Re: Generating a raw memory dump
- From: "Marc Sherman" <masherman1970@xxxxxxxxx>
- Date: Wed, 28 Oct 2009 17:30:32 -0400
Clever idea.
One thought is that after you resume the process you'll get a flurry of AVs
from threads pushing and popping stack frames. Maybe add step 2.5 to dump
all the thread stacks while the process is suspended? In other words, limit
your on-the-fly page dumps to everything other than thread stacks.
Of course, my idea might be slower since I'm just speculating (for example,
all threads blocked on waits except for one, as opposed to all, or a majority,
of threads in a runnable state).
Marc
"Günter Prossliner" <nospam@xxxxxxxx> wrote in message
news:eQYOkL$VKHA.4816@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
creating a memory dump from another process with a large VM size can be very
time consuming, because the operation is like:
1. Attach as a debugger to the process
2. Suspend it
3. Dump all needed (depending on the options) pages to a file
4. Resume it
5. Detach and quit
So the process is suspended as long as the complete memory is written to
disk.
I think it could theoretically be possible to implement a "raw memory
dump" which would have to suspend the process for a much shorter time:
1. Attach as a debugger to the process
2. Suspend it
3. Execute VirtualQuery to build a database of currently mapped VM ranges
4. If a range is writeable set it to READ_ONLY using VirtualProtect (so an
Access Violation will occur when the process is resumed and wants to
modify the range)
5. Resume the Process
6. Traverse the range database built in step #3
6.1 Check if the range has already been dumped on the fly
6.2 Dump the content of each range to disk
6.3 Restore the protection
7. When finished detach and quit
When the process is resumed in step 5 it will modify memory. But it's
necessary to dump the content of the region *before* any modifications.
In this case, the Debugger (which is me) gets notified about the
Access Violation. It would then perform the following check:
Check the VM database if the protection of this range has been set to
read-only by me.
If not, it will throw it back to the app, because it's an Access Violation
which is not "my fault".
If it wasn't Read-Only before (and so it's ok for the process to write
into this range), it would dump the actual content of the Region (which
should not have been modified so far) to disk and then restore the protection
on the fly. Then the Debugger will resume execution at the faulting EIP,
which shall now succeed, because the protection has been restored.
Subsequent modifications are not relevant, because the region has already
been dumped.
Do you think it would be possible?
GP
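The protect/resume/dump-on-fault sequence GP describes, as an added example that is code from neither poster: it is a single-process POSIX analogue written in C, using mprotect and a SIGSEGV handler in place of VirtualProtect and the debugger's Access Violation event, so it runs without a second process or a debugger attached. The "range database" is one mmap'd region of NPAGES pages, "dump to disk" is a memcpy into a snapshot buffer, the "is this my fault?" test is owned_page, and the byte pattern filled in by snapshot_demo is constructed test data. All names are this example's own.

```c
#define _DEFAULT_SOURCE 1
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define NPAGES 4   /* size of the constructed demo region, in pages */

/* The "range database": one writable range, its lazily filled snapshot and
 * per-page bookkeeping (a real tool holds one entry per VirtualQuery result). */
static struct {
    unsigned char *base;          /* start of the live range */
    size_t page;                  /* page size */
    size_t npages;
    unsigned char *snap;          /* snapshot copy, standing in for the dump file */
    unsigned char dumped[NPAGES]; /* 1 once a page's pre-write content is saved */
    int faults;                   /* how many of our own faults were serviced */
} g;

/* The "is this my fault?" check: does addr lie inside a range we set read-only? */
static int owned_page(const void *addr, size_t *idx)
{
    uintptr_t a = (uintptr_t)addr, b = (uintptr_t)g.base;
    if (a < b || a >= b + g.npages * g.page) return 0;
    *idx = (a - b) / g.page;
    return 1;
}

/* Steps 6.2 and 6.3 for one page: save its content (once) and restore protection. */
static void dump_page(size_t idx)
{
    if (!g.dumped[idx]) {
        memcpy(g.snap + idx * g.page, g.base + idx * g.page, g.page);
        g.dumped[idx] = 1;
    }
    mprotect(g.base + idx * g.page, g.page, PROT_READ | PROT_WRITE);
}

/* Stand-in for the debugger's Access Violation notification. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    size_t idx;
    (void)ctx;
    if (!owned_page(si->si_addr, &idx)) {
        signal(sig, SIG_DFL);     /* not our doing: hand it back, crash on retry */
        return;
    }
    g.faults++;
    dump_page(idx);               /* returning re-executes the write, which now succeeds */
}

/* Steps 3-5: record the range, set it read-only, arm the handler, "resume". */
static int snapshot_begin(unsigned char *base, size_t npages)
{
    struct sigaction sa;
    if (npages > NPAGES) return -1;
    g.page = (size_t)sysconf(_SC_PAGESIZE);
    g.base = base;
    g.npages = npages;
    g.faults = 0;
    memset(g.dumped, 0, sizeof g.dumped);
    g.snap = calloc(npages, g.page);
    if (!g.snap) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    return mprotect(base, npages * g.page, PROT_READ);
}

/* Step 6: walk the database, dump whatever the fault path did not, restore. */
static void snapshot_finish(void)
{
    for (size_t i = 0; i < g.npages; i++) dump_page(i);
    signal(SIGSEGV, SIG_DFL);
}

/* Constructed demo: fill NPAGES pages with a per-page byte, start the snapshot,
 * write to two pages as the "resumed process" would, finish, then check that
 * the snapshot holds the pre-write bytes while live memory kept the writes.
 * Returns 1 on success, 0 on failure. */
int snapshot_demo(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *mem = mmap(NULL, NPAGES * page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    volatile unsigned char *live = mem;
    int ok = 1;
    if (mem == MAP_FAILED) return 0;
    for (size_t i = 0; i < NPAGES; i++) memset(mem + i * page, 0x10 + (int)i, page);

    if (snapshot_begin(mem, NPAGES) != 0) return 0;
    live[1 * page + 7] = 0xAA;    /* first write to page 1: fault, dump, retry */
    live[3 * page + 0] = 0xBB;    /* first write to page 3: fault, dump, retry */
    live[3 * page + 1] = 0xCC;    /* page 3 already writable again: no fault */
    snapshot_finish();

    for (size_t i = 0; i < NPAGES; i++)
        for (size_t j = 0; j < page; j++)
            if (g.snap[i * page + j] != (unsigned char)(0x10 + i)) ok = 0;
    if (live[1 * page + 7] != 0xAA || live[3 * page + 1] != 0xCC) ok = 0;
    if (g.faults != 2) ok = 0;    /* one fault per touched page, not per write */

    free(g.snap);
    munmap(mem, NPAGES * page);
    return ok;
}

int main(void) { return snapshot_demo() ? 0 : 1; }
```

Two practical notes. First, each page costs exactly one fault on its first write and none afterwards, which is why the thread-stack pages Marc mentions are the expensive case: every running thread writes its stack almost immediately after resume. Second, this analogue copies the page from inside the faulting process, so memcpy and mprotect run in a signal handler; in the cross-process design GP describes the copy is done by the debugger with its own ReadProcessMemory/VirtualProtectEx calls, outside the target, so that restriction does not apply.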