(Yet another) Memory dumper


OpenRCE_omega_red
November 16th, 2010, 08:17
I wrote a simple process memory dumper recently. Actually, it started as an in-memory string replacer, but I'm only posting the dumper part for now - the rest is in a terrible mess.

The dumper saves all process memory to a single file. It uses NTFS sparse files though, so any non-committed memory range does not use physical disk space (sparse zeros). It also checks the process handle for access entries limiting VM operations and can print a nice memory map. Nothing fancy, but just what I needed for some work.

It's officially 32-bit only (DWORDs for addresses etc), but seems to somewhat work with 64-bit processes. I'll do a proper 64-bit version later (maybe).

Sample output:
Code:
c:\code\MemoryDump\Release>MemoryDump.exe explorer.exe v
Searching for target process...
Failed to open process 0x0: 0x57
Failed to open process 0x4: 0x5
[...]
Checking target process' ACL for problematic entries...
Opened \Device\HarddiskVolume3\Windows\explorer.exe as PID 0xb30
Target process suspended, 31 threads
Proceeding with memory dump

Address Size Type State Protect
10000: 10000 MAPPED COMMIT READ&WRITE
20000: 2000 MAPPED COMMIT READONLY
22000: e000 0 FREE NOACCESS
30000: 4000 MAPPED COMMIT READONLY
34000: c000 0 FREE NOACCESS
40000: 2000 MAPPED COMMIT READONLY
42000: e000 0 FREE NOACCESS
50000: 1000 PRIVATE COMMIT READ&WRITE
51000: f000 0 FREE NOACCESS
60000: 10000 PRIVATE COMMIT READ&WRITE
70000: 7000 MAPPED COMMIT READONLY
77000: 9000 0 FREE NOACCESS
[...]
77610000: 3000 IMAGE COMMIT READONLY
77613000: 79cd000 0 FREE NOACCESS
7efe0000: 5000 MAPPED COMMIT READONLY
7efe5000: fb000 MAPPED RESERVE 0
7f0e0000: f00000 PRIVATE RESERVE 0
7ffe0000: 1000 PRIVATE COMMIT READONLY
7ffe1000: f000 PRIVATE RESERVE 0

Process resumed. Memory dumped to 2864.mem



Source & binary: http://omeg.pl/code/MemoryDump.zip
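As an added example (not the author's code and not part of the MemoryDump tool), this Python script parses the memory map the dumper prints, checks that the regions are contiguous (a gap would mean an address range was skipped during the dump), and works out what the sparse dump file costs: its logical span versus the committed bytes that actually occupy disk. The sample lines are constructed from the output above; the regex for the line format is an assumption based on that output.

```python
import re
from collections import Counter
from typing import NamedTuple

# Memory-map lines in the dumper's output format, constructed from the post's sample above.
SAMPLE_MAP = """\
Address Size Type State Protect
10000: 10000 MAPPED COMMIT READ&WRITE
20000: 2000 MAPPED COMMIT READONLY
22000: e000 0 FREE NOACCESS
30000: 4000 MAPPED COMMIT READONLY
34000: c000 0 FREE NOACCESS
"""

# Address and Size are hex without a 0x prefix; Type is printed as '0' for free ranges.
LINE_RE = re.compile(r"^([0-9a-f]+):\s+([0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)

Region = NamedTuple("Region", [("base", int), ("size", int), ("type", str),
                               ("state", str), ("protect", str)])

def parse_map(text: str) -> list[Region]:
    """Parse map lines; the header, blank lines and other non-map text are skipped."""
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            base, size, typ, state, prot = m.groups()
            regions.append(Region(int(base, 16), int(size, 16), typ, state, prot))
    return regions

def find_gaps(regions: list[Region]) -> list[tuple[int, int]]:
    """(expected_base, actual_base) for every place where the map is not contiguous."""
    return [(p.base + p.size, c.base)
            for p, c in zip(regions, regions[1:]) if c.base != p.base + p.size]

def summarize(regions: list[Region]) -> dict:
    """Bytes per state, plus what the sparse dump file costs: span vs. committed bytes."""
    by_state = Counter()
    for r in regions:
        by_state[r.state] += r.size
    last = regions[-1] if regions else None
    return {
        "by_state": dict(by_state),
        "logical_size": last.base + last.size if last else 0,  # file length if offset == VA
        "physical_bytes": by_state["COMMIT"],                  # only COMMIT ranges hit disk
    }
```

For the sample above the map is contiguous, spans 0x40000 bytes of file, and only 0x16000 of those are committed (and therefore allocated on disk).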


https://www.openrce.org/blog/view/1626/(Yet_another)_Memory_dumper