produce windows compatible dump file from Dom0

produce windows compatible dump file from Dom0

[James Harper]

I'm interested in being able to produce a windows dump file from Dom0,
which would help immensely in tracking down crashes when they happen.
What it would involve is:

. PV driver would need to prepare a crash dump header via Windows API
(in advance, and then at crash dump time if possible), store it in
non-paged memory, and write the PFN out to xenstore
. xc would need to detect a parameter (eg -w), check for the value in
xenstore, then write out that as the header and then write out the rest
of the data in windows dump format. The header could also be detected by
scanning memory (eg if the crash happened before xenbus was able to
start) but would be a bit less reliable.

It might also be possible to manufacture the header from Dom0, but I
can't say for sure.

Does this feature or similar already exist in any incantations of the
dom0 tools?

If not, would it be considered for inclusion into some future version of
xen?

Thanks

James

RE: produce windows compatible dump file from Dom0

[Paul Durrant]

IIRC Tim posted kdd a while ago which should allow generation of crash dumps from the VM without Windows doing anything at all.

  Paul

> -----Original Message-----
> From: xen-devel-bounces@lists.xensource.com [mailto:xen-devel-
> bounces@lists.xensource.com] On Behalf Of James Harper
> Sent: 23 February 2011 11:07
> To: xen-devel@lists.xensource.com
> Subject: [Xen-devel] produce windows compatible dump file from Dom0
> 
> I'm interested in being able to produce a windows dump file from
> Dom0, which would help immensely in tracking down crashes when they
> happen.
> What it would involve is:
> 
> . PV driver would need to prepare a crash dump header via Windows
> API (in advance, and then at crash dump time if possible), store it
> in non-paged memory, and write the PFN out to xenstore . xc would
> need to detect a parameter (eg -w), check for the value in xenstore,
> then write out that as the header and then write out the rest of the
> data in windows dump format. The header could also be detected by
> scanning memory (eg if the crash happened before xenbus was able to
> start) but would be a bit less reliable.
> 
> It might also be possible to manufacture the header from Dom0, but I
> can't say for sure.
> 
> Does this feature or similar already exist in any incantations of
> the
> dom0 tools?
> 
> If not, would it be considered for inclusion into some future
> version of xen?
> 
> Thanks
> 
> James
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel

RE: produce windows compatible dump file from Dom0

[James Harper]

> 
> IIRC Tim posted kdd a while ago which should allow generation of crash
dumps
> from the VM without Windows doing anything at all.
> 

I hadn't seen that. It looks pretty cool.

But I think there is still value in getting a synthesized crash dump out
as I won't necessarily have access to the machines that might be
crashing. It can be done already via 'xm dump-core' and a bit of extra
mucking around, but it would be much easier if I could just ask the user
to do (say) 'xm dump-core -w' and make the resulting dump available to
me.

James

Re: RE: produce windows compatible dump file from Dom0

[David Markey]

[-- Attachment #1.1: Type: text/plain, Size: 981 bytes --]

Hi all,

Did anyone make any progress on this?

I'm interested in getting a Windows memory dump out of a XenServer suspend
image.

Is it even remotely possible?

Thanks,

David


On 23 February 2011 22:15, James Harper <james.harper@bendigoit.com.au>wrote:

> >
> > IIRC Tim posted kdd a while ago which should allow generation of crash
> dumps
> > from the VM without Windows doing anything at all.
> >
>
> I hadn't seen that. It looks pretty cool.
>
> But I think there is still value in getting a synthesized crash dump out
> as I won't necessarily have access to the machines that might be
> crashing. It can be done already via 'xm dump-core' and a bit of extra
> mucking around, but it would be much easier if I could just ask the user
> to do (say) 'xm dump-core -w' and make the resulting dump available to
> me.
>
> James
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
>

[-- Attachment #1.2: Type: text/html, Size: 1646 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Re: RE: produce windows compatible dump file from Dom0

[Tim Deegan]

At 10:54 +0100 on 25 May (1306320891), David Markey wrote:
> Hi all,
> 
> Did anyone make any progress on this?
> 
> I'm interested in getting a Windows memory dump out of a XenServer
> suspend image.
> 
> Is it even remotely possible?

I'm sure it's possible somehow, but it may involve getting your hands
dirty.  You could try:

- Take a copy of the suspend image (if that's possible) as a backup,
  since the next step will destroy it.
- Resume it, _paused_ (xe vm-resume uuid=xxx paused=true, I think).
- Attach kdd to it.  I believe kdd ships in the most recent XenServer.
- Use windbg from another VM to extract a crashdump.  If it's a recent 
  version of Windows kdd may not recognise it, but it can
  probably be taught to.

Disclaimer: I'm not a member of the XenServer engineering or support
teams, and this does _not_ count as a supported feature of XenServer.
This is just random speculation you found on the internet. :)

Cheers,

Tim.

-- 
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd.  (Company #02937203, SL9 0BG)

RE: RE: produce windows compatible dump file from Dom0

[James Harper]

> 
> Hi all,
> 
> Did anyone make any progress on this?
> 
> I'm interested in getting a Windows memory dump out of a XenServer
suspend
> image.
> 
> Is it even remotely possible?
> 

Yes. In order for it to work I believe the DomU needs to call
KeInitializeCrashDumpHeader to place a crash dump header inside the
memory image (eg in NonPagedPool). KeInitializeCrashDumpHeader is
available in 2003sp1 and newer. You can then find that info in the saved
image and use it to build a windows compatible crash dump. There is more
to it than that obviously and I haven't actually done it myself. Ideally
it would be possible to do 'xl wincrashdump -o memory.dmp domu_name' and
have it all happen.

I've BCC'd the guy who wrote a program to do it to see if he can share
it (hope he doesn't mind :)

James

Re: RE: produce windows compatible dump file from Dom0

[Konrad Rzeszutek Wilk]

On Wed, May 25, 2011 at 10:16:06PM +1000, James Harper wrote:
> > 
> > Hi all,
> > 
> > Did anyone make any progress on this?
> > 
> > I'm interested in getting a Windows memory dump out of a XenServer
> suspend
> > image.
> > 
> > Is it even remotely possible?
> > 
> 
> Yes. In order for it to work I believe the DomU needs to call
> KeInitializeCrashDumpHeader to place a crash dump header inside the
> memory image (eg in NonPagedPool). KeInitializeCrashDumpHeader is
> available in 2003sp1 and newer. You can then find that info in the saved
> image and use it to build a windows compatible crash dump. There is more
> to it than that obviously and I haven't actually done it myself. Ideally
> it would be possible to do 'xl wincrashdump -o memory.dmp domu_name' and
> have it all happen.
> 
> I've BCC'd the guy who wrote a program to do it to see if he can share
> it (hope he doesn't mind :)

I am not "the guy", and while "the guy" is working on getting a blanket
OK to release the source (or executable), let me give you some of the
technical details in case you feel inspired to write this yourself.

The process in making a dumpconverter involves finding the windows dump header
in memory and putting it at the beginning of the output file, then taking the
raw domain dump and writing it as is except that the following two ranges need
to be skipped - which can vary from system to system:
   1) the ELF header (by default the first 6 pages of the raw dump)
   2) a range which might be BIOS, which by default in the tool is set to
      pages 0x9F to 0xDF.

Good luck!

Re: RE: produce windows compatible dump file from Dom0

[David Markey]

[-- Attachment #1.1: Type: text/plain, Size: 1875 bytes --]

Hi Konrad,

Sorry for resurrecting,

Did "the guy" manage to get clearance to release the source for this
particular project?


Thanks!

David


On 26 May 2011 13:52, Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> wrote:

> On Wed, May 25, 2011 at 10:16:06PM +1000, James Harper wrote:
> > >
> > > Hi all,
> > >
> > > Did anyone make any progress on this?
> > >
> > > I'm interested in getting a Windows memory dump out of a XenServer
> > suspend
> > > image.
> > >
> > > Is it even remotely possible?
> > >
> >
> > Yes. In order for it to work I believe the DomU needs to call
> > KeInitializeCrashDumpHeader to place a crash dump header inside the
> > memory image (eg in NonPagedPool). KeInitializeCrashDumpHeader is
> > available in 2003sp1 and newer. You can then find that info in the saved
> > image and use it to build a windows compatible crash dump. There is more
> > to it than that obviously and I haven't actually done it myself. Ideally
> > it would be possible to do 'xl wincrashdump -o memory.dmp domu_name' and
> > have it all happen.
> >
> > I've BCC'd the guy who wrote a program to do it to see if he can share
> > it (hope he doesn't mind :)
>
> I am not "the guy", and while "the guy" is working on getting a blanket
> OK to release the source (or executable), let me give you some of the
> technical details in case you feel inspired to write this yourself.
>
> The process in making a dumpconverter involves finding the windows dump
> header
> in memory and putting it at the beginning of the output file, then taking
> the
> raw domain dump and writing it as is except that the following two ranges
> need
> to be skipped - which can vary from system to system:
>   1) the ELF header (by default the first 6 pages of the raw dump)
>   2) a range which might be BIOS, which by default in the tool is set to
>      pages 0x9F to 0xDF.
>
> Good luck!
>

[-- Attachment #1.2: Type: text/html, Size: 2561 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Re: RE: produce windows compatible dump file from Dom0

[Konrad Rzeszutek Wilk]

On Tue, Nov 08, 2011 at 03:15:10PM +0000, David Markey wrote:
> Hi Konrad,
> 
> Sorry for resurrecting,

Oh no trouble.
> 
> Did "the guy" manage to get clearance to release the source for this
> particular project?

Uh, I think we lost track of this. Let me poke "the guy".

> 
> 
> Thanks!
> 
> David
> 
> 
> On 26 May 2011 13:52, Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> wrote:
> 
> > On Wed, May 25, 2011 at 10:16:06PM +1000, James Harper wrote:
> > > >
> > > > Hi all,
> > > >
> > > > Did anyone make any progress on this?
> > > >
> > > > I'm interested in getting a Windows memory dump out of a XenServer
> > > suspend
> > > > image.
> > > >
> > > > Is it even remotely possible?
> > > >
> > >
> > > Yes. In order for it to work I believe the DomU needs to call
> > > KeInitializeCrashDumpHeader to place a crash dump header inside the
> > > memory image (eg in NonPagedPool). KeInitializeCrashDumpHeader is
> > > available in 2003sp1 and newer. You can then find that info in the saved
> > > image and use it to build a windows compatible crash dump. There is more
> > > to it than that obviously and I haven't actually done it myself. Ideally
> > > it would be possible to do 'xl wincrashdump -o memory.dmp domu_name' and
> > > have it all happen.
> > >
> > > I've BCC'd the guy who wrote a program to do it to see if he can share
> > > it (hope he doesn't mind :)
> >
> > I am not "the guy", and while "the guy" is working on getting a blanket
> > OK to release the source (or executable), let me give you some of the
> > technical details in case you feel inspired to write this yourself.
> >
> > The process in making a dumpconverter involves finding the windows dump
> > header
> > in memory and putting it at the beginning of the output file, then taking
> > the
> > raw domain dump and writing it as is except that the following two ranges
> > need
> > to be skipped - which can vary from system to system:
> >   1) the ELF header (by default the first 6 pages of the raw dump)
> >   2) a range which might be BIOS, which by default in the tool is set to
> >      pages 0x9F to 0xDF.
> >
> > Good luck!
> >

RE: RE: produce windows compatible dump file from Dom0

[Paul Durrant]

Can't this now be done using kdd?

  Paul

> -----Original Message-----
> From: Konrad Rzeszutek Wilk [mailto:konrad.wilk@oracle.com]
> Sent: 08 November 2011 15:41
> To: David Markey
> Cc: James Harper; Paul Durrant; xen-devel@lists.xensource.com
> Subject: Re: [Xen-devel] RE: produce windows compatible dump file
> from Dom0
> 
> On Tue, Nov 08, 2011 at 03:15:10PM +0000, David Markey wrote:
> > Hi Konrad,
> >
> > Sorry for resurrecting,
> 
> Oh no trouble.
> >
> > Did "the guy" manage to get clearance to release the source for
> this
> > particular project?
> 
> Uh, I think we lost track of this. Let me poke "the guy".
> 
> >
> >
> > Thanks!
> >
> > David
> >
> >
> > On 26 May 2011 13:52, Konrad Rzeszutek Wilk
> <konrad.wilk@oracle.com> wrote:
> >
> > > On Wed, May 25, 2011 at 10:16:06PM +1000, James Harper wrote:
> > > > >
> > > > > Hi all,
> > > > >
> > > > > Did anyone make any progress on this?
> > > > >
> > > > > I'm interested in getting a Windows memory dump out of a
> > > > > XenServer
> > > > suspend
> > > > > image.
> > > > >
> > > > > Is it even remotely possible?
> > > > >
> > > >
> > > > Yes. In order for it to work I believe the DomU needs to call
> > > > KeInitializeCrashDumpHeader to place a crash dump header
> inside
> > > > the memory image (eg in NonPagedPool).
> KeInitializeCrashDumpHeader
> > > > is available in 2003sp1 and newer. You can then find that info
> in
> > > > the saved image and use it to build a windows compatible crash
> > > > dump. There is more to it than that obviously and I haven't
> > > > actually done it myself. Ideally it would be possible to do
> 'xl
> > > > wincrashdump -o memory.dmp domu_name' and have it all happen.
> > > >
> > > > I've BCC'd the guy who wrote a program to do it to see if he
> can
> > > > share it (hope he doesn't mind :)
> > >
> > > I am not "the guy", and while "the guy" is working on getting a
> > > blanket OK to release the source (or executable), let me give
> you
> > > some of the technical details in case you feel inspired to write
> this yourself.
> > >
> > > The process in making a dumpconverter involves finding the
> windows
> > > dump header in memory and putting it at the beginning of the
> output
> > > file, then taking the raw domain dump and writing it as is
> except
> > > that the following two ranges need to be skipped - which can
> vary
> > > from system to system:
> > >   1) the ELF header (by default the first 6 pages of the raw
> dump)
> > >   2) a range which might be BIOS, which by default in the tool
> is set to
> > >      pages 0x9F to 0xDF.
> > >
> > > Good luck!
> > >

Re: RE: produce windows compatible dump file from Dom0

[David Markey]

[-- Attachment #1.1: Type: text/plain, Size: 3073 bytes --]

Kdd is for live debugging,(I thought)

I'm looking to specifically convert a VM save image(i,e, after suspend)
into a WinDBG compatible image.

It looked like the utility Konrad spoke of could have achieved this.

David



On 8 November 2011 16:20, Paul Durrant <Paul.Durrant@citrix.com> wrote:

> Can't this now be done using kdd?
>
>  Paul
>
> > -----Original Message-----
> > From: Konrad Rzeszutek Wilk [mailto:konrad.wilk@oracle.com]
> > Sent: 08 November 2011 15:41
> > To: David Markey
> > Cc: James Harper; Paul Durrant; xen-devel@lists.xensource.com
> > Subject: Re: [Xen-devel] RE: produce windows compatible dump file
> > from Dom0
> >
> > On Tue, Nov 08, 2011 at 03:15:10PM +0000, David Markey wrote:
> > > Hi Konrad,
> > >
> > > Sorry for resurrecting,
> >
> > Oh no trouble.
> > >
> > > Did "the guy" manage to get clearance to release the source for
> > this
> > > particular project?
> >
> > Uh, I think we lost track of this. Let me poke "the guy".
> >
> > >
> > >
> > > Thanks!
> > >
> > > David
> > >
> > >
> > > On 26 May 2011 13:52, Konrad Rzeszutek Wilk
> > <konrad.wilk@oracle.com> wrote:
> > >
> > > > On Wed, May 25, 2011 at 10:16:06PM +1000, James Harper wrote:
> > > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > Did anyone make any progress on this?
> > > > > >
> > > > > > I'm interested in getting a Windows memory dump out of a
> > > > > > XenServer
> > > > > suspend
> > > > > > image.
> > > > > >
> > > > > > Is it even remotely possible?
> > > > > >
> > > > >
> > > > > Yes. In order for it to work I believe the DomU needs to call
> > > > > KeInitializeCrashDumpHeader to place a crash dump header
> > inside
> > > > > the memory image (eg in NonPagedPool).
> > KeInitializeCrashDumpHeader
> > > > > is available in 2003sp1 and newer. You can then find that info
> > in
> > > > > the saved image and use it to build a windows compatible crash
> > > > > dump. There is more to it than that obviously and I haven't
> > > > > actually done it myself. Ideally it would be possible to do
> > 'xl
> > > > > wincrashdump -o memory.dmp domu_name' and have it all happen.
> > > > >
> > > > > I've BCC'd the guy who wrote a program to do it to see if he
> > can
> > > > > share it (hope he doesn't mind :)
> > > >
> > > > I am not "the guy", and while "the guy" is working on getting a
> > > > blanket OK to release the source (or executable), let me give
> > you
> > > > some of the technical details in case you feel inspired to write
> > this yourself.
> > > >
> > > > The process in making a dumpconverter involves finding the
> > windows
> > > > dump header in memory and putting it at the beginning of the
> > output
> > > > file, then taking the raw domain dump and writing it as is
> > except
> > > > that the following two ranges need to be skipped - which can
> > vary
> > > > from system to system:
> > > >   1) the ELF header (by default the first 6 pages of the raw
> > dump)
> > > >   2) a range which might be BIOS, which by default in the tool
> > is set to
> > > >      pages 0x9F to 0xDF.
> > > >
> > > > Good luck!
> > > >
>

[-- Attachment #1.2: Type: text/html, Size: 4708 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

RE: RE: produce windows compatible dump file from Dom0

[Paul Durrant]

[-- Attachment #1.1: Type: text/plain, Size: 3707 bytes --]

Ah, you want to convert a save image. Kdd could be modified to talk to a save image rather than a live VM (which is something I want to do at some stage, but it's way down my priority list). It would be kind of a shame to have to rely on something in the guest rather than a purely external solution (which kdd offers).

  Paul

From: David Markey [mailto:admin@dmarkey.com]
Sent: 08 November 2011 16:29
To: Paul Durrant
Cc: Konrad Rzeszutek Wilk; James Harper; xen-devel@lists.xensource.com
Subject: Re: [Xen-devel] RE: produce windows compatible dump file from Dom0


Kdd is for live debugging,(I thought)

I'm looking to specifically convert a VM save image(i,e, after suspend) into a WinDBG compatible image.

It looked like the utility Konrad spoke of could have achieved this.

David


On 8 November 2011 16:20, Paul Durrant <Paul.Durrant@citrix.com<mailto:Paul.Durrant@citrix.com>> wrote:
Can't this now be done using kdd?

 Paul

> -----Original Message-----
> From: Konrad Rzeszutek Wilk [mailto:konrad.wilk@oracle.com<mailto:konrad.wilk@oracle.com>]
> Sent: 08 November 2011 15:41
> To: David Markey
> Cc: James Harper; Paul Durrant; xen-devel@lists.xensource.com<mailto:xen-devel@lists.xensource.com>
> Subject: Re: [Xen-devel] RE: produce windows compatible dump file
> from Dom0
>
> On Tue, Nov 08, 2011 at 03:15:10PM +0000, David Markey wrote:
> > Hi Konrad,
> >
> > Sorry for resurrecting,
>
> Oh no trouble.
> >
> > Did "the guy" manage to get clearance to release the source for
> this
> > particular project?
>
> Uh, I think we lost track of this. Let me poke "the guy".
>
> >
> >
> > Thanks!
> >
> > David
> >
> >
> > On 26 May 2011 13:52, Konrad Rzeszutek Wilk
> <konrad.wilk@oracle.com<mailto:konrad.wilk@oracle.com>> wrote:
> >
> > > On Wed, May 25, 2011 at 10:16:06PM +1000, James Harper wrote:
> > > > >
> > > > > Hi all,
> > > > >
> > > > > Did anyone make any progress on this?
> > > > >
> > > > > I'm interested in getting a Windows memory dump out of a
> > > > > XenServer
> > > > suspend
> > > > > image.
> > > > >
> > > > > Is it even remotely possible?
> > > > >
> > > >
> > > > Yes. In order for it to work I believe the DomU needs to call
> > > > KeInitializeCrashDumpHeader to place a crash dump header
> inside
> > > > the memory image (eg in NonPagedPool).
> KeInitializeCrashDumpHeader
> > > > is available in 2003sp1 and newer. You can then find that info
> in
> > > > the saved image and use it to build a windows compatible crash
> > > > dump. There is more to it than that obviously and I haven't
> > > > actually done it myself. Ideally it would be possible to do
> 'xl
> > > > wincrashdump -o memory.dmp domu_name' and have it all happen.
> > > >
> > > > I've BCC'd the guy who wrote a program to do it to see if he
> can
> > > > share it (hope he doesn't mind :)
> > >
> > > I am not "the guy", and while "the guy" is working on getting a
> > > blanket OK to release the source (or executable), let me give
> you
> > > some of the technical details in case you feel inspired to write
> this yourself.
> > >
> > > The process in making a dumpconverter involves finding the
> windows
> > > dump header in memory and putting it at the beginning of the
> output
> > > file, then taking the raw domain dump and writing it as is
> except
> > > that the following two ranges need to be skipped - which can
> vary
> > > from system to system:
> > >   1) the ELF header (by default the first 6 pages of the raw
> dump)
> > >   2) a range which might be BIOS, which by default in the tool
> is set to
> > >      pages 0x9F to 0xDF.
> > >
> > > Good luck!
> > >


[-- Attachment #1.2: Type: text/html, Size: 8167 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Re: RE: produce windows compatible dump file from Dom0

[Tim Deegan]

At 16:28 +0000 on 08 Nov (1320769712), David Markey wrote:
> Kdd is for live debugging,(I thought)

It could be converted to run against a save file -- internally the
windowsy bits are kept separate from the state-access bits so it should
"just" be a matter of writing a new backend that can unfold save files
to get at memory and CPU state. 

For a quicker, uglier fix, you could restore (a copy of) the state file
into a paused VM. :)

kdd needs a bit of care and attention, actually; its internal list of
magic constants will need updating for recent windowses, and it hasn't
been tested against very recent debugger versions.  Sadly, I doubt I'll
have time to spend installing/prodding various windows flavours any time
soon. :(

Tim.

> I'm looking to specifically convert a VM save image(i,e, after suspend)
> into a WinDBG compatible image.
> 
> It looked like the utility Konrad spoke of could have achieved this.
> 
> David
> 
> 
> 
> On 8 November 2011 16:20, Paul Durrant <Paul.Durrant@citrix.com> wrote:
> 
> > Can't this now be done using kdd?
> >
> >  Paul
> >
> > > -----Original Message-----
> > > From: Konrad Rzeszutek Wilk [mailto:konrad.wilk@oracle.com]
> > > Sent: 08 November 2011 15:41
> > > To: David Markey
> > > Cc: James Harper; Paul Durrant; xen-devel@lists.xensource.com
> > > Subject: Re: [Xen-devel] RE: produce windows compatible dump file
> > > from Dom0
> > >
> > > On Tue, Nov 08, 2011 at 03:15:10PM +0000, David Markey wrote:
> > > > Hi Konrad,
> > > >
> > > > Sorry for resurrecting,
> > >
> > > Oh no trouble.
> > > >
> > > > Did "the guy" manage to get clearance to release the source for
> > > this
> > > > particular project?
> > >
> > > Uh, I think we lost track of this. Let me poke "the guy".
> > >
> > > >
> > > >
> > > > Thanks!
> > > >
> > > > David
> > > >
> > > >
> > > > On 26 May 2011 13:52, Konrad Rzeszutek Wilk
> > > <konrad.wilk@oracle.com> wrote:
> > > >
> > > > > On Wed, May 25, 2011 at 10:16:06PM +1000, James Harper wrote:
> > > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > Did anyone make any progress on this?
> > > > > > >
> > > > > > > I'm interested in getting a Windows memory dump out of a
> > > > > > > XenServer
> > > > > > suspend
> > > > > > > image.
> > > > > > >
> > > > > > > Is it even remotely possible?
> > > > > > >
> > > > > >
> > > > > > Yes. In order for it to work I believe the DomU needs to call
> > > > > > KeInitializeCrashDumpHeader to place a crash dump header
> > > inside
> > > > > > the memory image (eg in NonPagedPool).
> > > KeInitializeCrashDumpHeader
> > > > > > is available in 2003sp1 and newer. You can then find that info
> > > in
> > > > > > the saved image and use it to build a windows compatible crash
> > > > > > dump. There is more to it than that obviously and I haven't
> > > > > > actually done it myself. Ideally it would be possible to do
> > > 'xl
> > > > > > wincrashdump -o memory.dmp domu_name' and have it all happen.
> > > > > >
> > > > > > I've BCC'd the guy who wrote a program to do it to see if he
> > > can
> > > > > > share it (hope he doesn't mind :)
> > > > >
> > > > > I am not "the guy", and while "the guy" is working on getting a
> > > > > blanket OK to release the source (or executable), let me give
> > > you
> > > > > some of the technical details in case you feel inspired to write
> > > this yourself.
> > > > >
> > > > > The process in making a dumpconverter involves finding the
> > > windows
> > > > > dump header in memory and putting it at the beginning of the
> > > output
> > > > > file, then taking the raw domain dump and writing it as is
> > > except
> > > > > that the following two ranges need to be skipped - which can
> > > vary
> > > > > from system to system:
> > > > >   1) the ELF header (by default the first 6 pages of the raw
> > > dump)
> > > > >   2) a range which might be BIOS, which by default in the tool
> > > is set to
> > > > >      pages 0x9F to 0xDF.
> > > > >
> > > > > Good luck!
> > > > >
> >

> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel