From mboxrd@z Thu Jan 1 00:00:00 1970
From: Konrad Rzeszutek Wilk
Subject: Re: RE: produce windows compatible dump file from Dom0
Date: Thu, 26 May 2011 08:52:40 -0400
Message-ID: <20110526125239.GA7838@dumpdata.com>
References: <291EDFCB1E9E224A99088639C47620228D3EDCA57D@LONPMAILBOX01.citrite.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: James Harper
Cc: admin@dmarkey.com, Paul Durrant, xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On Wed, May 25, 2011 at 10:16:06PM +1000, James Harper wrote:
> > Hi all,
> >
> > Did anyone make any progress on this?
> >
> > I'm interested in getting a Windows memory dump out of a XenServer
> > suspend image.
> >
> > Is it even remotely possible?
> >
>
> Yes. In order for it to work I believe the DomU needs to call
> KeInitializeCrashDumpHeader to place a crash dump header inside the
> memory image (eg in NonPagedPool). KeInitializeCrashDumpHeader is
> available in 2003sp1 and newer. You can then find that info in the saved
> image and use it to build a windows compatible crash dump. There is more
> to it than that obviously and I haven't actually done it myself. Ideally
> it would be possible to do 'xl wincrashdump -o memory.dmp domu_name' and
> have it all happen.
>
> I've BCC'd the guy who wrote a program to do it to see if he can share
> it (hope he doesn't mind :)

I am not "the guy", and while "the guy" is working on getting a blanket OK to release the source (or executable), let me give you some of the technical details in case you feel inspired to write this yourself.
The process of making a dumpconverter involves finding the Windows dump header in memory and putting it at the beginning of the output file, then taking the raw domain dump and writing it as is, except that the following two ranges need to be skipped (they can vary from system to system):

1) the ELF header (by default the first 6 pages of the raw dump)
2) a range which might be BIOS, which by default in the tool is set to pages 0x9F to 0xDF.

Good luck!
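Below is an illustrative sketch of the conversion Konrad describes, added to this page for clarity. It is not the tool referred to in the thread and not Xen or Windows code. It locates the header by the DUMP_HEADER magic that KeInitializeCrashDumpHeader writes ('PAGE' followed by 'DUMP' for a 32-bit 4 KiB header or 'DU64' for a 64-bit 8 KiB header), copies that header to the start of the output, then streams the raw dump page by page, dropping the two ranges. Assumptions not stated in the thread: the skip ranges are 4 KiB page indexes into the raw dump file and the BIOS range 0x9F..0xDF is inclusive at both ends; the sample input is constructed in memory and is not a real domain dump.

```python
# Illustrative sketch of the Xen raw dump -> Windows crash dump conversion
# described in the thread. Not the tool referred to there; written for this
# page. Assumptions that the thread does not make are marked as such.
import struct

PAGE_SIZE = 4096
ELF_HEADER_PAGES = 6          # default: the first 6 pages of the raw dump are the ELF header

# Ranges to drop from the raw dump, as (first_page, last_page) inclusive.
# Assumption: "pages 0x9F to 0xDF" are page indexes into the raw dump file
# and the range is inclusive at both ends; both ranges vary per system.
DEFAULT_SKIP_RANGES = ((0, ELF_HEADER_PAGES - 1), (0x9F, 0xDF))

# A Windows DUMP_HEADER starts with 'PAGE' + 'DUMP' (32-bit, one page) or
# 'PAGE' + 'DU64' (64-bit, two pages); KeInitializeCrashDumpHeader writes
# this into the caller's buffer, e.g. in NonPagedPool.
DUMP_HEADER_SIZES = {b"PAGEDUMP": PAGE_SIZE, b"PAGEDU64": 2 * PAGE_SIZE}


def find_dump_header(raw, start_page=ELF_HEADER_PAGES):
    """Return (offset, header_size) of the first dump header magic found at or
    after start_page, or None.  The guest's buffer need not be page aligned,
    so the scan is byte granular; the ELF header pages are skipped."""
    best = None
    for magic, size in DUMP_HEADER_SIZES.items():
        off = raw.find(magic, start_page * PAGE_SIZE)
        if off != -1 and off + size <= len(raw) and (best is None or off < best[0]):
            best = (off, size)
    return best


def in_ranges(page, ranges):
    return any(lo <= page <= hi for lo, hi in ranges)


def kept_pages(raw, skip_ranges=DEFAULT_SKIP_RANGES):
    """Indexes of the raw dump pages that are copied to the output, in order."""
    npages = len(raw) // PAGE_SIZE
    return [p for p in range(npages) if not in_ranges(p, skip_ranges)]


def convert(raw, skip_ranges=DEFAULT_SKIP_RANGES):
    """Windows-style dump: the header first, then the raw pages minus the skips."""
    hdr = find_dump_header(raw)
    if hdr is None:
        raise ValueError("no PAGEDUMP/PAGEDU64 header in image; did the guest "
                         "call KeInitializeCrashDumpHeader?")
    off, size = hdr
    out = bytearray(raw[off:off + size])
    for p in kept_pages(raw, skip_ranges):
        out += raw[p * PAGE_SIZE:(p + 1) * PAGE_SIZE]
    return bytes(out)


def build_sample_raw(npages=0x100, header_page=0x40, bits=64):
    """Constructed stand-in for a raw domain dump (not a real Xen image):
    page 0 carries an ELF magic, every page ends with its own index so the
    output can be inspected, and a fake dump header is planted at header_page."""
    raw = bytearray(npages * PAGE_SIZE)
    raw[0:4] = b"\x7fELF"
    for p in range(npages):
        struct.pack_into("<I", raw, (p + 1) * PAGE_SIZE - 4, p)
    magic = b"PAGEDU64" if bits == 64 else b"PAGEDUMP"
    raw[header_page * PAGE_SIZE:header_page * PAGE_SIZE + len(magic)] = magic
    return bytes(raw)


def page_marker(out, index):
    """Raw page index stamped on payload page `index` of a converted dump
    (payload page 0 is the first page after the copied header)."""
    hsize = DUMP_HEADER_SIZES[out[:8]]
    return struct.unpack_from("<I", out, hsize + (index + 1) * PAGE_SIZE - 4)[0]


if __name__ == "__main__":
    dump = convert(build_sample_raw())
    print(len(dump) // PAGE_SIZE, "pages written; first payload page came from raw page",
          page_marker(dump, 0))
```

With the defaults the 256-page sample loses the 6 ELF pages and the 65 BIOS pages, so 185 guest pages follow the two header pages; the guest's own copy of the header is still among them, since the raw memory is written as is. A real converter would also have to deal with whatever else the header and the debugger expect to line up, which is the "more to it than that" James mentions and which this sketch does not attempt.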