# SharpProcessDump

Dumps the memory regions of a process that are committed (MEM_COMMIT state) and readable (any protection other than PAGE_NOACCESS), using only native API calls: NtOpenProcess, NtQueryVirtualMemory, NtReadVirtualMemory, NtCreateFile and NtWriteFile. No kernel32 functions such as OpenProcess, ReadProcessMemory or MiniDumpWriteDump are involved.


It writes one file per memory region and one additional file containing all the memory chunks concatenated in address order.

```
SharpProcessDump.exe [PROCESS] [FILE]
```

Both arguments are optional: PROCESS defaults to "lsass" and FILE, the name of the file that holds all memory chunks, defaults to "Process_PID_allinone.dmp" (with the process name and PID filled in).
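The following C# program is an added illustration of the region walk described above; it is example code written for this page, not SharpProcessDump's own source. It uses the same native calls on the process side (NtOpenProcess, NtQueryVirtualMemory with MemoryBasicInformation, NtReadVirtualMemory) and applies the same MEM_COMMIT / not-PAGE_NOACCESS filter, but it writes the output files with .NET's FileStream instead of NtCreateFile/NtWriteFile to keep the listing short. Two additions that the README does not mention: SeDebugPrivilege is enabled through RtlAdjustPrivilege (it is present but disabled in an elevated administrator token), and PAGE_GUARD regions are skipped because reading them fails. The class name RegionDumper and the name-to-PID lookup via System.Diagnostics.Process are this example's own choices. Assumes an x64 build run from an elevated prompt.

```csharp
// Added example, not SharpProcessDump's source. Walks a target process with
// NtOpenProcess / NtQueryVirtualMemory / NtReadVirtualMemory and writes each committed,
// readable region to "<name>_<pid>_0x<address>.dmp" plus one "<name>_<pid>_allinone.dmp".
// Assumptions: x64 build, elevated prompt; file output uses .NET FileStream for brevity.
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

class RegionDumper
{
    [StructLayout(LayoutKind.Sequential)]
    struct CLIENT_ID { public IntPtr UniqueProcess; public IntPtr UniqueThread; }

    [StructLayout(LayoutKind.Sequential)]
    struct OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    // Natural alignment reproduces the native padding after AllocationProtect on x64.
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }

    const uint PROCESS_VM_READ = 0x0010, PROCESS_QUERY_INFORMATION = 0x0400;
    const uint MEM_COMMIT = 0x1000, PAGE_NOACCESS = 0x01, PAGE_GUARD = 0x100;
    const uint STATUS_SUCCESS = 0x00000000, STATUS_PARTIAL_COPY = 0x8000000D;
    const int MemoryBasicInformation = 0, SE_DEBUG_PRIVILEGE = 20;

    [DllImport("ntdll.dll")]
    static extern uint RtlAdjustPrivilege(int Privilege, [MarshalAs(UnmanagedType.U1)] bool Enable,
        [MarshalAs(UnmanagedType.U1)] bool CurrentThread, [MarshalAs(UnmanagedType.U1)] out bool Enabled);
    [DllImport("ntdll.dll")]
    static extern uint NtOpenProcess(out IntPtr ProcessHandle, uint DesiredAccess,
        ref OBJECT_ATTRIBUTES ObjectAttributes, ref CLIENT_ID ClientId);
    [DllImport("ntdll.dll")]
    static extern uint NtQueryVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, int MemoryInformationClass,
        out MEMORY_BASIC_INFORMATION MemoryInformation, IntPtr MemoryInformationLength, out IntPtr ReturnLength);
    [DllImport("ntdll.dll")]
    static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer,
        IntPtr NumberOfBytesToRead, out IntPtr NumberOfBytesRead);
    [DllImport("ntdll.dll")]
    static extern uint NtClose(IntPtr Handle);

    static void Main(string[] args)
    {
        string name = args.Length > 0 ? args[0] : "lsass";
        // Name -> PID through System.Diagnostics (a convenience, not a native call).
        Process[] procs = Process.GetProcessesByName(name);
        if (procs.Length == 0) { Console.Error.WriteLine("process not found: " + name); return; }
        int pid = procs[0].Id;
        string allInOne = args.Length > 1 ? args[1] : $"{name}_{pid}_allinone.dmp";

        // lsass runs as SYSTEM: SeDebugPrivilege is present but disabled in an elevated admin token.
        RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, true, false, out _);

        var oa = new OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES)) };
        var cid = new CLIENT_ID { UniqueProcess = (IntPtr)pid };
        uint status = NtOpenProcess(out IntPtr hProc, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, ref oa, ref cid);
        if (status != STATUS_SUCCESS) { Console.Error.WriteLine($"NtOpenProcess failed: 0x{status:X8}"); return; }

        long regions = 0, total = 0;
        IntPtr mbiSize = (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
        using (FileStream all = new FileStream(allInOne, FileMode.Create))
        {
            IntPtr addr = IntPtr.Zero;
            // Region walk: each answer covers [BaseAddress, BaseAddress + RegionSize); the query fails
            // with STATUS_INVALID_PARAMETER once we step past the last user-mode region.
            while (NtQueryVirtualMemory(hProc, addr, MemoryBasicInformation, out MEMORY_BASIC_INFORMATION mbi,
                       mbiSize, out _) == STATUS_SUCCESS)
            {
                long size = mbi.RegionSize.ToInt64();
                if (size <= 0) break;
                // SharpProcessDump's criterion: MEM_COMMIT and not PAGE_NOACCESS. PAGE_GUARD is also skipped
                // here, because a read of a guard page fails and would only produce an empty file.
                bool readable = mbi.State == MEM_COMMIT && (mbi.Protect & 0xFF) != PAGE_NOACCESS
                                && (mbi.Protect & PAGE_GUARD) == 0 && size <= int.MaxValue;
                if (readable)
                {
                    byte[] buf = new byte[size];
                    status = NtReadVirtualMemory(hProc, mbi.BaseAddress, buf, mbi.RegionSize, out IntPtr read);
                    // Keep a partial copy too: a raw dump has no way to record the gap anyway.
                    int n = (status == STATUS_SUCCESS || status == STATUS_PARTIAL_COPY) ? (int)read.ToInt64() : 0;
                    if (n > 0)
                    {
                        // Same naming as the tool: Process_PID_MEMADDRESS.dmp, plus the concatenated chunks.
                        string one = $"{name}_{pid}_0x{mbi.BaseAddress.ToInt64():X}.dmp";
                        using (FileStream f = new FileStream(one, FileMode.Create)) f.Write(buf, 0, n);
                        all.Write(buf, 0, n);
                        regions++; total += n;
                    }
                }
                addr = (IntPtr)(mbi.BaseAddress.ToInt64() + size);
            }
        }
        NtClose(hProc);
        // The result is raw memory with no MINIDUMP_HEADER, so Minidump parsers will reject it.
        Console.WriteLine($"{regions} regions, {total} bytes written to {allInOne}");
    }
}
```

Compile with `csc /platform:x64 RegionDumper.cs` and run it elevated as `RegionDumper.exe lsass lsass_allinone.dmp`. The walk terminates when NtQueryVirtualMemory stops returning STATUS_SUCCESS, which on x64 happens just above the last user-mode region; a zero RegionSize is treated as a stop condition so a malformed answer cannot loop forever.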


## Example: dumping lsass

```
SharpProcessDump.exe lsass lsass_allinone.dmp
```


This produces one file per memory region, named after the process name, PID and region base address (the syntax is "Process_PID_MEMADDRESS.dmp"), plus the file "lsass_allinone.dmp" containing all the memory chunks:

(Screenshot: size of the lsass dump created with Process Hacker next to the one generated with this tool.)

As the screenshot above shows, the dump created with Process Hacker and the file generated with this tool are almost the same size. The output is raw memory, though, not a valid Minidump: it has no MINIDUMP_HEADER or stream directory, so tools that expect the Minidump format (for example Mimikatz's sekurlsa::minidump or WinDbg) will not parse it directly. If you need a proper Minidump, check NativeDump.