Make dumps of type CompleteMemoryDump trust TotalNumberOfPages he…

…ader field instead of just `MetadataSize` (#28) --------- Co-authored-by: 0vercl0k <1476421+0vercl0k@users.noreply.github.com>
0vercl0k · Mar 5, 2024 · 87f9668 · 87f9668
1 parent 1d18e53
commit 87f9668
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -17,6 +17,8 @@ The library supports loading 64-bit dumps and provides read access to things lik
 Compiled binaries are available in the [releases](https://github.com/0vercl0k/kdmp-parser/releases) section.
 
 Special thanks to:
+- [hugsy](https://github.com/hugsy) for numerous contributions: the new Python bindings, CI improvements, new dump types, etc.,
+- [masthoon](https://github.com/masthoon) for the initial version of the Python bindings,
 - [yrp604](https://github.com/yrp604) for being knowledgeable about the format,
 - the [rekall](https://github.com/google/rekall) project and their [Python implementation](https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/overlays/windows/crashdump.py) (most of the structures in [kdmp-parser-structs.h](https://github.com/0vercl0k/kdmp-parser/blob/master/src/kdmp-parser/kdmp-parser-structs.h) have been adapted from it).
 

diff --git a/src/lib/kdmp-parser.h b/src/lib/kdmp-parser.h
@@ -585,6 +585,8 @@ class KernelDumpParser {
  uint8_t *Page = nullptr;
  uint64_t MetadataSize = 0;
  uint8_t *Bitmap = nullptr;
+ uint64_t TotalNumberOfPages = 0;
+ uint64_t CurrentPageCount = 0;
 
  switch (Type) {
  case DumpType_t::KernelMemoryDump:
@@ -597,10 +599,11 @@ class KernelDumpParser {
  }
 
  case DumpType_t::CompleteMemoryDump: {
- FirstPageOffset = DmpHdr_->u3.RdmpHeader.Hdr.FirstPageOffset;
+ FirstPageOffset = DmpHdr_->u3.FullRdmpHeader.Hdr.FirstPageOffset;
  Page = (uint8_t *)DmpHdr_ + FirstPageOffset;
  MetadataSize = DmpHdr_->u3.FullRdmpHeader.Hdr.MetadataSize;
  Bitmap = DmpHdr_->u3.FullRdmpHeader.Bitmap.data();
+ TotalNumberOfPages = DmpHdr_->u3.FullRdmpHeader.TotalNumberOfPages;
  break;
  }
 
@@ -626,13 +629,33 @@ class KernelDumpParser {
  uint64_t NumberOfPages;
  };
 
+ // Sanity check
+ if (MetadataSize % sizeof(PfnRange)) {
+ return false;
+ }
+
  for (uint64_t Offset = 0; Offset < MetadataSize;
  Offset += sizeof(PfnRange)) {
+
+ if (Type == DumpType_t::CompleteMemoryDump) {
+ // `CompleteMemoryDump` type seems to be bound by the
+ // `TotalNumberOfPages` field, *not* by `MetadataSize`.
+ if (CurrentPageCount == TotalNumberOfPages) {
+ break;
+ }
+
+ if (CurrentPageCount > TotalNumberOfPages) {
+ return false;
+ }
+ }
+
  const PfnRange &Entry = (PfnRange &)Bitmap[Offset];
  if (!FileMap_.InBounds(&Entry, sizeof(Entry))) {
  return false;
  }
 
+ CurrentPageCount += Entry.NumberOfPages;
+
  const uint64_t Pfn = Entry.PageFileNumber;
  if (!Pfn) {
  break;