Dump文件数据存储格式(二）

四、系统信息流

流目录后面紧接着就是流数据了。第一个流数据就是系统信息流。

可知，这个流的起始于文件偏移0xEC，大小是0x38,也就是56个字节。

从上图可知，系统信息流就是紧挨着流目录尾部。这个流包含了如下操作系统和处理器信息：处理器架构、级别、版本，CPU信息等。数据结构如下：

typedef struct _MINIDUMP_SYSTEM_INFO {
  USHORT          ProcessorArchitecture;
  USHORT          ProcessorLevel;
  USHORT          ProcessorRevision;
  union {
    USHORT Reserved0;
    struct {
      UCHAR NumberOfProcessors;
      UCHAR ProductType;
    };
  };
  ULONG32         MajorVersion;
  ULONG32         MinorVersion;
  ULONG32         BuildNumber;
  ULONG32         PlatformId;
  RVA             CSDVersionRva;
  union {
    ULONG32 Reserved1;
    struct {
      USHORT SuiteMask;
      USHORT Reserved2;
    };
  };
  CPU_INFORMATION Cpu;
} MINIDUMP_SYSTEM_INFO, *PMINIDUMP_SYSTEM_INFO;

ProcessorArchitecture
系统的处理器架构。此成员可以是以下值之一。

Value	Meaning
PROCESSOR_ARCHITECTURE_AMD64 9	x64 (AMD or Intel)
PROCESSOR_ARCHITECTURE_ARM 5	ARM
PROCESSOR_ARCHITECTURE_IA64 6	Intel Itanium
PROCESSOR_ARCHITECTURE_INTEL 0	x86
PROCESSOR_ARCHITECTURE_UNKNOWN 0xffff	Unknown processor

ProcessorLevel
系统依赖于架构的处理器级别。如果ProcessorArchitecture 是 PROCESSOR_ARCHITECTURE_IA64, ProcessorLevel 的值是1。如果ProcessorArchitecture 是 PROCESSOR_ARCHITECTURE_INTEL, ProcessorLevel 可以是取如下值：

Value Meaning

3
Intel 80386

4
Intel 80486

5
Intel Pentium

6
Intel Pentium Pro or Pentium II

Value	Meaning
3	Intel 80386
4	Intel 80486
5	Intel Pentium
6	Intel Pentium Pro or Pentium II

ProcessorRevision
依赖架构的处理器版本。

Processor	Value
Intel 80386 or 80486	A value of the form xxyz. If xx is equal to 0xFF, y - 0xA is the model number, and z is the stepping identifier. For example, an Intel 80486-D0 system returns 0xFFD0. If xx is not equal to 0xFF, xx + 'A' is the stepping letter and yz is the minor stepping.
Intel Pentium, Cyrix, or NextGen 586	A value of the form xxyy, where xx is the model number and yy is the stepping. Display this value of 0x0201 as follows: Model xx, Stepping yy

Processor

Value

Intel 80386 or 80486

A value of the form xxyz.

If xx is equal to 0xFF, y - 0xA is the model number, and z is the stepping identifier. For example, an Intel 80486-D0 system returns 0xFFD0.

If xx is not equal to 0xFF, xx + 'A' is the stepping letter and yz is the minor stepping.

Intel Pentium, Cyrix, or NextGen 586

A value of the form xxyy, where xx is the model number and yy is the stepping. Display this value of 0x0201 as follows:

Model xx, Stepping yy

Reserved0 此成员保留供将来使用，并且必须为零。
NumberOfProcessors 系统中处理器的数量。

ProductType
有关系统的任何其他信息。此成员可以是以下值之一。

Value	Meaning
VER_NT_DOMAIN_CONTROLLER 0x0000002	The system is a domain controller.
VER_NT_SERVER 0x0000003	The system is a server.
VER_NT_WORKSTATION 0x0000001	The system is running Windows XP, Windows Vista, Windows 7, or Windows 8.

MajorVersion 操作系统的主要版本号。此成员可以是4、5或6。
MinorVersion 操作系统的次要版本号。
BuildNumber 操作系统的内部版本号。
PlatformId 操作系统平台。此成员可以是以下值之一。

Value Meaning

VER_PLATFORM_WIN32s
0
Not supported

VER_PLATFORM_WIN32_WINDOWS
1
Not supported.

VER_PLATFORM_WIN32_NT
2
The operating system platform is Windows.
CSDVersionRva MINIDUMP_STRING RVA，该字符串描述系统上安装的最新Service Pack。如果未安装Service Pack，则字符串为空。
Reserved1 此成员保留供将来使用

Value	Meaning
VER_PLATFORM_WIN32s 0	Not supported
VER_PLATFORM_WIN32_WINDOWS 1	Not supported.
VER_PLATFORM_WIN32_NT 2	The operating system platform is Windows.

SuiteMask
标识系统上可用的产品套件的位标志。此成员可以是以下值的组合。

Value	Meaning
VER_SUITE_BACKOFFICE 0x00000004	Microsoft BackOffice components are installed.
VER_SUITE_BLADE 0x00000400	Windows Server 2003, Web Edition is installed.
VER_SUITE_COMPUTE_SERVER 0x00004000	Windows Server 2003, Compute Cluster Edition is installed.
VER_SUITE_DATACENTER 0x00000080	Windows Server 2008 R2 Datacenter, Windows Server 2008 Datacenter, or Windows Server 2003, Datacenter Edition is installed.
VER_SUITE_ENTERPRISE 0x00000002	Windows Server 2008 R2 Enterprise, Windows Server 2008 Enterprise, or Windows Server 2003, Enterprise Edition is installed.
VER_SUITE_EMBEDDEDNT 0x00000040	Windows Embedded is installed.
VER_SUITE_PERSONAL 0x00000200	Windows XP Home Edition is installed.
VER_SUITE_SINGLEUSERTS 0x00000100	Remote Desktop is supported, but only one interactive session is supported. This value is set unless the system is running in application server mode.
VER_SUITE_SMALLBUSINESS 0x00000001	Microsoft Small Business Server was once installed on the system, but may have been upgraded to another version of Windows.
VER_SUITE_SMALLBUSINESS_RESTRICTED 0x00000020	Microsoft Small Business Server is installed with the restrictive client license in force.
VER_SUITE_STORAGE_SERVER 0x00002000	Windows Storage Server is installed.
VER_SUITE_TERMINAL 0x00000010	Terminal Services is installed. This value is always set. If VER_SUITE_TERMINAL is set but VER_SUITE_SINGLEUSERTS is not set, the system is running in application server mode.

Reserved2 此成员保留供将来使用
Cpu CPU相关信息，CPU_INFORMATION union是数据组织形式。下面详细说明

CPU_INFORMATION成员如下：

union
{
struct X86CpuInfo
{
ULONG32 VendorID[3];
ULONG32 VersionInformation;
ULONG32 FeatureInformation;
ULONG32 AMDExtendedCpuFeatures
};
struct OtherCpuInfo
{
ULONG64 ProcesssorFeatures[2]
};
}

X86CpuInfo

从CPUID指令获得的CPU信息。只有x86计算机支持此结构。

VendorId
CPUID子函数0。数组元素如下
ersionInformation
CPUID子功能1。EAX的值。
FeatureInformation
CPUID子功能1。EDX的值。
AMDExtendedCpuFeatures
CPUID子功能80000001。EBX值。仅当供应商为“AuthenticAMD”时才支持此成员。

OtherCpuInfo

其他CPU信息。只有非x86计算机才支持此结构。

ProcessorFeatures
它的值参考 IsProcessorFeaturePresent function.

从上面的数据结构成员意思，我们可以得出，这个dmp文件的产生的系统信息如下：x86架构的奔5及以上级别windows平台，8核CPU。

用windbg加载看看

posted on 2020-10-19 08:01 活着的虫子阅读(541) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

活着的虫子