Welcome

Crashd.mp is a personal project of mine, started after completing some research into the Windows crash dump mechanism, the kernel-mode stack the operating system uses both to write a memory dump when it bugchecks and to write the hibernation file.  This site is meant to be a guide for Windows internals enthusiasts, reverse engineers, and kernel driver developers.

Of the many undocumented constructs in the Microsoft Windows operating system, the crash dump mechanism is, in my opinion, one of the most crucial undocumented components to have survived the scrutiny of reverse engineers and Windows internals experts for so long.  Tucked away discreetly in the bowels of the operating system, the capabilities inherent to (but not explicitly exposed by) the crash dump mechanism are fascinating and have largely gone unnoticed in the Windows internals community for decades.  Microsoft has provided some sparse and vague documentation for selected aspects of the crash dump stack, but only enough to expose the absolute minimum knowledge necessary for kernel driver developers to integrate their software.  An exposition of the currently available documentation is one of many topics to be covered on this website.

Welcome to the first website dedicated exclusively to exposing and documenting the inner workings of the crash dump mechanism.  Over the coming months, I will attempt to demystify exactly what the crash dump stack does, documenting all related components and data structures.  This will include detailed coverage of crash dump stack initialization and usage by the kernel from Windows XP to Windows 8; how to use the crash dump stack outside of the operating system; neat tricks and attacks against the crash dump stack; and various papers, code, tools and techniques useful in your own investigation of the crash dump stack.

Please check back often, as the content will be updated frequently to accommodate new discoveries.

This website is owned and operated by Aaron LeMasters and is theoretically nestled away in the cozy Northern Mariana Islands commonwealth somewhere in the beautiful Pacific Ocean.  (Well, not anymore, since the content has been relocated to a free WordPress site.)

The website is named after %SystemRoot%\System32\drivers\crashdmp.sys, the driver at the top of the crash dump stack.
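As an added example (not code from the original site), the following PowerShell snippet locates crashdmp.sys on the local machine, reports its version and Authenticode signature, and reads the crash dump configuration from the CrashControl registry key. The key path and the CrashDumpEnabled, DumpFile, MinidumpDir and DumpFilters values are the ones Microsoft documents; the mode-name table is an assumption for display only.

```powershell
# Added example (not from the original site): inspect the local crash dump
# configuration and locate crashdmp.sys.
# Assumptions, labelled: the CrashControl key layout (CrashDumpEnabled,
# DumpFile, MinidumpDir, DumpFilters) is the documented one; the mode-name
# table below is for display only and is not read from the system.

$driver       = Join-Path $env:SystemRoot 'System32\drivers\crashdmp.sys'
$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# 1. The driver the site is named after: version and signature status.
if (Test-Path $driver) {
    $sig = Get-AuthenticodeSignature -FilePath $driver
    $ver = (Get-Item $driver).VersionInfo.FileVersion
    "crashdmp.sys: version $ver, signature $($sig.Status) ($($sig.SignerCertificate.Subject))"
} else {
    "crashdmp.sys not found at $driver"
}

# 2. Crash dump configuration as the kernel reads it at boot.
$cfg   = Get-ItemProperty -Path $crashControl
$modes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
$mode  = [int]$cfg.CrashDumpEnabled
$modeName = if ($modes.ContainsKey($mode)) { $modes[$mode] } else { 'unknown' }

"CrashDumpEnabled = $mode ($modeName)"
"DumpFile         = $($cfg.DumpFile)"
"MinidumpDir      = $($cfg.MinidumpDir)"

# 3. Dump filter drivers (e.g. dumpfve.sys for BitLocker) are listed here when present.
if ($cfg.PSObject.Properties['DumpFilters']) {
    "DumpFilters      = $($cfg.DumpFilters -join ', ')"
}
```

Run from an elevated PowerShell prompt; reading CrashControl does not require elevation, but the signature check on a system driver is more informative when the file is fully accessible.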

The information and views presented on this website are not those of my employer.
