Dump文件数据存储格式(二）

四、系统信息流

流目录后面紧接着就是流数据了。第一个流数据就是系统信息流。

可知，这个流的起始于文件偏移0xEC，大小是0x38,也就是56个字节。

从上图可知，系统信息流就是紧挨着流目录尾部。这个流包含了如下操作系统和处理器信息：处理器架构、级别、版本，CPU信息等。数据结构如下：

typedef struct _MINIDUMP_SYSTEM_INFO {
  USHORT          ProcessorArchitecture;
  USHORT          ProcessorLevel;
  USHORT          ProcessorRevision;
  union {
    USHORT Reserved0;
    struct {
      UCHAR NumberOfProcessors;
      UCHAR ProductType;
    };
  };
  ULONG32         MajorVersion;
  ULONG32         MinorVersion;
  ULONG32         BuildNumber;
  ULONG32         PlatformId;
  RVA             CSDVersionRva;
  union {
    ULONG32 Reserved1;
    struct {
      USHORT SuiteMask;
      USHORT Reserved2;
    };
  };
  CPU_INFORMATION Cpu;
} MINIDUMP_SYSTEM_INFO, *PMINIDUMP_SYSTEM_INFO;

• ProcessorArchitecture
系统的处理器架构。此成员可以是以下值之一。


  Value	Meaning
  PROCESSOR_ARCHITECTURE_AMD64 9	x64 (AMD or Intel)
  PROCESSOR_ARCHITECTURE_ARM 5	ARM
  PROCESSOR_ARCHITECTURE_IA64 6	Intel Itanium
  PROCESSOR_ARCHITECTURE_INTEL 0	x86
  PROCESSOR_ARCHITECTURE_UNKNOWN 0xffff	Unknown processor

• ProcessorLevel
  系统依赖于架构的处理器级别。如果ProcessorArchitecture 是 PROCESSOR_ARCHITECTURE_IA64, ProcessorLevel 的值是1。如果ProcessorArchitecture 是 PROCESSOR_ARCHITECTURE_INTEL, ProcessorLevel 可以是取如下值：
  

  Value	Meaning
  3	Intel 80386
  4	Intel 80486
  5	Intel Pentium
  6	Intel Pentium Pro or Pentium II

• ProcessorRevision
依赖架构的处理器版本。


  Processor	Value
  Intel 80386 or 80486	A value of the form xxyz. If xx is equal to 0xFF, y - 0xA is the model number, and z is the stepping identifier. For example, an Intel 80486-D0 system returns 0xFFD0. If xx is not equal to 0xFF, xx + 'A' is the stepping letter and yz is the minor stepping.
  Intel Pentium, Cyrix, or NextGen 586	A value of the form xxyy, where xx is the model number and yy is the stepping. Display this value of 0x0201 as follows: Model xx, Stepping yy

• Reserved0
此成员保留供将来使用，并且必须为零。

• NumberOfProcessors
系统中处理器的数量。

• ProductType
有关系统的任何其他信息。此成员可以是以下值之一。


  Value	Meaning
  VER_NT_DOMAIN_CONTROLLER 0x0000002	The system is a domain controller.
  VER_NT_SERVER 0x0000003	The system is a server.
  VER_NT_WORKSTATION 0x0000001	The system is running Windows XP, Windows Vista, Windows 7, or Windows 8.

• MajorVersion
操作系统的主要版本号。此成员可以是4、5或6。

• MinorVersion
操作系统的次要版本号。

• BuildNumber
操作系统的内部版本号。

• PlatformId
操作系统平台。此成员可以是以下值之一。


  Value	Meaning
  VER_PLATFORM_WIN32s 0	Not supported
  VER_PLATFORM_WIN32_WINDOWS 1	Not supported.
  VER_PLATFORM_WIN32_NT 2	The operating system platform is Windows.

• CSDVersionRva
MINIDUMP_STRING RVA，该字符串描述系统上安装的最新Service Pack。如果未安装Service Pack，则字符串为空。

• Reserved1
此成员保留供将来使用

• SuiteMask
标识系统上可用的产品套件的位标志。此成员可以是以下值的组合。


  Value	Meaning
  VER_SUITE_BACKOFFICE 0x00000004	Microsoft BackOffice components are installed.
  VER_SUITE_BLADE 0x00000400	Windows Server 2003, Web Edition is installed.
  VER_SUITE_COMPUTE_SERVER 0x00004000	Windows Server 2003, Compute Cluster Edition is installed.
  VER_SUITE_DATACENTER 0x00000080	Windows Server 2008 R2 Datacenter, Windows Server 2008 Datacenter, or Windows Server 2003, Datacenter Edition is installed.
  VER_SUITE_ENTERPRISE 0x00000002	Windows Server 2008 R2 Enterprise, Windows Server 2008 Enterprise, or Windows Server 2003, Enterprise Edition is installed.
  VER_SUITE_EMBEDDEDNT 0x00000040	Windows Embedded is installed.
  VER_SUITE_PERSONAL 0x00000200	Windows XP Home Edition is installed.
  VER_SUITE_SINGLEUSERTS 0x00000100	Remote Desktop is supported, but only one interactive session is supported. This value is set unless the system is running in application server mode.
  VER_SUITE_SMALLBUSINESS 0x00000001	Microsoft Small Business Server was once installed on the system, but may have been upgraded to another version of Windows.
  VER_SUITE_SMALLBUSINESS_RESTRICTED 0x00000020	Microsoft Small Business Server is installed with the restrictive client license in force.
  VER_SUITE_STORAGE_SERVER 0x00002000	Windows Storage Server is installed.
  VER_SUITE_TERMINAL 0x00000010	Terminal Services is installed. This value is always set. If VER_SUITE_TERMINAL is set but VER_SUITE_SINGLEUSERTS is not set, the system is running in application server mode.

• Reserved2
此成员保留供将来使用

• Cpu
CPU相关信息，CPU_INFORMATION union是数据组织形式。下面详细说明


CPU_INFORMATION成员如下：

union
{
struct X86CpuInfo
{
ULONG32 VendorID[3];
ULONG32 VersionInformation;
ULONG32 FeatureInformation;
ULONG32 AMDExtendedCpuFeatures
};
struct OtherCpuInfo
{
ULONG64 ProcesssorFeatures[2]
};
}

X86CpuInfo

从CPUID指令获得的CPU信息。只有x86计算机支持此结构。

• VendorId
  CPUID子函数0。数组元素如下

• ersionInformation
  CPUID子功能1。EAX的值。

• FeatureInformation
  CPUID子功能1。EDX的值。

• AMDExtendedCpuFeatures
  CPUID子功能80000001。EBX值。仅当供应商为“AuthenticAMD”时才支持此成员。

OtherCpuInfo

其他CPU信息。只有非x86计算机才支持此结构。

• ProcessorFeatures
  它的值参考 IsProcessorFeaturePresent function.

从上面的数据结构成员意思，我们可以得出，这个dmp文件的产生的系统信息如下：x86架构的奔5及以上级别windows平台，8核CPU。

用windbg加载看看