
Dumping Application Memory

Open · Creastoff opened this issue 3 years ago • 1 comment

Hi again Ulf,

I can see that it is possible to dump memory ranges, so I am trying to find out how to get the base address and size of the application. Size of the application is so that I can calculate the offset address.

I was using VMMDLL_ProcessGetInformation and can see there is wSize property of the response, but that doesn't seem to reflect the proper size of an application I am dumping, i.e. explorer.exe. Task Manager reporting ~22MB, PCILeech reporting 448.

I am also having trouble finding the base address of applications, are you able to assist with this?

Thanks, Chris

Creastoff avatar Nov 06 '22 22:11 Creastoff

If wishing to dump process memory there are two good options:

  1. copy the minidump file from the virtual file system. (there are APIs for this too). The minidump file should contain pretty much all process information.
  2. look into VAD memory ranges and dump each one of those. VMMDLL_Map_GetVad(...)

Task manager reports process private memory (active private working set). MemProcFS will also dump module (exe and dll) memory which is shared - so this will be larger than what task manager reports.

The wSize property is just the size of the C struct so it's totally uninteresting in your case.

Hope this explains it a bit. Please let me know how it goes.

ufrisk avatar Nov 06 '22 23:11 ufrisk
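Putting the second option from the answer above into code, as an added example that is not part of this thread and not MemProcFS's or PCILeech's own code: walk a process's VAD ranges, page-align them, total private versus shared bytes (which is why the figure is larger than Task Manager's private working set), dump each range in chunks, and map a virtual address back to an offset in the concatenated dump. The range logic runs offline on a constructed VAD list; the memprocfs Python calls in `dump_process_vads` (`Vmm`, `process`, `maps.vad`, `memory.read`, `module(...).base`) and the VAD dict keys `start`, `end` (inclusive last byte) and `private` are assumptions about the API surface, not verified here.

```python
"""Added example (not from the issue thread or the MemProcFS project):
dump a process by walking its VAD ranges, as suggested in the answer above.
The memprocfs calls and the VAD dict field names are assumptions."""

PAGE = 0x1000

def plan_dump(vads):
    """Turn VAD entries into page-aligned (start, size) dump jobs and total
    private vs. shared bytes. 'end' is treated as the last valid byte of the
    range (assumption about MemProcFS's VAD map); 'private' marks private
    (non-image, non-shared) memory, which is roughly what Task Manager
    counts, while shared module memory is dumped too."""
    jobs, private, shared = [], 0, 0
    for v in vads:
        start = v['start'] & ~(PAGE - 1)
        end = (v['end'] + PAGE) & ~(PAGE - 1)      # round up past the last byte
        size = end - start
        if size <= 0:
            continue
        jobs.append((start, size))
        if v.get('private'):
            private += size
        else:
            shared += size
    return jobs, private, shared

def dump_ranges(read, jobs, chunk=0x100000):
    """Read every job through read(va, size) -> bytes in 'chunk'-sized pieces.
    A chunk that fails or comes back short (paged-out or reserved pages) is
    zero-filled so every byte of the dump keeps its original offset."""
    out = {}
    for start, size in jobs:
        buf = bytearray()
        for off in range(0, size, chunk):
            n = min(chunk, size - off)
            try:
                data = read(start + off, n) or b''
            except Exception:                     # unreadable region: keep going
                data = b''
            buf += data[:n] + b'\x00' * (n - min(len(data), n))
        out[start] = bytes(buf)
    return out

def va_to_offset(jobs, va):
    """Offset of a virtual address inside the concatenated dump (the
    'offset address' calculation the question asks about), or None."""
    pos = 0
    for start, size in jobs:
        if start <= va < start + size:
            return pos + (va - start)
        pos += size
    return None

# Constructed sample VAD map (addresses and tags invented for the example).
SAMPLE_VADS = [
    {'start': 0x7FF600000000, 'end': 0x7FF6000FFFFF, 'private': False, 'tag': 'image'},
    {'start': 0x1A0000, 'end': 0x1A4FFF, 'private': True, 'tag': 'heap'},
    {'start': 0x7FFE0000, 'end': 0x7FFE0FFF, 'private': False, 'tag': 'shared'},
]

def fake_read(va, n):
    """Stand-in for memory.read(): the 'heap' range answers with a byte
    pattern derived from the page number, everything else is unreadable."""
    if 0x1A0000 <= va < 0x1A5000:
        return bytes([(va >> 12) & 0xFF]) * n
    raise OSError('page not present')

def dump_process_vads(process_name):
    """Live path against a real target (assumed memprocfs API names)."""
    import memprocfs                               # pip install memprocfs
    vmm = memprocfs.Vmm(['-device', 'fpga'])       # assumption: CLI-style args
    proc = vmm.process(process_name)
    print('image base:', hex(proc.module(process_name).base))   # assumed attr
    jobs, private, shared = plan_dump(proc.maps.vad())
    print(f'{process_name}: private={private:#x} shared={shared:#x}')
    return dump_ranges(proc.memory.read, jobs)

if __name__ == '__main__':
    jobs, private, shared = plan_dump(SAMPLE_VADS)
    print(f'jobs={len(jobs)} private={private:#x} shared={shared:#x}')
    dump = dump_ranges(fake_read, jobs, chunk=PAGE)
    print('heap dump head:', dump[0x1A0000][:4].hex())
    print('offset of 0x1A0010:', hex(va_to_offset(jobs, 0x1A0010)))
```

Running the block offline exercises the planning, dumping and offset logic on the constructed map; swapping `fake_read` for `proc.memory.read` is the only change the live path makes, which is why the reader callback is injected rather than hard-wired.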

I'm closing this issue due to old age. Also, I hope I've already answered your question in the post above. If not, please let me know.

ufrisk avatar Dec 04 '22 18:12 ufrisk

I will come back to this in the future, research direction has changed due to other hurdles.

Creastoff avatar Dec 04 '22 22:12 Creastoff