[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-1912":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":14,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":15,"starSnapshotCount":15,"syncStatus":27,"lastSyncTime":28,"discoverSource":29},1912,"ephemera","vmi-rs\u002Fephemera","vmi-rs","Multiplatform MEMORY.DMP analysis tool with a WinDbg flavor","",null,"Rust",168,7,1,0,13,20,3,2.71,"MIT License",false,"master",[],"2026-06-12 02:00:34","# ephemera\n\nMultiplatform Windows kernel crash dump analysis tool with a WinDbg flavor.\n\n### Motivation\n\nThis is another episode from the series \"there doesn't seem to exist such\nthing\".\n\nI often find myself needing to analyze Windows kernel crash dumps on non-Windows\nplatforms. Surprisingly, WinDbg\u002Fcdb \u003Cabbr title=\"doesn't run at all\">runs rather\npoorly under Wine\u003C\u002Fabbr>. Also, even on Windows, WinDbg is notoriously slow.\n\nI also thought this would be a fun showcase for the [vmi-rs] framework.\n\nInitially, I planned to make `ephemera` a general-purpose memory forensics\nframework - similar to [Volatility] or [Rekall] - but I quickly realized that the\nscope of such a project is incompatible with the amount of time I can\nrealistically dedicate to this.\n\nMaybe, some day. Who knows.\n\n### Features\n\n- Supports symbol caching and PDB downloading\u002Fparsing via [`isr`][isr].\n- Supports only Windows kernel crash dumps (i.e. 
`MEMORY.DMP` files).\n- Supports only AMD64 architecture.\n- Supports only a small subset of WinDbg commands (see below).\n- It's fast. Really fast. `!process 0 7` takes _minutes_ in WinDbg.\n  In `ephemera`, it takes about 1 second on a 4GB dump (if all symbols are\n  already cached).\n\n### Demo\n\n\u003Cvideo src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F13cd6e4e-cfef-44c5-83a5-c984e2cd7c97\" controls autoplay loop>\u003C\u002Fvideo>\n\n### Usage\n\nHere's a short list of currently supported commands:\n\n```\nCommands:\n  !analyze                             Analyze the crash.\n  !process [Proc [Flags [Image]]]      Information about a process or all processes.\n                                       Proc: PID, EPROCESS addr, 0 (all), -1 (current).\n  !thread  [Thread [Flags]]            Information about a thread or all threads.\n                                       Thread: TID, ETHREAD addr, 0 (all), -1 (current).\n  dt \u003Ctype> [address]                  Display type layout, optionally at an address.\n  db  [Address [L\u003CCount> | Address2]]  Display memory as bytes and ASCII.\n                                       Address: hex, 0n\u003Cdecimal>, register, or module!symbol.\n                                                Arithmetic: a+b, a-b. 
Empty module means nt.\n  dd  [Address [L\u003CCount> | Address2]]  Display memory as DWORDs.\n  dq  [Address [L\u003CCount> | Address2]]  Display memory as QWORDs.\n  dp  [Address [L\u003CCount> | Address2]]  Alias for dq on 64-bit.\n  dps [Address [L\u003CCount> | Address2]]  Display memory as QWORDs with symbols.\n  k  [FrameCount]                      Display stack backtrace: Child-SP, RetAddr, Call Site.\n  kb [FrameCount]                      As k, plus the first four home-space args per frame.\n  kc [FrameCount]                      As k, Call Site only.\n  kv [FrameCount]                      As kb, plus TrapFrame @ addr for trap-handler frames.\n  r [Reg]                              Display registers.\n                                       Reg: rax..r15, rip, rsp, rbp, cs\u002Fds\u002Fes\u002Ffs\u002Fgs\u002Fss, efl.\n  .process [\u002Fr] [\u002Fp] \u003Caddress>         Set the process context.\n  .thread  [\u002Fr] [\u002Fp] \u003Caddress>         Set the register context to a thread.\n  ~\u003Cn>                                 Change the current processor.\n  .help, help, ?                       Show this list.\n  q, quit, .quit                       Exit the REPL.\n```\n\n### FAQ\n\n- Could it be made into a full-fledged debugger, with support for live\n debugging, breakpoints, ...?\n\n  > Yes! Quite easily, actually. 
`vmi-rs` supports multiple backend drivers,\n  > so it's just a matter of replacing [`VmiKdmpDriver`] with [something else].\n  > Implementing a new driver is also pretty straightforward - for read-only\n  > operations you only need to implement [`VmiRead`] trait.\n\n# License\n\nThis project is licensed under the MIT license.\n\n[vmi-rs]: https:\u002F\u002Fgithub.com\u002Fvmi-rs\u002Fvmi\n[isr]: https:\u002F\u002Fgithub.com\u002Fvmi-rs\u002Fisr\n[Volatility]: https:\u002F\u002Fgithub.com\u002Fvolatilityfoundation\u002Fvolatility3\n[Rekall]: https:\u002F\u002Fgithub.com\u002Fgoogle\u002Frekall\n[`VmiRead`]: https:\u002F\u002Fdocs.rs\u002Fvmi\u002Flatest\u002Fvmi\u002Ftrait.VmiRead.html\n[`VmiKdmpDriver`]: https:\u002F\u002Fdocs.rs\u002Fvmi\u002F0.6.0\u002Fvmi\u002Fdriver\u002Fkdmp\u002Fstruct.VmiKdmpDriver.html\n[something else]: https:\u002F\u002Fdocs.rs\u002Fvmi\u002F0.6.0\u002Fvmi\u002Fdriver\u002Findex.html\n","ephemera is a multiplatform Windows kernel crash dump analysis tool with a WinDbg flavor. It is written in Rust, supports symbol caching and PDB file downloading and parsing, and supports only MEMORY.DMP files for the AMD64 architecture. Compared with traditional WinDbg, ephemera has a significant speed advantage: for example, running the `!process 0 7` command takes minutes in WinDbg, while ephemera needs only about 1 second. The tool is suited to efficient, fast memory dump analysis on non-Windows platforms, especially for scenarios that require frequently handling Windows kernel crash dumps.",2,"2026-06-11 02:46:46","CREATED_QUERY"]