Channel: KitPloit - PenTest Tools!

BlueScreenView - Blue Screen of Death (STOP error) information in dump files


BlueScreenView scans all your minidump files created during 'blue screen of death' crashes, and displays the information about all crashes in one table. For each crash, BlueScreenView displays the minidump filename, the date/time of the crash, the basic crash information displayed in the blue screen (Bug Check Code and 4 parameters), and the details of the driver or module that possibly caused the crash (filename, product name, file description, and file version).

For each crash selected in the upper pane, the lower pane shows the device drivers that were loaded at the time of the crash. BlueScreenView also marks the drivers whose addresses were found in the crash stack, so you can quickly locate the drivers that may have caused the crash.

Features
  • Automatically scans your current minidump folder and displays the list of all crash dumps, including the crash date/time and crash details.
  • Allows you to view a blue screen very similar to the one Windows displayed during the crash.
  • Enumerates the memory addresses in the crash stack and finds all drivers/modules that might be involved in the crash.
  • Also works with another Windows installation: simply choose the right minidump folder (in Advanced Options).
  • Automatically locates the drivers that appear in the crash dump and extracts their version resource information, including product name, file version, company, and file description.

Using BlueScreenView

BlueScreenView doesn't require any installation process or additional DLL files. To start using it, simply run the executable file, BlueScreenView.exe.

After you run BlueScreenView, it automatically scans your MiniDump folder and displays all crash details in the upper pane.

Crashes Information Columns (Upper Pane)
  • Dump File: The MiniDump filename that stores the crash data.
  • Crash Time: The creation time of the MiniDump file, which also matches the date/time at which the crash occurred.
  • Bug Check String: The crash error string. It is determined by the Bug Check Code and is also displayed in the Windows blue screen.
  • Bug Check Code: The bug check code, as displayed in the blue screen window.
  • Parameter 1/2/3/4: The 4 crash parameters that are also displayed in the blue screen of death.
  • Caused By Driver: The driver that probably caused this crash. BlueScreenView tries to locate the driver or module that caused the blue screen by looking at the crash stack. Be aware that this detection mechanism is not 100% accurate, so you should also check the lower pane, which lists all drivers/modules found in the stack; these drivers/modules are marked in pink.
  • Caused By Address: Similar to the 'Caused By Driver' column, but also displays the relative address of the crash within that driver.
  • File Description: The file description of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
  • Product Name: The product name of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
  • Company: The company name of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
  • File Version: The file version of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
  • Crash Address: The memory address at which the crash occurred (the value of the EIP/RIP processor register). In some crashes this value is identical to the 'Caused By Address' value; in others the crash address lies in a different module than the driver that caused the crash.
  • Stack Address 1 - 3: The last 3 addresses found in the call stack. In some crashes these values are empty. The stack address list is currently not supported for 64-bit crashes.

Drivers Information Columns (Lower Pane)
  • Filename: The driver/module filename
  • Address In Stack: The memory address of this driver that was found in the stack.
  • From Address: First memory address of this driver.
  • To Address: Last memory address of this driver.
  • Size: Driver size in memory.
  • Time Stamp: Time stamp of this driver.
  • Time String: Time stamp of this driver, displayed in date/time format.
  • Product Name: Product name of this driver, loaded from the version resource of the driver.
  • File Description: File description of this driver, loaded from the version resource of the driver.
  • File Version: File version of this driver, loaded from the version resource of the driver.
  • Company: Company name of this driver, loaded from the version resource of the driver.
  • Full Path: Full path of the driver filename.

Lower Pane Modes

Currently, the lower pane has 4 different display modes. You can change the display mode of the lower pane from Options->Lower Pane Mode menu.
  1. All Drivers: Displays all the drivers that were loaded at the time of the crash selected in the upper pane. Drivers/modules whose memory addresses were found in the stack are marked in pink.
  2. Only Drivers Found In Stack: Displays only the modules/drivers whose memory addresses were found in the crash stack. There is a very high chance that one of the drivers in this list caused the crash.
  3. Blue Screen in XP Style: Displays a blue screen that looks very similar to the one that Windows displayed during the crash.
  4. DumpChk Output: Displays the output of Microsoft DumpChk utility. This mode only works when Microsoft DumpChk is installed on your computer and BlueScreenView is configured to run it from the right folder (In the Advanced Options window). 
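The pink marking and the 'Caused By Driver' guess both come down to one operation: mapping each address found in the crash stack onto the [From Address, To Address) range of a loaded module. The following is an added example written for this page, not BlueScreenView's or NirSoft's code; every module base, size and stack address in it is constructed sample data (example_fake.sys is a fictional driver), and the "first non-OS-core frame wins" rule used for the suspect is an assumed heuristic, not the tool's actual algorithm.

```python
"""Added example (not BlueScreenView's code): resolving crash-stack addresses to the
loaded driver that owns them, which is what the 'Address In Stack' / 'From Address' /
'To Address' columns and the pink marking express.
All module bases, sizes and stack addresses are constructed sample data."""
from bisect import bisect_right
from collections import namedtuple

Module = namedtuple("Module", "filename base size")  # base = 'From Address' column

# Constructed module list with hypothetical load addresses; example_fake.sys is fictional.
MODULES = sorted([
    Module("ntoskrnl.exe",     0xFFFFF80000800000, 0x5E7000),
    Module("hal.dll",          0xFFFFF80000DE7000, 0x049000),
    Module("tcpip.sys",        0xFFFFF88001600000, 0x200000),
    Module("example_fake.sys", 0xFFFFF88004A00000, 0x012000),
], key=lambda m: m.base)

# Constructed crash stack, most recent frame first.
STACK = [
    0xFFFFF80000886A42,   # inside ntoskrnl.exe
    0xFFFFF88004A0B3F0,   # inside example_fake.sys
    0xFFFFF80000850123,   # inside ntoskrnl.exe
    0xFFFFF88004A0B5C8,   # inside example_fake.sys again (same module, new address)
    0xFFFFF900C0123456,   # no module in the list covers this address
]

# Modules that sit on almost every kernel stack and are therefore poor suspects (assumption).
OS_CORE = frozenset({"ntoskrnl.exe", "hal.dll"})


def module_end(m):
    """'To Address' column: one past the last byte of the module image."""
    return m.base + m.size


def resolve(addr, modules=MODULES):
    """Return (module, offset) for the module whose [From, To) range contains addr,
    or None when no loaded module covers it. modules must be sorted by base."""
    bases = [m.base for m in modules]
    i = bisect_right(bases, addr) - 1          # last module whose base <= addr
    if i < 0:
        return None
    m = modules[i]
    if addr >= module_end(m):                  # addr falls in a gap after this module
        return None
    return m, addr - m.base


def drivers_in_stack(stack=STACK, modules=MODULES):
    """Module names whose addresses appear in the stack, first-seen order (the pink rows)."""
    seen = []
    for addr in stack:
        hit = resolve(addr, modules)
        if hit and hit[0].filename not in seen:
            seen.append(hit[0].filename)
    return seen


def suspect_driver(stack=STACK, modules=MODULES, ignore=OS_CORE):
    """Assumed heuristic for 'Caused By Driver' + 'Caused By Address': the topmost stack
    frame owned by a module outside the OS core, formatted as module+offset.
    It can still blame the wrong driver (e.g. a filter driver above the real culprit),
    which is why the tool itself says to check the lower pane."""
    for addr in stack:
        hit = resolve(addr, modules)
        if hit and hit[0].filename not in ignore:
            return "%s+%x" % (hit[0].filename, hit[1])
    return None


if __name__ == "__main__":
    for addr in STACK:
        hit = resolve(addr)
        print(hex(addr), "->", "%s+%x" % (hit[0].filename, hit[1]) if hit else "<unknown>")
    print("drivers in stack:", drivers_in_stack())
    print("suspect:", suspect_driver())
```

The unresolved fifth frame is deliberate: an address that no listed module covers is exactly the case where a tool can only show a raw stack address, and a practitioner should then check whether a module was unloaded or simply not captured in the minidump's module list.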

Command-Line Options

  • /LoadFrom <Source>: Specifies the source to load from:
      1 -> Load from a single MiniDump folder (/MiniDumpFolder parameter)
      2 -> Load from all computers specified in the computer list file (/ComputersFile parameter)
      3 -> Load from a single MiniDump file (/SingleDumpFile parameter)
  • /MiniDumpFolder <Folder>: Start BlueScreenView with the specified MiniDump folder.
  • /SingleDumpFile <Filename>: Start BlueScreenView with the specified MiniDump file (for use with /LoadFrom 3).
  • /ComputersFile <Filename>: Specifies the computer list filename (for use with /LoadFrom 2).
  • /LowerPaneMode <1 - 3>: Start BlueScreenView with the specified lower pane mode. 1 = All Drivers, 2 = Only Drivers Found In Stack, 3 = Blue Screen in XP Style.
  • /stext <Filename>: Save the list of blue screen crashes into a regular text file.
  • /stab <Filename>: Save the list of blue screen crashes into a tab-delimited text file.
  • /scomma <Filename>: Save the list of blue screen crashes into a comma-delimited text file (CSV).
  • /stabular <Filename>: Save the list of blue screen crashes into a tabular text file.
  • /shtml <Filename>: Save the list of blue screen crashes into an HTML file (horizontal).
  • /sverhtml <Filename>: Save the list of blue screen crashes into an HTML file (vertical).
  • /sxml <Filename>: Save the list of blue screen crashes into an XML file.
  • /sort <column>: Can be combined with the save options above to sort by the desired column. If you don't specify this option, the list is sorted according to the last sort you made in the user interface. The <column> parameter can be the column index (0 for the first column, 1 for the second, and so on) or the column name, such as "Bug Check Code" or "Crash Time". Prefix the column with '~' (e.g. "~Crash Time") to sort in descending order. You can put multiple /sort options on the command line to sort by multiple columns. Examples:
      BlueScreenView.exe /shtml "f:\temp\crashes.html" /sort 2 /sort ~1
      BlueScreenView.exe /shtml "f:\temp\crashes.html" /sort "Bug Check String" /sort "~Crash Time"
  • /nosort: When you specify this option, the list is saved without any sorting.
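The save switches are what make BlueScreenView useful beyond a single desktop: a scheduled export can be collected from many machines and triaged centrally. The script below is an added example for this page, not NirSoft's code. It builds the documented command line (/LoadFrom 1, /MiniDumpFolder, /scomma, /sort "~Crash Time"), then parses the resulting CSV. The CSV text embedded in it is constructed sample data shaped after the upper-pane columns documented above; a real export may carry additional columns, and whether it starts with a header row (and which text encoding it uses) depends on the BlueScreenView version, so inspect the first line of an actual export before relying on the header-based parsing shown here. The driver name example_fake.sys is fictional; the bug check codes 0xD1 and 0x50 are the standard Windows codes for the strings shown.

```python
"""Added example (not BlueScreenView's or NirSoft's code): driving BlueScreenView from
a script with its documented command-line switches and triaging the /scomma export.
SAMPLE_CSV is constructed data; header row, column set and file encoding are assumptions."""
import csv
import io
import subprocess
from collections import Counter

# Constructed export shaped after the documented upper-pane columns (subset).
SAMPLE_CSV = """\
Dump File,Crash Time,Bug Check String,Bug Check Code,Parameter 1,Parameter 2,Parameter 3,Parameter 4,Caused By Driver,Caused By Address,Crash Address
050124-12345-01.dmp,5/1/2024 9:12:33 AM,DRIVER_IRQL_NOT_LESS_OR_EQUAL,0x000000d1,0x0000000000000010,0x0000000000000002,0x0000000000000000,0xfffff88004a0b3f0,example_fake.sys,example_fake.sys+b3f0,example_fake.sys+b3f0
050324-09876-01.dmp,5/3/2024 7:45:10 PM,DRIVER_IRQL_NOT_LESS_OR_EQUAL,0x000000d1,0x0000000000000028,0x0000000000000002,0x0000000000000001,0xfffff88004a0b5c8,example_fake.sys,example_fake.sys+b5c8,ntoskrnl.exe+86a42
051024-11111-01.dmp,5/10/2024 11:03:51 AM,PAGE_FAULT_IN_NONPAGED_AREA,0x00000050,0xfffff900c0123456,0x0000000000000000,0xfffff80000850123,0x0000000000000000,ntoskrnl.exe,ntoskrnl.exe+50123,ntoskrnl.exe+50123
"""

OS_CORE = ("ntoskrnl.exe", "hal.dll")   # attribution to these is rarely the real answer (assumption)


def bluescreenview_args(exe, minidump_folder, out_csv):
    """Command line for a headless, newest-first CSV export of one MiniDump folder,
    built only from switches listed in the documentation above."""
    return [exe, "/LoadFrom", "1", "/MiniDumpFolder", minidump_folder,
            "/scomma", out_csv, "/sort", "~Crash Time"]


def export_crashes(exe, minidump_folder, out_csv, encoding="utf-8-sig"):
    """Run the export (Windows only) and parse the file it writes.
    The encoding is an assumption; check the actual file if rows come back garbled."""
    subprocess.run(bluescreenview_args(exe, minidump_folder, out_csv), check=True)
    with open(out_csv, encoding=encoding) as f:
        return load_crashes(f.read())


def load_crashes(csv_text):
    """Parse an export with a header row into dicts keyed by column name.
    'Bug Check Code' is converted from its "0x000000d1" text form to an int."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["Bug Check Code"] = int(r["Bug Check Code"], 16)
    return rows


def repeat_offenders(crashes, min_count=2):
    """Drivers blamed in at least min_count dumps, most frequent first."""
    counts = Counter(r["Caused By Driver"].lower() for r in crashes)
    return [(drv, n) for drv, n in counts.most_common() if n >= min_count]


def bug_check_summary(crashes):
    """Counter of (Bug Check Code, Bug Check String) pairs across all dumps."""
    return Counter((r["Bug Check Code"], r["Bug Check String"]) for r in crashes)


def needs_manual_review(crashes, os_core=OS_CORE):
    """Dump files whose attribution is weak and deserve a look at the lower pane:
    the blamed driver is an OS core module, or the Crash Address (EIP/RIP) lies in a
    different module than the blamed driver, the case the 'Crash Address' column warns about."""
    flagged = []
    for r in crashes:
        blamed = r["Caused By Driver"].lower()
        crash_module = r["Crash Address"].split("+", 1)[0].lower()
        if blamed in os_core or crash_module != blamed:
            flagged.append(r["Dump File"])
    return flagged


if __name__ == "__main__":
    crashes = load_crashes(SAMPLE_CSV)
    print("export command:", " ".join(bluescreenview_args(
        "BlueScreenView.exe", r"C:\Windows\Minidump", "crashes.csv")))
    print("repeat offenders:", repeat_offenders(crashes))
    print("bug checks:", dict(bug_check_summary(crashes)))
    print("needs manual review:", needs_manual_review(crashes))
```

In the constructed sample, example_fake.sys is blamed twice, but the second of those dumps crashed with RIP inside ntoskrnl.exe and the third dump is attributed to ntoskrnl.exe itself; both are flagged for manual review, which is the same advice the 'Caused By Driver' column gives in prose.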
