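--- a/UNKNOWN-PATH
+++ b/UNKNOWN-PATH
@@ -1,177 +1,177 @@
-:: Analyze crash minidumps by aveyo v1.0b
+:: Analyze local crash minidumps by aveyo v1.1
 :: You need to install Standalone Debugging Tools for Windows (WinDbg) before using this script!
 :: http://msdn.microsoft.com/library/windows/hardware/ff551063%28v=vs.85%29.aspx
 :: In the installation wizard, select Debugging Tools for Windows, and clear all other components
 :: and override the default install path to C:\ instead (it will use C:\Debuggers)
-:: No more wasting internet bandwidth with 30MB+ dumps (like in dota2). Send just the text summary
+:: Includes dxdiag report and installed and running programs
 @ECHO off
 
 CALL :CHECK_OS
 
 :: Check for Debugging Tools for Windows installation
 :: If script can't find them it means MS changed paths again
 
 SET "TOOLS_FOUND="
 SET "DEBUG_TOOLS=%PFVAR%\Debugging Tools for Windows (x86)"
 IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
 IF NOT DEFINED TOOLS_FOUND SET "DEBUG_TOOLS=C:\Program Files\Debugging Tools for Windows (x64)"
 IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
 SET "DEBUG_TOOLS=%PFVAR%\Windows Kits\8.1\Debuggers\x86"
 IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
 SET "DEBUG_TOOLS=%PFVAR%\Windows Kits\8.1\Debuggers\x64"
 IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
 SET "DEBUG_TOOLS=C:\Debuggers\x86"
 IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
 SET "DEBUG_TOOLS=C:\Debuggers\x64"
 IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1
 :: edit
-IF NOT DEFINED TOOLS_FOUND CALL :ERR You need to install Standalone Debugging Tools for Windows (WinDbg) before using this script!
+IF NOT DEFINED TOOLS_FOUND SET "DEBUG_TOOLS=C:\Program Files (x86)\Windows Kits\10\Debuggers\x64"
-IF NOT DEFINED TOOLS_FOUND CALL :ERR http://msdn.microsoft.com/library/windows/hardware/ff551063%28v=vs.85%29.aspx
+
-IF NOT DEFINED TOOLS_FOUND CALL :ERR In the installation wizard, select Debugging Tools for Windows, and clear all other components
+::
-IF NOT DEFINED TOOLS_FOUND CALL :ERR and override the default install path to C:\ instead (it will use C:\Debuggers)
+
 IF NOT DEFINED TOOLS_FOUND ECHO. & ECHO You need to install Standalone Debugging Tools for Windows (WinDbg) before using this script!
 IF NOT DEFINED TOOLS_FOUND ECHO https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063(v=vs.85).aspx
 IF NOT DEFINED TOOLS_FOUND ECHO In the installation wizard, select Debugging Tools for Windows, and clear all other components
 IF NOT DEFINED TOOLS_FOUND ECHO and override the default install path to C:\ instead (it will use C:\Debuggers)
 IF NOT DEFINED TOOLS_FOUND CALL :ERR ...
 
 rem CALL :XECHO Debugging Tools for Windows="%DEBUG_TOOLS%"
 
 :: Choose minidump file by filepicker window
 CALL :XECHO Choose the .dmp/.mdmp file you want to analyze:
 IF NOT EXIST "%~1" CALL :VBCHOOSEFILE
 :: Choose minidump file by 1st parameter, skipping filepicker
-"%DEBUG_TOOLS%\kd.exe" -y "srv*c:\symbols*http://msdl.microsoft.com/download/symbols" -logo "%ChosenFile%.txt" -c ".reload;!analyze -v;r;kv;lmnt;.logclose;q" -z "%ChosenFile%"
+
-START " " /WAIT dxdiag /dontskip /whql:on /t dxdiag.txt
+
-COPY /Y "%ChosenFile%.txt" + "%DUMPDIR%\dxdiag.txt" "%ChosenFile%.txt" >nul 2>&1
+
 CALL :XECHO Dump file = %ChosenFile%
 :: get dxdiag and programs info
 FINDSTR "'~1337%skip%vbprg" "%~f0">"%temp%\~1337prg.vbs"
 START " " /WAIT dxdiag /t \Users\%USERNAME%\AppData\Local\Temp\dxdiag.txt
 echo [INSTALLED PROGRAMS User] >"%TEMP%\List_my_programs.txt"
 CSCRIPT //nologo "%temp%\~1337prg.vbs" "32" "HKCU" >>"%TEMP%\List_my_programs.txt"
 echo [INSTALLED PROGRAMS Machine x86] >>"%TEMP%\List_my_programs.txt"
 CSCRIPT //nologo "%temp%\~1337prg.vbs" "32" "HKLM" >>"%TEMP%\List_my_programs.txt"
 echo [INSTALLED PROGRAMS Machine x64] >>"%TEMP%\List_my_programs.txt"
 CSCRIPT //nologo "%temp%\~1337prg.vbs" "64" "HKLM" >>"%TEMP%\List_my_programs.txt"
 DEL /F /Q "%temp%\~1337prg.vbs"
 rem echo [INSTALLED PROGRAMS - MSI] >>"%TEMP%\List_my_programs.txt"
 rem wmic product list brief | MORE >>"%TEMP%\List_my_programs.txt"
 echo [STARTUP] >>"%TEMP%\List_my_programs.txt"
 wmic startup list brief>"%TEMP%\wmic1.tmp"
 TYPE "%TEMP%\wmic1.tmp"| MORE >>"%TEMP%\List_my_programs.txt"
 echo [SERVICES] >>"%TEMP%\List_my_programs.txt"
 wmic service list brief>"%TEMP%\wmic2.tmp"
 TYPE "%TEMP%\wmic2.tmp"| MORE >>"%TEMP%\List_my_programs.txt"
 echo [RUNNING PROGRAMS] >>"%TEMP%\List_my_programs.txt"
 WMIC path win32_process get Processid,Caption,Commandline,WorkingSetSize>"%TEMP%\wmic3.tmp"
 TYPE "%TEMP%\wmic3.tmp"| MORE >>"%TEMP%\List_my_programs.txt"
 PING -n 10 localhost >nul 2>&1
 :: start debugger
 PUSHD "%DUMPDIR%"
-SET _MYVER=%~n0 by a^v^ey^o^ v1.0 &TITLE %_MYVER%
+"%DEBUG_TOOLS%\kd.exe" -y "srv*c:\symbols*http://msdl.microsoft.com/download/symbols" -logo "%ChosenFile%.txt" -c ".reload;!exploitable -m;.symopt;!analyze -v -f;!address -summary;vertarget;!PEB;lmft;.ecxr;kb;~*kp;.logclose;q" -z "%ChosenFile%"
 COPY /Y "%ChosenFile%.txt" + "%USERPROFILE%\AppData\Local\Temp\dxdiag.txt" + "%TEMP%\List_my_programs.txt" "%ChosenFile%.txt" >nul 2>&1
 START " " notepad "%ChosenFile%.txt"
 POPD
 ECHO DONE! &PING localhost >nul 2>&1 &EXIT /B
 
 GOTO :eof
 
 :CHECK_OS
 :: This must run first
 :: Usage: CALL :CHECK_OS
 IF "%PROCESSOR_ARCHITECTURE%"=="x86" (
 SET "MACHINE="
 IF DEFINED PROCESSOR_ARCHITEW6432 SET "MACHINE=_x64"
 ) ELSE (
 SET "MACHINE=_x64"
 )
 SET "REGNODE="
 FOR %%I IN ("%PROGRAMFILES%") DO SET "PFVAR=%%~sI"
 FOR %%I IN ("%WINDIR%\SYSTEM32") DO SET "SSVAR=%%~sI"
 :: MS put ZERO thinking in naming x64 Program Files - brackets are deadly in batch files
 IF "%MACHINE%"=="_64" (
 FOR %%I IN ("%PROGRAMFILES(X86)%") DO SET "PFVAR=%%~sI"
 FOR %%I IN ("%WINDIR%\SysWOW64") DO SET "SSVAR=%%~sI"
 SET "REGNODE=Wow6432Node\"
 IF DEFINED PROCESSOR_ARCHITEW6432 FOR %%I IN ("%WINDIR%\Sysnative") DO SET "SSVAR=%%~sI"
 )
 SET _MYVER=%~n0 by a^v^ey^o^ v1.1, please wait
 TITLE %_MYVER% & COLOR 70
 rem FOR /F "tokens=4-5 delims=. " %%i IN ('ver') DO SET WINVERSION=%%i%%j
 rem IF %WINVERSION% LEQ 60 CALL :ERR ONLY FOR WINDOWS 7 OR ABOVE
 rem CALL :XECHO PROGRAMFILES=%PFVAR% SYSTEM=%SSVAR%
 GOTO :eof
 ::END.CHECK_OS
 
 :ERR
 :: Usage: Call :ERR string
 echo/
 echo #ERROR! %*
-IF [%ChosenFile%]==[] CALL :ERR No file was chosen, please select a .dmp/.mdmp file next run
+
 GOTO :eof
 ::END.ERR
 
 :XECHO
 :: Extended echo
 :: Usage: Call :XECHO string/var
 :: Output: onscreen
 rem CLS
 echo/
-WScript.echo "set ChosenFile=" & oExec.StdOut.ReadLine '~1337vbcf
+
 IF DEFINED _TRACE echo/ & PAUSE
 GOTO :eof
 ::END.XECHO
 
 :VBCHOOSEFILE
 :: Show a vbs prompt to pick a file
 :: Usage: CALL :VBCHOOSEFILE
 :: Output: %SOURCEDIR% %SOURCEFILE%
 FINDSTR "'~1337v%skip%bc%skip%f" "%~f0">"%temp%\~1337cf.vbs"
 CSCRIPT //nologo "%temp%\~1337cf.vbs" >"%temp%\~1337cf.cmd"
 CALL "%temp%\~1337cf.cmd"
 CALL :__VBCHOOSEFILE_VERIFY
 GOTO :eof
 :__VBCHOOSEFILE_VERIFY
 :: file type filtering
 DEL /F /Q "%temp%\~1337cf.vbs" >NUL 2>&1
 DEL /F /Q "%temp%\~1337cf.cmd" >NUL 2>&1
 IF ["%ChosenFile%"]==[""] CALL :ERR No file was chosen, please select a .dmp/.mdmp file next run
 IF /I NOT [%ChosenFile:~-3%]==[dmp] CALL :ERR Please select a .dmp/.mdmp file next run
 IF NOT EXIST "%ChosenFile%" CALL :ERR File cannot be accessed, try moving it to the current dir
 GOTO :eof
 ::END.VBCHOOSEFILE
 
 
 GOTO :eof
 :: these are bundled vbs scripts used by this batch file
 Set wShell=CreateObject("WScript.Shell") '~1337vbcf
 Set oExec=wShell.Exec("mshta.exe ""about:<input type=file id=FILE><script>FILE.click();new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).WriteLine(FILE.value);close();resizeTo(0,0);</script>""") '~1337vbcf
 WScript.echo "set ChosenFile=" & oExec.StdOut.ReadLine '~1337vbcf
 Const HKCU = &H80000001, HKLM = &H80000002 '~1337vbprg
 Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet") '~1337vbprg
 If WScript.Arguments(0) = "32" Then oCtx.Add "__ProviderArchitecture",32 Else oCtx.Add "__ProviderArchitecture",64 '~1337vbprg
 oCtx.Add "__RequiredArchitecture", TRUE '~1337vbprg
 Set oLoc = CreateObject("Wbemscripting.SWbemLocator") '~1337vbprg
 Set oSvr = oLoc.ConnectServer("","root\default","","",,,,oCtx) '~1337vbprg
 Set oReg = oSvr.Get("StdRegProv") '~1337vbprg
 If WScript.Arguments(1) = "HKCU" Then Call ListMyApps(HKCU) Else Call ListMyApps(HKLM) '~1337vbprg
 '~1337vbprg
 Sub ListMyApps(HIVE) '~1337vbprg
 Set enumkey = oReg.Methods_("EnumKey").Inparameters '~1337vbprg
 enumkey.Hdefkey = HIVE '~1337vbprg
 enumkey.Ssubkeyname = "Software\Microsoft\Windows\CurrentVersion\Uninstall\" '~1337vbprg
 set aApps = oReg.ExecMethod_("EnumKey", enumkey,,oCtx) '~1337vbprg
 For Each strSubKey In aApps.snames '~1337vbprg
 Set search = oReg.Methods_("GetStringValue").Inparameters '~1337vbprg
 search.Hdefkey = HIVE '~1337vbprg
 search.Ssubkeyname = "Software\Microsoft\Windows\CurrentVersion\Uninstall\" & strSubKey '~1337vbprg
 search.Svaluename = "DisplayName" '~1337vbprg
 set sName = oReg.ExecMethod_("GetStringValue", search,,oCtx) '~1337vbprg
 If sName.sValue <> "" Then '~1337vbprg
 search.Svaluename = "DisplayVersion" '~1337vbprg
 set sVersion = oReg.ExecMethod_("GetStringValue", search,,oCtx) '~1337vbprg
 If sVersion.sValue <> "" Then wscript.echo sName.sValue & " v" & sVersion.SValue Else wscript.echo sName.sValue '~1337vbprg
 End If '~1337vbprg
 Next '~1337vbprg
 End Sub '~1337vbprg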
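Review bot: The new Windows Kits 10 fallback on line 28 sets DEBUG_TOOLS but never probes it, so TOOLS_FOUND stays undefined even when kd.exe is present there and lines 32-36 still print the install-WinDbg error; it needs the same check the other candidates get, `IF EXIST "%DEBUG_TOOLS%\kd.exe" SET /A TOOLS_FOUND=1`. Since :ERR only echoes and returns (line 112), that error does not stop the script either, and the new kd.exe call on line 72 runs regardless; an `IF NOT DEFINED TOOLS_FOUND EXIT /B 1` after line 36 would make the check actually gate the debugger run. Line 72 also keeps the symbol store on plain HTTP, `srv*c:\symbols*http://msdl.microsoft.com/download/symbols`; the same store is reachable as `https://msdl.microsoft.com/download/symbols`, and fetching symbol files over an unauthenticated channel is avoidable here. The `!exploitable -m` command added to the same line depends on an extension that is not part of every debugger install; presumably kd just reports the command as unknown and continues, which is worth a `::` comment next to the call so a missing section in the log is not mistaken for a clean result.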