From 7f02510762ba2fee6c3536ef24c4ac376014c90f Mon Sep 17 00:00:00 2001
From: Sabhya <89577007+5h4rrK@users.noreply.github.com>
Date: Sat, 14 Dec 2024 18:10:22 +0530
Subject: [PATCH] patterns: Added dmp64.hexpat and test files (#331)
* [+] Added dmp64.hexpat && test files
* Fix encoding of pattern file
---------
Co-authored-by: Nik
---
 README.md | 1 +
 patterns/dmp64.hexpat | 102 ++++++++++++++++++++++
 tests/patterns/test_data/dmp64.hexpat.bin | Bin 0 -> 16384 bytes
 3 files changed, 103 insertions(+)
 create mode 100644 patterns/dmp64.hexpat
 create mode 100644 tests/patterns/test_data/dmp64.hexpat.bin
diff --git a/README.md b/README.md
index aa5a783..909522f 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ Everything will immediately show up in ImHex's Content Store and gets bundled wi
 | DEX | | [`patterns/dex.hexpat`](patterns/dex.hexpat) | Dalvik EXecutable Format |
 | DICOM | `application/dicom` | [`patterns/dicom.hexpat`](patterns/dicom.hexpat) | DICOM image format |
 | DMG | | [`patterns/dmg.hexpat`](patterns/dmg.hexpat) | Apple Disk Image Trailer (DMG) |
+| DMP | | [`patterns/dmp64.hexpat`](patterns/dmp64.hexpat) | Windows Kernel Dump(DMP64) |
 | DPAPI_Blob | | [`patterns/dpapblob.hexpat`](patterns/dpapiblob.hexpat) | Data protection API Blob File Format |
 | DPAPI_MasterKey | | [`patterns/dpapimasterkey.hexpat`](patterns/dpapimasterkey.hexpat) | Data protection API MasterKey |
 | DS_Store | | [`patterns/dsstore.hexpat`](patterns/dsstore.hexpat) | .DS_Store file format |
diff --git a/patterns/dmp64.hexpat b/patterns/dmp64.hexpat
new file mode 100644
index 0000000..f70fb12
--- /dev/null
+++ b/patterns/dmp64.hexpat
@@ -0,0 +1,102 @@
+#pragma magic [50 41 47 45] // PAGE
+#pragma author "5h4rrK"
+#pragma description "KERNEL DUMP"
+
+import std.core;
+import std.io;
+import std.array;
+
+#define COMMENT_SIZE 0x80
+
+fn format_values(auto val){
+ return std::format("{:#x}", val);
+};
+
+fn format_size_values(auto val){
+ return std::format(
+ "{:#x} ({}) ",
+ val,
+ std::format("{:#x}",val * 0x1000)
+ );
+
+};
+
+union DUMP_FILE_ATTRIBUTES {
+ u32 bitfields[[name("BitFields")]];
+ u32 attributes[[name("Attributes")]];
+};
+
+enum DUMP_TYPE : u32 {
+ FULL_DUMP = 0x01,
+ BITMAP_DUMP = 0x05
+};
+
+struct EXCEPTION_RECORD64
+{
+ u32 exception_code[[name("ExceptionCode"), format("format_values")]];
+ u32 exception_flags[[name("ExceptionFlags"), format("format_values")]];
+ u64 exception_record[[name("ExceptionRecord"), format("format_values")]];
+ u64 exception_address[[name("ExceptionAddress"), format("format_values")]];
+ u32 number_parameters[[name("NumberParameters"), format("format_values")]];
+ u32 unused_alignment[[name("Alignment"), format("format_values")]];
+ u64 exception_information[15][[name("ExceptionInformation")]];
+};
+
+struct PHYSICAL_MEMORY_RUN64 {
+ u64 base_page [[ name("BasePage"), format("format_size_values"), comment("StartOffset = BasePage * PageSize")]];
+ u64 page_count[[ name("PageCount"),format("format_size_values"), comment("Length = PageCount * PageSize")]];
+}[[name("PHYSICAL_MEMORY_RUN_ENTRY")]];
+
+struct PHYSICAL_MEMORY_DESCRIPTOR64 {
+ u32 no_of_runs [[name("NumberOfRuns")]];
+ char description[4][[name("Description")]];
+ u64 no_of_pages[[name("NumberOfPages"),format("format_values")]];
+ // PHYSICAL_MEMORY_RUN64 pmr64[no_of_runs] [[name("PHYSICAL_MEMORY_RUN64")]];
+ std::Array pmrObjs[[name("PHYSICAL_MEMORY_RUN64")]];
+
+};
+
+struct DUMP_HEADER64 {
+ char signature[4][[name("Signature")]];
+ char validdump[4][[name("ValidDump")]];
+ u32 major_version[[name("MajorVersion")]];
+ u32 minor_version[[name("MinorVersion")]];
+ u64 dtb [[name("DirectoryBaseTable"),format("format_values")]];
+ u64 pfn [[name("PfnDataBase"), format("format_values")]];
+ u64 ploadedmodulelist [[name("PsLoadedModuleList"), format("format_values")]];
+ u64 pactiveprocesshead [[name("PsActiveProcessHead"), format("format_values")]];
+ u32 machine_type [[name("MachineImageType"), format("format_values")]];
+ u32 processor_counts [[name("ProcessorsCount")]];
+ u32 bug_check [[name("BugCheckCode"), format("format_values")]];
+ u32 bug_check_code_desc[[name("BugCheckCodeDescription"), format("format_values")]];
+ u64 bug_check_param1[[name("BugCheckCodeParameter1"), format("format_values")]];
+ u64 bug_check_param2[[name("BugCheckCodeParameter2"), format("format_values")]];
+ u64 bug_check_param3[[name("BugCheckCodeParameter3"), format("format_values")]];
+ u64 bug_check_param4[[name("BugCheckCodeParameter4"), format("format_values")]];
+ char version_user[0x20][[name("VersionUser")]];
+ u64 kdbg[[name("KdDebuggerDataBlock"), format("format_values")]];
+ PHYSICAL_MEMORY_DESCRIPTOR64 phys_mem_desc[[name("PHYSICAL_MEMORY_DESCRIPTOR64")]];
+ char mem_block_buffer[0x260][[name("PhysicalMemoryBlockBuffer")]];
+ char context_record[0xbb8][[name("ContextRecord")]];
+ EXCEPTION_RECORD64 excr[[name("EXCEPTION_RECORD64")]];
+ DUMP_TYPE dmp_type[[name("DumpType")]];
+ char desc1[4][[name("Description")]];
+ u64 req_dump_space[[name("RequiredDumpSpace"), format("format_values")]];
+ u64 sys_time[[name("SystemTime"), format("format_values")]];
+ char comment[COMMENT_SIZE][[name("Comment")]];
+ u64 sys_up_time[[name("SystemUpTime"), format("format_values")]];
+ u32 min_dmp_fields[[name("MiniDumpFields"), format("format_values")]];
+ u32 sec_data_state[[name("SecondaryDataState"), format("format_values")]];
+ u32 product_type[[name("ProductType"), format("format_values")]];
+ u32 suite_mask[[name("SuiteMask"), format("format_values")]];
+ u32 writer_status[[name("WriterStatus"), format("format_values")]];
+ char unused1[[name("Unused1")]];
+ char secondary_version[[name("KdSecondaryVersion")]];
+ char unused2[2][[name("Unused2")]];
+ DUMP_FILE_ATTRIBUTES dfa[[name("DUMP_FILE_ATTRIBUTES")]];
+ u32 boot_id[[name("BootId")]];
+ char reserved[0xfa8][[name("Reserved")]];
+
+};
+
+DUMP_HEADER64 dmp @0x00 [[name("DumpHeader")]];
diff --git a/tests/patterns/test_data/dmp64.hexpat.bin b/tests/patterns/test_data/dmp64.hexpat.bin
new file mode 100644
index 0000000000000000000000000000000000000000..14f9ba424ffa5a9d173c6d1560c102ee61d372ad
GIT binary patch
literal 16384
zcmeGiOKenC^t_o$OAtH3O=D08O(v)dr=``Ri42B9G`1aWi)^G5M1_UP+pxfx@N`iV
zTsSl=T#;EBS&+<$^JY3J(>EodEuQ;w@44sP
zbMC$Gp3l8+?i9D~7}z%ULT@Jky!SdlDtruUE?teH>Qm>QXrGOuO6eztdnW+euz7In
z=x7mT2Zx7;he3~N9YAvb1
z1~=Ldbp8-UL74lI{0Yk9SLN$M_xDV)pK0$Zr+5%{d{1)fcS^6}C%>WgKW|EZkm)~5
z_=k@kf0p9Ip&Fx#GNgB0o@rotPRnLxE3gb!z+(QwG2hn6*2rwYY`|<_<=Oy#Mh5QF
zl6PG_&l0kfdZjth_z=t-;)&%xf9I?9m%OE%6OFz7;Kv`(w|exj%#Y@o!9wTNg*Z0F
zxY7--TpuyrneNO6%m&N`%m&N`%m&N`%m&N`%m&N`R=y3mYjpf#p9ucQ;3eKFkADtH
zb4effe?Lz5dwL^ZqhFmv7b)Z~V8)c?5+LTUd@cM1*U&1+^sz+b5@fDPe||^YQ#y#E
zS^Pa`;wH^kQa#S^S`_~2eID~oZTW@&*P#5Z!eUCsyW7oe<%^fO|HAJt-qScbubiv&
zuj?sOwfp(D-{|Ufe|W3+Hm(iP3YhU<4<7wav)Gh%?{zo%NjS<)yBuFJf8<-fcXk3h
zVE~3;90u`jdpnFm4z?j>CsKN$8}j(%uw@Khjp;nxhJ549Ayg>=
z#~8uh$6>#FYP<)a{?YfCStI&Z*pU|f{a^h+*CmFTxF!||J0;KDhy4ngbAe&v5Fp@Mk|0
zy2=HoM6PmDVBq@E_VDc>DMN^bq85AJs78&QFd4@DU-+cp30(Ci!}XPEiVK|L*;gZgo%U#=Csht6I$
zI=pco&Hgi2pGnq&dHO_eF@LY%;YY7D)mzNJ$O`G3l0v8oUdhV3D+Gtf5ZPiKiAbVS
z^`3X@=fC96wQk(S>XS~f3!iKExDzhM3+KP;&$Ew+ejhY_dTw1WJ}vrG*za(Kq`Z64
zCptfW@0I#QpE~aS&}Vld%Uc?zcQ;Paz=sXmI+z`pA6Oi)IAC$W;()~givt!1EDl&4
NusC3G;K7Xp{{h2wLiPXv
literal 0
HcmV?d00001
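Review bot: `char mem_block_buffer[0x260]` in DUMP_HEADER64 is a fixed size placed after a variable-length phys_mem_desc, so ContextRecord only lands at its real offset (0x348 in the Windows DUMP_HEADER64 layout) when NumberOfRuns is exactly 5 — assuming pmrObjs holds no_of_runs 16-byte entries as the commented-out declaration above it suggests — and any dump with a different run count shifts ContextRecord, EXCEPTION_RECORD64, DumpType and every later field. The descriptor-plus-buffer region is 0x2C0 bytes in that layout, so size the buffer from the run count instead, e.g. `char mem_block_buffer[0x2B0 - 0x10 * phys_mem_desc.no_of_runs][[name("PhysicalMemoryBlockBuffer")]];`. A corrupted or hostile header with NumberOfRuns above 43 would make that size negative, so reject it before the buffer rather than letting the array length wrap, e.g. `std::assert(phys_mem_desc.no_of_runs <= 43, "NumberOfRuns out of range");`. `std::Array pmrObjs` carries no template arguments on this page, which reads as extraction loss rather than a defect in the commit, but is worth confirming against the committed file.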