From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: David Markey <admin@dmarkey.com>
Cc: Paul Durrant <Paul.Durrant@citrix.com>,
James Harper <james.harper@bendigoit.com.au>,
xen-devel@lists.xensource.com
Subject: Re: RE: produce windows compatible dump file from Dom0
Date: Tue, 8 Nov 2011 10:40:34 -0500
Message-ID: <20111108154034.GA12849@phenom.dumpdata.com>
In-Reply-To: <CANXrN=0E70=AWfyhzUk6N3Rw=oVNqzcmUweCRforKpa3GQG4oQ@mail.gmail.com>
On Tue, Nov 08, 2011 at 03:15:10PM +0000, David Markey wrote:
> Hi Konrad,
>
> Sorry for resurrecting,
Oh no trouble.
>
> Did "the guy" manage to get clearance to release the source for this
> particular project?
Uh, I think we lost track of this. Let me poke "the guy".
>
>
> Thanks!
>
> David
>
>
> On 26 May 2011 13:52, Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> wrote:
>
> > On Wed, May 25, 2011 at 10:16:06PM +1000, James Harper wrote:
> > > >
> > > > Hi all,
> > > >
> > > > Did anyone make any progress on this?
> > > >
> > > > I'm interested in getting a Windows memory dump out of a XenServer
> > > > suspend image.
> > > >
> > > > Is it even remotely possible?
> > > >
> > >
> > > Yes. In order for it to work I believe the DomU needs to call
> > > KeInitializeCrashDumpHeader to place a crash dump header inside the
> > > memory image (eg in NonPagedPool). KeInitializeCrashDumpHeader is
> > > available in 2003sp1 and newer. You can then find that info in the saved
> > > image and use it to build a windows compatible crash dump. There is more
> > > to it than that obviously and I haven't actually done it myself. Ideally
> > > it would be possible to do 'xl wincrashdump -o memory.dmp domu_name' and
> > > have it all happen.
> > >
> > > I've BCC'd the guy who wrote a program to do it to see if he can share
> > > it (hope he doesn't mind :)
> >
> > I am not "the guy", and while "the guy" is working on getting a blanket
> > OK to release the source (or executable), let me give you some of the
> > technical details in case you feel inspired to write this yourself.
> >
> > The process in making a dumpconverter involves finding the windows dump
> > header in memory and putting it at the beginning of the output file, then
> > taking the raw domain dump and writing it as is except that the following
> > two ranges need to be skipped - which can vary from system to system:
> > 1) the ELF header (by default the first 6 pages of the raw dump)
> > 2) a range which might be BIOS, which by default in the tool is set to
> > pages 0x9F to 0xDF.
> >
> > Good luck!
> >
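
The conversion outlined in the quoted 26 May 2011 message, as an added Python sketch (not part of the thread and not "the guy's" tool). Assumptions not stated in the thread: the header starts with `PAGEDUMP` (32-bit, 0x1000 bytes) or `PAGEDU64` (64-bit, 0x2000 bytes), it sits page-aligned and contiguous in the image, and both skip ranges are page indexes into the raw dump file, with 0x9F to 0xDF taken as inclusive.

```python
"""Added sketch of the dump conversion described in the thread; names are hypothetical."""
import mmap
import sys

PAGE = 0x1000
# DUMP_HEADER signatures and sizes: assumptions, not stated in the thread.
SIGNATURES = {b"PAGEDUMP": 0x1000, b"PAGEDU64": 0x2000}
ELF_PAGES = 6                 # thread default: first 6 pages of the raw dump
HOLE = (0x9F, 0xDF)           # thread default: possible BIOS range, assumed inclusive


def find_header(mem):
    """Return (offset, size) of the earliest page-aligned dump header, or None."""
    hits = []
    for sig, size in SIGNATURES.items():
        pos = mem.find(sig)
        while pos != -1 and pos % PAGE:      # ignore unaligned look-alikes
            pos = mem.find(sig, pos + 1)
        if pos != -1 and pos + size <= len(mem):
            hits.append((pos, size))
    return min(hits) if hits else None


def kept_ranges(total_pages, elf_pages=ELF_PAGES, hole=HOLE):
    """Page ranges [start, end) of the raw dump that are copied to the output."""
    first, last = hole
    ranges = [(elf_pages, min(first, total_pages)),
              (last + 1, total_pages)]
    return [(s, e) for s, e in ranges if s < e]


def convert(src, dst, elf_pages=ELF_PAGES, hole=HOLE):
    """Write header + filtered raw pages to dst; return number of bytes written."""
    with open(src, "rb") as f, open(dst, "wb") as out:
        mem = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
        found = find_header(mem)
        if found is None:
            raise ValueError("no Windows dump header found in image")
        off, size = found
        written = out.write(mem[off:off + size])
        for start, end in kept_ranges(len(mem) // PAGE, elf_pages, hole):
            for page in range(start, end):   # copy page by page to bound memory use
                written += out.write(mem[page * PAGE:(page + 1) * PAGE])
        mem.close()
        return written


if __name__ == "__main__":
    print(convert(sys.argv[1], sys.argv[2]), "bytes written")
```

Both skip ranges are parameters because, as the message says, they can vary from system to system; a missing header raises an error instead of producing a file with no dump header.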