  Dump File Data Storage Format (Part 2)

    4. System Information Stream

    Immediately after the stream directory comes the stream data. The first stream is the system information stream.

    This stream starts at file offset 0xEC and has a size of 0x38, that is, 56 bytes.

    As the figure above shows, the system information stream sits directly after the end of the stream directory. It holds the following operating system and processor information: processor architecture, level and revision, CPU details, and so on. Its data structure is:

    typedef struct _MINIDUMP_SYSTEM_INFO {
      USHORT          ProcessorArchitecture;
      USHORT          ProcessorLevel;
      USHORT          ProcessorRevision;
      union {
        USHORT Reserved0;
        struct {
          UCHAR NumberOfProcessors;
          UCHAR ProductType;
        };
      };
      ULONG32         MajorVersion;
      ULONG32         MinorVersion;
      ULONG32         BuildNumber;
      ULONG32         PlatformId;
      RVA             CSDVersionRva;
      union {
        ULONG32 Reserved1;
        struct {
          USHORT SuiteMask;
          USHORT Reserved2;
        };
      };
      CPU_INFORMATION Cpu;
    } MINIDUMP_SYSTEM_INFO, *PMINIDUMP_SYSTEM_INFO;
    • ProcessorArchitecture
      The system's processor architecture. This member can be one of the following values:
      Constant                         Value    Meaning
      PROCESSOR_ARCHITECTURE_AMD64     9        x64 (AMD or Intel)
      PROCESSOR_ARCHITECTURE_ARM       5        ARM
      PROCESSOR_ARCHITECTURE_IA64      6        Intel Itanium
      PROCESSOR_ARCHITECTURE_INTEL     0        x86
      PROCESSOR_ARCHITECTURE_UNKNOWN   0xffff   Unknown processor
    • ProcessorLevel
      The architecture-dependent processor level of the system. If ProcessorArchitecture is PROCESSOR_ARCHITECTURE_IA64, ProcessorLevel is 1. If ProcessorArchitecture is PROCESSOR_ARCHITECTURE_INTEL, ProcessorLevel can take one of the following values:
      Value   Meaning
      3       Intel 80386
      4       Intel 80486
      5       Intel Pentium
      6       Intel Pentium Pro or Pentium II
    • ProcessorRevision
      The architecture-dependent processor revision.
      Processor: Intel 80386 or 80486
        Value: a value of the form xxyz.
        If xx is equal to 0xFF, y - 0xA is the model number, and z is the stepping identifier. For example, an Intel 80486-D0 system returns 0xFFD0.
        If xx is not equal to 0xFF, xx + 'A' is the stepping letter and yz is the minor stepping.
      Processor: Intel Pentium, Cyrix, or NextGen 586
        Value: a value of the form xxyy, where xx is the model number and yy is the stepping. Display this value (0x0201 in this dump) as follows:
        Model xx, Stepping yy

    • Reserved0
      This member is reserved for future use and must be zero.
    • NumberOfProcessors
      The number of processors in the system.
    • ProductType
      Any additional information about the system. This member can be one of the following values:
      Constant                   Value       Meaning
      VER_NT_DOMAIN_CONTROLLER   0x0000002   The system is a domain controller.
      VER_NT_SERVER              0x0000003   The system is a server.
      VER_NT_WORKSTATION         0x0000001   The system is running Windows XP, Windows Vista, Windows 7, or Windows 8.
    • MajorVersion
      The major version number of the operating system. This member can be 4, 5, or 6.
    • MinorVersion
      The minor version number of the operating system.
    • BuildNumber
      The build number of the operating system.
    • PlatformId
      The operating system platform. This member can be one of the following values:
      Constant                     Value   Meaning
      VER_PLATFORM_WIN32s          0       Not supported.
      VER_PLATFORM_WIN32_WINDOWS   1       Not supported.
      VER_PLATFORM_WIN32_NT        2       The operating system platform is Windows.
    • CSDVersionRva
      RVA of a MINIDUMP_STRING that describes the latest Service Pack installed on the system. If no Service Pack is installed, the string is empty.
    • Reserved1
      This member is reserved for future use.
    • SuiteMask
      Bit flags that identify the product suites available on the system. This member can be a combination of the following values:
      Constant                             Value        Meaning
      VER_SUITE_BACKOFFICE                 0x00000004   Microsoft BackOffice components are installed.
      VER_SUITE_BLADE                      0x00000400   Windows Server 2003, Web Edition is installed.
      VER_SUITE_COMPUTE_SERVER             0x00004000   Windows Server 2003, Compute Cluster Edition is installed.
      VER_SUITE_DATACENTER                 0x00000080   Windows Server 2008 R2 Datacenter, Windows Server 2008 Datacenter, or Windows Server 2003, Datacenter Edition is installed.
      VER_SUITE_ENTERPRISE                 0x00000002   Windows Server 2008 R2 Enterprise, Windows Server 2008 Enterprise, or Windows Server 2003, Enterprise Edition is installed.
      VER_SUITE_EMBEDDEDNT                 0x00000040   Windows Embedded is installed.
      VER_SUITE_PERSONAL                   0x00000200   Windows XP Home Edition is installed.
      VER_SUITE_SINGLEUSERTS               0x00000100   Remote Desktop is supported, but only one interactive session is supported. This value is set unless the system is running in application server mode.
      VER_SUITE_SMALLBUSINESS              0x00000001   Microsoft Small Business Server was once installed on the system, but may have been upgraded to another version of Windows.
      VER_SUITE_SMALLBUSINESS_RESTRICTED   0x00000020   Microsoft Small Business Server is installed with the restrictive client license in force.
      VER_SUITE_STORAGE_SERVER             0x00002000   Windows Storage Server is installed.
      VER_SUITE_TERMINAL                   0x00000010   Terminal Services is installed. This value is always set.

      If VER_SUITE_TERMINAL is set but VER_SUITE_SINGLEUSERTS is not set, the system is running in application server mode.


    • Reserved2
      This member is reserved for future use.
    • Cpu
      CPU-related information, organized as the CPU_INFORMATION union, which is described in detail below.

    The members of CPU_INFORMATION are:

    typedef union _CPU_INFORMATION {
      struct {
        ULONG32 VendorId[3];              /* CPUID leaf 0 vendor registers */
        ULONG32 VersionInformation;       /* CPUID leaf 1, EAX */
        ULONG32 FeatureInformation;       /* CPUID leaf 1, EDX */
        ULONG32 AMDExtendedCpuFeatures;   /* CPUID leaf 0x80000001, EBX (AMD only) */
      } X86CpuInfo;
      struct {
        ULONG64 ProcessorFeatures[2];     /* see IsProcessorFeaturePresent */
      } OtherCpuInfo;
    } CPU_INFORMATION, *PCPU_INFORMATION;

    X86CpuInfo

    CPU information obtained from the CPUID instruction. This structure is supported only on x86 machines.

    • VendorId
      CPUID subfunction 0. The array elements are as follows
    • VersionInformation
      CPUID subfunction 1. The value of EAX.
    • FeatureInformation
      CPUID subfunction 1. The value of EDX.
    • AMDExtendedCpuFeatures
      CPUID subfunction 80000001. The value of EBX. This member is supported only when the vendor is "AuthenticAMD".

    OtherCpuInfo

    Other CPU information. This structure is supported only on non-x86 machines.

    • ProcessorFeatures
      For its values, refer to the IsProcessorFeaturePresent function.

    From the meaning of the structure members above, we can conclude the following about the system that produced this dmp file: x86 architecture, processor level 5 (Pentium) or above, Windows platform, 8-core CPU.
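    As an added example (not code from the original post), here is a Python decoder for the stream described above, run against a constructed 56-byte sample placed at offset 0xEC exactly as in the page's dump. It assumes that MINIDUMP_STRING is a ULONG32 byte length followed by UTF-16LE text and that VendorId[3] holds the CPUID leaf-0 registers in EBX, EDX, ECX order; every offset taken from the file is bounds-checked, so a truncated or malformed dump is rejected instead of being read out of range.

```python
import struct

# MINIDUMP_SYSTEM_INFO (little-endian, 0x38 = 56 bytes): 3x USHORT arch/level/revision,
# 2x UCHAR NumberOfProcessors/ProductType, 4x ULONG32 Major/Minor/Build/PlatformId,
# ULONG32 CSDVersionRva, 2x USHORT SuiteMask/Reserved2, then 24-byte CPU_INFORMATION.
SYSTEM_INFO_FMT = "<HHHBBIIIIIHH"
CPU_INFO_OFFSET = struct.calcsize(SYSTEM_INFO_FMT)   # 32
SYSTEM_INFO_SIZE = CPU_INFO_OFFSET + 24              # 56
ARCHITECTURES = {9: "x64 (AMD or Intel)", 5: "ARM", 6: "Intel Itanium", 0: "x86",
                 0xFFFF: "Unknown processor"}

def read_minidump_string(dump: bytes, rva: int) -> str:
    """MINIDUMP_STRING (assumed: ULONG32 byte length, then UTF-16LE); RVA and length are bounds-checked."""
    if rva == 0 or rva + 4 > len(dump):
        return ""
    (length,) = struct.unpack_from("<I", dump, rva)
    if rva + 4 + length > len(dump):
        return ""  # truncated or malformed dump: never read past the buffer
    return dump[rva + 4:rva + 4 + length].decode("utf-16-le", "replace")

def parse_system_info(dump: bytes, rva: int) -> dict:
    """Decode the system info stream at file offset `rva` (0xEC in the page's dump)."""
    if rva < 0 or rva + SYSTEM_INFO_SIZE > len(dump):
        raise ValueError("system info stream lies outside the file")
    (arch, level, rev, nprocs, product, major, minor, build, platform,
     csd_rva, suite, _reserved2) = struct.unpack_from(SYSTEM_INFO_FMT, dump, rva)
    info = {"architecture": ARCHITECTURES.get(arch, f"unknown ({arch:#x})"),
            "processor_level": level, "number_of_processors": nprocs,
            "product_type": product, "version": (major, minor, build),
            "platform_id": platform, "suite_mask": suite,
            "revision": f"Model {rev >> 8:02X}, Stepping {rev & 0xFF:02X}",  # xxyy form
            "service_pack": read_minidump_string(dump, csd_rva)}
    cpu = rva + CPU_INFO_OFFSET
    if arch == 0:  # PROCESSOR_ARCHITECTURE_INTEL -> X86CpuInfo
        # VendorId[3] is the CPUID leaf-0 vendor text (assumed EBX, EDX, ECX order)
        info["vendor"] = dump[cpu:cpu + 12].decode("ascii", "replace")
        info["cpuid"] = struct.unpack_from("<III", dump, cpu + 12)  # EAX, EDX, AMD ext
    else:  # OtherCpuInfo: two ULONG64 ProcessorFeatures words
        info["processor_features"] = struct.unpack_from("<QQ", dump, cpu)
    return info

def build_sample_dump() -> bytes:
    """Constructed input, not a real dump: 0xEC zero bytes stand in for header and directory."""
    csd_rva = 0xEC + SYSTEM_INFO_SIZE
    stream = struct.pack(SYSTEM_INFO_FMT, 0, 5, 0x0201, 8, 1, 6, 1, 7601, 2, csd_rva,
                         0x0110, 0)  # x86, level 5, 8 CPUs, VER_NT_WORKSTATION, Win32_NT
    stream += b"GenuineIntel" + struct.pack("<III", 0, 0, 0)
    csd = "Service Pack 1".encode("utf-16-le")
    return b"\0" * 0xEC + stream + struct.pack("<I", len(csd)) + csd + b"\0\0"
```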

    Load it in WinDbg and take a look.

  Original article: https://www.cnblogs.com/yilang/p/13813659.html