A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #28107  by xxxxnnxxxx
 Thu Mar 24, 2016 3:40 am
Windows will display a warning dialog where you can click "Close the application" or "Debug the application".
Start WinDbg and attach to the process, then dump the memory of the application with ".dump /ma c:\crash\example.dmp".
I can get another dump file by choosing "Debug the application" with WinDbg.

Loading the two dumps in WinDbg and running !analyze -v and dps esp l100,
they are different; I can't get any important information from the first dump.
Why? :shock: I can't understand it.

How do I dump the memory of a user-mode application? Attach to the process, or debug the application? :?:
:shock: Help~ thanks very much.
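The dumps the question compares are minidump (MDMP) files, the format that ".dump /ma" writes (/ma is equivalent to /mfFhut: full memory, full memory info, handle data, unloaded modules and thread info). Below is a small inspector for that format, added here as an example; it is not code from this thread or from WinDbg. It reads the MINIDUMP_HEADER flags and the stream directory and reports whether a file carries full memory and an exception record, which is what !analyze -v starts from when it reports a faulting context. The layout and constant names follow the public MINIDUMP_HEADER, MINIDUMP_DIRECTORY and MINIDUMP_EXCEPTION_STREAM definitions in minidumpapiset.h (only a subset is decoded); the two dumps it inspects are constructed in memory by a small builder and are not real crash dumps.

```python
"""Inspect the header and stream directory of a minidump (MDMP) file.
Added example; constants follow minidumpapiset.h, sample dumps are synthetic."""
import struct

MDMP_SIGNATURE = 0x504D444D      # 'MDMP' read as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793        # low 16 bits of MINIDUMP_HEADER.Version

# MINIDUMP_TYPE bits (subset). WithFullMemory decides whether the dump
# holds all committed memory or only stacks and a few data pages.
MINIDUMP_TYPE_FLAGS = {
    0x0001: "MiniDumpWithDataSegs", 0x0002: "MiniDumpWithFullMemory",
    0x0004: "MiniDumpWithHandleData", 0x0020: "MiniDumpWithUnloadedModules",
    0x0800: "MiniDumpWithFullMemoryInfo", 0x1000: "MiniDumpWithThreadInfo",
}
MINIDUMP_WITH_FULL_MEMORY = 0x0002
DUMP_MA_FLAGS = 0x0002 | 0x0800 | 0x0004 | 0x0020 | 0x1000   # what /ma (/mfFhut) sets

# MINIDUMP_STREAM_TYPE values (subset)
STREAM_NAMES = {3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
                6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream"}
EXCEPTION_STREAM = 6

HEADER_FMT = "<IIIIIIQ"   # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIR_FMT = "<III"          # StreamType, Location.DataSize, Location.Rva
EXC_HEAD_FMT = "<IIIIQQ"  # ThreadId, alignment, ExceptionCode, ExceptionFlags, ExceptionRecord, ExceptionAddress


def parse_minidump(data):
    """Return the dump's flags, its stream names and the recorded exception (if any)."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("file shorter than MINIDUMP_HEADER")
    sig, ver, nstreams, dir_rva, _cksum, _stamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE or (ver & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError("not a minidump: bad signature or version")
    dir_len = struct.calcsize(DIR_FMT)
    if dir_rva + nstreams * dir_len > len(data):
        raise ValueError("stream directory lies past end of file")
    streams = {}
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * dir_len)
        if rva + size > len(data):          # truncated or corrupt dump
            raise ValueError(f"stream type {stype} points past end of file")
        streams[stype] = (rva, size)
    info = {
        "flags": [name for bit, name in MINIDUMP_TYPE_FLAGS.items() if flags & bit],
        "streams": sorted(STREAM_NAMES.get(t, f"Unknown({t})") for t in streams),
        "full_memory": bool(flags & MINIDUMP_WITH_FULL_MEMORY),
        "exception": None,
    }
    if EXCEPTION_STREAM in streams:
        rva, size = streams[EXCEPTION_STREAM]
        if size < struct.calcsize(EXC_HEAD_FMT):
            raise ValueError("ExceptionStream too short")
        tid, _, code, _eflags, _rec, addr = struct.unpack_from(EXC_HEAD_FMT, data, rva)
        info["exception"] = {"thread_id": tid, "code": code, "address": addr}
    return info


def build_minidump(flags, exception=None):
    """Constructed sample: header, directory, empty module/memory lists and an
    optional exception record. Synthetic data, not a real crash dump."""
    payloads = [(4, struct.pack("<I", 0)),   # ModuleListStream, NumberOfModules = 0
                (5, struct.pack("<I", 0))]   # MemoryListStream, NumberOfMemoryRanges = 0
    if exception is not None:
        exc = struct.pack(EXC_HEAD_FMT, exception["thread_id"], 0, exception["code"], 0, 0,
                          exception["address"])
        exc += b"\x00" * (4 + 4 + 15 * 8 + 8)  # NumberParameters, pad, ExceptionInformation[15], ThreadContext
        payloads.append((EXCEPTION_STREAM, exc))
    dir_rva = struct.calcsize(HEADER_FMT)
    data_rva = dir_rva + len(payloads) * struct.calcsize(DIR_FMT)
    directory, body = b"", b""
    for stype, payload in payloads:
        directory += struct.pack(DIR_FMT, stype, len(payload), data_rva + len(body))
        body += payload
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MINIDUMP_VERSION, len(payloads), dir_rva, 0, 0, flags)
    return header + directory + body


# Two constructed dumps: both /ma-style full dumps, one with a recorded
# access violation (0xC0000005) and one with no ExceptionStream at all.
DUMP_WITH_EXCEPTION = build_minidump(DUMP_MA_FLAGS, {"thread_id": 0x1A2C, "code": 0xC0000005,
                                                     "address": 0x00401234})
DUMP_WITHOUT_EXCEPTION = build_minidump(DUMP_MA_FLAGS)


def describe(dump):
    info = parse_minidump(dump)
    lines = [f"flags: {', '.join(info['flags']) or 'MiniDumpNormal'}",
             f"streams: {', '.join(info['streams'])}"]
    exc = info["exception"]
    if exc:
        lines.append(f"exception 0x{exc['code']:08X} at 0x{exc['address']:016X} in thread 0x{exc['thread_id']:X}")
    else:
        lines.append("no ExceptionStream: nothing for !analyze -v to key on as the faulting context")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, dump in (("with exception record", DUMP_WITH_EXCEPTION),
                        ("without exception record", DUMP_WITHOUT_EXCEPTION)):
        print(f"== {label} ==\n{describe(dump)}\n")
```

Run it against a real .dmp with `parse_minidump(open(path, "rb").read())`: the first thing to check when two dumps of the same process look different in WinDbg is whether both carry MiniDumpWithFullMemory and an ExceptionStream.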
 #30173  by ctrl^break
 Mon Mar 27, 2017 9:56 pm
Hi,

The first thing about working with memory dumps is basically asking yourself how much experience you have working with WinDbg. Fortunately, WinDbg is not the only option for working with them, but it is for sure the most advanced one, with a huge learning curve for the more adventurous. :twisted:

If you don't want to suffer, I suggest taking the easy way. What I usually do when working with malware samples on Windows is to use the very powerful tool called "pd". With this tool you can dump basically all the process regions being used during its execution, and the best thing is that it attempts to reconstruct every file loaded within the program for later (off-line) inspection.

For instance, if the process you dumped is using certain areas that came from an injection event, these areas will be dumped too. From there, you can use your disassembler/debugger of preference and continue with your analysis.

You can download the tool from here:

http://split-code.com/processdump.html

Salu-DoS!
-ctrl^break
http://cubilfelino.net
 #30210  by hyppocrite
 Fri Apr 07, 2017 6:09 am
pd (Process Dump), mentioned by Salu-DoS, is an excellent tool that I often use; I would highly recommend it.

There are, however, other ways worth mentioning. If you would still like to use a debugger, many of them come with dedicated plugins for dumping memory.
For example, if you use OllyDbg you can use OllyDump: http://www.openrce.org/downloads/details/108/OllyDump
and I think that this plugin is also compatible with the up-and-coming open-source Windows x86/x64 debugger "x64dbg": http://x64dbg.com
Since you are interested in user-mode applications, I would recommend using these as a combination of debugger and process dumper.