Crash Dumps of 32bit and 64bit versions of Microsoft Windows differ significantly. Because the market share of 64bit machines increases steadily, I decided to update my post on the Crash Dump (DMP) format.
A first and significant difference will catch your eye as soon as you look at a 64bit crash dump in a hex editor: instead of "PAGEDUMP", the file now starts with a "PAGEDU64" signature.

Not surprisingly, addresses are now 64 bits wide, so some fields have shifted in comparison to the 32bit header.

| Offset | Type | Field | Remarks |
|---|---|---|---|
| 0x000 | char | Signature[4] | 'PAGE' |
| 0x004 | char | ValidDump[4] | 'DU64' |
| 0x008 | uint32 | MajorVersion | |
| 0x00c | uint32 | MinorVersion | Windows build no. |
| 0x010 | uint64 | DirectoryTableBase | |
| 0x018 | uint64 | PfnDataBase | |
| 0x020 | uint64 | PsLoadedModuleList | |
| 0x028 | uint64 | PsActiveProcessHead | |
| 0x030 | uint32 | MachineImageType | |
| 0x034 | uint32 | NumberProcessors | |
| ... | | | |
| 0x088 | char | PhysicalMemoryBlock[0x80] | |
| ... | | | |
| 0xf98 | uint32 | DumpType | 1 = full dump, 2 = kernel dump (smaller) |
| ... | | | |
| 0xfa0 | int64 | SystemUpTime | measured in units of 100 ns |
| 0xfa8 | int64 | SystemTime | FILETIME |

The PhysicalMemoryBlock now contains up to 7 runs (in contrast to 4 in the 32bit format).

```c
typedef struct {
    uint64 BasePage;   // first page of the run
    uint64 PageCount;  // number of pages in the run
} _PHYSICAL_MEMORY_RUN64;

typedef struct {
    uint64 NumberOfRuns;
    uint64 NumberOfPages;
    _PHYSICAL_MEMORY_RUN64 Run[NumberOfRuns];
} _PHYSICAL_MEMORY_DESCRIPTOR64;
```

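
The following Python parser is an added example, not code from the original post or from the 010 Editor template. It reads the header fields tabulated above and rejects a NumberOfRuns larger than the 7 entries that fit into PhysicalMemoryBlock. The function names, the little-endian byte order, the NumberOfPages consistency check and all sample header values are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

MAX_RUNS = 7  # 0x80-byte PhysicalMemoryBlock: 16-byte head + 7 runs of 16 bytes
DUMP_TYPES = {1: "full dump", 2: "kernel dump"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_dump64_header(buf):
    """Parse the fields of the offset table (assumed little-endian)."""
    if len(buf) < 0xFB0:
        raise ValueError("buffer too short for the documented fields")
    if buf[0:8] != b"PAGEDU64":
        raise ValueError("not a 64bit crash dump: %r" % bytes(buf[0:8]))
    (major, minor, dtb, pfn_db, modules, procs,
     machine, cpus) = struct.unpack_from("<2I4Q2I", buf, 0x008)
    n_runs, n_pages = struct.unpack_from("<2Q", buf, 0x088)
    if n_runs > MAX_RUNS:  # untrusted count: would read past PhysicalMemoryBlock
        raise ValueError("NumberOfRuns %d exceeds %d" % (n_runs, MAX_RUNS))
    runs = [struct.unpack_from("<2Q", buf, 0x098 + 16 * i) for i in range(n_runs)]
    (dump_type,) = struct.unpack_from("<I", buf, 0xF98)
    uptime, systime = struct.unpack_from("<2q", buf, 0xFA0)
    try:  # FILETIME: 100 ns ticks since 1601-01-01 UTC
        when = FILETIME_EPOCH + timedelta(microseconds=systime // 10)
    except OverflowError:
        when = None  # timestamp outside the representable range
    return {
        "version": (major, minor), "directory_table_base": dtb,
        "pfn_database": pfn_db, "ps_loaded_module_list": modules,
        "ps_active_process_head": procs, "machine": machine, "cpus": cpus,
        "runs": runs,  # (BasePage, PageCount) tuples
        # sanity check (assumption): NumberOfPages equals the sum of PageCount
        "pages_consistent": sum(count for _, count in runs) == n_pages,
        "dump_type": DUMP_TYPES.get(dump_type, "unknown (%d)" % dump_type),
        "uptime_seconds": uptime / 10_000_000, "system_time": when,
    }

def build_sample_header():
    """Constructed header for demonstration; values are not from a real dump."""
    buf = bytearray(0x1000)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into("<2I4Q2I", buf, 0x008, 15, 7601, 0x187000,
                     0xFFFFFA8000000000, 0xFFFFF80002A4BE90,
                     0xFFFFF80002A2DB30, 0x8664, 2)
    struct.pack_into("<2Q", buf, 0x088, 2, 0x9E + 0x3FEF0)
    struct.pack_into("<4Q", buf, 0x098, 0x1, 0x9E, 0x100, 0x3FEF0)
    struct.pack_into("<I", buf, 0xF98, 1)
    struct.pack_into("<2q", buf, 0xFA0, 36_000_000_000, 129_067_776_000_000_000)
    return bytes(buf)
```

Calling `parse_dump64_header(build_sample_header())` returns the decoded fields as a dictionary; a real dump can be parsed by passing the first 0x1000 bytes of the file instead.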
These fields and some more can be parsed with ease by means of a template for the 010 Editor. Here is an example of a 64bit file header:

Thanks go to "blufferisme", who provided me with some information on the file format.
