Merge pull request #36 from skelsec/main

skelsec · web-flow · commit fe9c5be129ae · 2023-11-21T01:24:26.000-08:00
Main
diff --git a/minidump/_version.py b/minidump/_version.py
@@ -1,5 +1,5 @@
 
-__version__ = "0.0.21"
+__version__ = "0.0.22"
 __banner__ = \
 """
 # minidump %s 
diff --git a/minidump/common_structs.py b/minidump/common_structs.py
@@ -83,15 +83,21 @@ def get_from_rva(rva, buff):
 		buff.seek(rva, 0)
 		ms = MINIDUMP_STRING.parse(buff)
 		buff.seek(pos, 0)
-		return ms.Buffer.decode('utf-16-le')
+		try:
+			return ms.Buffer.decode('utf-16-le')
+		except:
+			return '<STRING_DECODE_FAILED>'
 	
 	@staticmethod
 	async def aget_from_rva(rva, buff):
 		pos = buff.tell()
 		await buff.seek(rva, 0)
 		ms = await MINIDUMP_STRING.aparse(buff)
 		await buff.seek(pos, 0)
-		return ms.Buffer.decode('utf-16-le')
+		try:
+			return ms.Buffer.decode('utf-16-le')
+		except:
+			return '<STRING_DECODE_FAILED>'
 		
 class MinidumpMemorySegment:
 	def __init__(self):
diff --git a/minidump/streams/Memory64ListStream.py b/minidump/streams/Memory64ListStream.py
@@ -26,10 +26,17 @@ def to_bytes(self):
 	@staticmethod
 	def parse(buff):
 		mml = MINIDUMP_MEMORY64_LIST()
+		buffsize = len(buff.read())
+		buff.seek(-buffsize, io.SEEK_CUR)
 		mml.NumberOfMemoryRanges = int.from_bytes(buff.read(8), byteorder = 'little', signed = False)
 		mml.BaseRva = int.from_bytes(buff.read(8), byteorder = 'little', signed = False)
 		for _ in range(mml.NumberOfMemoryRanges):
 			mml.MemoryRanges.append(MINIDUMP_MEMORY_DESCRIPTOR64.parse(buff))
+			
+			#sometimes buggy minidumps have a wrong number of memory ranges, so we need to check if we reached the end of the buffer
+			curpos = buff.tell()
+			if curpos == buffsize:
+				break
 		
 		return mml
 		
diff --git a/minidump/streams/SystemInfoStream.py b/minidump/streams/SystemInfoStream.py
@@ -9,6 +9,48 @@
 import logging
 from minidump.common_structs import *
 
+MINIDUMP_WIN_BUILDNO_TO_VERSION = {
+	103: 'Windows 3.1',
+	102: 'Windows 3.1 - Sparta',
+	528: 'Windiws NT 3.1',
+	300: 'Windows NT 3.11 - Snowball',
+	153: 'Windows 3.2',
+	807: 'Windows NT 3.5',
+	1057: 'Windows NT 3.51',
+	1381: 'Windows NT 4.0',
+	950: 'Windows 95',
+	1998 : 'Windows 98',
+	2222: 'Windows 98 SE',
+	2195: 'Windows 2000',
+	3000: 'Windows ME',
+	2600: 'Windows XP',
+	2700: 'Windows XP - Media Center Edition 2005',
+	2710: 'Windows XP - Media Center Edition 2005 Update Rollup 2',
+	3790: 'Windows XP x64 / Server 2003 / Server 2003 R2',
+	6002: 'Windows Vista / Server 2008',
+	7601: 'Windows 7 / Server 2008 R2',
+	9200: 'Windows 8 / Server 2012',
+	9600: 'Windows 8.1 / Server 2012 R2',
+	10240: 'Windows 10 - 1507',
+	10586: 'Windows 10 - 1511',
+	14393: 'Windows 10 - 1607 / Server 2016',
+	15063: 'Windows 10 - 1703',
+	16299: 'Windows 10 - 1709 / Server 2016',
+	17134: 'Windows 10 - 1803 / Server 2016',
+	17763: 'Windows 10 - 1809 / Server 2019',
+	18362: 'Windows 10 - 1903 / Server 2019',
+	18363: 'Windows 10 - 1909 / Server 2019',
+	19041: 'Windows 10 - 2004 / Server 2019',
+	19042: 'Windows 10 - 20H2 / Server 2019',
+	19043: 'Windows 10 - 21H1',
+	19044: 'Windows 10 - 21H2',
+	19045: 'Windows 10 - 22H2',
+	22000: 'Windows 11 - 21H2',
+	20348: 'Windows Server 2022',
+	22621: 'Windows 11 - 22H2',
+}
+
+
 # https://msdn.microsoft.com/en-us/library/windows/desktop/ms680396(v=vs.85).aspx
 class PROCESSOR_ARCHITECTURE(enum.Enum):
 	AMD64 = 9 #x64 (AMD or Intel)
@@ -191,7 +233,9 @@ def __init__(self):
 		self.OperatingSystem = None
 
 	def guess_os(self):
-		if self.MajorVersion == 10 and self.MinorVersion == 0 and self.ProductType == PRODUCT_TYPE.VER_NT_WORKSTATION:
+		if self.BuildNumber in MINIDUMP_WIN_BUILDNO_TO_VERSION:
+			self.OperatingSystem = MINIDUMP_WIN_BUILDNO_TO_VERSION[self.BuildNumber]
+		elif self.MajorVersion == 10 and self.MinorVersion == 0 and self.ProductType == PRODUCT_TYPE.VER_NT_WORKSTATION:
 			self.OperatingSystem = "Windows 10"
 		elif self.MajorVersion == 10 and self.MinorVersion == 0 and self.ProductType != self.ProductType.VER_NT_WORKSTATION:
 			self.OperatingSystem =  "Windows Server 2016 Technical Preview"
