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
> Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000B8
> Stream 5: type SystemInfoStream (7), size 00000038, RVA 00000080
> Stream 6: type UnusedStream (0), size 00000000, RVA 00000000
> Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
>
>
> so all left is to parse and the remaining bytes
>
>
> On 5/3/12, Jen-Lung Chiu wrote:
>> Yes no API support to get those data from dump headers.
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>> Sent: Wednesday, May 2, 2012 01:37 PM
>> To: Kernel Debugging Interest List
>> Subject: Re: [windbg] Error when reading user stream from dump file
>>
>> Thanks jen
>>
>> So I Need To do Something Like below Myself no request or interface exist
>> ??
>>
>>
>> int __cdecl DumpDumpHeader(void) {
>>     HRESULT status = S_OK;
>>     PMINIDUMP_HEADER MiniHeader;
>>     FILE * fp;
>>     size_t result;
>>
>>     if (( fp = fopen(
>>         "test.dmp",
>>         "rb"
>>         ) ) == 0 ) {
>>         Exit (
>>             FALSE,
>>             "fopen ( %s ) Failed",
>>             "test.dmp"
>>             );
>>     }
>>
>>     if (( result = fread(
>>         Buff,
>>         1,
>>         sizeof(MINIDUMP_HEADER),
>>         fp
>>         ) ) != sizeof(MINIDUMP_HEADER)) {
>>         Exit(
>>             FALSE,
>>             "fread(fp) failed\n"
>>             );
>>     }
>>
>>     MiniHeader = (PMINIDUMP_HEADER)Buff;
>>
>>     /* Flags is a ULONG64 in MINIDUMP_HEADER, so it needs %I64x. */
>>     printf(
>>         "Minidump Header Signature = %08x\n"
>>         "MINIDUMP_VERSION = %08x\n"
>>         "MINIDUMP_VERSION(Internal) = %08x\n"
>>         "MINIDUMP_HEADER NumberofStreams = %08x\n"
>>         "MINIDUMP_HEADER StreamDirectoryRVA = %08x\n"
>>         "MINIDUMP_HEADER CheckSum = %08x\n"
>>         "MINIDUMP_HEADER reserved = %08x\n"
>>         "MINIDUMP_HEADER TimeDateStamp = %08x\n"
>>         "MINIDUMP_HEADER Flags = %08I64x\n",
>>         MiniHeader->Signature,
>>         LOWORD(MiniHeader->Version),
>>         HIWORD(MiniHeader->Version),
>>         MiniHeader->NumberOfStreams,
>>         MiniHeader->StreamDirectoryRva,
>>         MiniHeader->CheckSum,
>>         MiniHeader->Reserved,
>>         MiniHeader->TimeDateStamp,
>>         MiniHeader->Flags
>>         );
>>
>>     fclose(fp);
>>     return status;
>> }
>>
>> -====Dumping DumpHeader From Memory Dump====-
>>
>> Minidump Header Signature = 504d444d
>> MINIDUMP_VERSION = 0000a793
>> MINIDUMP_VERSION(Internal) = 00006003
>> MINIDUMP_HEADER NumberofStreams = 00000008
>> MINIDUMP_HEADER StreamDirectoryRVA = 00000020
>> MINIDUMP_HEADER CheckSum = 00000000
>> MINIDUMP_HEADER reserved = 4f70c8f0
>> MINIDUMP_HEADER TimeDateStamp = 4f70c8f0
>> MINIDUMP_HEADER Flags = 00000021
>> Dump Header Dumped
>>
>>
>> ----- User Mini Dump Analysis
>>
>> MINIDUMP_HEADER:
>> Version A793 (6003)
>> NumberOfStreams 8
>> Flags 21
>> 0001 MiniDumpWithDataSegs
>> 0020 MiniDumpWithUnloadedModules
>>
>>
>>
>>
>> On 5/2/12, Jen-Lung Chiu wrote:
>>> You could check MSDN or dbghelp.h for user-mode minidump format, then
>>> use binary editor to browse the dump file.
>>>
>>> The user-mode minidump starts with a MINIDUMP_HEADER structure, then
>>> follows a list of MINIDUMP_DIRECTORY structure (the number of
>>> MINIDUMP_DIRECTORY structures is MINIDUMP_HEADER::NumberOfStreams).
>>> The MINIDUMP_DIRECTORY block defines the type of the stream (in your
>>> case, MemoryListStream) as well as the RVA/size of the stream.
>>>
>>> -----Original Message-----
>>> From: xxxxx@lists.osr.com
>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>> Sent: Wednesday, May 2, 2012 02:42 AM
>>> To: Kernel Debugging Interest List
>>> Subject: Re: [windbg] Error when reading user stream from dump file
>>>
>>> ok changing the ULONG64 of Debughelp.chm to DWORD of Debughelp.h it
>>> seems now i can dump the MemoryListStream below is code and output
>>> Dissections are Welcome
>>>
>>> #include <stdio.h>
>>> #include <engextcpp.hpp>
>>> #include <dbghelp.h>
>>>
>>> const ULONG MBUFFSIZE = 0x1000;
>>>
>>> IDebugClient* g_Client;
>>> IDebugControl* g_Control;
>>> IDebugAdvanced2* g_Advanced2;
>>> PVOID Buff;
>>>
>>> void
>>> Exit(__in int Code,
>>>      __in PCSTR Format,
>>>      ...)
>>> {
>>>     if (g_Client != NULL) {
>>>         g_Client->EndSession(DEBUG_END_DISCONNECT);
>>>         g_Client->Release();
>>>         g_Client = NULL;
>>>     }
>>>     if (g_Control != NULL) {
>>>         g_Control->Release();
>>>         g_Control = NULL;
>>>     }
>>>     if (g_Advanced2 !=NULL) {
>>>         g_Advanced2->Release();
>>>         g_Advanced2 = NULL;
>>>     }
>>>     if( Buff != NULL) {
>>>         free(Buff);
>>>     }
>>>     if (Format != NULL) {
>>>         va_list Args;
>>>         va_start(Args, Format);
>>>         vfprintf(stderr, Format, Args);
>>>         va_end(Args);
>>>     }
>>>     exit(Code);
>>> }
>>>
>>> int __cdecl DumpMemoryListStream(void){
>>>     HRESULT status;
>>>
>>>     if ( ( status = DebugCreate(
>>>         __uuidof(IDebugClient),
>>>         (void**)&g_Client
>>>         ) ) !=S_OK) {
>>>         Exit(
>>>             FALSE,
>>>             "%s ( %s ) Failed %08x\n",
>>>             "DebugCreate",
>>>             "IDebugClient",
>>>             status);
>>>     }
>>>
>>>     if ( ( status = g_Client->QueryInterface(
>>>         __uuidof(IDebugControl),
>>>         (void**)&g_Control
>>>         ) ) != S_OK ) {
>>>         Exit(
>>>             FALSE,
>>>             "%s ( %s ) Failed %08x\n",
>>>             "QueryInterface",
>>>             "IDebugControl",
>>>             status);
>>>     }
>>>
>>>     if ( ( status = g_Client->QueryInterface(
>>>         __uuidof(IDebugAdvanced2),
>>>         (void**)&g_Advanced2
>>>         )) != S_OK ) {
>>>         Exit(
>>>             FALSE,
>>>             "%s ( %s ) Failed %08x\n",
>>>             "QueryInterface",
>>>             "IDebugAdvanced2",
>>>             status);
>>>     }
>>>
>>>     if (( status = g_Client->OpenDumpFile(
>>>         "test.dmp"
>>>         )) != S_OK ) {
>>>         Exit(
>>>             FALSE,
>>>             "%s ( %s ) Failed %08x\n",
>>>             "g_Client",
>>>             "OpenDumpFile",
>>>             status);
>>>     }
>>>
>>>     if (( status = g_Control->WaitForEvent(
>>>         0,
>>>         INFINITE
>>>         ) ) != S_OK ) {
>>>         Exit(
>>>             FALSE,
>>>             "%s ( %s ) Failed %08x\n",
>>>             "g_Control",
>>>             "WaitForEvent",
>>>             status);
>>>     }
>>>
>>>     PVOID OutBuffer;
>>>     ULONG OutBufferSize;
>>>     ULONG OutSize;
>>>     PMINIDUMP_MEMORY_LIST mml;
>>>     DEBUG_READ_USER_MINIDUMP_STREAM InBuffer;
>>>
>>>     InBuffer.StreamType = MemoryListStream;
>>>     InBuffer.Flags = 0;
>>>     InBuffer.Offset = 0;
>>>     InBuffer.Buffer = Buff;
>>>     InBuffer.BufferSize = MBUFFSIZE;
>>>     InBuffer.BufferUsed = 0;
>>>     OutBuffer = NULL;
>>>     OutBufferSize = NULL;
>>>
>>>     if (( status = g_Advanced2->Request(
>>>         DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>>         &InBuffer,
>>>         sizeof(InBuffer),
>>>         OutBuffer,
>>>         OutBufferSize,
>>>         &OutSize
>>>         ) ) != S_OK ) {
>>>         Exit(
>>>             FALSE,
>>>             "%s (\n"
>>>             "\t%s,\n"
>>>             "\t%s\n\t) Failed %08x\n",
>>>             "g_Advanced2->Request",
>>>             "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
>>>             "MemoryListStream",
>>>             status);
>>>     }
>>>
>>>     mml = (PMINIDUMP_MEMORY_LIST)Buff;
>>>
>>>     printf (
>>>         " Number Of Memory ranges = %x\n\n"
>>>         " range# RVA Address Size\n",
>>>         mml->NumberOfMemoryRanges
>>>         );
>>>
>>>     for (ULONG i = 0; i<mml->NumberOfMemoryRanges;i++) {
>>>         printf(
>>>             " %d %08x %08I64x %08x\n",
>>>             i,
>>>             mml->MemoryRanges[i].Memory.Rva,
>>>             mml->MemoryRanges[i].StartOfMemoryRange,
>>>             mml->MemoryRanges[i].Memory.DataSize
>>>             );
>>>     }
>>>
>>>     Exit(
>>>         TRUE,
>>>         "%s (\n"
>>>         "\t%s,\n"
>>>         "\t%s\n\t) Succeeded %08x\n",
>>>         "g_Advanced2->Request",
>>>         "DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM",
>>>         "MemoryListStream",
>>>         status);
>>> }
>>>
>>> int __cdecl main (void){
>>>     Buff = (PVOID) malloc( MBUFFSIZE );
>>>     if(Buff == 0) {
>>>         printf(
>>>             "malloc failed\n"
>>>             );
>>>         Exit ( FALSE,"malloc Failed \n");
>>>     }
>>>     printf("\n\n -====Dumping MemoryListStream From Memory Dump====-\n\n");
>>>     DumpMemoryListStream();
>>> }
>>>
>>> t>OpenDumpStream.exe
>>>
>>>
>>> -====Dumping MemoryListStream From Memory Dump====-
>>>
>>> Number Of Memory ranges = 9
>>>
>>> range# RVA Address Size
>>> 0 00004958 0007df4c 000020b4
>>> 1 00006a0c 7c90e494 00000100
>>> 2 00006b0c 00ccff98 00000068
>>> 3 00006b74 7c90e494 00000100
>>> 4 00006c74 00f1bcac 00004354
>>> 5 0000afc8 7c90e494 00000100
>>> 6 0000b0c8 009cfe14 000001ec
>>> 7 0000b2b4 7c90e494 00000100
>>> 8 0000b3b4 00447000 000165a8
>>> g_Advanced2->Request (
>>> DEBUG_REQUEST_READ_USER_MINIDUMP_STREAM,
>>> MemoryListStream
>>> ) Succeeded 00000000
>>>
>>> same dmp checked via dumpchk util
>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4
>>> 9 memory ranges
>>> range# RVA Address Size
>>> 0 00004958 0007df4c 000020b4
>>> 1 00006A0C 7c90e494 00000100
>>> 2 00006B0C 00ccff98 00000068
>>> 3 00006B74 7c90e494 00000100
>>> 4 00006C74 00f1bcac 00004354
>>> 5 0000AFC8 7c90e494 00000100
>>> 6 0000B0C8 009cfe14 000001ec
>>> 7 0000B2B4 7c90e494 00000100
>>> 8 0000B3B4 00447000 000165a8
>>> Total memory: 1d004
>>>
>>> one question remains
>>> Stream 3: type MemoryListStream (5), size 00000094, RVA 000048C4 i can
>>> get the 94 from outsize 1d004 from adding up all sizes what should i
>>> use to get the rva 48c4 ?
>>>
>>> On 5/2/12, raj_r wrote:
>>>> note to self
>>>> when in doubt refer header file do not refer chm or web or random
>>>> tidbits in obscure corners of internet
>>>>
>>>> this seem to be a documentation glitch in debugger.chm
>>>>
>>>> in debughelp.h it is dword
>>>>
>>>> typedef DWORD RVA;
>>>> typedef ULONG64 RVA64;
>>>>
>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
>>>> ULONG32 DataSize;
>>>> RVA Rva;
>>>> } MINIDUMP_LOCATION_DESCRIPTOR;
>>>>
>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
>>>> ULONG64 DataSize;
>>>> RVA64 Rva;
>>>> } MINIDUMP_LOCATION_DESCRIPTOR64;
>>>>
>>>> On 5/2/12, raj_r wrote:
>>>>> Thanks Tim
>>>>>
>>>>> you wrote
>>>>> MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR has
>>>>> 32-bit size and 32-bit RVA,
>>>>>
>>>>> the debughelp.chm has this
>>>>>
>>>>>
>>>>>
>>>>> MINIDUMP_LOCATION_DESCRIPTOR Structure
>>>>>
>>>>> Contains information describing the location of a data stream within
>>>>> a minidump file.
>>>>>
>>>>>
>>>>> typedef struct _MINIDUMP_LOCATION_DESCRIPTOR { ULONG64 DataSize;
>>>>> RVA64 Rva; } MINIDUMP_LOCATION_DESCRIPTOR; Members DataSize The size
>>>>> of the data stream, in bytes.
>>>>>
>>>>> Rva
>>>>> The relative virtual address (RVA) of the data. This is the byte
>>>>> offset of the data stream from the beginning of the minidump file.
>>>>>
>>>>>
>>>>>
>>>>> On 5/2/12, Tim Roberts wrote:
>>>>>> raj_r wrote:
>>>>>>> not exactly related to ops question but it is regarding request of
>>>>>>> streamtype MemoryListStream …
>>>>>>> 00681438 00000009 0007df4c 00000000 000020b4
>>>>>>> 00681448 00004958 7c90e494 00000000 00000100
>>>>>>> 00681458 baadf00d baadf00d baadf00d baadf00d
>>>>>>>
>>>>>>> i understand the first dword 9 is NumberofMemoryRanges
>>>>>>>
>>>>>>> does the second QWORD7df4c point to
>>>>>>> MemoryRanges[0].StartofMemoryRange
>>>>>>> ??
>>>>>>> and subsequent dwords point to …Datasize and … RVA ??
>>>>>>
>>>>>> They don’t POINT to those things. They CONTAIN those things. The
>>>>>> MINIDUMP_MEMORY_LIST has a DWORD with the number of ranges,
>>>>>> followed by an array of MINIDUMP_MEMORY_DESCRIPTOR. The
>>>>>> MINIDUMP_MEMORY_DESCRIPTOR has a 64-bit start of range, followed by
>>>>>> a MINIDUMP_LOCATION_DESCRIPTOR. The MINIDUMP_LOCATION_DESCRIPTOR
>>>>>> has 32-bit size and 32-bit RVA,
>>>>>>
>>>>>>> these seem to described as ULONG 64 in dbghelp.chm but windbg
>>>>>>> doesnt seem to honor it
>>>>>>>
>>>>>>> 0:000> dt -r OpenDumpStream!_MINIDUMP_MEMORY_LIST 0x00681438
>>>>>>> +0x000 NumberOfMemoryRanges : 9
>>>>>>> +0x004 MemoryRanges : [0] _MINIDUMP_MEMORY_DESCRIPTOR
>>>>>>> +0x000 StartOfMemoryRange : 0x7df4c
>>>>>>> +0x008 Memory : _MINIDUMP_LOCATION_DESCRIPTOR
>>>>>>> +0x000 DataSize : 0x20b4
>>>>>>> +0x004 Rva : 0x4958
>>>>>>>
>>>>>>> see the +4
>>>>>>
>>>>>> Those are correct. StartOfMemoryRange is 64-bit.
>>>>>> NumberOfMemoryRanges,
>>>>>> DataSize, and Rva are all 32-bit.
>>>>>>
>>>>>>> if i print it to screen with
>>>>>>>
>>>>>>> printf(
>>>>>>> "Number of memory range = %08x\t\n"
>>>>>>> "Start of Memory Range Is %I64x\t\n"
>>>>>>> "Data Size is %I64x\t\n"
>>>>>>> "Rva is %I64x\t\n",
>>>>>>> mml->NumberOfMemoryRanges,
>>>>>>> mml->MemoryRanges[0].StartOfMemoryRange,
>>>>>>> mml->MemoryRanges[0].Memory.DataSize,
>>>>>>> mml->MemoryRanges[0].Memory.Rva
>>>>>>>
>>>>>>> );
>>>>>>
>>>>>> “Data Size” and “Rva” should both be %08x.
>>>>>>
>>>>>> –
>>>>>> Tim Roberts, xxxxx@probo.com
>>>>>> Providenza & Boekelheide, Inc.
>>>>>>
>>>>>>

raj_r wrote:

> THIS must be a STUPID c 101 QUESTION
> still i will ask it
>
> dbghelp.h has this declared
>
> typedef enum _MINIDUMP_STREAM_TYPE {
>
> UnusedStream = 0,
> ReservedStream0 = 1,
> ReservedStream1 = 2,
> ThreadListStream = 3,
> ModuleListStream = 4, … s ON }
>
> now if i want to printf
>
> MiniDir = (PMINIDUMP_DIRECTORY) Buff; MiniDir->StreamType,
>
> say if 3 printf ("ThreadListStream");
>
> should i be doing it like this ?? error prone copy paste modify by
> hand of the enum from dbghelp.h ?? like below

Here’s how I would do it, if I wanted it to be robust.

#define MAKE_LOOKUP(x) { x, #x },

struct Lookup {
unsigned int Value;
const unsigned char * Str;
} MyLookupTable[] = {
MAKE_LOOKUP(UnusedStream),
MAKE_LOOKUP(ReservedStream0),
MAKE_LOOKUP(ReservedStream1),

{ 0, NULL }
};

PSTR MiniStreamTypeName( int StreamType )
{
for( struct Lookup * lk = MyLookupTable; lk->Str; lk++ )
{
if( lk->Value == StreamType )
return lk->Str;
}
}

Remember that the values for MINIDUMP_STREAM_TYPE are not continuous.
It jumps from 19 to 0x8000. You don’t want a single-lookup array for that.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim Roberts wrote:

> Here’s how I would do it, if I wanted it to be robust.
>
> #define MAKE_LOOKUP(x) { x, #x },

I should not have added that final comma. That’s what I get for sending
sample code without compiling first.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
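
Added example, not code posted by anyone in this thread: a portable C walk of the minidump header and stream directory that bounds-checks every RVA and size before trusting it, with a by-value name lookup that always returns a string. The names ParseDirectory, StreamEntry, BuildSample and the "UnknownStream" fallback are hypothetical; the sample bytes are constructed from the sizes and RVAs printed in the thread, plus one deliberately bad entry.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stream type values as dumpchk prints them in this thread (subset only). */
enum {
    UnusedStream = 0, ReservedStream0 = 1, ReservedStream1 = 2,
    ThreadListStream = 3, ModuleListStream = 4, MemoryListStream = 5,
    ExceptionStream = 6, SystemInfoStream = 7, UnloadedModuleListStream = 14
};

#define MAKE_LOOKUP(x) { x, #x }

static const struct Lookup { uint32_t Value; const char *Str; } StreamNames[] = {
    MAKE_LOOKUP(UnusedStream),     MAKE_LOOKUP(ReservedStream0),
    MAKE_LOOKUP(ReservedStream1),  MAKE_LOOKUP(ThreadListStream),
    MAKE_LOOKUP(ModuleListStream), MAKE_LOOKUP(MemoryListStream),
    MAKE_LOOKUP(ExceptionStream),  MAKE_LOOKUP(SystemInfoStream),
    MAKE_LOOKUP(UnloadedModuleListStream)
};

/* Search by value: the enum is sparse, so the type is never used as an array
   index. Every path returns a string, so printf("%s") on the result is safe. */
const char *MiniStreamTypeName(uint32_t type)
{
    for (size_t i = 0; i < sizeof StreamNames / sizeof StreamNames[0]; i++)
        if (StreamNames[i].Value == type)
            return StreamNames[i].Str;
    return "UnknownStream";   /* hypothetical fallback name */
}

#define MDMP_SIGNATURE 0x504d444du  /* signature value printed in the thread */
#define HEADER_SIZE    32u          /* MINIDUMP_HEADER; directory RVA is 0x20 */
#define DIRENT_SIZE    12u          /* StreamType, DataSize, Rva: 32 bits each */

typedef struct { uint32_t type, size, rva; int in_bounds; } StreamEntry;

static uint32_t rd32(const uint8_t *p)   /* little-endian 32-bit read */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v) /* little-endian 32-bit write */
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the stream directory of a minidump held in memory. Returns the number
   of entries stored in out[], or -1 if the header or directory is not sane. */
int ParseDirectory(const uint8_t *file, size_t len, StreamEntry *out, size_t max_out)
{
    if (len < HEADER_SIZE || rd32(file) != MDMP_SIGNATURE)
        return -1;
    uint32_t count   = rd32(file + 8);    /* NumberOfStreams */
    uint32_t dir_rva = rd32(file + 12);   /* StreamDirectoryRva */
    if (dir_rva > len || count > (len - dir_rva) / DIRENT_SIZE || count > max_out)
        return -1;                        /* directory would run past the file */
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = file + dir_rva + (size_t)i * DIRENT_SIZE;
        out[i].type = rd32(e);
        out[i].size = rd32(e + 4);
        out[i].rva  = rd32(e + 8);
        /* Overflow-safe form of "rva + size <= len". */
        out[i].in_bounds = out[i].rva <= len && out[i].size <= len - out[i].rva;
    }
    return (int)count;
}

/* Constructed sample: 0x4958 bytes, header plus three directory entries. */
uint8_t g_sample[0x4958];
StreamEntry g_entries[8];

size_t BuildSample(void)
{
    static const uint32_t dir[3][3] = {      /* type, size, rva */
        { ThreadListStream, 0xc4, 0x160 },   /* values from the thread */
        { MemoryListStream, 0x94, 0x48c4 },  /* values from the thread */
        { 0x8000, 0x10, 0xfffffff0u }        /* constructed bad entry */
    };
    memset(g_sample, 0, sizeof g_sample);
    wr32(g_sample, MDMP_SIGNATURE);
    wr32(g_sample + 4, 0x6003a793u);         /* Version words from the thread */
    wr32(g_sample + 8, 3);
    wr32(g_sample + 12, HEADER_SIZE);
    for (unsigned i = 0; i < 3; i++)
        for (unsigned j = 0; j < 3; j++)
            wr32(g_sample + HEADER_SIZE + i * DIRENT_SIZE + j * 4, dir[i][j]);
    return sizeof g_sample;
}

int main(void)
{
    int n = ParseDirectory(g_sample, BuildSample(), g_entries, 8);
    for (int i = 0; i < n; i++)
        printf("%d %08x %-24s %08x %08x%s\n", i, (unsigned)g_entries[i].type,
               MiniStreamTypeName(g_entries[i].type), (unsigned)g_entries[i].size,
               (unsigned)g_entries[i].rva,
               g_entries[i].in_bounds ? "" : "  outside file");
    return n < 0;
}
```
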

Thanks Tim

so i still have to copy paste and hand modify the entries inside
MAKE_LOOKUP(x) ok i will grep sed script it so that if there is a
mistake there will be a pattern at least

i removed the comma wrapped your #define into main and compiled with /W4 /WX

i got a few warnings

for 2440 i changed the unsigned char * to PSTR

for 4389 i changed the unsigned int to int

now with /w4 wx i get 4510 and 4512 (def constructor & assignment
operator cannot be generated)
with /W3 /WX i get 4715 not all control paths return a value

if compiled without wx it gets compiled and seems to work ok
so are these warnings ignorable or is there an alternative ?

paste of compiling follows

C:\preproc>dir /b
dbghelp.h
preproc.cpp

C:\preproc>type preproc.cpp
#include <stdio.h>

#include <windows.h>

#include "dbghelp.h"

#define MAKE_LOOKUP(x) { x, #x }

struct Lookup {

unsigned int Value;

const unsigned char * Str;

} MyLookupTable[] = {

MAKE_LOOKUP(UnusedStream),

MAKE_LOOKUP(ReservedStream0),

MAKE_LOOKUP(ReservedStream1),

{ 0, NULL }

};

PSTR MiniStreamTypeName( int StreamType )

{

for( struct Lookup * lk = MyLookupTable; lk->Str; lk++ )

{

if( lk->Value == StreamType )

return lk->Str;

}

}

int main (void)

{

printf("enum #define macro test\n");

printf("%s\n",MiniStreamTypeName(2));

return 1;

}
C:\preproc>cl /W4 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
preproc.cpp(17) : error C2440: ‘initializing’ : cannot convert from ‘const char
[13]’ to ‘const unsigned char *’
Types pointed to are unrelated; conversion requires reinterpret_cast, C-
style cast or function-style cast
preproc.cpp(19) : error C2440: ‘initializing’ : cannot convert from ‘const char
[16]’ to ‘const unsigned char *’
Types pointed to are unrelated; conversion requires reinterpret_cast, C-
style cast or function-style cast
preproc.cpp(21) : error C2440: ‘initializing’ : cannot convert from ‘const char
[16]’ to ‘const unsigned char *’
Types pointed to are unrelated; conversion requires reinterpret_cast, C-
style cast or function-style cast
preproc.cpp(35) : warning C4389: ‘==’ : signed/unsigned mismatch
preproc.cpp(37) : error C2440: ‘return’ : cannot convert from ‘const unsigned ch
ar *’ to ‘PSTR’
Types pointed to are unrelated; conversion requires reinterpret_cast, C-
style cast or function-style cast

C:\preproc>

change the struct as follows

struct Lookup {

int Value;

const PSTR Str;

} MyLookupTable[] = {

now the warnings as follows

C:\preproc>cl /W4 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
preproc.cpp(15) : error C2220: warning treated as error - no ‘object’ file gener
ated
preproc.cpp(15) : warning C4510: ‘Lookup’ : default constructor could not be gen
erated
preproc.cpp(9) : see declaration of ‘Lookup’
preproc.cpp(15) : warning C4512: ‘Lookup’ : assignment operator could not be gen
erated
preproc.cpp(9) : see declaration of ‘Lookup’
preproc.cpp(15) : warning C4610: struct ‘Lookup’ can never be instantiated - use
r defined constructor required

C:\preproc>cl /W3 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no ‘object’
file generated
c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all contr
ol paths return a value

C:\preproc>cl /W2 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no ‘object’
file generated
c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all contr
ol paths return a value

C:\preproc>cl /W1 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no ‘object’
file generated
c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all contr
ol paths return a value

C:\preproc>cl /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no ‘object’
file generated
c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all contr
ol paths return a value

C:\preproc>cl preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all contr
ol paths return a value
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.

/out:preproc.exe
preproc.obj

C:\preproc>preproc.exe
enum #define macro test
ReservedStream1

C:\preproc>

On 5/3/12, Tim Roberts wrote:
> Tim Roberts wrote:
>>
>> Here’s how I would do it, if I wanted it to be robust.
>>
>> #define MAKE_LOOKUP(x) { x, #x },
>
> I should not have added that final comma. That’s what I get for sending
> sample code without compiling first.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>

Change the Str member from const unsigned char * to const char *.
Explicitly test (0 != lk->Value), rather than treating lk->Str as a boolean.

That will cover most of it.

Phil
Not speaking for LogRhythm (but here’s the obligatory .sig, anyway)
Philip D Barila | Senior Software Engineer
720.881.5364 (w)
WINNER of SC Magazine’s Readers Trust Award Best SIEM Solution
Innovator of the Year & 2012 SIEM Best Buy

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Thursday, May 03, 2012 4:27 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Error when reading user stream from dump file

Thanks Tim

so i still have to copy paste and hand modify the entries inside
MAKE_LOOKUP(x) ok i will grep sed script it so that if there is a
mistake there will be a pattern at least

i removed the comma wrapped your #define into main and compiled with /W4 /WX

i got a few warnings

for 2440 i changed the unsigned char * to PSTR

for 4389 i changed the unsigned int to int

now with /w4 wx i get 4510 and 4512 (def constructor & assignment
operator cannot be generated)
with /W3 /WX i get 4715 not all control paths return a value

if compiled without wx it gets compiled and seems to work ok
so are these warnings ignorable or is there an alternative ?

paste of compiling follows

C:\preproc>dir /b
dbghelp.h
preproc.cpp

C:\preproc>type preproc.cpp
#include <stdio.h>

#include <windows.h>

#include "dbghelp.h"

#define MAKE_LOOKUP(x) { x, #x }

struct Lookup {

unsigned int Value;

const unsigned char * Str;

} MyLookupTable[] = {

MAKE_LOOKUP(UnusedStream),

MAKE_LOOKUP(ReservedStream0),

MAKE_LOOKUP(ReservedStream1),

{ 0, NULL }

};

PSTR MiniStreamTypeName( int StreamType )

{

for( struct Lookup * lk = MyLookupTable; lk->Str; lk++ )

{

if( lk->Value == StreamType )

return lk->Str;

}

}

int main (void)

{

printf("enum #define macro test\n");

printf("%s\n",MiniStreamTypeName(2));

return 1;

}
C:\preproc>cl /W4 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
preproc.cpp(17) : error C2440: ‘initializing’ : cannot convert from ‘const char
[13]’ to ‘const unsigned char *’
Types pointed to are unrelated; conversion requires reinterpret_cast, C-
style cast or function-style cast
preproc.cpp(19) : error C2440: ‘initializing’ : cannot convert from ‘const char
[16]’ to ‘const unsigned char *’
Types pointed to are unrelated; conversion requires reinterpret_cast, C-
style cast or function-style cast
preproc.cpp(21) : error C2440: ‘initializing’ : cannot convert from ‘const char
[16]’ to ‘const unsigned char *’
Types pointed to are unrelated; conversion requires reinterpret_cast, C-
style cast or function-style cast
preproc.cpp(35) : warning C4389: ‘==’ : signed/unsigned mismatch
preproc.cpp(37) : error C2440: ‘return’ : cannot convert from ‘const unsigned ch
ar *’ to ‘PSTR’
Types pointed to are unrelated; conversion requires reinterpret_cast, C-
style cast or function-style cast

C:\preproc>

change the struct as follows

struct Lookup {

int Value;

const PSTR Str;

} MyLookupTable[] = {

now the warnings as follows

C:\preproc>cl /W4 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
preproc.cpp(15) : error C2220: warning treated as error - no ‘object’ file gener
ated
preproc.cpp(15) : warning C4510: ‘Lookup’ : default constructor could not be gen
erated
preproc.cpp(9) : see declaration of ‘Lookup’
preproc.cpp(15) : warning C4512: ‘Lookup’ : assignment operator could not be gen
erated
preproc.cpp(9) : see declaration of ‘Lookup’
preproc.cpp(15) : warning C4610: struct ‘Lookup’ can never be instantiated - use
r defined constructor required

C:\preproc>cl /W3 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no ‘object’
file generated
c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all contr
ol paths return a value

C:\preproc>cl /W2 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no ‘object’
file generated
c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all contr
ol paths return a value

C:\preproc>cl /W1 /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no ‘object’
file generated
c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all contr
ol paths return a value

C:\preproc>cl /WX preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
c:\preproc\preproc.cpp(41) : error C2220: warning treated as error - no ‘object’
file generated
c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all contr
ol paths return a value

C:\preproc>cl preproc.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

preproc.cpp
c:\preproc\preproc.cpp(41) : warning C4715: ‘MiniStreamTypeName’ : not all contr
ol paths return a value
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.

/out:preproc.exe
preproc.obj

C:\preproc>preproc.exe
enum #define macro test
ReservedStream1

C:\preproc>

On 5/3/12, Tim Roberts wrote:
> Tim Roberts wrote:
>>
>> Here’s how I would do it, if I wanted it to be robust.
>>
>> #define MAKE_LOOKUP(x) { x, #x },
>
> I should not have added that final comma. That’s what I get for sending
> sample code without compiling first.