Hide kdmp-parser's under a namespace (#8)

This should avoid user code clashing with kdmp-parser's structures.

src/lib/kdmp-parser-structs.h

@@ -7,18 +7,7 @@
 #include <cstdint>
 #include <cstdio>
 
-#ifndef WINDOWS
-#define EXCEPTION_MAXIMUM_PARAMETERS 15
-struct EXCEPTION_RECORD64 {
-  uint32_t ExceptionCode;
-  uint32_t ExceptionFlags;
-  uint64_t ExceptionRecord;
-  uint64_t ExceptionAddress;
-  uint32_t NumberParameters;
-  uint32_t __unusedAlignment;
-  uint64_t ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
-};
-#endif
+namespace kdmpparser {
 
 //
 // Save off the alignement setting and disable
@@ -147,28 +136,27 @@ struct DisplayUtils {
 // https://github.com/google/rekall/blob/master/rekall-core/rekall/plugins/overlays/windows/crashdump.py
 //
 
-struct KDMP_PARSER_PHYSMEM_RUN : public DisplayUtils {
+struct PHYSMEM_RUN : public DisplayUtils {
   uint64_t BasePage;
   uint64_t PageCount;
 
   void Show(const uint32_t Prefix = 0) const {
-    DISPLAY_HEADER("PHYSICAL_MEMORY_RUN");
+    DISPLAY_HEADER("PHYSMEM_RUN");
     DISPLAY_FIELD(BasePage);
     DISPLAY_FIELD(PageCount);
   }
 };
 
-static_assert(sizeof(KDMP_PARSER_PHYSMEM_RUN) == 0x10,
-              "PHYSICAL_MEMORY_RUN's size looks wrong.");
+static_assert(sizeof(PHYSMEM_RUN) == 0x10, "PHYSMEM_RUN's size looks wrong.");
 
-struct KDMP_PARSER_PHYSMEM_DESC : public DisplayUtils {
+struct PHYSMEM_DESC : public DisplayUtils {
   uint32_t NumberOfRuns;
   uint32_t Padding0;
   uint64_t NumberOfPages;
-  KDMP_PARSER_PHYSMEM_RUN Run[1];
+  PHYSMEM_RUN Run[1];
 
   void Show(const uint32_t Prefix = 0) const {
-    DISPLAY_HEADER("PHYSICAL_MEMORY_DESCRIPTOR");
+    DISPLAY_HEADER("PHYSMEM_DESC");
     DISPLAY_FIELD(NumberOfRuns);
     DISPLAY_FIELD(NumberOfPages);
     DISPLAY_FIELD_OFFSET(Run);
@@ -190,10 +178,10 @@ struct KDMP_PARSER_PHYSMEM_DESC : public DisplayUtils {
   }
 };
 
-static_assert(sizeof(KDMP_PARSER_PHYSMEM_DESC) == 0x20,
+static_assert(sizeof(PHYSMEM_DESC) == 0x20,
               "PHYSICAL_MEMORY_DESCRIPTOR's size looks wrong.");
 
-struct KDMP_PARSER_BMP_HEADER64 : public DisplayUtils {
+struct BMP_HEADER64 : public DisplayUtils {
   static const uint32_t ExpectedSignature = 0x504D4453;  // 'PMDS'
   static const uint32_t ExpectedSignature2 = 0x504D4446; // 'PMDF'
   static const uint32_t ExpectedValidDump = 0x504D5544;  // 'PMUD'
@@ -250,20 +238,20 @@ struct KDMP_PARSER_BMP_HEADER64 : public DisplayUtils {
     //
 
     if (Signature != ExpectedSignature && Signature != ExpectedSignature2) {
-      printf("KDMP_PARSER_BMP_HEADER64::Signature looks wrong.\n");
+      printf("BMP_HEADER64::Signature looks wrong.\n");
       return false;
     }
 
     if (ValidDump != ExpectedValidDump) {
-      printf("KDMP_PARSER_BMP_HEADER64::ValidDump looks wrong.\n");
+      printf("BMP_HEADER64::ValidDump looks wrong.\n");
       return false;
     }
 
     return true;
   }
 
   void Show(const uint32_t Prefix = 0) const {
-    DISPLAY_HEADER("KDMP_PARSER_BMP_HEADER64");
+    DISPLAY_HEADER("BMP_HEADER64");
     DISPLAY_FIELD(Signature);
     DISPLAY_FIELD(ValidDump);
     DISPLAY_FIELD(FirstPage);
@@ -273,10 +261,10 @@ struct KDMP_PARSER_BMP_HEADER64 : public DisplayUtils {
   }
 };
 
-static_assert(offsetof(KDMP_PARSER_BMP_HEADER64, FirstPage) == 0x20,
+static_assert(offsetof(BMP_HEADER64, FirstPage) == 0x20,
               "First page offset looks wrong.");
 
-struct KDMP_PARSER_CONTEXT : public DisplayUtils {
+struct CONTEXT : public DisplayUtils {
 
   //
   // Note that the below definition has been stolen directly from the windows
@@ -415,15 +403,15 @@ struct KDMP_PARSER_CONTEXT : public DisplayUtils {
     //
 
     if (MxCsr != MxCsr2) {
-      printf("KDMP_PARSER_CONTEXT::MxCsr doesn't match MxCsr2.\n");
+      printf("CONTEXT::MxCsr doesn't match MxCsr2.\n");
       return false;
     }
 
     return true;
   }
 
   void Show(const uint32_t Prefix = 0) const {
-    DISPLAY_HEADER("KDMP_PARSER_CONTEXT");
+    DISPLAY_HEADER("CONTEXT");
     DISPLAY_FIELD(P1Home);
     DISPLAY_FIELD(P2Home);
     DISPLAY_FIELD(P3Home);
@@ -547,17 +535,17 @@ struct KDMP_PARSER_CONTEXT : public DisplayUtils {
   }
 };
 
-static_assert(offsetof(KDMP_PARSER_CONTEXT, Xmm0) == 0x1a0,
+static_assert(offsetof(CONTEXT, Xmm0) == 0x1a0,
               "The offset of Xmm0 looks wrong.");
 
-struct KDMP_PARSER_EXCEPTION_RECORD64 : public DisplayUtils {
+struct EXCEPTION_RECORD64 : public DisplayUtils {
   uint32_t ExceptionCode;
   uint32_t ExceptionFlags;
   uint64_t ExceptionRecord;
   uint64_t ExceptionAddress;
   uint32_t NumberParameters;
   uint32_t __unusedAlignment;
-  uint64_t ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
+  uint64_t ExceptionInformation[15];
 
   void Show(const uint32_t Prefix = 0) const {
     DISPLAY_HEADER("KDMP_PARSER_EXCEPTION_RECORD64");
@@ -584,11 +572,10 @@ struct KDMP_PARSER_EXCEPTION_RECORD64 : public DisplayUtils {
   }
 };
 
-static_assert(sizeof(KDMP_PARSER_EXCEPTION_RECORD64) ==
-                  sizeof(EXCEPTION_RECORD64),
+static_assert(sizeof(EXCEPTION_RECORD64) == 0x98,
               "KDMP_PARSER_EXCEPTION_RECORD64's size looks wrong.");
 
-struct KDMP_PARSER_HEADER64 : public DisplayUtils {
+struct HEADER64 : public DisplayUtils {
   static const uint32_t ExpectedSignature = 0x45474150; // 'EGAP'
   static const uint32_t ExpectedValidDump = 0x34365544; // '46UD'
 
@@ -621,7 +608,7 @@ struct KDMP_PARSER_HEADER64 : public DisplayUtils {
 
   uint8_t Padding1[0x80 - (0x40 + sizeof(BugCheckCodeParameter))];
   uint64_t KdDebuggerDataBlock;
-  KDMP_PARSER_PHYSMEM_DESC PhysicalMemoryBlockBuffer;
+  PHYSMEM_DESC PhysicalMemoryBlockBuffer;
 
   //
   // According to rekall there's a gap here:
@@ -630,7 +617,7 @@ struct KDMP_PARSER_HEADER64 : public DisplayUtils {
   //
 
   uint8_t Padding2[0x348 - (0x88 + sizeof(PhysicalMemoryBlockBuffer))];
-  KDMP_PARSER_CONTEXT ContextRecord;
+  CONTEXT ContextRecord;
 
   //
   // According to rekall there's a gap here:
@@ -639,7 +626,7 @@ struct KDMP_PARSER_HEADER64 : public DisplayUtils {
   //
 
   uint8_t Padding3[0xf00 - (0x348 + sizeof(ContextRecord))];
-  KDMP_PARSER_EXCEPTION_RECORD64 Exception;
+  EXCEPTION_RECORD64 Exception;
   DumpType_t DumpType;
 
   //
@@ -661,7 +648,7 @@ struct KDMP_PARSER_HEADER64 : public DisplayUtils {
   uint8_t KdSecondaryVersion;
   uint8_t Unused[2];
   uint8_t _reserved0[4016];
-  KDMP_PARSER_BMP_HEADER64 BmpHeader;
+  BMP_HEADER64 BmpHeader;
 
   bool LooksGood() const {
 
@@ -670,12 +657,12 @@ struct KDMP_PARSER_HEADER64 : public DisplayUtils {
     //
 
     if (Signature != ExpectedSignature) {
-      printf("KDMP_PARSER_HEADER64::Signature looks wrong.\n");
+      printf("HEADER64::Signature looks wrong.\n");
       return false;
     }
 
     if (ValidDump != ExpectedValidDump) {
-      printf("KDMP_PARSER_HEADER64::ValidDump looks wrong.\n");
+      printf("HEADER64::ValidDump looks wrong.\n");
       return false;
     }
 
@@ -707,7 +694,7 @@ struct KDMP_PARSER_HEADER64 : public DisplayUtils {
   }
 
   void Show(const uint32_t Prefix = 0) const {
-    DISPLAY_HEADER("KDMP_PARSER_HEADER64");
+    DISPLAY_HEADER("HEADER64");
     DISPLAY_FIELD(Signature);
     DISPLAY_FIELD(ValidDump);
     DISPLAY_FIELD(MajorVersion);
@@ -763,22 +750,22 @@ struct KDMP_PARSER_HEADER64 : public DisplayUtils {
 // layout, so hopefully they prevent any regressions regarding the layout.
 //
 
-static_assert(offsetof(KDMP_PARSER_HEADER64, BugCheckCodeParameter) == 0x40,
+static_assert(offsetof(HEADER64, BugCheckCodeParameter) == 0x40,
               "The offset of KdDebuggerDataBlock looks wrong.");
 
-static_assert(offsetof(KDMP_PARSER_HEADER64, KdDebuggerDataBlock) == 0x80,
+static_assert(offsetof(HEADER64, KdDebuggerDataBlock) == 0x80,
               "The offset of KdDebuggerDataBlock looks wrong.");
 
-static_assert(offsetof(KDMP_PARSER_HEADER64, ContextRecord) == 0x348,
+static_assert(offsetof(HEADER64, ContextRecord) == 0x348,
               "The offset of ContextRecord looks wrong.");
 
-static_assert(offsetof(KDMP_PARSER_HEADER64, Exception) == 0xf00,
+static_assert(offsetof(HEADER64, Exception) == 0xf00,
               "The offset of Exception looks wrong.");
 
-static_assert(offsetof(KDMP_PARSER_HEADER64, Comment) == 0xfb0,
+static_assert(offsetof(HEADER64, Comment) == 0xfb0,
               "The offset of Comment looks wrong.");
 
-static_assert(offsetof(KDMP_PARSER_HEADER64, BmpHeader) == 0x2000,
+static_assert(offsetof(HEADER64, BmpHeader) == 0x2000,
               "The offset of BmpHeaders looks wrong.");
 
 struct Page {
@@ -846,4 +833,5 @@ union VIRTUAL_ADDRESS {
 };
 
 static_assert(sizeof(MMPTE_HARDWARE) == 8);
-static_assert(sizeof(VIRTUAL_ADDRESS) == 8);
+static_assert(sizeof(VIRTUAL_ADDRESS) == 8);
+} // namespace kdmpparser

src/lib/kdmp-parser.cc

@@ -1,6 +1,8 @@
 // Axel '0vercl0k' Souchet - February 15 2019
 #include "kdmp-parser.h"
 
+namespace kdmpparser {
+
 KernelDumpParser::KernelDumpParser() : DmpHdr_(nullptr), PathFile_(nullptr) {}
 
 KernelDumpParser::~KernelDumpParser() {
@@ -63,7 +65,7 @@ bool KernelDumpParser::ParseDmpHeader() {
   // The base of the view points on the DMP_HEADER64.
   //
 
-  DmpHdr_ = (KDMP_PARSER_HEADER64 *)FileMap_.ViewBase();
+  DmpHdr_ = (HEADER64 *)FileMap_.ViewBase();
 
   //
   // Now let's make sure the structures look right.
@@ -77,7 +79,7 @@ bool KernelDumpParser::ParseDmpHeader() {
   return true;
 }
 
-const KDMP_PARSER_CONTEXT *KernelDumpParser::GetContext() {
+const CONTEXT *KernelDumpParser::GetContext() {
 
   //
   // Give the user a view of the context record.
@@ -166,7 +168,7 @@ bool KernelDumpParser::BuildPhysmemFullDump() {
     // Grab the current run as well as its base page and page count.
     //
 
-    const KDMP_PARSER_PHYSMEM_RUN *Run =
+    const PHYSMEM_RUN *Run =
         DmpHdr_->PhysicalMemoryBlockBuffer.Run + RunIdx;
 
     const uint64_t BasePage = Run->BasePage;
@@ -254,7 +256,7 @@ KernelDumpParser::PhyRead8(const uint64_t PhysicalAddress) const {
 const Physmem_t &KernelDumpParser::GetPhysmem() { return Physmem_; }
 
 void KernelDumpParser::ShowContextRecord(const uint32_t Prefix = 0) const {
-  const KDMP_PARSER_CONTEXT &Context = DmpHdr_->ContextRecord;
+  const CONTEXT &Context = DmpHdr_->ContextRecord;
   printf("%*srax=%016" PRIx64 " rbx=%016" PRIx64 " rcx=%016" PRIx64 "\n",
          Prefix, "", Context.Rax, Context.Rbx, Context.Rcx);
   printf("%*srdx=%016" PRIx64 " rsi=%016" PRIx64 " rdi=%016" PRIx64 "\n",
@@ -461,4 +463,5 @@ KernelDumpParser::GetVirtualPage(const uint64_t VirtualAddress,
   //
 
   return GetPhysicalPage(PhysicalAddress);
-}
+}
+} // namespace kdmpparser

src/lib/kdmp-parser.h

@@ -6,6 +6,8 @@
 #include <cstdint>
 #include <unordered_map>
 
+namespace kdmpparser {
+
 using Physmem_t = std::unordered_map<uint64_t, const uint8_t *>;
 
 struct BugCheckParameters_t {
@@ -28,7 +30,7 @@ class KernelDumpParser {
   // Give the Context record to the user.
   //
 
-  const KDMP_PARSER_CONTEXT *GetContext();
+  const CONTEXT *GetContext();
 
   //
   // Give the bugcheck parameters to the user.
@@ -133,7 +135,7 @@ class KernelDumpParser {
   // Header of the crash-dump.
   //
 
-  KDMP_PARSER_HEADER64 *DmpHdr_;
+  HEADER64 *DmpHdr_;
 
   //
   // File path to the crash-dump.
@@ -146,4 +148,5 @@ class KernelDumpParser {
   //
 
   Physmem_t Physmem_;
-};
+};
+} // namespace kdmpparser

src/parser/parser.cc

@@ -266,7 +266,7 @@ int main(int argc, const char *argv[]) {
   // Create the parser instance.
   //
 
-  KernelDumpParser Dmp;
+  kdmpparser::KernelDumpParser Dmp;
 
   //
   // Parse the dump file.
@@ -340,8 +340,8 @@ int main(int argc, const char *argv[]) {
       // so that it is nicer for the user as they probably don't expect unorder.
       //
 
-      const Physmem_t &Physmem = Dmp.GetPhysmem();
-      std::vector<Physmem_t::key_type> OrderedPhysicalAddresses;
+      const kdmpparser::Physmem_t &Physmem = Dmp.GetPhysmem();
+      std::vector<kdmpparser::Physmem_t::key_type> OrderedPhysicalAddresses;
       OrderedPhysicalAddresses.reserve(Physmem.size());
 
       //