API tools faq
paste
aveyo

ANALYZE_CRASH_MINIDUMPS

aveyo
Oct 12th, 2014
747
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Batch 8.27 KB | None | 0 0
raw download clone embed print report diff
  1. :: Analyze local crash minidumps by aveyo v1.1
  2. :: You need to install Standalone Debugging Tools for Windows (WinDbg) before using this script!
  3. :: http://msdn.microsoft.com/library/windows/hardware/ff551063%28v=vs.85%29.aspx
  4. :: In the installation wizard, select Debugging Tools for Windows, and clear all other components
  5. :: and override the default install path to C:\ instead (it will use C:\Debuggers)
  6. :: Includes dxdiag report and installed and running programs
  7. @ECHO off
  8.  
  9. CALL :CHECK_OS
  10.  
  11. :: Check for Debugging Tools for Windows installation
  12. :: If script can't find them it means MS changed paths again
  13.  
  14. SET "TOOLS_FOUND="
  15. SET "DEBUG_TOOLS=%PFVAR%\Debugging Tools for Windows (x86)"
  16. IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
  17. IF NOT DEFINED TOOLS_FOUND SET "DEBUG_TOOLS=C:\Program Files\Debugging Tools for Windows (x64)"
  18. IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
  19. SET "DEBUG_TOOLS=%PFVAR%\Windows Kits\8.1\Debuggers\x86"
  20. IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
  21. SET "DEBUG_TOOLS=%PFVAR%\Windows Kits\8.1\Debuggers\x64"
  22. IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
  23. SET "DEBUG_TOOLS=C:\Debuggers\x86"
  24. IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
  25. SET "DEBUG_TOOLS=C:\Debuggers\x64"
  26. IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
  27. :: edit
  28. IF NOT DEFINED TOOLS_FOUND SET "DEBUG_TOOLS=C:\Program Files (x86)\Windows Kits\10\Debuggers\x64"
  29. IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
  30. ::
  31.  
  32. IF NOT DEFINED TOOLS_FOUND ECHO. & ECHO    You need to install Standalone Debugging Tools for Windows (WinDbg) before using this script!
  33. IF NOT DEFINED TOOLS_FOUND ECHO   https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063(v=vs.85).aspx
  34. IF NOT DEFINED TOOLS_FOUND ECHO   In the installation wizard, select Debugging Tools for Windows, and clear all other components
  35. IF NOT DEFINED TOOLS_FOUND ECHO   and override the default install path to C:\ instead (it will use C:\Debuggers)
  36. IF NOT DEFINED TOOLS_FOUND CALL :ERR ...
  37.  
  38. rem CALL :XECHO Debugging Tools for Windows="%DEBUG_TOOLS%"
  39.  
  40. :: Choose minidump file by filepicker window
  41. CALL :XECHO Choose the .dmp/.mdmp file you want to analyze:
  42. IF NOT EXIST "%~1" CALL :VBCHOOSEFILE
  43. :: Choose minidump file by 1st parameter, skipping filepicker
  44. IF EXIST "%~1" SET "ChosenFile=%~1"
  45. IF EXIST "%~1" CALL :__VBCHOOSEFILE_VERIFY
  46. FOR /F "tokens=*" %%I IN ("%ChosenFile%") DO ( SET "DUMPDIR=%%~dpI" &SET "DUMPFILE=%%~nI%%~xI")
  47. CALL :XECHO Dump file = %ChosenFile%
  48. :: get dxdiag and programs info
  49. FINDSTR "'~1337%skip%vbprg" "%~f0">"%temp%\~1337prg.vbs"
  50. START " " /WAIT dxdiag /t \Users\%USERNAME%\AppData\Local\Temp\dxdiag.txt
  51. echo [INSTALLED PROGRAMS User] >"%TEMP%\List_my_programs.txt"
  52. CSCRIPT //nologo "%temp%\~1337prg.vbs" "32" "HKCU" >>"%TEMP%\List_my_programs.txt"
  53. echo [INSTALLED PROGRAMS Machine x86] >>"%TEMP%\List_my_programs.txt"
  54. CSCRIPT //nologo "%temp%\~1337prg.vbs" "32" "HKLM" >>"%TEMP%\List_my_programs.txt"
  55. echo [INSTALLED PROGRAMS Machine x64] >>"%TEMP%\List_my_programs.txt"
  56. CSCRIPT //nologo "%temp%\~1337prg.vbs" "64" "HKLM" >>"%TEMP%\List_my_programs.txt"
  57. DEL /F /Q "%temp%\~1337prg.vbs"
  58. rem echo [INSTALLED PROGRAMS - MSI] >>"%TEMP%\List_my_programs.txt"
  59. rem wmic product list brief | MORE >>"%TEMP%\List_my_programs.txt"
  60. echo [STARTUP] >>"%TEMP%\List_my_programs.txt"
  61. wmic startup list brief>"%TEMP%\wmic1.tmp"
  62. TYPE "%TEMP%\wmic1.tmp"| MORE >>"%TEMP%\List_my_programs.txt"  
  63. echo [SERVICES] >>"%TEMP%\List_my_programs.txt"
  64. wmic service list brief>"%TEMP%\wmic2.tmp"
  65. TYPE "%TEMP%\wmic2.tmp"| MORE >>"%TEMP%\List_my_programs.txt"
  66. echo [RUNNING PROGRAMS] >>"%TEMP%\List_my_programs.txt"
  67. WMIC path win32_process get Processid,Caption,Commandline,WorkingSetSize>"%TEMP%\wmic3.tmp"
  68. TYPE "%TEMP%\wmic3.tmp"| MORE >>"%TEMP%\List_my_programs.txt"
  69. PING -n 10 localhost >nul 2>&1
  70. :: start debugger
  71. PUSHD "%DUMPDIR%"
  72. "%DEBUG_TOOLS%\kd.exe" -y "srv*c:\symbols*http://msdl.microsoft.com/download/symbols" -logo "%ChosenFile%.txt" -c ".reload;!exploitable -m;.symopt;!analyze -v -f;!address -summary;vertarget;!PEB;lmft;.ecxr;kb;~*kp;.logclose;q" -z "%ChosenFile%"
  73. COPY /Y "%ChosenFile%.txt" + "%USERPROFILE%\AppData\Local\Temp\dxdiag.txt" + "%TEMP%\List_my_programs.txt" "%ChosenFile%.txt" >nul 2>&1
  74. START " " notepad "%ChosenFile%.txt"
  75. POPD
  76. ECHO  DONE!  &PING localhost >nul 2>&1 &EXIT /B
  77.  
  78. GOTO :eof
  79.  
  80. :CHECK_OS
  81. :: This must run first
  82. :: Usage: CALL :CHECK_OS
  83. IF "%PROCESSOR_ARCHITECTURE%"=="x86" (
  84. SET "MACHINE="
  85. IF DEFINED PROCESSOR_ARCHITEW6432 SET "MACHINE=_x64"
  86. ) ELSE (
  87. SET "MACHINE=_x64"
  88. )
  89. SET "REGNODE="
  90. FOR %%I IN ("%PROGRAMFILES%") DO SET "PFVAR=%%~sI"
  91. FOR %%I IN ("%WINDIR%\SYSTEM32") DO SET "SSVAR=%%~sI"
  92. :: MS put ZERO thinking in naming x64 Program Files - brackets are deadly in batch files
  93. IF "%MACHINE%"=="_64" (
  94. FOR %%I IN ("%PROGRAMFILES(X86)%") DO SET "PFVAR=%%~sI"
  95. FOR %%I IN ("%WINDIR%\SysWOW64") DO SET "SSVAR=%%~sI"
  96. SET "REGNODE=Wow6432Node\"
  97. IF DEFINED PROCESSOR_ARCHITEW6432 FOR %%I IN ("%WINDIR%\Sysnative") DO SET "SSVAR=%%~sI"
  98. )
  99. SET _MYVER=%~n0 by a^v^ey^o^ v1.1, please wait
  100. TITLE %_MYVER% & COLOR 70
  101. rem FOR /F "tokens=4-5 delims=. " %%i IN ('ver') DO SET WINVERSION=%%i%%j
  102. rem IF %WINVERSION% LEQ 60 CALL :ERR ONLY FOR WINDOWS 7 OR ABOVE
  103. rem CALL :XECHO PROGRAMFILES=%PFVAR% SYSTEM=%SSVAR%
  104. GOTO :eof
  105. ::END.CHECK_OS
  106.  
  107. :ERR
  108. :: Usage: Call :ERR string
  109. echo/
  110. echo #ERROR! %*
  111. PAUSE &EXIT
  112. GOTO :eof
  113. ::END.ERR
  114.  
  115. :XECHO
  116. :: Extended echo
  117. :: Usage: Call :XECHO string/var
  118. :: Output: onscreen
  119. rem CLS
  120. echo/
  121. IF NOT "%1_"=="_" echo #INFO: %*
  122. IF DEFINED _TRACE echo/ & PAUSE
  123. GOTO :eof
  124. ::END.XECHO
  125.  
  126. :VBCHOOSEFILE
  127. :: Show a vbs prompt to pick a file
  128. :: Usage: CALL :VBCHOOSEFILE
  129. :: Output: %SOURCEDIR% %SOURCEFILE%
  130. FINDSTR "'~1337v%skip%bc%skip%f" "%~f0">"%temp%\~1337cf.vbs"
  131. CSCRIPT //nologo "%temp%\~1337cf.vbs" >"%temp%\~1337cf.cmd"
  132. CALL "%temp%\~1337cf.cmd"
  133. CALL :__VBCHOOSEFILE_VERIFY
  134. GOTO :eof
  135. :__VBCHOOSEFILE_VERIFY
  136. :: file type filtering
  137. DEL /F /Q "%temp%\~1337cf.vbs" >NUL 2>&1
  138. DEL /F /Q "%temp%\~1337cf.cmd" >NUL 2>&1
  139. IF ["%ChosenFile%"]==[""] CALL :ERR No file was chosen, please select a .dmp/.mdmp file next run
  140. IF /I NOT [%ChosenFile:~-3%]==[dmp] CALL :ERR Please select a .dmp/.mdmp file next run  
  141. IF NOT EXIST "%ChosenFile%" CALL :ERR File cannot be accessed, try moving it to the current dir
  142. GOTO :eof
  143. ::END.VBCHOOSEFILE
  144.  
  145.  
  146. GOTO :eof
  147. :: these are bundled vbs scripts used by this batch file
  148. Set wShell=CreateObject("WScript.Shell") '~1337vbcf
  149. Set oExec=wShell.Exec("mshta.exe ""about:<input type=file id=FILE><script>FILE.click();new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).WriteLine(FILE.value);close();resizeTo(0,0);</script>""") '~1337vbcf
  150. WScript.echo "set ChosenFile=" & oExec.StdOut.ReadLine '~1337vbcf
  151. Const HKCU = &H80000001, HKLM = &H80000002 '~1337vbprg
  152. Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet") '~1337vbprg
  153. If WScript.Arguments(0) = "32" Then oCtx.Add "__ProviderArchitecture",32 Else oCtx.Add "__ProviderArchitecture",64 '~1337vbprg
  154. oCtx.Add "__RequiredArchitecture", TRUE '~1337vbprg
  155. Set oLoc = CreateObject("Wbemscripting.SWbemLocator") '~1337vbprg
  156. Set oSvr = oLoc.ConnectServer("","root\default","","",,,,oCtx) '~1337vbprg
  157. Set oReg = oSvr.Get("StdRegProv") '~1337vbprg
  158. If WScript.Arguments(1) = "HKCU" Then Call ListMyApps(HKCU) Else Call ListMyApps(HKLM) '~1337vbprg  
  159.  '~1337vbprg
  160. Sub ListMyApps(HIVE) '~1337vbprg
  161. Set enumkey = oReg.Methods_("EnumKey").Inparameters '~1337vbprg
  162. enumkey.Hdefkey = HIVE '~1337vbprg
  163. enumkey.Ssubkeyname = "Software\Microsoft\Windows\CurrentVersion\Uninstall\" '~1337vbprg
  164. set aApps = oReg.ExecMethod_("EnumKey", enumkey,,oCtx) '~1337vbprg
  165. For Each strSubKey In aApps.snames '~1337vbprg
  166. Set search = oReg.Methods_("GetStringValue").Inparameters '~1337vbprg
  167. search.Hdefkey = HIVE '~1337vbprg
  168. search.Ssubkeyname = "Software\Microsoft\Windows\CurrentVersion\Uninstall\" & strSubKey '~1337vbprg
  169. search.Svaluename = "DisplayName" '~1337vbprg
  170. set sName = oReg.ExecMethod_("GetStringValue", search,,oCtx) '~1337vbprg
  171. If sName.sValue <> "" Then '~1337vbprg
  172. search.Svaluename = "DisplayVersion" '~1337vbprg
  173. set sVersion = oReg.ExecMethod_("GetStringValue", search,,oCtx) '~1337vbprg
  174. If sVersion.sValue <> "" Then wscript.echo sName.sValue & " v" & sVersion.SValue Else wscript.echo sName.sValue '~1337vbprg
  175. End If '~1337vbprg
  176. Next '~1337vbprg
  177. End Sub '~1337vbprg
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!