"""histogram_region_for_vt.py Show distribution of regions containing the given vtable signature, with region sizes. Also pick 5 hit addresses and read 0x40 bytes after the vtable to see what fields look like. """ import struct, sys from collections import Counter from minidump.minidumpfile import MinidumpFile def _ei(v): if v is None: return 0 if hasattr(v, 'value'): return int(v.value) return int(v) md = MinidumpFile.parse(sys.argv[1]) target = int(sys.argv[2], 16) reader = md.get_reader().get_buffered_reader() region_sizes = Counter() hit_addrs = [] total_hits = 0 for r in md.memory_info.infos: st, ty, pr = _ei(r.State), _ei(r.Type), _ei(r.Protect) & 0xff if st != 0x1000 or ty == 0x1000000 or pr not in (0x04, 0x40): continue try: reader.move(r.BaseAddress) buf = reader.read(r.RegionSize) except Exception: continue if not buf: continue end = (len(buf) // 4) * 4 hits_here = 0 for off in range(0, end, 4): if struct.unpack_from("8} hits_per_region={hph:>5} count={c:>5} density={density:.3f}/256B") print(f"\nFirst 10 hit addresses + 0x40 bytes after the vtable:") for addr, data in hit_addrs[:10]: print(f" 0x{addr:08x}: ", end="") for i in range(0, min(0x40, len(data)), 4): print(f"{struct.unpack_from('