Metadata-Version: 2.4
Name: minidump-analyzer
Version: 0.1.0
Summary: 纯 Python 零依赖 Windows MiniDump 内存转储解析器 | Pure-Python parser for Windows MiniDump (.dmp) files
Author: Song Shiyu (宋诗雨)
License: MIT
Project-URL: Homepage, https://github.com/songshiyu777/minidump-analyzer
Project-URL: Repository, https://github.com/songshiyu777/minidump-analyzer
Keywords: minidump,windows,debugging,crash-dump,memory-forensics,reverse-engineering,内存转储,崩溃分析,逆向工程,Windows调试,dump解析
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Software Development :: Debuggers
Classifier: Topic :: System :: Operating System
Classifier: Operating System :: OS Independent
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Provides-Extra: dev
Requires-Dist: pytest; extra == "dev"
Requires-Dist: pytest-cov; extra == "dev"
Dynamic: license-file

# MiniDump Analyzer · Windows Memory Dump Analyzer

> A pure-Python, zero-dependency parser for Windows MiniDump (.dmp) files. No Windows system required; it also works on Linux/macOS.
> Inspect crash dumps, list loaded modules, browse memory regions, search for strings, and export memory, all from the command line.

A **pure-Python**, **zero-dependency** parser for Windows MiniDump (`.dmp`) files. Works on **Linux, macOS, and Windows**.

Inspect crash dumps, list loaded modules, explore memory regions, search for strings, and export memory — all from the command line.

## Features

- **Cross-platform** — no Windows API needed, parses the binary format directly
- **Zero dependencies** — only the Python standard library
- **Command-line interface** with subcommands for common tasks
- **Python API** for programmatic use
- Supports both 32-bit and 64-bit MiniDump formats
- Handles large dumps (tested with 400MB+ files)

## Installation

```bash
pip install git+https://github.com/songshiyu777/minidump-analyzer.git
```

Or clone and install locally:

```bash
git clone https://github.com/songshiyu777/minidump-analyzer.git
cd minidump-analyzer
pip install -e .
```

## Quick Start

```bash
# Overview of a dump file
minidump-analyzer info crash.dmp

# List all loaded modules (DLLs, EXE)
minidump-analyzer modules crash.dmp

# List loaded modules with size info
minidump-analyzer modules -v crash.dmp

# Show all memory ranges
minidump-analyzer memory crash.dmp

# Show only ranges >= 1 MB
minidump-analyzer memory --min-size 1M crash.dmp

# Show detailed memory info (protection, state, type)
minidump-analyzer meminfo crash.dmp

# List threads with register context
minidump-analyzer threads crash.dmp

# List all streams in the dump
minidump-analyzer streams crash.dmp

# Search memory for a string
minidump-analyzer search "perform_key_validation" crash.dmp

# Export a memory region to a file
minidump-analyzer export --address 0x140000000 --size 4096 --output code.bin crash.dmp
```

### Example output

```
$ minidump-analyzer info dump.dmp

File        : dump.dmp
File size   : 426.1 MB
Signature   : MDMP (0x504D444D)
Version     : 0xA793
Streams     : 18
Flags       : 0x0000000000000000

Arch        : AMD64 (x86_64)
OS          : Windows NT 10.0.19041
CPU count   : 8
CPU level   : 6

Modules     : 91
Mem regions : 736
Threads     : 42
Total memory: 421.7 MB

Streams:
   THREAD_LIST               size=      840 B  rva=0x00000A20
   MODULE_LIST               size=      3.8 KB  rva=0x00000D98
   MEMORY_64_LIST            size=      5.8 KB  rva=0x00002420
 * SYSTEM_INFO               size=       56 B  rva=0x000003F4
 * MEMORY_INFO_LIST          size=     14.6 KB  rva=0x000023C0
   ...
```

```
$ minidump-analyzer modules dump.dmp

0x0000000140000000  鸡之巅.exe
0x00007FF8E2000000  ntdll.dll
0x00007FF8E0000000  kernel32.dll
0x00007FF8DE000000  kernelbase.dll
0x00007FF8C4000000  python310.dll
...
```

```
$ minidump-analyzer meminfo dump.dmp

0x0000000140000000    289.1 MB     EXECUTE_READWRITE    COMMIT    IMAGE
0x000000014C7EF000     42.1 MB              READWRITE    COMMIT   MAPPED
0x000000014EFEE000     22.0 MB     EXECUTE_READWRITE    COMMIT   MAPPED
...
```

## Python API

```python
from minidump_analyzer import MiniDumpParser

with MiniDumpParser("crash.dmp") as dump:
    # System info
    sysinfo = dump.get_system_info()
    print(f"OS: {sysinfo.os_version}, Arch: {sysinfo.arch_name}")

    # List all loaded modules
    for mod in dump.get_modules():
        print(f"0x{mod.base_of_image:016X}  {mod.module_name}")

    # Iterate memory ranges
    for r in dump.get_memory_ranges():
        print(f"0x{r.start:016X}-0x{r.end:016X}  {r.size:>10,d} bytes")

    # Search for a string across all memory
    for va, ctx in dump.search("key_validation"):
        print(f"Found at 0x{va:016X}")

    # Read memory at a virtual address
    data = dump.read_va(0x140000000, 256)

    # Read raw data at an RVA
    data = dump.read_rva(0x1000, 512)
```

## Supported Stream Types

| Stream | Type | Parsed |
|--------|------|--------|
| ThreadList | 3 | Full (TID, register context on x64) |
| ModuleList | 4 | Full (base, size, name) |
| MemoryList | 5 | Full (32-bit ranges) |
| SystemInfo | 7 | Full (arch, OS version, CPU) |
| Memory64List | 9 | Full (64-bit ranges) |
| MemoryInfoList | 16 | Full (protection, state, type) |
| ThreadInfoList | 17 | Basic |
| Other streams | — | Raw data accessible via `read_stream()` |
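As an added illustration of the on-disk format this tool parses (example code written for this page, not part of the minidump-analyzer project), the stdlib-only snippet below walks a MiniDump header and stream directory using the stream type numbers from the table above, decodes the leading fields of a `SYSTEM_INFO` stream into the values the `info` command prints, and bounds-checks every RVA before using it, since a crash dump is untrusted input. The sample dump bytes are constructed inline.

```python
import struct
MDMP_SIGNATURE = 0x504D444D  # "MDMP" read as a little-endian ULONG32, as in the info output
HEADER_FMT = "<IIIIIIQ"      # MINIDUMP_HEADER (32 bytes): Signature, Version, NumberOfStreams,
                             # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIRECTORY_FMT = "<III"       # MINIDUMP_DIRECTORY (12 bytes): StreamType, DataSize, Rva
STREAM_NAMES = {3: "THREAD_LIST", 4: "MODULE_LIST", 5: "MEMORY_LIST", 7: "SYSTEM_INFO",
                9: "MEMORY_64_LIST", 16: "MEMORY_INFO_LIST", 17: "THREAD_INFO_LIST"}
ARCH_NAMES = {0: "x86", 9: "AMD64"}  # PROCESSOR_ARCHITECTURE_INTEL / _AMD64

def parse_directory(data: bytes) -> list:
    """Return [(stream name, size, rva)], refusing any location outside the file."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("too short for MINIDUMP_HEADER")
    sig, _ver, nstreams, dir_rva, _csum, _ts, _flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError(f"bad signature 0x{sig:08X}")
    if dir_rva + nstreams * 12 > len(data):
        raise ValueError("stream directory runs past end of file")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, data, dir_rva + i * 12)
        if rva + size > len(data):  # never trust an RVA from the dump without a bounds check
            raise ValueError(f"stream type {stype} at rva=0x{rva:X} overruns the file")
        streams.append((STREAM_NAMES.get(stype, f"UNKNOWN_{stype}"), size, rva))
    return streams

def parse_system_info(data: bytes, rva: int) -> dict:
    """Decode the leading fields of MINIDUMP_SYSTEM_INFO (arch, CPU level/count, OS build)."""
    if rva + 56 > len(data):  # the full structure is 56 bytes
        raise ValueError("SYSTEM_INFO overruns the file")
    arch, level, _rev, ncpu, _ptype, major, minor, build = struct.unpack_from("<HHHBBIII", data, rva)
    return {"arch": ARCH_NAMES.get(arch, f"arch_{arch}"), "cpu_level": level,
            "cpu_count": ncpu, "os": f"Windows NT {major}.{minor}.{build}"}

def is_well_formed(data: bytes) -> bool:
    try:
        parse_directory(data)
        return True
    except (ValueError, struct.error):
        return False

def build_sample_dump() -> bytes:
    """Constructed 116-byte sample: header, 2-entry directory, 56-byte SYSTEM_INFO, empty THREAD_LIST."""
    sysinfo = struct.pack("<HHHBBIIIIIHH", 9, 6, 0, 8, 1, 10, 0, 19041, 2, 0, 0, 0) + bytes(24)
    thread_list = struct.pack("<I", 0)  # NumberOfThreads = 0
    dir_rva, sysinfo_rva, thread_rva = 32, 32 + 2 * 12, 32 + 2 * 12 + len(sysinfo)
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, 2, dir_rva, 0, 0, 0)
    directory = (struct.pack(DIRECTORY_FMT, 3, len(thread_list), thread_rva)
                 + struct.pack(DIRECTORY_FMT, 7, len(sysinfo), sysinfo_rva))
    return header + directory + sysinfo + thread_list
```

Running `parse_directory(build_sample_dump())` yields the same stream names, sizes and RVAs the `streams` command prints; truncating the sample or corrupting its signature makes `is_well_formed` return `False` instead of letting a bad RVA reach `unpack_from`.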

## License

MIT — see [LICENSE](LICENSE) for details.
