qemu-devel.nongnu.org archive mirror
From: Viktor Prutyanov <viktor.prutyanov@virtuozzo.com>
To: "Marc-André Lureau" <marcandre.lureau@gmail.com>
Cc: QEMU <qemu-devel@nongnu.org>, Roman Kagan <rkagan@virtuozzo.com>,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	Markus Armbruster <armbru@redhat.com>,
	Viktor Prutyanov <viktor.prutyanov@virtuozzo.com>
Subject: Re: [Qemu-devel] [PATCH v1] dump: add Windows dump format to dump-guest-memory
Date: Tue, 17 Apr 2018 18:43:25 +0300	[thread overview]
Message-ID: <20180417184325.7d3af718@vp-pc> (raw)
In-Reply-To: <CAJ+F1CLU5QyQ+d2Ji9Guz8wjB4m50pjRT7chyvW5bNBjqXyCTA@mail.gmail.com>

On Tue, 17 Apr 2018 16:17:54 +0200
Marc-André Lureau <marcandre.lureau@gmail.com> wrote:

Hello,

> Hi
> 
> On Tue, Apr 17, 2018 at 3:50 PM, Viktor Prutyanov
> <viktor.prutyanov@virtuozzo.com> wrote:
> > This patch adds a Windows crashdumping feature. Now QEMU can produce
> > an ELF dump containing a Windows crashdump header, which can help to
> > convert it to a valid WinDbg-understandable crashdump file, or to
> > immediately create such a file. The crashdump will be obtained by
> > joining the physical memory dump and the 8K header exposed through
> > the vmcoreinfo/fw_cfg device by the guest driver at BSOD time. Option
> > '-w' was added to the dump-guest-memory command. At the moment, only
> > the x64 configuration is supported. A suitable driver can be found at
> > https://github.com/virtio-win/kvm-guest-drivers-windows/tree/master/fwcfg64
> >
> > Signed-off-by: Viktor Prutyanov <viktor.prutyanov@virtuozzo.com>
> > ---  
> 
> untested, but looks good to me.
> 
> Could you provide more details on how to test? provide a test build
> for the driver, the tool you use for elf conversion, explain windbg
> usage etc?
> 
> Thanks

How to test:

1. Use '-device vmcoreinfo', then install the fwcfg64 driver from the
   virtio-win repository into the guest Windows. Versions from 7 to 10
   are supported.
   An unofficial test-signed driver sample can be found at
   https://www.dropbox.com/s/nodjbehr9bb1x6i/fwcfg.zip?dl=0
2. Turn off "Automatically restart" or
   use '-device pvpanic -no-shutdown' and install the pvpanic driver.
3. Cause a BSOD, for example, with the HMP 'nmi' command.
4. Execute the HMP command 'dump-guest-memory -w memory.dmp'.
5. Open memory.dmp with WinDbg (better from WDK 10) on a Windows
   machine. It can use the dump file properly, for example to display
   general information about the dump with the '!analyze -v' command or
   to investigate a call stack with the 'k' command.

In this way, if the guest Windows can't save a dump of the appropriate
type, we can still do this.

At the moment, there are no tools to produce a fully valid Windows dump
file from ELF because they are unaware of the header information. But in
the future, tools like Volatility, which try to do this, could use the
header from the ELF note.

Regards,
Viktor Prutyanov
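The crashdump layout described in the thread (an ELF dump whose note carries the 8K Windows header, followed by guest physical memory) lends itself to a quick sanity check before handing a file to WinDbg or a conversion tool. The following Python is an added example, not code from the patch, from QEMU, or from the fwcfg64 driver: it walks the ELF64 program headers, finds the note whose descriptor starts with the "PAGEDU64" signature, and decodes the publicly documented DUMP_HEADER64 fields (machine type, CPU count, bugcheck code and parameters, dump type). The note name "VMCOREINFO" and note type 0 used when constructing the sample file are assumptions, and every header field value in the sample is constructed, not captured from a real guest.

```python
"""Locate and decode a Windows 64-bit crash-dump header carried in the
PT_NOTE segment of an ELF64 core.  Added example; not QEMU's or the
driver's code.  The guest note name/type below are assumptions."""
import struct

PAGE_SIZE = 4096
WIN_DUMP_HDR_SIZE = 8192            # the 8K header the guest driver exposes
WIN_DUMP_SIGNATURE = b"PAGE"        # DUMP_HEADER64.Signature
WIN_DUMP_VALID_DUMP64 = b"DU64"     # DUMP_HEADER64.ValidDump
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PT_LOAD, PT_NOTE = 1, 4

# DUMP_HEADER64 field offsets (public crash-dump layout)
OFF_MAJOR_VERSION = 0x08            # MajorVersion u32, MinorVersion u32
OFF_DIRECTORY_TABLE_BASE = 0x10     # u64
OFF_MACHINE_IMAGE_TYPE = 0x30       # u32, then NumberProcessors u32, BugCheckCode u32
OFF_BUGCHECK_PARAMS = 0x40          # four u64
OFF_DUMP_TYPE = 0xF98               # u32, 1 == full dump

# Assumed for the constructed sample only (not taken from the driver or patch).
GUEST_NOTE_NAME = b"VMCOREINFO"
GUEST_NOTE_TYPE = 0


def _align4(n):
    return (n + 3) & ~3


def iter_elf64_notes(blob):
    """Yield (name, type, desc) for every note in every PT_NOTE segment."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2:          # ELFCLASS64 only
        raise ValueError("not an ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", blob, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", blob, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:
            namesz, descsz, ntype = struct.unpack_from("<III", blob, pos)
            name = bytes(blob[pos + 12:pos + 12 + namesz]).rstrip(b"\0")
            desc_off = pos + 12 + _align4(namesz)
            yield name, ntype, bytes(blob[desc_off:desc_off + descsz])
            pos = desc_off + _align4(descsz)


def find_win_dump_header(blob):
    """Return the 8K header if some note descriptor starts with PAGEDU64,
    else None (the guest driver never published a header)."""
    for _name, _ntype, desc in iter_elf64_notes(blob):
        if (len(desc) >= WIN_DUMP_HDR_SIZE
                and desc[:4] == WIN_DUMP_SIGNATURE
                and desc[4:8] == WIN_DUMP_VALID_DUMP64):
            return desc[:WIN_DUMP_HDR_SIZE]
    return None


def parse_win_dump_header(h):
    """Decode the fields WinDbg's '!analyze -v' would report first."""
    if len(h) != WIN_DUMP_HDR_SIZE:
        raise ValueError("dump header must be exactly 8K")
    machine, ncpu, bugcheck = struct.unpack_from("<III", h, OFF_MACHINE_IMAGE_TYPE)
    if machine != IMAGE_FILE_MACHINE_AMD64:
        raise ValueError("only x64 dump headers are handled (as in the patch)")
    major, minor = struct.unpack_from("<II", h, OFF_MAJOR_VERSION)
    (dtb,) = struct.unpack_from("<Q", h, OFF_DIRECTORY_TABLE_BASE)
    params = struct.unpack_from("<4Q", h, OFF_BUGCHECK_PARAMS)
    (dump_type,) = struct.unpack_from("<I", h, OFF_DUMP_TYPE)
    return {"major_version": major, "minor_version": minor,
            "directory_table_base": dtb, "machine_image_type": machine,
            "number_processors": ncpu, "bugcheck_code": bugcheck,
            "bugcheck_params": params, "dump_type": dump_type}


def build_sample_core(bugcheck=0x80, params=(0, 0, 0, 0), ncpu=2, with_note=True):
    """Constructed sample: a minimal ELF64 core with one PT_NOTE carrying a
    fabricated 8K header and one PT_LOAD holding a single zero page of
    guest RAM.  All values are made up for the test."""
    hdr = bytearray(WIN_DUMP_HDR_SIZE)
    hdr[0:8] = WIN_DUMP_SIGNATURE + WIN_DUMP_VALID_DUMP64
    struct.pack_into("<II", hdr, OFF_MAJOR_VERSION, 15, 7601)
    struct.pack_into("<Q", hdr, OFF_DIRECTORY_TABLE_BASE, 0x1AA000)
    struct.pack_into("<III", hdr, OFF_MACHINE_IMAGE_TYPE, IMAGE_FILE_MACHINE_AMD64, ncpu, bugcheck)
    struct.pack_into("<4Q", hdr, OFF_BUGCHECK_PARAMS, *params)
    struct.pack_into("<I", hdr, OFF_DUMP_TYPE, 1)

    name = GUEST_NOTE_NAME + b"\0"                          # namesz counts the NUL
    note = (struct.pack("<III", len(name), len(hdr), GUEST_NOTE_TYPE)
            + name.ljust(_align4(len(name)), b"\0") + bytes(hdr))
    phnum = 2 if with_note else 1
    note_off = 64 + phnum * 56
    note_blob = note if with_note else b""
    load_off = -(-(note_off + len(note_blob)) // PAGE_SIZE) * PAGE_SIZE

    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # 64-bit, LE, ELF v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 4, 62, 1, 0, 64, 0, 0,  # ET_CORE, EM_X86_64
                        64, 56, phnum, 0, 0, 0)
    phdrs = b""
    if with_note:
        phdrs += struct.pack("<IIQQQQQQ", PT_NOTE, 0, note_off, 0, 0, len(note), 0, 4)
    phdrs += struct.pack("<IIQQQQQQ", PT_LOAD, 7, load_off, 0, 0, PAGE_SIZE, PAGE_SIZE, PAGE_SIZE)
    body = ehdr + phdrs + note_blob
    return body + bytes(load_off - len(body)) + bytes(PAGE_SIZE)


if __name__ == "__main__":
    # 0x80 is NMI_HARDWARE_FAILURE, the stop code Windows raises on an unexpected NMI
    core = build_sample_core(bugcheck=0x80)
    print(parse_win_dump_header(find_win_dump_header(core)))
```

Running the module builds the constructed core and prints the decoded header. The case a practitioner actually hits is find_win_dump_header() returning None: the guest driver was not loaded or the vmcoreinfo device was absent, so no header exists and the dump cannot be turned into a WinDbg-readable file, which is exactly what steps 1 and 2 of the test procedure above are there to prevent.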

Thread overview: 4+ messages
2018-04-17 13:50 [Qemu-devel] [PATCH v1] dump: add Windows dump format to dump-guest-memory Viktor Prutyanov
2018-04-17 14:17 ` Marc-André Lureau
2018-04-17 15:43   ` Viktor Prutyanov [this message]
2018-04-18 14:53 ` Eric Blake
