How do I do a memory dump with API calls?
I want to use MemoryCopy to copy any specified memory range (such as from memory location &h10000 to &h20000) into a byte array and then save the retrieved data to a file. Unfortunately this is a VERY HIT AND MISS technique. More than half the time, copying from any random place in memory crashes the program. I could understand it if it wrote TO THE WRONG LOCATION, but it is always writing to a byte array of the correct size. I don't see how READING FROM any random location causes crashes, but it does.
I found I need to allocate and lock the memory with GlobalAlloc and GlobalLock. Unfortunately with GlobalAlloc I can specify the NUMBER OF BYTES to lock, but not the offset. What I need is to specify an EXACT OFFSET and byte count, or else an EXACT START AND END to the range of bytes. Then I can specify any range of bytes I want and dump them to a file. I know police forensics software can do this (like for checking the RAM in a computer if the bad guy left his computer running, to see if the bad guy has any in-memory incriminating evidence on his computer). And I figured they just used standard Windows API calls.
If you can tell me exactly what API calls I can use to dump the memory of any general range of bytes in RAM, please let me know.
Thanks in advance.
Re: How do I do a memory dump with API calls?
Quote:
but it is always writing to a byte array
And where does a byte array live? :rolleyes:
The chances are extremely strong that you are reading memory to which the program is writing or writing to the same memory that you are reading or any other combination of conflicts you'd care to think of.
Re: How do I do a memory dump with API calls?
Quote:
Originally Posted by
Ben321
If you can tell me exactly what API calls I can use to dump the memory of any general range of bytes in RAM, please let me know.
Thanks in advance.
You cannot do this because Windows uses a virtual memory model. Only the kernel has the privilege to read the actual RAM. I don't know of any way to run VB6/VB.Net programs (assuming that's what you're gonna program in) as a kernel app.
Re: How do I do a memory dump with API calls?
Quote:
Originally Posted by
Peter Swinkels
That shows you how to read another process's memory. What he seems to be asking is how to read the contents of the RAM at any given moment which cannot be done because there is no way to get around the abstraction of virtual memory in user space.
Re: How do I do a memory dump with API calls?
Quote:
Originally Posted by
Niya
That shows you how to read another process's memory. What he seems to be asking is how to read the contents of the RAM at any given moment which cannot be done because there is no way to get around the abstraction of virtual memory in user space.
It used to be possible with Peek and Poke in classic BASIC for DOS. I'm surprised you can't still do that. Maybe you could have it run some kind of assembly language with a Thunder ASM plugin and read the RAM at a low level?
Also the hex editor HxD has a memory editor. It can view the memory of a particular program, but this memory block is so huge it encompasses multiple regions, even into what is obviously memory from another program (just by doing a string search in the hex editor you can see stuff outside of what you are supposedly viewing).
Also I'm aware police investigators have the ability to read all the memory off your RAM chips (a full dump) in order to look for evidence. What kind of setup do they use to read all the data from RAM chips?
Re: How do I do a memory dump with API calls?
The Reading and Writing Memory MSDN article might help you get started.
Quote:
The Windows debuggers can read and write directly into memory. This memory can be referenced by addresses or by the names of variables.
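As an added example (not code from the thread or from any of its posters), the following PowerShell script shows what the user-mode API route actually looks like: VirtualQueryEx walks the target's address space one region at a time and reports which ranges are committed and readable, and ReadProcessMemory copies only those. Free, reserved, PAGE_NOACCESS and guard-page ranges are precisely the addresses that fault a blind CopyMemory; ReadProcessMemory returns failure (ERROR_PARTIAL_COPY) for them instead of crashing the caller. The script assumes a target PID and output path supplied by the caller, a PowerShell process of the same bitness as the target, and the right to open the target (SeDebugPrivilege, or a process you own). The helper names `Mem` and `Export-ProcessMemory` are this example's own, not Windows API names.

```powershell
# Added example (not from the thread): walk a process's address space with
# VirtualQueryEx and copy every committed, readable region with ReadProcessMemory.
# Assumptions: PowerShell bitness matches the target; the caller may open the target
# (SeDebugPrivilege or ownership); $ProcessId and $OutFile are supplied by the caller.

$win32 = @'
using System;
using System.Runtime.InteropServices;

public static class Mem
{
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $win32

function Export-ProcessMemory {
    param(
        [Parameter(Mandatory)][uint32]$ProcessId,
        [Parameter(Mandatory)][string]$OutFile   # raw bytes; "$OutFile.map" records where each region landed
    )
    $PROCESS_QUERY_INFORMATION = 0x0400
    $PROCESS_VM_READ           = 0x0010
    $MEM_COMMIT                = 0x1000
    $PAGE_NOACCESS             = 0x01
    $PAGE_GUARD                = 0x100

    $h = [Mem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    $mbiSize = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type][Mem+MEMORY_BASIC_INFORMATION])
    $map     = New-Object System.Collections.Generic.List[string]
    $map.Add('BaseAddress,RegionSize,Protect,BytesRead,FileOffset')
    $out     = [IO.File]::Create($OutFile)
    $addr    = [IntPtr]::Zero
    $total   = 0L
    try {
        while ($true) {
            $mbi = New-Object -TypeName 'Mem+MEMORY_BASIC_INFORMATION'
            # Returns zero once $addr is past the end of the user-mode address space.
            if ([Mem]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiSize) -eq [IntPtr]::Zero) { break }

            $size = $mbi.RegionSize.ToInt64()
            $prot = $mbi.Protect -band 0xFF          # strip PAGE_GUARD / PAGE_NOCACHE modifier bits
            # Only committed pages are backed by memory; free/reserved ranges, PAGE_NOACCESS
            # pages and guard pages are exactly the ones that fault a naive CopyMemory.
            $readable = ($mbi.State -eq $MEM_COMMIT) -and ($prot -ne $PAGE_NOACCESS) -and
                        (($mbi.Protect -band $PAGE_GUARD) -eq 0)
            if ($readable) {
                $buf  = New-Object byte[] $size
                $read = [IntPtr]::Zero
                # ReadProcessMemory fails (ERROR_PARTIAL_COPY) instead of crashing when a page is
                # unreadable, so a region that changes under us just ends up short in the dump.
                [void][Mem]::ReadProcessMemory($h, $mbi.BaseAddress, $buf, $mbi.RegionSize, [ref]$read)
                $n = $read.ToInt64()
                if ($n -gt 0) {
                    $map.Add(('0x{0:X},0x{1:X},0x{2:X},{3},{4}' -f $mbi.BaseAddress.ToInt64(), $size, $mbi.Protect, $n, $out.Position))
                    $out.Write($buf, 0, [int]$n)
                    $total += $n
                }
            }
            $next = $mbi.BaseAddress.ToInt64() + $size
            if ($next -le $addr.ToInt64()) { break }   # guard against wrap-around at the top of the space
            $addr = [IntPtr]$next
        }
    }
    finally {
        $out.Dispose()
        [void][Mem]::CloseHandle($h)
    }
    [IO.File]::WriteAllLines("$OutFile.map", $map)
    [pscustomobject]@{ ProcessId = $ProcessId; Regions = $map.Count - 1; Bytes = $total; File = $OutFile }
}

# Usage: Export-ProcessMemory -ProcessId (Get-Process notepad).Id -OutFile C:\temp\notepad.bin
```

The `.map` sidecar is what makes the raw file useful afterwards: every line records the virtual address, size and protection of a region and the file offset where its bytes begin, so a string hit in the dump can be traced back to an address and a protection class (writable heap versus an image section, for instance). Two caveats: the handle only grants access to the target's own virtual address space, so this is a per-process dump and not the physical-RAM acquisition the thread asks about; and a 32-bit PowerShell walking a 64-bit target cannot represent addresses above 4 GB, so run a PowerShell of the target's bitness.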