public MiniDumpMemoryReader(string path) { if (string.IsNullOrWhiteSpace(path)) { throw new ArgumentNullException("path"); } _fileStream = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read); var mem = new FileMemoryReader(path); var header = mem.Read <MiniDump.Header>(0x00); var dirs = mem.Read <MiniDump.Directory>(header.StreamDirectoryRva, (int)header.NumberOfStreams); var moduleList = dirs.SingleOrDefault(a => a.StreamType == MiniDump.StreamType.ModuleListStream); if (moduleList.StreamType != MiniDump.StreamType.ModuleListStream) { throw new InvalidOperationException("The minidump file does not contain a module list."); } var modules = mem.Read <MiniDump.List <MiniDump.Module> >(moduleList.Location.Rva).Items; var mainModule = modules.FirstOrDefault(a => a.VersionInfo.FileType == 1); var mainModuleNameLength = mem.Read <int>(mainModule.ModuleNameRva); var mainModuleNameBuffer = mem.ReadBytes(mainModule.ModuleNameRva + sizeof(int), mainModuleNameLength); var mainModuleName = Encoding.Unicode.GetString(mainModuleNameBuffer); MainModuleName = System.IO.Path.GetFileNameWithoutExtension(mainModuleName); MainModuleVersion = mainModule.VersionInfo.FileVersion; ImageBase = mainModule.BaseOfImage; var memory64ListDir = dirs.SingleOrDefault(a => a.StreamType == MiniDump.StreamType.Memory64ListStream); if (memory64ListDir.StreamType != MiniDump.StreamType.Memory64ListStream) { throw new InvalidOperationException("The minidump file does not contain a full memory dump."); } var memory64List = mem.Read <MiniDump.Memory64List>(memory64ListDir.Location.Rva); var rva = memory64List.BaseRva; var ranges = memory64List.MemoryRanges; var pages = new List <Page>(); for (int i = 0; i < ranges.Length; i++) { pages.Add(new Page { StartOfMemoryRange = (uint)ranges[i].StartOfMemoryRange, DataSize = (uint)ranges[i].DataSize, Rva = (uint)rva }); rva += ranges[i].DataSize; } _pages = pages; _pageStarts = _pages.Select(a => a.StartOfMemoryRange).ToList(); _minValidAddress = _pages[0].StartOfMemoryRange; _maxValidAddress = _pages[_pages.Count - 1].StartOfMemoryRange + _pages[_pages.Count - 1].DataSize; _pointerSize = 4; // TODO: Get 32-bit vs 64-bit info from the minidump somewhere.. }
public static DateTime RetrieveLinkerTimestamp(this Process process) { using (var reader = new FileMemoryReader(process.MainModule.FileName)) { if (reader.Read<short>(0x00) != 0x5A4D) throw new InvalidDataException("No MZ header."); int peHeaderLocation = reader.Read<int>(0x3C); int unixTimestamp = reader.Read<int>(peHeaderLocation + 0x08); return new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc).AddSeconds(unixTimestamp); } }
public static DateTime RetrieveLinkerTimestamp(this Process process) { using (var reader = new FileMemoryReader(process.MainModule.FileName)) { if (reader.Read <short>(0x00) != 0x5A4D) { throw new InvalidDataException("No MZ header."); } int peHeaderLocation = reader.Read <int>(0x3C); int unixTimestamp = reader.Read <int>(peHeaderLocation + 0x08); return(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc).AddSeconds(unixTimestamp)); } }
public MiniDumpMemoryReader(string path) { if (string.IsNullOrWhiteSpace(path)) { throw new ArgumentNullException("path"); } _fileStream = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read); var mem = new FileMemoryReader(path); var header = mem.Read <MiniDump.Header>(0x00); var dirs = mem.Read <MiniDump.Directory>(header.StreamDirectoryRva, (int)header.NumberOfStreams); var moduleList = dirs.SingleOrDefault(a => a.StreamType == MiniDump.StreamType.ModuleListStream); if (moduleList.StreamType != MiniDump.StreamType.ModuleListStream) { throw new InvalidOperationException("The minidump file does not contain a module list."); } var modules = mem.Read <MiniDump.List <MiniDump.Module> >(moduleList.Location.Rva).Items; var threadList = dirs.SingleOrDefault(x => x.StreamType == MiniDump.StreamType.ThreadListStream); if (threadList.StreamType == MiniDump.StreamType.ThreadListStream) { _threads = mem.Read <MiniDump.List <MiniDump.Thread> >(threadList.Location.Rva).Items; } var mainModule = modules.FirstOrDefault(a => a.VersionInfo.FileType == 1); MainModuleVersion = mainModule.VersionInfo.FileVersion; ImageBase = mainModule.BaseOfImage; var memory64ListDir = dirs.SingleOrDefault(a => a.StreamType == MiniDump.StreamType.Memory64ListStream); if (memory64ListDir.StreamType != MiniDump.StreamType.Memory64ListStream) { throw new InvalidOperationException("The minidump file does not contain a full memory dump."); } var memory64List = mem.Read <MiniDump.Memory64List>(memory64ListDir.Location.Rva); var rva = memory64List.BaseRva; var ranges = memory64List.MemoryRanges; var pages = new List <Page>(); for (int i = 0; i < ranges.Length; i++) { pages.Add(new Page { StartOfMemoryRange = ranges[i].StartOfMemoryRange, DataSize = ranges[i].DataSize, Rva = rva }); rva += ranges[i].DataSize; } _pages = pages; _pageStarts = _pages.Select(a => a.StartOfMemoryRange).ToList(); _minValidAddress = _pages[0].StartOfMemoryRange; _maxValidAddress = _pages[_pages.Count - 1].StartOfMemoryRange + _pages[_pages.Count - 1].DataSize; var pe = new PEHeaderReader(ReadBytes(ImageBase, 2048)); _pointerSize = pe.Is32BitHeader ? 4 : 8; }