
(Yet another) Memory dumper [OpenRCE import]

I wrote a simple process memory dumper recently. Actually, it started as an in-memory string replacer, but I'm only posting the dumper part for now – the rest is in a terrible mess. 😉

The dumper saves all process memory to a single file. It uses NTFS sparse files, though, so any non-committed memory range uses no physical disk space (it is a hole that reads back as zeros). It also checks the target process's ACL for access entries that limit VM operations, and it can print a nice memory map. Nothing fancy, but just what I needed for some work.

It's officially 32-bit only (DWORDs for addresses etc.), but it seems to somewhat work with 64-bit processes. I'll do a proper 64-bit version later (maybe ;)).

Sample output:

c:\code\MemoryDump\Release>MemoryDump.exe explorer.exe v
 Searching for target process...
 Failed to open process 0x0: 0x57
 Failed to open process 0x4: 0x5
 Checking target process' ACL for problematic entries...
 Opened \Device\HarddiskVolume3\Windows\explorer.exe as PID 0xb30
 Target process suspended, 31 threads
 Proceeding with memory dump

 Address   Size     Type    State   Protect
    10000:    10000 MAPPED  COMMIT  READ&WRITE
    20000:     2000 MAPPED  COMMIT  READONLY
    22000:     e000 0       FREE    NOACCESS
    30000:     4000 MAPPED  COMMIT  READONLY
    34000:     c000 0       FREE    NOACCESS
    40000:     2000 MAPPED  COMMIT  READONLY
    42000:     e000 0       FREE    NOACCESS
    50000:     1000 PRIVATE COMMIT  READ&WRITE
    51000:     f000 0       FREE    NOACCESS
    60000:    10000 PRIVATE COMMIT  READ&WRITE
    70000:     7000 MAPPED  COMMIT  READONLY
    77000:     9000 0       FREE    NOACCESS
 77610000:     3000 IMAGE   COMMIT  READONLY
 77613000:  79cd000 0       FREE    NOACCESS
 7efe0000:     5000 MAPPED  COMMIT  READONLY
 7efe5000:    fb000 MAPPED  RESERVE 0
 7f0e0000:   f00000 PRIVATE RESERVE 0
 7ffe0000:     1000 PRIVATE COMMIT  READONLY
 7ffe1000:     f000 PRIVATE RESERVE 0

 Process resumed. Memory dumped to 2864.mem
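The core of such a dumper is a VirtualQueryEx walk over the target's address space, a DeviceIoControl(FSCTL_SET_SPARSE) on the output file, and a SetFilePointerEx/WriteFile pair that places each readable committed region at the file offset equal to its virtual address, so reserved and free ranges become holes. The following is an added example and is not the MemoryDump source: it decodes the Type/State/Protect values into the same columns as the map above, contains a dry-run (plan_dump) that shows how little of the file NTFS actually allocates, and, on Windows only, a dump_process routine built on the documented Win32 calls. The region_t, dump_plan_t, plan_dump and dump_process names are this example's own; it uses uintptr_t rather than DWORDs, and unlike MemoryDump it does not suspend the target or inspect its ACL.

```c
/* Added example, not the MemoryDump source. Decodes VirtualQueryEx results
 * into the columns of the map above and writes a sparse dump where file
 * offset == virtual address. The Win32 part builds only on Windows. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winioctl.h>
#else /* constants from winnt.h so the decoding logic builds anywhere */
#define MEM_COMMIT 0x1000
#define MEM_RESERVE 0x2000
#define MEM_FREE 0x10000
#define MEM_PRIVATE 0x20000
#define MEM_MAPPED 0x40000
#define MEM_IMAGE 0x1000000
#define PAGE_NOACCESS 0x01
#define PAGE_READONLY 0x02
#define PAGE_READWRITE 0x04
#define PAGE_GUARD 0x100
#endif

typedef struct { uint64_t base, size; uint32_t type, state, protect; } region_t;

static const char *mem_type_name(uint32_t t) {
    return t == MEM_IMAGE ? "IMAGE" : t == MEM_MAPPED ? "MAPPED"
         : t == MEM_PRIVATE ? "PRIVATE" : "0";   /* free regions report Type 0 */
}
static const char *mem_state_name(uint32_t s) {
    return s == MEM_COMMIT ? "COMMIT" : s == MEM_RESERVE ? "RESERVE"
         : s == MEM_FREE ? "FREE" : "?";
}
/* PAGE_* protections are single bits 0x01..0x80; PAGE_GUARD/PAGE_NOCACHE are
 * modifier bits above them and are stripped. Reserved regions carry 0. */
static const char *mem_protect_name(uint32_t p) {
    static const char *names[] = { "NOACCESS", "READONLY", "READ&WRITE",
        "WRITECOPY", "EXECUTE", "EXECUTE&READ", "EXECUTE&READ&WRITE",
        "EXECUTE&WRITECOPY" };
    p &= 0xFF;
    if (!p) return "0";
    for (int i = 0; i < 8; i++) if (p == (1u << i)) return names[i];
    return "?";
}
/* Worth reading only if committed and ReadProcessMemory can touch it:
 * PAGE_NOACCESS and PAGE_GUARD pages fail the read and stay holes. */
static int region_dumpable(uint32_t state, uint32_t protect) {
    return state == MEM_COMMIT && (protect & 0xFF) != PAGE_NOACCESS
        && !(protect & PAGE_GUARD);
}
typedef struct { uint64_t bytes_written, file_size; } dump_plan_t;
/* Dry run of the sparse layout: bytes_written is what NTFS allocates,
 * file_size is the end of the last written region; holes cost nothing. */
static dump_plan_t plan_dump(const region_t *r, size_t n) {
    dump_plan_t p = {0, 0};
    for (size_t i = 0; i < n; i++) {
        if (!region_dumpable(r[i].state, r[i].protect)) continue;
        p.bytes_written += r[i].size;
        p.file_size = r[i].base + r[i].size;
    }
    return p;
}
static void print_region(const region_t *r) {  /* same columns as the map above */
    printf("%9llx: %8llx %-7s %-7s %s\n", (unsigned long long)r->base,
           (unsigned long long)r->size, mem_type_name(r->type),
           mem_state_name(r->state), mem_protect_name(r->protect));
}

#ifdef _WIN32
/* Walk the address space with VirtualQueryEx, mark the file sparse, and write
 * readable regions at their own address. The target is NOT suspended here. */
static int dump_process(DWORD pid, const char *path, int verbose) {
    HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!proc) { fprintf(stderr, "OpenProcess %lu: %lu\n", pid, GetLastError()); return 0; }
    HANDLE file = CreateFileA(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
                              FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE) { CloseHandle(proc); return 0; }
    DWORD n;
    if (!DeviceIoControl(file, FSCTL_SET_SPARSE, NULL, 0, NULL, 0, &n, NULL))
        fprintf(stderr, "FSCTL_SET_SPARSE failed: holes will use disk space\n");
    char *buf = NULL; SIZE_T bufsz = 0;
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t addr = 0;
    while (VirtualQueryEx(proc, (LPCVOID)addr, &mbi, sizeof mbi) == sizeof mbi) {
        region_t r = { (uintptr_t)mbi.BaseAddress, mbi.RegionSize,
                       mbi.Type, mbi.State, mbi.Protect };
        if (verbose) print_region(&r);
        if (region_dumpable(mbi.State, mbi.Protect)) {
            if (mbi.RegionSize > bufsz) {        /* grow buffer to largest region */
                free(buf); bufsz = mbi.RegionSize;
                if (!(buf = malloc(bufsz))) break;
            }
            SIZE_T got = 0;
            LARGE_INTEGER off; off.QuadPart = (LONGLONG)r.base;
            if (ReadProcessMemory(proc, mbi.BaseAddress, buf, mbi.RegionSize, &got) && got
                && (!SetFilePointerEx(file, off, NULL, FILE_BEGIN)
                    || !WriteFile(file, buf, (DWORD)got, &n, NULL))) break;
        }
        uintptr_t next = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr) break;               /* wrapped past top of user space */
        addr = next;
    }
    free(buf); CloseHandle(file); CloseHandle(proc);
    return 1;
}
#endif
```

On Windows, a call like dump_process(2864, "2864.mem", 1) prints the map and produces a file whose logical size is the end of the highest written region but whose allocated size is only the sum of the committed, readable regions (plan_dump reports both for a region list). Two caveats a practitioner should keep in mind: without suspending the target, a region can be freed or reprotected between the VirtualQueryEx and the ReadProcessMemory, which is why MemoryDump suspends all threads first; and PAGE_GUARD pages are skipped deliberately, since reading them through ReadProcessMemory fails rather than triggering the guard in the target.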

Get source & binary here

~ by omeg on November 16, 2010.
