Pure-Python, zero-dependency parser for Windows MiniDump (.dmp) memory dump files
Project description
MiniDump Analyzer · Windows Memory Dump Analyzer
A pure-Python, zero-dependency parser for Windows MiniDump (.dmp) files. It does not need a Windows system and works on Linux, macOS, and Windows.
Inspect crash dumps, list loaded modules, explore memory regions, search for strings, and export memory, all from the command line.
Features
- Cross-platform — no Windows API needed, parses the binary format directly
- Zero dependencies — only the Python standard library
- Command-line interface with subcommands for common tasks
- Python API for programmatic use
- Supports both 32-bit and 64-bit MiniDump formats
- Handles large dumps (tested with 400MB+ files)
Installation
```bash
pip install git+https://github.com/songshiyu777/minidump-analyzer.git
```
Or clone and install locally:
```bash
git clone https://github.com/songshiyu777/minidump-analyzer.git
cd minidump-analyzer
pip install -e .
```
Quick Start
```bash
# Overview of a dump file
minidump-analyzer info crash.dmp

# List all loaded modules (DLLs, EXE)
minidump-analyzer modules crash.dmp

# List loaded modules with size info
minidump-analyzer modules -v crash.dmp

# Show all memory ranges
minidump-analyzer memory crash.dmp

# Show only ranges >= 1 MB
minidump-analyzer memory --min-size 1M crash.dmp

# Show detailed memory info (protection, state, type)
minidump-analyzer meminfo crash.dmp

# List threads with register context
minidump-analyzer threads crash.dmp

# List all streams in the dump
minidump-analyzer streams crash.dmp

# Search memory for a string
minidump-analyzer search "perform_key_validation" crash.dmp

# Export a memory region to a file
minidump-analyzer export --address 0x140000000 --size 4096 --output code.bin crash.dmp
```
Example output
```text
$ minidump-analyzer info dump.dmp
File : dump.dmp
File size : 426.1 MB
Signature : MDMP (0x504D444D)
Version : 0xA793
Streams : 18
Flags : 0x0000000000000000
Arch : AMD64 (x86_64)
OS : Windows NT 10.0.19041
CPU count : 8
CPU level : 6
Modules : 91
Mem regions : 736
Threads : 42
Total memory: 421.7 MB
Streams:
THREAD_LIST size= 840 B rva=0x00000A20
MODULE_LIST size= 3.8 KB rva=0x00000D98
MEMORY_64_LIST size= 5.8 KB rva=0x00002420
* SYSTEM_INFO size= 56 B rva=0x000003F4
* MEMORY_INFO_LIST size= 14.6 KB rva=0x000023C0
...

$ minidump-analyzer modules dump.dmp
0x0000000140000000 鸡之巅.exe
0x00007FF8E2000000 ntdll.dll
0x00007FF8E0000000 kernel32.dll
0x00007FF8DE000000 kernelbase.dll
0x00007FF8C4000000 python310.dll
...

$ minidump-analyzer meminfo dump.dmp
0x0000000140000000 289.1 MB EXECUTE_READWRITE COMMIT IMAGE
0x000000014C7EF000 42.1 MB READWRITE COMMIT MAPPED
0x000000014EFEE000 22.0 MB EXECUTE_READWRITE COMMIT MAPPED
...
```
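The `info` fields above (signature, version, stream count, per-stream size and RVA) come from the 32-byte MINIDUMP_HEADER and the 12-byte MINIDUMP_DIRECTORY entries it points to. The following is an added example, not code from this project: a standalone reader for those two structures that bounds-checks every offset, since a dump from an untrusted source controls all of them. The names `parse_stream_directory` and `build_sample_dump` are hypothetical and the sample dump is constructed.

```python
import struct

MDMP_SIGNATURE = 0x504D444D          # b"MDMP" read as a little-endian u32
HEADER = struct.Struct("<IIIIIIQ")   # MINIDUMP_HEADER, 32 bytes
DIRENT = struct.Struct("<III")       # MINIDUMP_DIRECTORY: type, data size, rva
STREAM_NAMES = {3: "ThreadList", 4: "ModuleList", 5: "MemoryList",
                7: "SystemInfo", 9: "Memory64List",
                16: "MemoryInfoList", 17: "ThreadInfoList"}


def parse_stream_directory(blob: bytes) -> dict:
    """Return header fields and the stream table, rejecting out-of-file offsets."""
    if len(blob) < HEADER.size:
        raise ValueError("file shorter than MINIDUMP_HEADER")
    (sig, version, count, dir_rva,
     _checksum, timestamp, flags) = HEADER.unpack_from(blob, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError(f"bad signature 0x{sig:08X}")
    # Stream count and directory RVA are file-controlled: check before indexing.
    if dir_rva + count * DIRENT.size > len(blob):
        raise ValueError("stream directory extends past end of file")
    streams = []
    for i in range(count):
        stype, size, rva = DIRENT.unpack_from(blob, dir_rva + i * DIRENT.size)
        if rva + size > len(blob):
            raise ValueError(f"stream {i} (type {stype}) extends past end of file")
        streams.append({"type": stype, "name": STREAM_NAMES.get(stype, "Other"),
                        "size": size, "rva": rva})
    return {"version": version & 0xFFFF, "flags": flags,
            "timestamp": timestamp, "streams": streams}


def build_sample_dump() -> bytes:
    """Constructed two-stream dump (not a real crash) for exercising the parser."""
    payload = {7: b"\x00" * 56, 4: b"\x00" * 4}   # SystemInfo, empty ModuleList
    data_rva = HEADER.size + len(payload) * DIRENT.size
    directory, body = b"", b""
    for stype, data in payload.items():
        directory += DIRENT.pack(stype, len(data), data_rva + len(body))
        body += data
    header = HEADER.pack(MDMP_SIGNATURE, 0xA793, len(payload), HEADER.size, 0, 0, 0)
    return header + directory + body


if __name__ == "__main__":
    info = parse_stream_directory(build_sample_dump())
    print(f"Version : 0x{info['version']:04X}")
    for s in info["streams"]:
        print(f"{s['name']:<16} size={s['size']:>4} B rva=0x{s['rva']:08X}")
```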
Python API
```python
from minidump_analyzer import MiniDumpParser

with MiniDumpParser("crash.dmp") as dump:
    # System info
    sysinfo = dump.get_system_info()
    print(f"OS: {sysinfo.os_version}, Arch: {sysinfo.arch_name}")

    # List all loaded modules
    for mod in dump.get_modules():
        print(f"0x{mod.base_of_image:016X} {mod.module_name}")

    # Iterate memory ranges
    for r in dump.get_memory_ranges():
        print(f"0x{r.start:016X}-0x{r.end:016X} {r.size:>10,d} bytes")

    # Search for a string across all memory
    for va, ctx in dump.search("key_validation"):
        print(f"Found at 0x{va:016X}")

    # Read memory at a virtual address
    data = dump.read_va(0x140000000, 256)

    # Read raw data at an RVA
    data = dump.read_rva(0x1000, 512)
```
Supported Stream Types
| Stream | Type | Parsed |
|---|---|---|
| ThreadList | 3 | Full (TID, register context on x64) |
| ModuleList | 4 | Full (base, size, name) |
| MemoryList | 5 | Full (32-bit ranges) |
| SystemInfo | 7 | Full (arch, OS version, CPU) |
| Memory64List | 9 | Full (64-bit ranges) |
| MemoryInfoList | 16 | Full (protection, state, type) |
| ThreadInfoList | 17 | Basic |
| Other streams | — | Raw data accessible via read_stream() |
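The protection, state and type columns that `meminfo` prints are numeric fields of the MemoryInfoList stream (type 16). The following is an added example, not code from this project: it decodes a raw MemoryInfoList stream body and picks out committed regions that are both writable and executable, which an analyst usually reviews first during dump triage. The function names are hypothetical; the sample stream is constructed, reusing the base addresses from the example output with made-up sizes.

```python
import struct

LIST_HDR = struct.Struct("<IIQ")       # SizeOfHeader, SizeOfEntry, NumberOfEntries
ENTRY = struct.Struct("<QQIIQIII4x")   # MINIDUMP_MEMORY_INFO, 48 bytes
PROTECT = {0x01: "NOACCESS", 0x02: "READONLY", 0x04: "READWRITE", 0x08: "WRITECOPY",
           0x10: "EXECUTE", 0x20: "EXECUTE_READ", 0x40: "EXECUTE_READWRITE",
           0x80: "EXECUTE_WRITECOPY"}
STATE = {0x1000: "COMMIT", 0x2000: "RESERVE", 0x10000: "FREE"}
TYPE = {0x20000: "PRIVATE", 0x40000: "MAPPED", 0x1000000: "IMAGE"}


def parse_memory_info(stream: bytes) -> list:
    """Decode a MemoryInfoList stream body into region dicts."""
    if len(stream) < LIST_HDR.size:
        raise ValueError("stream shorter than list header")
    hdr_size, entry_size, count = LIST_HDR.unpack_from(stream, 0)
    # Both sizes come from the file: validate them before using them as a stride.
    if hdr_size < LIST_HDR.size or entry_size < ENTRY.size:
        raise ValueError("header or entry size too small")
    if hdr_size + count * entry_size > len(stream):
        raise ValueError("entries extend past end of stream")
    regions = []
    for i in range(count):
        base, _ab, _ap, _pad, size, state, prot, mtype = ENTRY.unpack_from(
            stream, hdr_size + i * entry_size)
        regions.append({"base": base, "size": size,
                        # Low byte is the access mode; PAGE_GUARD etc. sit above it.
                        "protect": PROTECT.get(prot & 0xFF, f"0x{prot:X}"),
                        "state": STATE.get(state, f"0x{state:X}"),
                        "type": TYPE.get(mtype, f"0x{mtype:X}")})
    return regions


def writable_executable(regions: list) -> list:
    """Committed regions that are both writable and executable."""
    return [r for r in regions if r["state"] == "COMMIT"
            and r["protect"] in ("EXECUTE_READWRITE", "EXECUTE_WRITECOPY")]


def build_sample_stream() -> bytes:
    """Constructed stream: base addresses from the meminfo output, sizes made up."""
    rows = [(0x140000000, 0x40, 0x1000000), (0x14C7EF000, 0x04, 0x40000),
            (0x14EFEE000, 0x40, 0x40000)]
    body = b"".join(ENTRY.pack(b, b, p, 0, 0x1000, 0x1000, p, t) for b, p, t in rows)
    return LIST_HDR.pack(LIST_HDR.size, ENTRY.size, len(rows)) + body
```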
License
MIT — see LICENSE for details.
File details
Details for the file minidump_analyzer-0.1.0.tar.gz.
File metadata
- Download URL: minidump_analyzer-0.1.0.tar.gz
- Upload date:
- Size: 15.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 720a8f80e1b0027d569391211dc4a6dd67e1c135466dc464cbd12f068f918c96 |
| MD5 | f541292fc5383da4af6f67156eaf3bcb |
| BLAKE2b-256 | 5860456562dd5269398f8b3ed6e87c8f9b9adb7c117656c516fc49f530b3c0fb |
File details
Details for the file minidump_analyzer-0.1.0-py3-none-any.whl.
File metadata
- Download URL: minidump_analyzer-0.1.0-py3-none-any.whl
- Upload date:
- Size: 13.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 86e64fc11b38543019c1b4ab76b0561dcfa8d4c946d04629c0f77212a8addf6a |
| MD5 | fa6599f66e3fd64af1b47fdc66107215 |
| BLAKE2b-256 | ddf247b6d69911bc692b640faf209a0fcea8e3ac47dbeebc1807cc7645deaed5 |