public override bool IsSupportedFormat(Vtero vtero)
{
bool rv = false;
if (!File.Exists(DumpFile))
return rv;
// use abstract implementation & scan for internal
LogicalPhysMemDesc = ExtractMemDesc(vtero);
using (var dstream = File.OpenRead(DumpFile))
{
MemSize = dstream.Length;
using (var dbin = new BinaryReader(dstream))
{
// start with a easy to handle format of DMP
if (ASCIIEncoding.ASCII.GetString(dbin.ReadBytes(8)) != "PAGEDU64")
return rv;
dbin.BaseStream.Position = 0x2020;
StartOfMem = dbin.ReadUInt32();
// Find the RUN info
dbin.BaseStream.Position = 0x88;
var MemRunDescriptor = new MemoryDescriptor();
MemRunDescriptor.StartOfMemmory = StartOfMem;
MemRunDescriptor.NumberOfRuns = dbin.ReadInt64();
MemRunDescriptor.NumberOfPages = dbin.ReadInt64();
// this struct has to fit in the header which is only 0x2000 in total size
if (MemRunDescriptor.NumberOfRuns > 32 || MemRunDescriptor.NumberOfRuns < 0)
{
// TODO: in this case we have to de-patchguard the KDDEBUGGER_DATA block
// before resulting to that... implemented a memory scanning mode to extract the runs out via struct detection
PhysMemDesc = LogicalPhysMemDesc;
PhysMemDesc.StartOfMemmory = StartOfMem;
// physmem is preferred place to load from so if we have only 1 run move it to phys.
LogicalPhysMemDesc = null;
}
else
{
// in this case StartOfMem is 0x2000
MemRunDescriptor.StartOfMemmory = 0x2000;
// we have an embedded RUN in the DMP file that appears to conform to the rules we know
for (int i = 0; i < MemRunDescriptor.NumberOfRuns; i++)
{
var basePage = dbin.ReadInt64();
var pageCount = dbin.ReadInt64();
MemRunDescriptor.Run.Add(new MemoryRun() { BasePage = basePage, PageCount = pageCount });
}
PhysMemDesc = MemRunDescriptor;
}
rv = true;
}
}
#if OLD_CODE
long aSkipCount = 0;
for (int i = 0; i < PhysMemDesc.NumberOfRuns; i++)
{
var RunSkip = PhysMemDesc.Run[i].BasePage - aSkipCount;
PhysMemDesc.Run[i].SkipCount = RunSkip;
aSkipCount = PhysMemDesc.Run[i].BasePage + PhysMemDesc.Run[i].PageCount;
}
#endif
return rv;
}
