ussrhero committed
# DUMPDIFF

DumpDiff is a pykd-based tool for batch handling of Windows kernel dumps: it loads many dumps and reports how their OS builds, loaded modules and crash codes differ.


Output example:
```
D:\>dumpdiff -r 75

Dump diff

Started analyze at 2018/08/24  15:57
parsed 20 dumps in 2 sec


Module filter: "not manufactor in ("Microsoft")"

============  OS diff  ===============
System: Built by: 10586.672.amd64fre.th2_release_sec.161024-1825 in 1 dumps
System: Built by: 14393.1358.amd64fre.rs1_release.170602-2252 in 1 dumps
System: Built by: 16299.15.amd64fre.rs3_release.170928-1534 in 2 dumps
System: Built by: 16299.431.amd64fre.rs3_release_svc_escrow.180502-1908 in 1 dumps
System: Built by: 17134.1.amd64fre.rs4_release.180410-1804 in 15 dumps

============  Module diff  ============
Module: intelpep   3 variants  (in 95% dumps)
        count: 3   timestamp: eb730b5b  manufactor: Intel
        count: 15   timestamp: 5c331bb5  manufactor: Intel
        count: 1   timestamp: 57899973  manufactor: Intel
Module: intelppm   5 variants  (in 100% dumps)
        count: 1   timestamp: 5632d16f manufactor: Intel
        count: 1   timestamp: 578997a3 manufactor: Intel
        count: 2   timestamp: 4e7b113f manufactor: Intel
        count: 15   timestamp: e0024307 manufactor: Intel
        count: 1   timestamp: 8a41cdc6 manufactor: Intel
Module: mcupdate_GenuineIntel   5 variants  (in 90% dumps)
        count: 12   timestamp: 7a3d793a manufactor: Intel
        count: 1   timestamp: 57899bb5 manufactor: Intel
        count: 1   timestamp: 65c4658c manufactor: Intel
        count: 3   timestamp: 4488d19 manufactor: Intel
        count: 1   timestamp: 5632d912 manufactor: Intel

```

## Install

* Download the source code
* Go to the root directory
* Run the command:
```
pip install .
```

dumpdiff is a Python script and is placed in the PYTHONHOME\Scripts directory.
Add that directory to PATH to run dumpdiff from anywhere.

## Dumpdiff command line

```
D:\>dumpdiff --help

Dump diff

usage: dumpdiff [-h] [-f FILE [FILE ...]] [-d DIRECTORY] [-m FILTER] [-v]
                [-r RATE] [-p PROCESSNUMBER]

Compare windows kernel dumps file

optional arguments:
  -h, --help            show this help message and exit
  -f FILE [FILE ...], --files FILE [FILE ...]
                        list of dump files
  -d DIRECTORY, --dir DIRECTORY
                        directory with dump files
  -m FILTER, --module FILTER
                        module filter
  -v, --verbose         verbose output
  -r RATE, --rate RATE  filter dump by rate
  -p PROCESSNUMBER, --processes PROCESSNUMBER
                        load dump on multi core

```

## Module filter

The filter is a valid Python expression. Modules can be filtered by name and by manufactor (the vendor field in the module database).
The default filter is "manufactor != 'Microsoft'".

Filtering by name:
```
dumpdiff -m "name=='WdFilter'"
dumpdiff -m "fnmatch(name, 'Wd*')"
```

Filtering by manufactor:
```
dumpdiff -m "manufactor in ('Realtek', 'Nvidia')"
```

To filter output by rate, specify the rate in percent:
```
C:\>dumpdiff -r 75

============  Module diff  ============
Module: intelpep   3 variants  (in 95% dumps)
        count: 3   timestamp: eb730b5b  manufactor: Intel
        count: 15   timestamp: 5c331bb5  manufactor: Intel
        count: 1   timestamp: 57899973  manufactor: Intel
Module: intelppm   5 variants  (in 100% dumps)
        count: 1   timestamp: 5632d16f manufactor: Intel
        count: 1   timestamp: 578997a3 manufactor: Intel
        count: 2   timestamp: 4e7b113f manufactor: Intel
        count: 15   timestamp: e0024307 manufactor: Intel
        count: 1   timestamp: 8a41cdc6 manufactor: Intel

```

To turn module filter off:

```
C:\>dumpdiff -m off
```

## Crash info filter

The crash filter is also a valid Python expression. Dumps can be filtered by the bug check code.

To filter dumps by the bug check code (the filter is a Python expression, so the comparison uses ==):

```
C:\>dumpdiff -m off -c "bugCheckCode==0x133"

Module diff: off
Crash filter: "bugCheckCode==0x133"


============  Crash diff  ============
BugCheck Code: 133 in 100% dumps

```

## Module database

By default dumpdiff reads module info from the localdb\module.py file. You can edit it to add your own information:
```python
moduleDB = r'''
[
{"name" : "intelppm", "manufactor" : "Intel", "timestamp" : "5b2a879e"},
{"name" : "intelppm", "manufactor" : "Intel", "timestamp" : "cdd5c2de"},
{"name" : "intelppm", "manufactor" : "Intel", "timestamp" : "96476b72", "type" : "hardware" },
{"name" : "tbs", "manufactor" : "Microsoft", "type" : "system" },

{"name" : "MyOwnDriver.sys",  "manufactor" : "MyOwnSystem", "type" : "system" }
]
'''

```

If you have your own database with module information, change config.py:

```python
def getModuleInfoProvider():
    # comment this out
    # from localdb.module import getDefaultModuleInfoProvider
    # return getDefaultModuleInfoProvider()

    # add your module provider
    class MyModuleInfoProvider(object):

        def __init__(self):
            from pymongo import MongoClient
            # connect to the MongoDB host 'fileinfo.db' and use the fileinfo_database.fileinfo collection
            self.fileinfo = MongoClient('fileinfo.db', 27017).fileinfo_database.fileinfo

        def getModuleInfo(self, moduleName):
            # return the stored record for this module name, or None if it is unknown
            return self.fileinfo.find_one({"name": moduleName})

    return MyModuleInfoProvider()
```
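As an added example (not part of the DumpDiff project's code), the following reimplements in plain Python what the Module filter and Module database sections describe: a name lookup against a module database in the localdb\module.py shape, evaluation of a -m filter expression over name and manufactor with fnmatch available, and the per-module variant and rate aggregation behind the Module diff output. It assumes -r keeps modules present in at least the given percentage of dumps (consistent with the -r 75 output shown earlier); the database entries and dump records are constructed sample data.

```python
import json
from collections import defaultdict
from fnmatch import fnmatch

# Constructed module database in the shape of localdb\module.py (not the project's data).
MODULE_DB = json.loads('''[
{"name": "intelppm", "manufactor": "Intel", "timestamp": "5632d16f"},
{"name": "intelppm", "manufactor": "Intel", "timestamp": "e0024307"},
{"name": "WdFilter", "manufactor": "Microsoft", "type": "system"},
{"name": "rt640x64", "manufactor": "Realtek"}
]''')

# Constructed stand-in for what pykd would read from 4 dumps: (module name, timestamp) per dump.
DUMPS = [
    [("intelppm", "5632d16f"), ("WdFilter", "aaaa0001")],
    [("intelppm", "e0024307"), ("WdFilter", "aaaa0001"), ("rt640x64", "bbbb0002")],
    [("intelppm", "e0024307"), ("WdFilter", "aaaa0002")],
    [("intelppm", "e0024307"), ("rt640x64", "bbbb0002")],
]

def get_module_info(name):
    """Same contract as the README's getModuleInfo(moduleName): look a module up by name."""
    return next((m for m in MODULE_DB if m["name"] == name),
                {"name": name, "manufactor": "unknown"})

def module_matches(filter_expr, info):
    """Evaluate a -m filter: a Python expression over `name`, `manufactor` and fnmatch(). Builtins
    are removed so only those names resolve; this is not a sandbox, the filter is the operator's own input."""
    if filter_expr == "off":
        return True
    scope = {"__builtins__": {}, "fnmatch": fnmatch,
             "name": info["name"], "manufactor": info.get("manufactor")}
    return bool(eval(filter_expr, scope))

def module_diff(dumps, filter_expr="manufactor != 'Microsoft'", rate=0):
    """Return {module: (percent of dumps containing it, {timestamp: count})} for modules
    that pass the filter and appear in at least `rate` percent of dumps (the -r threshold)."""
    seen_in = defaultdict(set)
    variants = defaultdict(lambda: defaultdict(int))
    for idx, modules in enumerate(dumps):
        for name, timestamp in modules:
            seen_in[name].add(idx)
            variants[name][timestamp] += 1
    result = {}
    for name, idxs in seen_in.items():
        percent = 100 * len(idxs) // len(dumps)
        if percent >= rate and module_matches(filter_expr, get_module_info(name)):
            result[name] = (percent, dict(variants[name]))
    return result
```

With the default filter, module_diff(DUMPS) reports intelppm (100%, two variants) and rt640x64 (50%) and drops the Microsoft WdFilter; adding rate=75 leaves only intelppm, matching how the -r 75 run above hides rarely seen modules.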