- Find the modules in the Minidump and load each module separately with the PE loader.
- Position the modules to their correct runtime addresses.
- Replace the use of
ImageBaseOffset..data types withModuleBaseOffset... - Store the module boundaries in the
UserData. - Load the private memory as its own fragment.
- Parse the thread information and separate the thread stacks as their own fragments.
- Find the thread information from the dump and store that into
UserData.
- Display threads and their RSP/RIP registers.
- Implement stack walking based on exception handling
UNWIND_INFO-
UNWIND_CODEbased walking. - Chained
RUNTIME_FUNCTIONsupport. - Frame register support.
- 32-bit support.
-
See open issues on GitHub.
The implementation depends heavily on the built-in PeLoader and
PortableExecutable but required some changes to them:
- Support loading modules to other base addresses than
Program.imageBase. - Support loading modules separately from processing them.
- Support linking import symbols directly into memory locations if target memory is present.
- Support for
ModuleBaseOffsetXYdata types.
The goal would be to have these changes upstreamed to Ghidra in the future to
avoid the need to duplicate the implementation of the whole ..format.pe.*
package in the repository. However this work might need some clean up to bring
the current changes up to Ghidra standard. The current changes to the Ghidra
files are made with the goal to keep actual code changes to minimum with no
concern for single-responsibility principle, etc.
The majority of the source code under this repository is covered by the Apache
2.0 License as described in the LICENSE file. The contrib package (excluding
the contrib.new_ contents) is copied over from Ghidra and is covered under
Ghidra's Apache 2.0 License.