(Yet another) Memory dumper [OpenRCE import]
I wrote a simple process memory dumper recently. Actually, it started as an in-memory string replacer, but I’m only posting the dumper part for now – the rest is in a terrible mess. 😉
The dumper saves all process memory to a single file. It uses NTFS sparse files, so any non-committed memory range does not use physical disk space (sparse zeros). It also checks the process handle's ACL for access entries that limit VM operations, and it can print a nice memory map. Nothing fancy, but just what I needed for some work.
It’s officially 32-bit only (DWORDs for addresses etc.), but it seems to somewhat work with 64-bit processes. I’ll do a proper 64-bit version later (maybe ;)).
Sample output:
c:\code\MemoryDump\Release>MemoryDump.exe explorer.exe v
Searching for target process...
Failed to open process 0x0: 0x57
Failed to open process 0x4: 0x5
[...]
Checking target process' ACL for problematic entries...
Opened \Device\HarddiskVolume3\Windows\explorer.exe as PID 0xb30
Target process suspended, 31 threads
Proceeding with memory dump
Address   Size     Type     State    Protect
10000:    10000    MAPPED   COMMIT   READ&WRITE
20000:    2000     MAPPED   COMMIT   READONLY
22000:    e000     0        FREE     NOACCESS
30000:    4000     MAPPED   COMMIT   READONLY
34000:    c000     0        FREE     NOACCESS
40000:    2000     MAPPED   COMMIT   READONLY
42000:    e000     0        FREE     NOACCESS
50000:    1000     PRIVATE  COMMIT   READ&WRITE
51000:    f000     0        FREE     NOACCESS
60000:    10000    PRIVATE  COMMIT   READ&WRITE
70000:    7000     MAPPED   COMMIT   READONLY
77000:    9000     0        FREE     NOACCESS
[...]
77610000: 3000     IMAGE    COMMIT   READONLY
77613000: 79cd000  0        FREE     NOACCESS
7efe0000: 5000     MAPPED   COMMIT   READONLY
7efe5000: fb000    MAPPED   RESERVE  0
7f0e0000: f00000   PRIVATE  RESERVE  0
7ffe0000: 1000     PRIVATE  COMMIT   READONLY
7ffe1000: f000     PRIVATE  RESERVE  0
Process resumed. Memory dumped to 2864.mem

Tags: code, reverse engineering, utility
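The dump layout described above (one flat file, committed regions written at file offset equal to their address, everything else left as sparse zeros) and the map printout, as an added Python example; this is not the author's C tool, and it works on a constructed region list standing in for what VirtualQueryEx/ReadProcessMemory would return. On NTFS the output file must additionally be marked sparse with FSCTL_SET_SPARSE before writing; on ext4/xfs a seek past EOF creates the hole by itself.

```python
import os
from dataclasses import dataclass

# MEMORY_BASIC_INFORMATION values from winnt.h (what VirtualQueryEx reports).
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x01, 0x02, 0x04

@dataclass
class Region:
    """The MEMORY_BASIC_INFORMATION fields the dumper needs, plus the bytes
    ReadProcessMemory returned for a committed region (empty otherwise)."""
    base: int
    size: int
    state: int
    protect: int
    mem_type: int
    data: bytes = b""

# Constructed sample map in the shape of the post's output (not a real process).
SAMPLE_REGIONS = [
    Region(0x10000, 0x2000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE, b"A" * 0x2000),
    Region(0x12000, 0xe000, MEM_FREE, PAGE_NOACCESS, 0),
    Region(0x20000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE, b"B" * 0x1000),
    Region(0x21000, 0xf000, MEM_RESERVE, 0, MEM_PRIVATE),
]

def format_map(regions):
    """Render the map in the post's column format (hex without 0x)."""
    types = {MEM_PRIVATE: "PRIVATE", MEM_MAPPED: "MAPPED", MEM_IMAGE: "IMAGE", 0: "0"}
    states = {MEM_COMMIT: "COMMIT", MEM_RESERVE: "RESERVE", MEM_FREE: "FREE"}
    prots = {PAGE_NOACCESS: "NOACCESS", PAGE_READONLY: "READONLY",
             PAGE_READWRITE: "READ&WRITE", 0: "0"}
    return [f"{r.base:x}: {r.size:x} {types[r.mem_type]} {states[r.state]} {prots[r.protect]}"
            for r in regions]

def write_sparse_dump(regions, path):
    """Write each committed region at file offset == its base address and leave
    FREE/RESERVE ranges as holes. Returns (logical size, bytes allocated on disk)."""
    with open(path, "wb") as f:
        for r in regions:
            if r.state == MEM_COMMIT:
                f.seek(r.base)  # seeking past EOF creates a hole, not zero bytes on disk
                f.write(r.data)
        f.truncate(max(r.base + r.size for r in regions))  # extend to the top of the map
    st = os.stat(path)
    return st.st_size, getattr(st, "st_blocks", 0) * 512  # st_blocks is POSIX-only

def read_dump(path, address, length):
    """Read from the dump by address; bytes inside a hole come back as zeros."""
    with open(path, "rb") as f:
        f.seek(address)
        return f.read(length)
```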