Commit 5b084f9b authored by ussrhero

Update README.md

parent b0c6a8e6
# DUMPDIFF
DumpDiff - a tool based on pykd for batch handling of kernel dumps.
Output example:
```
D:\>dumpdiff -r 75
Dump diff
Started analyze at 2018/08/24 15:57
parsed 20 dumps in 2 sec
Module filter: "not manufactor in ("Microsoft")"
============ OS diff ===============
System: Built by: 10586.672.amd64fre.th2_release_sec.161024-1825 in 1 dumps
System: Built by: 14393.1358.amd64fre.rs1_release.170602-2252 in 1 dumps
System: Built by: 16299.15.amd64fre.rs3_release.170928-1534 in 2 dumps
System: Built by: 16299.431.amd64fre.rs3_release_svc_escrow.180502-1908 in 1 dumps
System: Built by: 17134.1.amd64fre.rs4_release.180410-1804 in 15 dumps
============ Module diff ============
Module: intelpep 3 variants (in 95% dumps)
    count: 3 timestamp: eb730b5b manufactor: Intel
    count: 15 timestamp: 5c331bb5 manufactor: Intel
    count: 1 timestamp: 57899973 manufactor: Intel
Module: intelppm 5 variants (in 100% dumps)
    count: 1 timestamp: 5632d16f manufactor: Intel
    count: 1 timestamp: 578997a3 manufactor: Intel
    count: 2 timestamp: 4e7b113f manufactor: Intel
    count: 15 timestamp: e0024307 manufactor: Intel
    count: 1 timestamp: 8a41cdc6 manufactor: Intel
Module: mcupdate_GenuineIntel 5 variants (in 90% dumps)
    count: 12 timestamp: 7a3d793a manufactor: Intel
    count: 1 timestamp: 57899bb5 manufactor: Intel
    count: 1 timestamp: 65c4658c manufactor: Intel
    count: 3 timestamp: 4488d19 manufactor: Intel
    count: 1 timestamp: 5632d912 manufactor: Intel
```
## Install
* Download source code
* Go to the root directory
* Run command:
```
pip install .
```
dumpdiff is a Python script and is placed in the PYTHONHOME\Scripts directory.
Add that directory to PATH to run dumpdiff from anywhere.
## Dumpdiff command line
```
D:\>dumpdiff --help
Dump diff
usage: dumpdiff [-h] [-f FILE [FILE ...]] [-d DIRECTORY] [-m FILTER] [-v]
                [-r RATE] [-p PROCESSNUMBER]

Compare windows kernel dumps file

optional arguments:
  -h, --help            show this help message and exit
  -f FILE [FILE ...], --files FILE [FILE ...]
                        list of dump files
  -d DIRECTORY, --dir DIRECTORY
                        directory with dump files
  -m FILTER, --module FILTER
                        module filter
  -v, --verbose         verbose output
  -r RATE, --rate RATE  filter dump by rate
  -p PROCESSNUMBER, --processes PROCESSNUMBER
                        load dump on multi core
```
## Module filter
The filter is a valid Python expression. You can filter by a module's name and manufactor.
The default filter is "manufactor != 'Microsoft'".
Filtering by name:
```
dumpdiff -m "name=='WdFilter'"
dumpdiff -m "fnmatch(name, 'Wd*')"
```
Filtering by manufactor:
```
dumpdiff -m "manufactor in ('Realtek', 'Nvidia')"
```
To filter output by rate, give the rate in percent.
```
C:\>dumpdiff -r 75
============ Module diff ============
Module: intelpep 3 variants (in 95% dumps)
    count: 3 timestamp: eb730b5b manufactor: Intel
    count: 15 timestamp: 5c331bb5 manufactor: Intel
    count: 1 timestamp: 57899973 manufactor: Intel
Module: intelppm 5 variants (in 100% dumps)
    count: 1 timestamp: 5632d16f manufactor: Intel
    count: 1 timestamp: 578997a3 manufactor: Intel
    count: 2 timestamp: 4e7b113f manufactor: Intel
    count: 15 timestamp: e0024307 manufactor: Intel
    count: 1 timestamp: 8a41cdc6 manufactor: Intel
```
## Module database
By default dumpdiff gets module info from the localdb\module.py file. You can edit it to add your own information:
```python
moduleDB = r'''
[
    {"name" : "intelppm", "manufactor" : "Intel", "timestamp" : "5b2a879e"},
    {"name" : "intelppm", "manufactor" : "Intel", "timestamp" : "cdd5c2de"},
    {"name" : "intelppm", "manufactor" : "Intel", "timestamp" : "96476b72", "type" : "hardware" },
    {"name" : "tbs", "manufactor" : "Microsoft", "type" : "system" },
    {"name" : "MyOwnDriver.sys", "manufactor" : "MyOwnSystem", "type" : "system" }
]
'''
```
If you have your own database with module information, change config.py so that getModuleInfoProvider() returns your provider instead of the default one:
```python
def getModuleInfoProvider():
    # comment out the default provider
    # from localdb.module import getDefaultModuleInfoProvider
    # return getDefaultModuleInfoProvider()

    # add your own module provider
    class MyModuleInfoProvider(object):
        def __init__(self):
            from pymongo import MongoClient
            self.fileinfo = MongoClient('fileinfo.db', 27017).fileinfo_database.fileinfo

        def getModuleInfo(self, moduleName):
            # look the module up by name in the MongoDB collection
            return self.fileinfo.find_one({"name": moduleName})

    return MyModuleInfoProvider()
```
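The following added example is not dumpdiff's own code; it ties the "Module filter" and "Module database" sections above together in one runnable script. It parses a module database in the localdb\module.py format, exposes it through the same getModuleInfo(moduleName) interface that config.py expects, evaluates a -m filter expression against every module, and applies an -r rate threshold before rendering a report in the README's output layout. Since the README does not describe dumpdiff's internals, three things are assumptions: a dump contributes (name, timestamp) pairs, the manufactor comes from the database, and -r keeps modules found in at least RATE percent of the dumps. The database entries and the dumps are constructed sample data.

```python
import json
from collections import Counter
from fnmatch import fnmatch

# Constructed module database in the localdb\module.py format (sample data).
MODULE_DB = r'''
[
    {"name" : "intelppm", "manufactor" : "Intel", "timestamp" : "5b2a879e"},
    {"name" : "intelppm", "manufactor" : "Intel", "timestamp" : "cdd5c2de"},
    {"name" : "nvlddmkm", "manufactor" : "Nvidia", "type" : "hardware"},
    {"name" : "WdFilter", "manufactor" : "Microsoft", "type" : "system"},
    {"name" : "MyOwnDriver.sys", "manufactor" : "MyOwnSystem", "type" : "system"}
]
'''

# Constructed dumps: each is the list of (module name, timestamp) pairs a dump
# would contribute (assumption about dumpdiff's internal representation).
DUMPS = [
    [("intelppm", "5b2a879e"), ("nvlddmkm", "1a2b3c4d"), ("WdFilter", "0f0f0f0f")],
    [("intelppm", "5b2a879e"), ("nvlddmkm", "4d3c2b1a"), ("WdFilter", "0f0f0f0f")],
    [("intelppm", "cdd5c2de"), ("WdFilter", "0f0f0f0f")],
    [("intelppm", "5b2a879e"), ("rtwlane", "deadbeef"), ("WdFilter", "0f0f0f0f")],
]


class ModuleInfoProvider(object):
    """Provider with the getModuleInfo(moduleName) interface used by config.py,
    backed by the JSON text of a module database."""

    def __init__(self, db_text):
        self.by_name = {}
        # json.loads raises ValueError on a malformed database (e.g. a missing quote),
        # which is better caught here than as a silent 'unknown module' later.
        for entry in json.loads(db_text):
            self.by_name.setdefault(self._key(entry["name"]), []).append(entry)

    @staticmethod
    def _key(name):
        # Case-insensitive match; tolerate a ".sys" suffix in either the database
        # or the dump (assumption: kernel module names are reported without it).
        name = name.lower()
        return name[:-4] if name.endswith(".sys") else name

    def getModuleInfo(self, moduleName, timestamp=None):
        """Return the entry for this name and timestamp, the first entry for the
        name when no timestamp matches, or None when the module is unknown."""
        candidates = self.by_name.get(self._key(moduleName), [])
        for entry in candidates:
            if timestamp is None or entry.get("timestamp") == timestamp:
                return entry
        return candidates[0] if candidates else None


def module_matches(filter_expr, name, manufactor):
    """Evaluate a -m filter expression for one module. The expression sees only
    name, manufactor and fnmatch; builtins are removed so a typo in the filter
    cannot reach other functions (assumption: dumpdiff's own evaluator may differ)."""
    env = {"__builtins__": {}, "fnmatch": fnmatch, "name": name, "manufactor": manufactor}
    return bool(eval(filter_expr, env))


def module_diff(dumps, provider, filter_expr="manufactor != 'Microsoft'", rate=0):
    """Return {name: (percent_of_dumps, Counter{(timestamp, manufactor): count})}
    for modules that pass the filter and occur in at least `rate` percent of dumps."""
    present = Counter()   # number of dumps containing each module
    variants = {}         # name -> Counter of (timestamp, manufactor)
    for dump in dumps:
        seen = set()
        for name, timestamp in dump:
            info = provider.getModuleInfo(name, timestamp) or {}
            manufactor = info.get("manufactor", "Unknown")
            if not module_matches(filter_expr, name, manufactor):
                continue
            if name not in seen:
                present[name] += 1
                seen.add(name)
            variants.setdefault(name, Counter())[(timestamp, manufactor)] += 1
    total = len(dumps)
    result = {}
    for name, count in present.items():
        percent = 100 * count // total
        if percent >= rate:
            result[name] = (percent, variants[name])
    return result


def format_report(diff):
    """Render the diff in the layout of dumpdiff's 'Module diff' section."""
    lines = ["============ Module diff ============"]
    for name in sorted(diff):
        percent, variants = diff[name]
        lines.append("Module: %s %d variants (in %d%% dumps)" % (name, len(variants), percent))
        for (timestamp, manufactor), count in variants.most_common():
            lines.append("    count: %d timestamp: %s manufactor: %s" % (count, timestamp, manufactor))
    return "\n".join(lines)


if __name__ == "__main__":
    provider = ModuleInfoProvider(MODULE_DB)
    print(format_report(module_diff(DUMPS, provider, rate=75)))
```

With the default filter and rate 75 only intelppm survives (it is in all four dumps, with two timestamp variants); nvlddmkm is in half of the dumps and is dropped. The filter string is still a Python expression evaluated at runtime, so the command line that supplies it should be treated as trusted input even with builtins removed.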