-
Nov 26th, 2012, 07:23 PM
#1
Thread Starter
Frenzied Member
How do I do a memory dump with API calls?
I want to use MemoryCopy to copy any specified memory range (such as from memory location &h10000 to &h20000) into a byte array and then save the retrieved data to a file. Unfortunately this is a VERY HIT AND MISS technique. More than half the time, copying from any random place in memory crashes the program. I could think it might if it wrote TO THE WRONG LOCATION but it is always writing to a byte array of the correct size. I don't see how READING FROM any random location causes crashes, but it does.
I found I need to allocate and lock the memory with GlobalAlloc and GlobalLock. Unfortunately with GlobalAlloc I can specify the NUMBER OF BYTES to lock, but not the offset. What I need is to specify an EXACT OFFSET and byte count, or else an EXACT START AND END to the range of bytes. Then I can specify any range of bytes I want, and dump them to a file. I know police forensics software can do this (like for checking the RAM in a computer if the bad-guy left his comp running, to see if the bad-guy has any in-memory incriminating evidence on his computer). And I figured they just used standard Windows API calls.
If you can tell me exactly what API calls I can use to dump the memory of any general range of bytes in RAM, please let me know.
Thanks in advance.
-
Dec 2nd, 2012, 06:00 PM
#2
Re: How do I do a memory dump with API calls?
but it is always writing to a byte array
And where does a byte array live?
The chances are extremely strong that you are reading memory to which the program is writing or writing to the same memory that you are reading or any other combination of conflicts you'd care to think of.
As the 6-dimensional mathematics professor said to the brain surgeon, "It ain't Rocket Science!"
Reviews: "dunfiddlin likes his DataTables" - jmcilhinney
Please be aware that whilst I will read private messages (one day!) I am unlikely to reply to anything that does not contain offers of cash, fame or marriage!
-
Dec 6th, 2012, 04:02 AM
#3
Re: How do I do a memory dump with API calls?
Originally Posted by Ben321
If you can tell me exactly what API calls I can use to dump the memory of any general range of bytes in RAM, please let me know.
Thanks in advance.
You cannot do this because Windows uses a virtual memory model. Only the kernel has the privilege to read the actual RAM. I don't know of any way to run VB6/VB.Net programs (assuming that's what you're gonna program in) as a kernel app.
-
Dec 9th, 2012, 11:14 AM
#4
Re: How do I do a memory dump with API calls?
-
Dec 9th, 2012, 11:11 PM
#5
Re: How do I do a memory dump with API calls?
Originally Posted by Peter Swinkels
That shows you how to read another process's memory. What he seems to be asking is how to read the contents of the RAM at any given moment which cannot be done because there is no way to get around the abstraction of virtual memory in user space.
-
Jan 9th, 2013, 11:08 PM
#6
Thread Starter
Frenzied Member
Re: How do I do a memory dump with API calls?
Originally Posted by Niya
That shows you how to read another process's memory. What he seems to be asking is how to read the contents of the RAM at any given moment which cannot be done because there is no way to get around the abstraction of virtual memory in user space.
It used to be possible with Peek and Poke in classic BASIC for DOS. I'm surprised you can't still do that. Maybe you could have it run some kind of assembly language with a Thunder ASM plugin, and read the RAM at a low level?
Also the hex editor HxD has a memory editor. It can view the memory of a particular program, but this memory block is so huge it encompasses multiple regions, even into what's obviously memory from another program (just by doing a string search in the hex editor you can see stuff outside of what you are supposedly viewing).
Also I'm aware police investigators have the ability to read all the memory off your RAM chips (a full dump) in order to look for evidence. What kind of setup do they use to read all the data from RAM chips?
-
Jan 10th, 2013, 03:22 AM
#7
Re: How do I do a memory dump with API calls?
The Reading and Writing Memory MSDN article might help you get started.
The Windows debuggers can read and write directly into memory. This memory can be referenced by addresses or by the names of variables.
On Local Error Resume Next: If Not Empty Is Nothing Then Do While Null: ReDim i(True To False) As Currency: Loop: Else Debug.Assert CCur(CLng(CInt(CBool(False Imp True Xor False Eqv True)))): Stop: On Local Error GoTo 0
Declare Sub CrashVB Lib "msvbvm60" (Optional DontPassMe As Any)
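The crash the first post describes comes from CopyMemory touching pages that are reserved, free or guard pages in the process's own address space. The following VB6 module is an added example, not code from any post in this thread: it checks each page with VirtualQuery before copying, so unreadable pages are skipped (left zero-filled) instead of crashing the program. It assumes a 32-bit process whose addresses stay below &H80000000, and it reads the process's own virtual memory only, not physical RAM, which is the limit posts #3 and #5 describe.

```vb
Option Explicit
Private Type MEMORY_BASIC_INFORMATION
    BaseAddress As Long
    AllocationBase As Long
    AllocationProtect As Long
    RegionSize As Long
    State As Long
    Protect As Long
    lType As Long
End Type
Private Declare Function VirtualQuery Lib "kernel32" (ByVal lpAddress As Long, _
    lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
    (Destination As Any, ByVal Source As Long, ByVal Length As Long)
' True if the page holding addr is committed and readable; regionEnd gets the end of that region (0 on failure).
Private Function PageReadable(ByVal addr As Long, ByRef regionEnd As Long) As Boolean
    Dim mbi As MEMORY_BASIC_INFORMATION
    regionEnd = 0
    If VirtualQuery(addr, mbi, Len(mbi)) = 0 Then Exit Function
    ' Clamp so BaseAddress + RegionSize cannot overflow a signed Long (assumes addresses below &H80000000)
    If mbi.RegionSize > &H7FFFFFFF - mbi.BaseAddress Then regionEnd = &H7FFFFFFF Else regionEnd = mbi.BaseAddress + mbi.RegionSize
    If mbi.State <> &H1000 Then Exit Function          ' MEM_COMMIT
    If (mbi.Protect And &H101) <> 0 Then Exit Function ' PAGE_NOACCESS Or PAGE_GUARD
    PageReadable = True
End Function
' Copies [startAddr, endAddr) into a byte array and writes it to filePath.
' Unreadable pages stay zero-filled (file offset = address - startAddr); returns bytes actually copied.
Public Function DumpRange(ByVal startAddr As Long, ByVal endAddr As Long, ByVal filePath As String) As Long
    Dim buf() As Byte, cur As Long, regionEnd As Long, chunk As Long, f As Integer
    If startAddr < 0 Or endAddr <= startAddr Then Exit Function
    ReDim buf(0 To endAddr - startAddr - 1)
    cur = startAddr
    Do While cur < endAddr
        If PageReadable(cur, regionEnd) Then
            chunk = regionEnd - cur
            If chunk > endAddr - cur Then chunk = endAddr - cur
            CopyMemory buf(cur - startAddr), cur, chunk
            DumpRange = DumpRange + chunk
        ElseIf regionEnd > cur Then
            chunk = regionEnd - cur   ' skip the whole unreadable region
        Else
            chunk = 4096              ' VirtualQuery failed: step one page
        End If
        If chunk > endAddr - cur Then chunk = endAddr - cur
        cur = cur + chunk
    Loop
    f = FreeFile
    Open filePath For Binary Access Write As #f
    Put #f, , buf
    Close #f
End Function
```

Reading another process's address space needs ReadProcessMemory with a handle from OpenProcess, as in the MSDN article linked above, and the same per-page checks apply there.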