parsecrash420.pl

wince 内核dump程序

0x00 DWORD magic
0x04 *storageinfo pstorageinfo
0x08 *partitioninfo ppartitioninfo
0x0c DWORD@7 dw1

!struct partitioninfo
0x00  DWORD@8 dw

!struct storageinfo
0x0000 *somestoragestr somestring
0x0004 DWORD dw1a
0x0008 DWORD bdevhandle
0x000c wchar@16 devname
0x002c wchar@32 desc1
0x006c wchar@32 desc2
0x00ac wchar@260 partdll
0x02b4 wchar@260 profilekey
0x04bc wchar@260 fsname
0x06c4 DWORD@165 dw2
0x0958 wchar@32 desc3
0x0998 DWORD@29 dw3
0x0a0c wchar@260 driverkey
0x0c14 DWORD@11 dw4

!struct somestoragestr
0x00 DWORD codeptr
0x04 wchar@260 str

!struct FSMAP
0x00 DWORD hNext;          /* Next map in list */
0x04 DWORD hFile;          /* File, or INVALID_HANDLE_VALUE for just vm */
0x08 DWORD pBase;          /* pointer to start of kernel mapped region */
0x0c DWORD pDirty;         /* non-null if r/w real file, points to dirty bitmap */
0x10 DWORD  length;        /* length of mapped region */
0x14 DWORD  filelen;       /* length of file if hFile != INVALID_HANDLE_VALUE */
0x18 DWORD  reslen;        /* length of reservation */
0x1c *Name  name;          /* points to name of event */
0x20 *CLEANEVENT lpmlist;  /* List of mappings */
0x24 DWORD   dwDirty;      /* Count of dirty pages */
0x28 BYTE   bRestart;      /* Has been flushed */
0x29 BYTE   bNoAutoFlush;  /* Disallow automatic flushing */
0x2a BYTE   bDirectROM;    /* File mapped directly from ROM */
0x2b BYTE   bFlushFlags;   /* Flush flags */
0x2c PGPOOL_Q pgqueue;     /* list of the page owned by the mapfile */

!struct PROXY
0x00 DWORD  pQPrev;         /* Previous proxy for this object queue, must be first for ReQueueByPriority */
0x04 DWORD  pQNext;         /* Next proxy for this object queue */
0x08 DWORD  pQUp;
0x0c DWORD  pQDown;
0x10 DWORD  pThLinkNext;    /* Next proxy for this thread */
0x14 DWORD  pObject;         /* Pointer to object we're blocked on */
0x18 BYTE    bType;         /* Type of object we're blocked on */
0x19 BYTE    prio;          /* Current prio we're enqueued on */
0x1a WORD    wCount;        /* Count matching thread's wCount */
0x1c *THREAD pTh;           /* Thread "owning" this proxy */
0x20 DWORD   dwRetVal;       /* Return value if this is why we wake up */

!struct Module
0x00 *Module    lpSelf;                /* Self pointer for validation */
0x04 *Module    pMod;                   /* Next module in chain */
0x08 *wstr      lpszModName;            /* Module name */
0x0c DWORD       inuse;                 /* Bit vector of use */
0x10 DWORD       calledfunc;            /* Called entry but not exit */
0x14 WORD@32    refcnt;                 /* Reference count per process*/
0x54 DWORD       BasePtr;               /* Base pointer of dll load (not 0 based) */
0x58 DWORD       DbgFlags;              /* Debug flags */
0x5c DWORD       ZonePtr;               /* Debug zone pointer */
0x60 DWORD       startip;               /* 0 based entrypoint */
0x64 openexe_t  oe;                     /* Pointer to executable file handle */
0x74 e32_lite   e32;                    /* E32 header */
0xbc *o32_lite  o32_ptr;                /* O32 chain ptr */
0xc0 DWORD       dwNoNotify;            /* 1 bit per process, set if notifications disabled */
0xc4 WORD       wFlags;
0xc6 BYTE       bTrustLevel;
0xc7 BYTE       bPadding;
0xc8 *Module    pmodResource;           /* module that contains the resources */
0xcc DWORD       rwLow;                 /* base address of RW section for ROM DLL */
0xd0 DWORD       rwHigh;                /* high address RW section for ROM DLL */
0xd4 PGPOOL_Q   pgqueue;                /* list of the page owned by the module */

!struct Name
0x00 WORD wPool
0x02 wchar@260 name

!struct MemoryInfo
0x00 DWORD  pKData;         /* start of kernel's data */
0x04 DWORD  pKEnd;          /* end of kernel's data & bss */
0x08 DWORD  cFi;            /* # of entries in free memory array */
0x0c *FreeInfo pFi;         /* Pointer to cFi FREEINFO entries */

!struct FreeInfo
0x00 DWORD  paStart;    /* start of available region */
0x04 DWORD  paEnd;      /* end of region (last byte + 1) */
0x08 DWORD  paRealEnd;
0x0c DWORD  pUseMap;    /* ptr to page usage count map */

!struct MemBlock
0x00 DWORD        alk;       /* 00: key code for this set of pages */
0x04 BYTE        cUses;      /* 04: # of page table entries sharing this leaf */
0x05 BYTE        flags;      /* 05: mapping flags */
0x06 WORD        ixBase;     /* 06: first block in region */
0x08 WORD        hPf;        /* 08: handle to pager */
0x0a WORD        cLocks;     /* 0a: lock count */
0x0c DWORD       aPages;     /* 0c: entrylo values */

!struct APISET
0x00 CINFO  cinfo
0x14 DWORD  iReg

!struct EVENT
0x00 DWORD hNext;           /* Next event in list */
0x04 *PROXY pProxList;
0x08 *PROXY@32 pProxHash;
0x88 DWORD hPrev;           /* previous event in list */
0x8c BYTE onequeue;
0x8d BYTE state;             /* TRUE: signalled, FALSE: unsignalled */
0x8e BYTE manualreset;       /* TRUE: manual reset, FALSE: autoreset */
0x8f BYTE bMaxPrio;
0x90 *Name name;             /* points to name of event */
0x94 *PROXY pIntrProxy;
0x98 DWORD dwData;           /* data associated with the event (CE extention) */

!struct MUTEX
0x00 DWORD hNext;       /* Next mutex in list */
0x04 *PROXY pProxList;
0x08 *PROXY@32 pProxHash;
0x88 DWORD hPrev;       /* previous mutex in list */
0x8c BYTE bListed;
0x8d BYTE bListedPrio;
0x8e WORD LockCount;         /* current lock count */
0x90 DWORD pPrevOwned; /* Prev crit/mutex owned (for prio inversion) */   // was *MUTEX
0x94 DWORD pNextOwned; /* Next crit/mutex owned (for prio inversion) */   // was *MUTEX
0x98 DWORD pUpOwned;         // was *MUTEX
0x9c DWORD pDownOwned;       // was *MUTEX
0xa0 *THREAD pOwner;  /* owner thread */
0xa4 *Name name;             /* points to name of event */

!struct SEMAPHORE
0x00 DWORD hNext;       /* Next semaphore in list */
0x04 *PROXY pProxList;
0x08 *PROXY@32 pProxHash;
0x88 DWORD hPrev;       /* previous semaphore in list */
0x8c DWORD lCount;            /* current count */
0x90 DWORD lMaxCount;         /* Maximum count */
0x94 DWORD lPending;          /* Pending count */
0x98 *Name name;         /* points to name of event */

!struct DBInfo
0x00 *DBInfo  next
0x04 DWORD    hDatabase
0x08 DWORD    dw1
0x0c DWORD    dw2
0x10 *DBVolume pVolume
0x14 DWORD    oid
0x18 DWORD@2  dw4

!struct DBVolume
0x00 *DBVolume next
0x04 DWORD  dw1
0x08 DWORD  dw2
0x0c DWORD  dw3
0x10 wchar@260 path

!struct SocketInfo
0x00 DWORD@16 dw

!struct CLEANEVENT
0x00 *CLEANEVENT ceptr;
0x04 DWORD base;
0x08 DWORD size;
0x0c DWORD op;

!struct CRIT
0x00 *CRITICAL_SECTION lpcs;  /* Pointer to critical_section structure */
0x04 *PROXY pProxList;
0x08 *PROXY@32 pProxHash;
0x88 *CRIT  pPrev;            /* previous event in list */
0x8c BYTE bListed;             /* Is this on someone's owner list */
0x8d BYTE bListedPrio;
0x8e BYTE iOwnerProc;          /* Index of owner process */
0x8f BYTE bPad;
0x90 DWORD pPrevOwned; /* Prev crit/mutex (for prio inversion) */                   // was *CRIT
0x94 DWORD pNextOwned; /* Next crit/mutex section owned (for prio inversion) */     // was *CRIT
0x98 DWORD pUpOwned;           // was *CRIT
0x9c DWORD pDownOwned;         // was *CRIT
0xa0 *CRIT pNext;             /* Next CRIT in list */

!struct CRITICAL_SECTION
0x00 DWORD LockCount;         /* Nesting count on critical section */
0x04 DWORD OwnerThread;         	/* Handle of owner thread */
0x08 DWORD hCrit;					/* Handle to this critical section */
0x0c DWORD needtrap;					/* Trap in when freeing critical section */
0x10 DWORD dwContentions;			/* Count of contentions */

!struct DWLIST
0x00 DWORD@8 dw

!struct ROMHDR
0x00 DWORD dllFirst
0x04 DWORD dllLast
0x08 DWORD physStart
0x0C DWORD physLast
0x10 DWORD nummods
0x14 DWORD ulRAMStart
0x18 DWORD ulRAMFree
0x1C DWORD ulRAMEnd
0x20 DWORD ulCopyEntries
0x24 DWORD ulCopyOffset
0x28 DWORD ulProfileLe
0x2C DWORD ulProfileOffset
0x30 DWORD numfiles
0x34 DWORD ulKernelFlags
0x38 DWORD ulFSRamPercent
0x3C DWORD ulDrivglobStart
0x40 DWORD ulDrivglobLen
0x44 WORD usCPUType
0x46 WORD usMiscFlags
0x48 DWORD pExtensions
0x4C DWORD ulTrackingStart
0x50 DWORD ulTrackingLen
	
!struct COPYentry
0x00 DWORD ulSource
0x04 DWORD ulDest
0x08 DWORD ulCopyLen
0x0C DWORD ulDestLen

!struct FILESentry
0x00 DWORD dwFileAttributes
0x04 FILETIME ftTime
0x0C DWORD nRealFileSize
0x10 DWORD nCompFileSize
0x14 *wstr lpszFileName
0x18 DWORD ulLoadOffset

!struct TOCentry
0x00 DWORD dwFileAttributes
0x04 FILETIME ftTime
0x0C DWORD nFileSize
0x10 *wstr lpszFileName
0x14 DWORD ulE32Offset
0x18 DWORD ulO32Offset
0x1C DWORD ulLoadOffset

!struct e32_rom
0x00 WORD e32_objcnt
0x02 WORD e32_imageflags
0x04 DWORD e32_entryrva
0x08 DWORD e32_vbase
0x0C WORD e32_subsysmajor
0x0E WORD e32_subsysminor
0x10 DWORD e32_stackmax
0x14 DWORD e32_vsize
0x18 DWORD e32_sect14rva
0x1C DWORD e32_sect14size
0x20 info@9  e32_unit
0x68 DWORD e32_subsys
	
!struct o32_rom
0x00 DWORD o32_vsize
0x04 DWORD o32_rva
0x08 DWORD o32_psize
0x0C DWORD o32_dataptr
0x10 DWORD o32_realaddr
0x14 DWORD o32_flags
	
!struct IMAGE_DEBUG_DIRECTORY
0x00 DWORD Characteristics
0x04 DWORD TimeDateStamp
0x08 WORD MajorVersion
0x0A WORD MinorVersion
0x0C DWORD Type
0x10 DWORD SizeOfData
0x14 DWORD AddressOfRawData
0x18 DWORD PointerToRawData

!struct IMAGE_DOS_HEADER
0x00 WORD   e_magic                     /* Magic number */
0x02 WORD   e_cblp                      /* Bytes on last page of file */
0x04 WORD   e_cp                        /* Pages in file */
0x06 WORD   e_crlc                      /* Relocations */
0x08 WORD   e_cparhdr                   /* Size of header in paragraphs */
0x0a WORD   e_minalloc                  /* Minimum extra paragraphs needed */
0x0c WORD   e_maxalloc                  /* Maximum extra paragraphs needed */
0x0e WORD   e_ss                        /* Initial (relative) SS value */
0x10 WORD   e_sp                        /* Initial SP value */
0x12 WORD   e_csum                      /* Checksum */
0x14 WORD   e_ip                        /* Initial IP value */
0x16 WORD   e_cs                        /* Initial (relative) CS value */
0x18 WORD   e_lfarlc                    /* File address of relocation table */
0x1a WORD   e_ovno                      /* Overlay number */
0x1c WORD@4 e_res                       /* Reserved words */
0x24 WORD   e_oemid                     /* OEM identifier (for e_oeminfo) */
0x26 WORD   e_oeminfo                   /* OEM information; e_oemid specific */
0x28 WORD@10  e_res2                    /* Reserved words */
0x3c DWORD  e_lfanew                    /* File address of new exe header */

!struct e32_exe
0x00 char@4 e32_magic        /* Magic number E32_MAGIC              */
0x04 WORD  e32_cpu           /* The CPU type                        */
0x06 WORD  e32_objcnt        /* Number of memory objects            */
0x08 DWORD   e32_timestamp   /* Time EXE file was created/modified  */
0x0c DWORD   e32_symtaboff   /* Offset to the symbol table          */
0x10 DWORD   e32_symcount    /* Number of symbols                   */
0x14 WORD  e32_opthdrsize    /* Optional header size                */
0x16 WORD  e32_imageflags    /* Image flags                         */
0x18 WORD  e32_coffmagic     /* Coff magic number (usually 0x10b)   */
0x1a BYTE   e32_linkmajor    /* The linker major version number     */
0x1b BYTE   e32_linkminor    /* The linker minor version number     */
0x1c DWORD   e32_codesize    /* Sum of sizes of all code sections   */
0x20 DWORD   e32_initdsize   /* Sum of all initialized data size    */
0x24 DWORD   e32_uninitdsize /* Sum of all uninitialized data size  */
0x28 DWORD   e32_entryrva    /* Relative virt. addr. of entry point */
0x2c DWORD   e32_codebase    /* Address of beginning of code section*/
0x30 DWORD   e32_database    /* Address of beginning of data section*/
0x34 DWORD   e32_vbase       /* Virtual base address of module      */
0x38 DWORD   e32_objalign    /* Object Virtual Address align. factor*/
0x3c DWORD   e32_filealign   /* Image page alignment/truncate factor*/
0x40 WORD  e32_osmajor       /* The operating system major ver. no. */
0x42 WORD  e32_osminor       /* The operating system minor ver. no. */
0x44 WORD  e32_usermajor     /* The user major version number       */
0x46 WORD  e32_userminor     /* The user minor version number       */
0x48 WORD  e32_subsysmajor   /* The subsystem major version number  */
0x4a WORD  e32_subsysminor   /* The subsystem minor version number  */
0x4c DWORD   e32_res1        /* Reserved bytes - must be 0  */
0x50 DWORD   e32_vsize       /* Virtual size of the entire image    */
0x54 DWORD   e32_hdrsize     /* Header information size             */
0x58 DWORD   e32_filechksum  /* Checksum for entire file            */
0x5c WORD  e32_subsys        /* The subsystem type                  */
0x5e WORD  e32_dllflags      /* DLL flags                           */
0x60 DWORD   e32_stackmax    /* Maximum stack size                  */
0x64 DWORD   e32_stackinit   /* Initial committed stack size        */
0x68 DWORD   e32_heapmax     /* Maximum heap size                   */
0x6c DWORD   e32_heapinit    /* Initial committed heap size         */
0x70 DWORD   e32_res2        /* Reserved bytes - must be 0  */
0x74 DWORD   e32_hdrextra    /* Number of extra info units in header*/
0x78 info@16 e32_unit        /* Array of extra info units      */

!struct o32_obj
0x00 char@8 o32_name;       /* Object name            */
0x08 DWORD  o32_vsize;      /* Virtual memory size              */
0x0c DWORD  o32_rva;        /* Object relative virtual address  */
0x10 DWORD  o32_psize;      /* Physical file size of init. data */
0x14 DWORD  o32_dataptr;    /* Image pages offset               */
0x18 DWORD  o32_realaddr;   /* pointer to actual                */
0x1c DWORD  o32_access;     /* assigned access                  */
0x20 DWORD  o32_temp3;
0x24 DWORD  o32_flags;      /* Attribute flags for the object   */