qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 3/4] include/qemu: add 32-bit Windows dump structures

From: Viktor Prutyanov
Subject: Re: [PATCH v3 3/4] include/qemu: add 32-bit Windows dump structures
Date: Wed, 6 Apr 2022 18:15:49 +0300 
Hi

On Wed, Apr 6, 2022 at 10:51 AM Marc-André Lureau
<marcandre.lureau@redhat.com> wrote:
>
> Hi
>
> On Fri, Mar 25, 2022 at 11:51 PM Viktor Prutyanov
> <viktor.prutyanov@redhat.com> wrote:
> >
> > These structures are required to produce 32-bit guest Windows Complete
> > Memory Dump. Add 32-bit Windows dump header, CPU context and physical
> > memory descriptor structures along with corresponding definitions.
> >
> > Signed-off-by: Viktor Prutyanov <viktor.prutyanov@redhat.com>
> > Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
>
> Back when the initial support was introduced, I guess I thought those
> structures were defined by the fwcfg driver. I realize they are
> actually Windows structures. What's your reference for them? It's hard
> to find a good source, it seemed it was reverse-engineered by various
> projects.

The various structures presented here have different sources of varying
degrees of completeness.

As for WinContext*, WIN_CTX_* definitions, they are fully available as
I386_CONTEXT, AMD64_CONTEXT, CONTEXT_* definitions in the Wine project:
https://github.com/wine-mirror/wine/blob/master/include/winnt.h

As for the Complete Memory Dump header, the main fully open source of
this structure is the Volatility project:
https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/overlays/windows/crash_vtypes.py

Besides of that, this information can be revealed experimentally by
comparing dumps between them and by analyzing manually constructed
dumps in WinDbg and noticing which of the data is available and which
is not. It is also possible because some fields of the header are also
presented as debug symbols provided by Microsoft in PDB and because
WinDbg sometimes provides verbose output on error. For example, this is
how the logic of win_dump.c was made.

So that, no reverse-engineering at least from my side is involved, all
of the information was obtained from scattered but open sources.

>
> Otherwise lgtm,
> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>

Best regards,
Viktor Prutyanov

> > ---
> >  include/qemu/win_dump_defs.h | 107 +++++++++++++++++++++++++++++++++++
> >  1 file changed, 107 insertions(+)
> >
> > diff --git a/include/qemu/win_dump_defs.h b/include/qemu/win_dump_defs.h
> > index 5a5e5a5e09..73a44e2408 100644
> > --- a/include/qemu/win_dump_defs.h
> > +++ b/include/qemu/win_dump_defs.h
> > @@ -11,11 +11,22 @@
> >  #ifndef QEMU_WIN_DUMP_DEFS_H
> >  #define QEMU_WIN_DUMP_DEFS_H
> >
> > +typedef struct WinDumpPhyMemRun32 {
> > +    uint32_t BasePage;
> > +    uint32_t PageCount;
> > +} QEMU_PACKED WinDumpPhyMemRun32;
> > +
> >  typedef struct WinDumpPhyMemRun64 {
> >      uint64_t BasePage;
> >      uint64_t PageCount;
> >  } QEMU_PACKED WinDumpPhyMemRun64;
> >
> > +typedef struct WinDumpPhyMemDesc32 {
> > +    uint32_t NumberOfRuns;
> > +    uint32_t NumberOfPages;
> > +    WinDumpPhyMemRun32 Run[86];
> > +} QEMU_PACKED WinDumpPhyMemDesc32;
> > +
> >  typedef struct WinDumpPhyMemDesc64 {
> >      uint32_t NumberOfRuns;
> >      uint32_t unused;
> > @@ -33,6 +44,39 @@ typedef struct WinDumpExceptionRecord {
> >      uint64_t ExceptionInformation[15];
> >  } QEMU_PACKED WinDumpExceptionRecord;
> >
> > +typedef struct WinDumpHeader32 {
> > +    char Signature[4];
> > +    char ValidDump[4];
> > +    uint32_t MajorVersion;
> > +    uint32_t MinorVersion;
> > +    uint32_t DirectoryTableBase;
> > +    uint32_t PfnDatabase;
> > +    uint32_t PsLoadedModuleList;
> > +    uint32_t PsActiveProcessHead;
> > +    uint32_t MachineImageType;
> > +    uint32_t NumberProcessors;
> > +    union {
> > +        struct {
> > +            uint32_t BugcheckCode;
> > +            uint32_t BugcheckParameter1;
> > +            uint32_t BugcheckParameter2;
> > +            uint32_t BugcheckParameter3;
> > +            uint32_t BugcheckParameter4;
> > +        };
> > +        uint8_t BugcheckData[20];
> > +    };
> > +    uint8_t VersionUser[32];
> > +    uint32_t reserved0;
> > +    uint32_t KdDebuggerDataBlock;
> > +    union {
> > +        WinDumpPhyMemDesc32 PhysicalMemoryBlock;
> > +        uint8_t PhysicalMemoryBlockBuffer[700];
> > +    };
> > +    uint8_t reserved1[3200];
> > +    uint32_t RequiredDumpSpace;
> > +    uint8_t reserved2[92];
> > +} QEMU_PACKED WinDumpHeader32;
> > +
> >  typedef struct WinDumpHeader64 {
> >      char Signature[4];
> >      char ValidDump[4];
> > @@ -81,25 +125,49 @@ typedef struct WinDumpHeader64 {
> >      uint8_t reserved[4018];
> >  } QEMU_PACKED WinDumpHeader64;
> >
> > +typedef union WinDumpHeader {
> > +    struct {
> > +        char Signature[4];
> > +        char ValidDump[4];
> > +    };
> > +    WinDumpHeader32 x32;
> > +    WinDumpHeader64 x64;
> > +} WinDumpHeader;
> > +
> >  #define KDBG_OWNER_TAG_OFFSET64             0x10
> >  #define KDBG_MM_PFN_DATABASE_OFFSET64       0xC0
> >  #define KDBG_KI_BUGCHECK_DATA_OFFSET64      0x88
> >  #define KDBG_KI_PROCESSOR_BLOCK_OFFSET64    0x218
> >  #define KDBG_OFFSET_PRCB_CONTEXT_OFFSET64   0x338
> >
> > +#define KDBG_OWNER_TAG_OFFSET           KDBG_OWNER_TAG_OFFSET64
> > +#define KDBG_MM_PFN_DATABASE_OFFSET     KDBG_MM_PFN_DATABASE_OFFSET64
> > +#define KDBG_KI_BUGCHECK_DATA_OFFSET    KDBG_KI_BUGCHECK_DATA_OFFSET64
> > +#define KDBG_KI_PROCESSOR_BLOCK_OFFSET  KDBG_KI_PROCESSOR_BLOCK_OFFSET64
> > +#define KDBG_OFFSET_PRCB_CONTEXT_OFFSET KDBG_OFFSET_PRCB_CONTEXT_OFFSET64
> > +
> >  #define VMCOREINFO_ELF_NOTE_HDR_SIZE    24
> > +#define VMCOREINFO_WIN_DUMP_NOTE_SIZE64 (sizeof(WinDumpHeader64) + \
> > +                                         VMCOREINFO_ELF_NOTE_HDR_SIZE)
> > +#define VMCOREINFO_WIN_DUMP_NOTE_SIZE32 (sizeof(WinDumpHeader32) + \
> > +                                         VMCOREINFO_ELF_NOTE_HDR_SIZE)
> >
> >  #define WIN_CTX_X64 0x00100000L
> > +#define WIN_CTX_X86 0x00010000L
> >
> >  #define WIN_CTX_CTL 0x00000001L
> >  #define WIN_CTX_INT 0x00000002L
> >  #define WIN_CTX_SEG 0x00000004L
> >  #define WIN_CTX_FP  0x00000008L
> >  #define WIN_CTX_DBG 0x00000010L
> > +#define WIN_CTX_EXT 0x00000020L
> >
> >  #define WIN_CTX64_FULL  (WIN_CTX_X64 | WIN_CTX_CTL | WIN_CTX_INT | 
> > WIN_CTX_FP)
> >  #define WIN_CTX64_ALL   (WIN_CTX64_FULL | WIN_CTX_SEG | WIN_CTX_DBG)
> >
> > +#define WIN_CTX32_FULL (WIN_CTX_X86 | WIN_CTX_CTL | WIN_CTX_INT | 
> > WIN_CTX_SEG)
> > +#define WIN_CTX32_ALL (WIN_CTX32_FULL | WIN_CTX_FP | WIN_CTX_DBG | 
> > WIN_CTX_EXT)
> > +
> >  #define LIVE_SYSTEM_DUMP    0x00000161
> >
> >  typedef struct WinM128A {
> > @@ -107,6 +175,40 @@ typedef struct WinM128A {
> >      int64_t high;
> >  } QEMU_ALIGNED(16) WinM128A;
> >
> > +typedef struct WinContext32 {
> > +    uint32_t ContextFlags;
> > +
> > +    uint32_t Dr0;
> > +    uint32_t Dr1;
> > +    uint32_t Dr2;
> > +    uint32_t Dr3;
> > +    uint32_t Dr6;
> > +    uint32_t Dr7;
> > +
> > +    uint8_t  FloatSave[112];
> > +
> > +    uint32_t SegGs;
> > +    uint32_t SegFs;
> > +    uint32_t SegEs;
> > +    uint32_t SegDs;
> > +
> > +    uint32_t Edi;
> > +    uint32_t Esi;
> > +    uint32_t Ebx;
> > +    uint32_t Edx;
> > +    uint32_t Ecx;
> > +    uint32_t Eax;
> > +
> > +    uint32_t Ebp;
> > +    uint32_t Eip;
> > +    uint32_t SegCs;
> > +    uint32_t EFlags;
> > +    uint32_t Esp;
> > +    uint32_t SegSs;
> > +
> > +    uint8_t ExtendedRegisters[512];
> > +} QEMU_ALIGNED(16) WinContext32;
> > +
> >  typedef struct WinContext64 {
> >      uint64_t PHome[6];
> >
> > @@ -176,4 +278,9 @@ typedef struct WinContext64 {
> >      uint64_t LastExceptionFromRip;
> >  } QEMU_ALIGNED(16) WinContext64;
> >
> > +typedef union WinContext {
> > +    WinContext32 x32;
> > +    WinContext64 x64;
> > +} WinContext;
> > +
> >  #endif /* QEMU_WIN_DUMP_DEFS_H */
> > --
> > 2.35.1
> >
>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]