
Thread: How do I do a memory dump with API calls?

  1. #1

    Thread Starter
    Frenzied Member
    Join Date
    Oct 2008
    Posts
    1,181

    How do I do a memory dump with API calls?

    I want to use MemoryCopy to copy any specified memory range (such as from memory location &h10000 to &h20000) into a byte array and then save the retrieved data to a file. Unfortunately this is a VERY HIT AND MISS technique. More than half the time, copying from any random place in memory crashes the program. I could think it might if it wrote TO THE WRONG LOCATION but it is always writing to a byte array of the correct size. I don't see how READING FROM any random location causes crashes, but it does.

    I found I need to LOCK the allocate and lock the memory with GlobalAlloc and GlobalLock. Unfortunately with GlobalAlloc I can specify the NUMBER OF BYTES to lock, but not the offset. What I need is to specify an EXACT OFFSET and byte count, or else an EXACT START AND END to the range of bytes. Then I can specify any range of bytes I want, and dump them to a file. I know police forensics software can do this (like for checking the RAM in a computer if the bad-guy left his comp running, to see if the bad-guy has any in-memory incriminating evidence on his computer). And I figured they just used standard Windows API calls.

    If you can tell me exactly what API calls I can use to dump the memory of any general range of bytes in RAM, please let me know.

    Thanks in advance.
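As an added example (not code from anyone in this thread), here is the safe form of what the first post attempts, in VB6: ask VirtualQuery which pages of a range are committed and readable before CopyMemory touches them, and write only those pages to a file. It reads only the current process's own virtual address space; the helper name DumpReadableRange is mine and the 32-bit, below-2GB assumption is noted in the comments.

```vb
Option Explicit
Private Type MEMORY_BASIC_INFORMATION
    BaseAddress As Long
    AllocationBase As Long
    AllocationProtect As Long
    RegionSize As Long
    State As Long
    Protect As Long
    lType As Long
End Type

Private Declare Function VirtualQuery Lib "kernel32" (ByVal lpAddress As Long, _
    lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
    (Destination As Any, Source As Any, ByVal Length As Long)

Private Const MEM_COMMIT As Long = &H1000
Private Const PAGE_NOACCESS As Long = &H1
Private Const PAGE_GUARD As Long = &H100

' Writes every readable byte in [startAddr, endAddr) of the current process to the
' file at path and returns the byte count. Free, reserved, PAGE_NOACCESS and
' PAGE_GUARD pages are skipped (touching them is what crashes a blind CopyMemory).
' Assumes a 32-bit process and addresses below &H7FFFFFFF, since VB6 Longs are signed.
Public Function DumpReadableRange(ByVal startAddr As Long, ByVal endAddr As Long, _
                                  ByVal path As String) As Long
    Dim mbi As MEMORY_BASIC_INFORMATION, buf() As Byte
    Dim addr As Long, regionEnd As Long, chunk As Long, fh As Integer, written As Long
    fh = FreeFile
    Open path For Binary Access Write As #fh
    addr = startAddr
    Do While addr < endAddr
        ' VirtualQuery describes the region containing addr; 0 means no such region.
        If VirtualQuery(addr, mbi, Len(mbi)) = 0 Then Exit Do
        regionEnd = mbi.BaseAddress + mbi.RegionSize
        If regionEnd > endAddr Or regionEnd <= addr Then regionEnd = endAddr ' clip / overflow
        chunk = regionEnd - addr
        If mbi.State = MEM_COMMIT And (mbi.Protect And &HFF) <> PAGE_NOACCESS _
           And (mbi.Protect And PAGE_GUARD) = 0 Then
            ReDim buf(0 To chunk - 1)
            CopyMemory buf(0), ByVal addr, chunk    ' safe: page is committed and readable
            Put #fh, , buf
            written = written + chunk
        End If
        addr = regionEnd    ' advance past the whole region, readable or not
    Loop
    Close #fh
    DumpReadableRange = written
End Function
```

Passing VarPtr of a variable you own as startAddr shows the dump succeeding on a committed page, while a range chosen at random mostly yields skipped regions rather than a crash.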

  2. #2
    PowerPoster dunfiddlin's Avatar
    Join Date
    Jun 2012
    Posts
    8,245

    Re: How do I do a memory dump with API calls?

    Quote Originally Posted by Ben321 View Post
    but it is always writing to a byte array
    And where does a byte array live?

    The chances are extremely strong that you are reading memory to which the program is writing or writing to the same memory that you are reading or any other combination of conflicts you'd care to think of.
    As the 6-dimensional mathematics professor said to the brain surgeon, "It ain't Rocket Science!"

    Reviews: "dunfiddlin likes his DataTables" - jmcilhinney

    Please be aware that whilst I will read private messages (one day!) I am unlikely to reply to anything that does not contain offers of cash, fame or marriage!

  3. #3
    Angel of Code Niya's Avatar
    Join Date
    Nov 2011
    Posts
    8,598

    Re: How do I do a memory dump with API calls?

    Quote Originally Posted by Ben321 View Post
    If you can tell me exactly what API calls I can use to dump the memory of any general range of bytes in RAM, please let me know.

    Thanks in advance.
    You cannot do this because Windows uses a virtual memory model. Only the kernel has the privilege to read the actual RAM. I don't know of any way to run VB6/VB.Net programs (assuming that's what you're gonna program in) as a kernel app.
    Treeview with NodeAdded/NodesRemoved events | BlinkLabel control | Calculate Permutations | Object Enums | ComboBox with centered items | .Net Internals article(not mine) | Wizard Control | Understanding Multi-Threading | Simple file compression | Demon Arena

    Copy/move files using Windows Shell | I'm not wanted

    C++ programmers will dismiss you as a cretinous simpleton for your inability to keep track of pointers chained 6 levels deep and Java programmers will pillory you for buying into the evils of Microsoft. Meanwhile C# programmers will get paid just a little bit more than you for writing exactly the same code and VB6 programmers will continue to whitter on about "footprints". - FunkyDexter

    There's just no reason to use garbage like InputBox. - jmcilhinney

    The threads I start are Niya and Olaf free zones. No arguing about the benefits of VB6 over .NET here please. Happiness must reign. - yereverluvinuncleber

  4. #4
    Frenzied Member
    Join Date
    Feb 2003
    Posts
    1,807

    Re: How do I do a memory dump with API calls?


  5. #5
    Angel of Code Niya's Avatar
    Join Date
    Nov 2011
    Posts
    8,598

    Re: How do I do a memory dump with API calls?

    Quote Originally Posted by Peter Swinkels View Post
    That shows you how to read another process's memory. What he seems to be asking is how to read the contents of the RAM at any given moment which cannot be done because there is no way to get around the abstraction of virtual memory in user space.

  6. #6

    Thread Starter
    Frenzied Member
    Join Date
    Oct 2008
    Posts
    1,181

    Re: How do I do a memory dump with API calls?

    Quote Originally Posted by Niya View Post
    That shows you how to read another process's memory. What he seems to be asking is how to read the contents of the RAM at any given moment which cannot be done because there is no way to get around the abstraction of virtual memory in user space.
    It used to be possible with Peek and Poke in classic BASIC for DOS. I'm surprised you can't still do that. Maybe you could have it run some kind of assembly language with a Thunder ASM plugin, and low level read the ram?

    Also the hex editor HxD has a memory editor. It can view the memory of a particular program, but this memory block is so huge it encompasses multiple regions even into obviously what's memory from another program (just by doing a string search in the hex editor you can see stuff outside of what you are supposedly viewing).

    Also I'm aware police investigators have the ability to read all the memory off your ram chips (a full dump) in order to look for evidence. What kind of setup do they use to read all the data from RAM chips?

  7. #7
    Default Member Bonnie West's Avatar
    Join Date
    Jun 2012
    Location
    InIDE
    Posts
    4,060

    Re: How do I do a memory dump with API calls?

    The Reading and Writing Memory MSDN article might help you get started.

    The Windows debuggers can read and write directly into memory. This memory can be referenced by addresses or by the names of variables.
    On Local Error Resume Next: If Not Empty Is Nothing Then Do While Null: ReDim i(True To False) As Currency: Loop: Else Debug.Assert CCur(CLng(CInt(CBool(False Imp True Xor False Eqv True)))): Stop: On Local Error GoTo 0
    Declare Sub CrashVB Lib "msvbvm60" (Optional DontPassMe As Any)
