Nov 26th, 2012, 07:23 PM
#1
Thread Starter
Frenzied Member
How do I do a memory dump with API calls?
I want to use MemoryCopy to copy any specified memory range (such as from memory location &h10000 to &h20000) into a byte array and then save the retrieved data to a file. Unfortunately this is a VERY HIT AND MISS technique. More than half the time, copying from any random place in memory crashes the program. I could think it might if it wrote TO THE WRONG LOCATION but it is always writing to a byte array of the correct size. I don't see how READING FROM any random location causes crashes, but it does.
I found I need to allocate and LOCK the memory with GlobalAlloc and GlobalLock. Unfortunately with GlobalAlloc I can specify the NUMBER OF BYTES to lock, but not the offset. What I need is to specify an EXACT OFFSET and byte count, or else an EXACT START AND END to the range of bytes. Then I can specify any range of bytes I want, and dump them to a file. I know police forensics software can do this (like for checking the RAM in a computer if the bad-guy left his comp running, to see if the bad-guy has any in-memory incriminating evidence on his computer). And I figured they just used standard Windows API calls.
If you can tell me exactly what API calls I can use to dump the memory of any general range of bytes in RAM, please let me know.
Thanks in advance.
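An added example, not part of the original post: a VB6 sketch that dumps a range of the calling process's own virtual address space by asking VirtualQuery which pages are committed and readable before copying them, which is the check whose absence makes a blind copy fault. Assumptions: 32-bit VB6, addresses below &H80000000 (VB6 Long is signed), CopyMemory declared as the usual alias of RtlMoveMemory in place of the post's MemoryCopy, and the hypothetical name DumpOwnRange; it reads virtual memory of this process only, not physical RAM.

```vb
Option Explicit

Private Type MEMORY_BASIC_INFORMATION
    BaseAddress As Long
    AllocationBase As Long
    AllocationProtect As Long
    RegionSize As Long
    State As Long
    Protect As Long
    lType As Long
End Type

Private Declare Function VirtualQuery Lib "kernel32" (ByVal lpAddress As Long, _
    lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
    (Destination As Any, ByVal Source As Long, ByVal Length As Long)

Private Const MEM_COMMIT As Long = &H1000
Private Const PAGE_GUARD As Long = &H100
' PAGE_READONLY, READWRITE, WRITECOPY and the three readable EXECUTE_* variants
Private Const PAGE_READABLE As Long = &HEE

' Hypothetical helper: copies the readable parts of [startAddr, startAddr + byteCount)
' into a file. Pages that cannot be read stay zero-filled so file offsets still
' match addresses. Returns the number of bytes actually copied.
Public Function DumpOwnRange(ByVal startAddr As Long, ByVal byteCount As Long, _
                             ByVal path As String) As Long
    Dim mbi As MEMORY_BASIC_INFORMATION
    Dim buf() As Byte, addr As Long, endAddr As Long, chunk As Long, f As Integer
    If byteCount <= 0 Then Exit Function
    ReDim buf(0 To byteCount - 1)
    addr = startAddr: endAddr = startAddr + byteCount
    Do While addr < endAddr
        ' Describes the region of same-state, same-protection pages containing addr
        If VirtualQuery(addr, mbi, Len(mbi)) = 0 Then Exit Do
        chunk = mbi.BaseAddress + mbi.RegionSize - addr   ' bytes left in this region
        If chunk > endAddr - addr Then chunk = endAddr - addr
        If mbi.State = MEM_COMMIT And (mbi.Protect And PAGE_READABLE) <> 0 _
           And (mbi.Protect And PAGE_GUARD) = 0 Then
            CopyMemory buf(addr - startAddr), addr, chunk
            DumpOwnRange = DumpOwnRange + chunk
        End If
        addr = addr + chunk                               ' skip to the next region
    Loop
    f = FreeFile
    Open path For Binary Access Write As #f
    Put #f, , buf
    Close #f
End Function
```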