How to create binary/hex dump of another process's memory?

I am having trouble finding a reasonable way to dump another process's memory to a file.

After extensive searching, I've been able to find a nice article at CodeProject that has *most* of the functionality I want: Performing a hex dump of another process's memory. This does a good job of addressing permission issues and sets a good foundation.

However, with this utility I've seen that even a small process, such as a clean Notepad.exe or Calc.exe instance, can generate a dump file over 24MB in size, while the process itself runs under 20KB in memory according to Task Manager.

The article has led me to believe that perhaps it is also dumping things in shared memory, possibly DLL space and the like. For example, a dump of Calc.exe will include sections that include method names (and presumably memory) from Kernel32.dll:

²³´µKERNEL32.dll ActivateActCtx AddAtomA AddAtomW AddConsoleAliasA AddConsoleAliasW AddLocalAlternateComputerNameA AddLocalAlternateComputerNameW AddRefActCtx AddVectoredExceptionHandler AllocConsole AllocateUserPhysicalPages AreFileApisANSI AssignProcessToJobObject AttachConsole BackupRead BackupSeek BackupWrite BaseCheckAppcompatCache BaseCleanupAppcompatCache

Is there a better way to dump the memory of another process that doesn't lead to this overhead, or perhaps an improvement upon the linked article's code that solves this problem? I want to get the memory that actually belongs to the process itself. I'd be okay with dumping the memory space of functions that are actually used in DLLs, but it seems unnecessary to dump the *entire* contents of multiple DLLs to get the running memory of the process.

I'm looking for a way to get the 30-60KB of a 30KB process, rather than 25MB for a 30KB process. Or at least closer than I can get currently.

Thanks in advance for your suggestions and guidance, it is appreciated.

Note: This is for a console utility, so GUI elements like the ones in the CodeProject article are unimportant.

KevenK asked Oct 15 '22 14:10


2 Answers

You're basically asking for a user process minidump. The Windows Debug Helper library has a ready made function for this, MiniDumpWriteDump.

There is coarse control over the amount of detail contained in the mini dump from the MINIDUMP_TYPE parameter passed in to the function. The most basic, MiniDumpNormal, will only capture the call stack of each thread in the process. The amount of memory gets progressively more detailed with the other mini dump types.

You can also fine-tune the amount of information written into the mini dump by providing a callback to the MiniDumpWriteDump function and, in the callback, setting the flags on the MINIDUMP_CALLBACK_OUTPUT structure.

The resulting mini dumps can be read with a debugger like WinDbg or Visual Studio, or they can be processed by the various functions in the dbghelp.dll library.

Remus Rusanu answered Oct 20 '22 20:10
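As an added example (not code from this answer, nor from the CodeProject article), here is a small C console tool that applies what the answer describes: it asks MiniDumpWriteDump for the target's private read/write pages plus data segments instead of MiniDumpWithFullMemory (which also copies every mapped DLL image, the kind of content the question saw from KERNEL32.dll), and a callback edits ModuleWriteFlags on MINIDUMP_CALLBACK_OUTPUT so DLL data segments, and module records that no dumped memory points into, are left out. The command-line interface, the SeDebugPrivilege enabling, the "the target's own .exe keeps everything" policy, and the constants copied under `#else` so the flag policy can be built and tested off Windows are all my own choices, not part of the DbgHelp API.

```c
/* dumpproc.c: trimmed minidump of another process via MiniDumpWriteDump.
 * Build (MinGW):  gcc dumpproc.c -o dumpproc.exe -ldbghelp
 * Build (MSVC):   cl dumpproc.c dbghelp.lib advapi32.lib
 * Usage:          dumpproc.exe <pid> <out.dmp>
 * Off Windows only the flag policy (trim_module_flags) is compiled. */
#define _WIN32_WINNT 0x0600              /* QueryFullProcessImageNameW is Vista+ */
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#include <dbghelp.h>
#include <wchar.h>
#else
/* Values copied from dbghelp.h's MODULE_WRITE_FLAGS so the policy builds anywhere. */
enum { ModuleWriteModule = 0x0001, ModuleWriteDataSeg = 0x0002, ModuleReferencedByMemory = 0x0010 };
#endif

/* Policy for every ModuleCallback. The target's own .exe keeps whatever the
 * dumper proposed; for a DLL, drop the copy of its data segment, and if no
 * memory already in the dump points into it, drop its module record too. */
unsigned long trim_module_flags(unsigned long flags, int is_main_exe)
{
    if (is_main_exe)
        return flags;
    flags &= ~(unsigned long)ModuleWriteDataSeg;
    if (!(flags & ModuleReferencedByMemory))
        flags &= ~(unsigned long)ModuleWriteModule;
    return flags;
}

#ifdef _WIN32
static BOOL CALLBACK dump_callback(PVOID param, const PMINIDUMP_CALLBACK_INPUT in,
                                   PMINIDUMP_CALLBACK_OUTPUT out)
{
    const WCHAR *exe = (const WCHAR *)param;   /* full path of the target's .exe */
    switch (in->CallbackType) {
    case ModuleCallback:
        out->ModuleWriteFlags = trim_module_flags(out->ModuleWriteFlags,
            in->Module.FullPath != NULL && _wcsicmp(in->Module.FullPath, exe) == 0);
        return TRUE;
    case MemoryCallback:                       /* no extra caller-supplied ranges */
    case CancelCallback:
        return FALSE;
    default:                                   /* keep every thread and module entry */
        return TRUE;
    }
}

/* Reading another user's process needs SeDebugPrivilege enabled on our token. */
static BOOL enable_debug_privilege(void)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp;
    DWORD err;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return FALSE;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValueW(NULL, L"SeDebugPrivilege", &tp.Privileges[0].Luid)) {
        CloseHandle(tok);
        return FALSE;
    }
    AdjustTokenPrivileges(tok, FALSE, &tp, sizeof tp, NULL, NULL);
    err = GetLastError();                      /* ERROR_NOT_ALL_ASSIGNED: not held */
    CloseHandle(tok);
    return err == ERROR_SUCCESS;
}

int main(int argc, char **argv)
{
    DWORD pid, len = MAX_PATH;
    HANDLE proc, file;
    WCHAR exe[MAX_PATH] = L"";
    MINIDUMP_CALLBACK_INFORMATION cb;
    /* Private read/write pages (heaps, stacks) plus data segments, rather than
     * MiniDumpWithFullMemory, which also copies every mapped DLL image. */
    MINIDUMP_TYPE type = (MINIDUMP_TYPE)(MiniDumpWithPrivateReadWriteMemory |
                                         MiniDumpWithDataSegs | MiniDumpWithThreadInfo);
    BOOL ok;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <pid> <out.dmp>\n", argv[0]);
        return 2;
    }
    pid = (DWORD)strtoul(argv[1], NULL, 10);
    if (!enable_debug_privilege())
        fprintf(stderr, "warning: SeDebugPrivilege not enabled; only own processes readable\n");
    proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (proc == NULL) {
        fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", pid, GetLastError());
        return 1;
    }
    QueryFullProcessImageNameW(proc, 0, exe, &len);   /* exe stays "" on failure */
    file = CreateFileA(argv[2], GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "CreateFile(%s) failed: %lu\n", argv[2], GetLastError());
        CloseHandle(proc);
        return 1;
    }
    cb.CallbackRoutine = dump_callback;
    cb.CallbackParam = exe;
    ok = MiniDumpWriteDump(proc, pid, file, type, NULL, NULL, &cb);
    if (!ok)
        fprintf(stderr, "MiniDumpWriteDump failed: 0x%08lx\n", GetLastError());
    CloseHandle(file);
    CloseHandle(proc);
    return ok ? 0 : 1;
}
#endif
```

The dumper sets ModuleReferencedByMemory on a module when memory it has already decided to write points into that module, so clearing ModuleWriteModule for the rest is what shrinks the module list; clearing ModuleWriteDataSeg is what keeps a DLL's .data out even though MiniDumpWithDataSegs is set. Adding MiniDumpWithHandleData would also require PROCESS_DUP_HANDLE in the OpenProcess call.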


Not really a "how to program it" answer, but I just found your question while looking for a tool that could do that, when I ran into PMDump:

http://ntsecurity.nu/toolbox/pmdump/

It's dead easy and simple to use, and creates correct dumps (I just tried it with some programs).

Milan Babuškov answered Oct 20 '22 19:10