Daeth

Process Dumping doesn't work

13 posts in this topic

I'm trying to dump a process' memory to a file in the temporary directory, similar to Microsoft's ProcDump. The code uses the MinidumpWriteDump function in the dbghelp.dll. Here is the following code. (You need to open Notepad to start)

#NoTrayIcon
#RequireAdmin
#include <WinAPI.au3>
Global Const $MiniDumpNormal = "0x00000000"
Global Const $MiniDumpWithDataSegs = "0x00000001"
Global Const $MiniDumpWithFullMemory = "0x00000002"
Global Const $MiniDumpWithHandleData = "0x00000004"
Global Const $MiniDumpFilterMemory = "0x00000008"
Global Const $MiniDumpScanMemory = "0x00000010"
Global Const $MiniDumpWithUnloadedModules = "0x00000020"
Global Const $MiniDumpWithIndirectlyReferencedMemory = "0x00000040"
Global Const $MiniDumpFilterModulePaths = "0x00000080"
Global Const $MiniDumpWithProcessThreadData = "0x00000100"
Global Const $MiniDumpWithPrivateReadWriteMemory = "0x00000200"
Global Const $MiniDumpWithoutOptionalData = "0x00000400"
Global Const $MiniDumpWithFullMemoryInfo = "0x00000800"
Global Const $MiniDumpWithThreadInfo = "0x00001000"
Global Const $MiniDumpWithCodeSegs = "0x00002000"
Global Const $MiniDumpWithoutAuxiliaryState = "0x00004000"
Global Const $MiniDumpWithFullAuxiliaryState = "0x00008000"
Global Const $MiniDumpWithPrivateWriteCopyMemory = "0x00010000"
Global Const $MiniDumpIgnoreInaccessibleMemory = "0x00020000"
Global Const $MiniDumpWithTokenInformation = "0x00040000"
Global Const $MiniDumpWithModuleHeaders = "0x00080000"
Global Const $MiniDumpFilterTriage = "0x00100000"
Global Const $MiniDumpValidTypeFlags = "0x001fffff"
Global $iProcessPID = ProcessWait("notepad.exe")
Global $hProcess = _WinAPI_OpenProcess("0x0400", 0, $iProcessPID)
Global $hFile = _WinAPI_CreateFile(@TempDir & "\test.dmp", 1)
ConsoleWrite("$iProcessPID = " & $iProcessPID & @CRLF & "$hProcess = " & $hProcess & @CRLF & "$hFile = " & $hFile & @CRLF)
DumpFile($hProcess, $iProcessPID, $hFile, $MiniDumpWithFullMemory)
_WinAPI_CloseHandle($hFile)
_WinAPI_CloseHandle($hProcess)
Exit

Func DumpFile($hProcess, $iPID, $hFile, $dDumpType)
    $hDLL = DllOpen(@SystemDir & "\dbghelp.dll")
    $aResult = DllCall($hDLL, "BOOL", "MiniDumpWriteDump", "HANDLE", $hProcess, "DWORD", $iPID, "HANDLE", $hFile, "DWORD", $dDumpType, "DWORD", Null, "DWORD", Null, "DWORD", Null)
    DllClose($hDLL)
    ConsoleWrite($aResult[0])
EndFunc

$aResult[0] always returns 0, and the "test.dmp" file is always 0 kilobytes.

Share this post


Link to post
Share on other sites



#3 ·  Posted (edited)

@JohnOne I still get a return value of 0 with that code. I tried with this, but still to no avail:

Global $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, $iProcessPID, True)

Could there be anything wrong with the DllCall?

Edited by Daeth

Share this post


Link to post
Share on other sites

@OP: you should be content - that zero as a return value means "success" a dump file was created!

Share this post


Link to post
Share on other sites

@PACaleala No, according to MSDN, it says the return value should be True if a successful dump file was written. Furthermore, the dump file created is 0 bytes.

Share this post


Link to post
Share on other sites

Comment the require admin line and insert the next line before the "Exit" line:

if FileExists(@TempDir & "\test.dmp") Then run ("notepad" & " " & @TempDir & "\test.dmp")

Now run the script from SciTe

Share this post


Link to post
Share on other sites

What is that meant to do? There's nothing in the dumpfile.

Share this post


Link to post
Share on other sites
#include <WinAPI.au3>
;~ #RequireAdmin try to un-comment if not work for you

Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
_DumpFile(@AutoItPID, $hFile)
_WinAPI_CloseHandle($hFile)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, "dword", $dDumpType, "dword", "", "dword", "", "dword", "")
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $aResult[0] = 0 Then Return SetError(@error, @extended, False)
    Return $aResult[0]
EndFunc

ivbrlh.png

2 people like this

Nothing is so strong as gentleness. Nothing is so gentle as real strength

 

Share this post


Link to post
Share on other sites

@Terenz Hmm that's odd, your code writes a dump file for @AutoItPID, so I tried using @AutoItPID, in my script as well - which actually works. How do I create a dump file of a system process or "notepad.exe". 

I tested the DumpFile on different applications such as "chrome.exe", but "notepad.exe" doesn't work. When I use the sysinternals 'ProcDump' tool and create a process dump of notepad.exe (procdump -ma notepad.exe), it worked fine.

Share this post


Link to post
Share on other sites

?

#include <WinAPI.au3>
;~ #RequireAdmin try to un-comment if not work for you

Local $iPID = Run("notepad.exe")
;~ Local $iPID = ProcessWait("notepad.exe")
Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
_DumpFile($iPID, $hFile)
_WinAPI_CloseHandle($hFile)
ProcessClose($iPID)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, "dword", $dDumpType, "dword", "", "dword", "", "dword", "")
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $aResult[0] = 0 Then Return SetError(@error, @extended, False)
    Return $aResult[0]
EndFunc

35hqpn4.png

1 person likes this

Nothing is so strong as gentleness. Nothing is so gentle as real strength

 

Share this post


Link to post
Share on other sites

@JohnOne you're a genius! That did the trick. How did you know that would solve the problem?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Similar Content

    • nacerbaaziz
      By nacerbaaziz
      hello
      please i need to link a progress bar with a time can you help me?
      e.g
      i want to set a progress bar for 10 sec
      am waiting for your answers
      thank you.
    • AdminC
      By AdminC
      $Imglocation = @ScriptDir&"\Image\testimg.bmp" _GDIPlus_Startup() Local $Bitmap = _GDIPlus_BitmapCreateFromFile($Imglocation) Local $hBitmap = _GDIPlus_BitmapCreateHBITMAPFromBitmap($Bitmap) Local $imgSize = _WinAPI_GetBitmapDimension($hBitmap) Local $imgBits = DllStructCreate('dword[' & (DllStructGetData($imgSize, 'X') * DllStructGetData($imgSize, 'Y')) & ']') _WinAPI_GetBitmapBits($hBitmap, DllStructGetSize($imgBits), DllStructGetPtr($imgBits)) ;_WinAPI_DisplayStruct($imgBits) MsgBox(0, "", DllStructGetData($imgBits, 1, 1)) _GDIPlus_Shutdown()  
    • AdminC
      By AdminC
      #RequireAdmin
      #include <SendMessage.au3>
      #include <WinAPI.au3>
      #include <WindowsConstants.au3>
      #include <GDIPlus.au3>
      #include <GUIConstantsEx.au3>
      #include <WinAPIGdi.au3>
      #include <Array.au3>
      #include <WinAPIDiag.au3>
      $Imglocation = @ScriptDir&"\Image\testimg.bmp"
      _GDIPlus_Startup()
      Local $Bitmap = _GDIPlus_BitmapCreateFromFile($Imglocation)
      Local $hBitmap = _GDIPlus_BitmapCreateHBITMAPFromBitmap($Bitmap)
      Local $imgSize = _WinAPI_GetBitmapDimension($hBitmap)
      Local $imgBits = DllStructCreate('dword[' & ($imgSize.X * $imgSize.Y) & ']')
      _WinAPI_GetBitmapBits($hBitmap, DllStructGetSize($imgBits), DllStructGetPtr($imgBits))
      _WinAPI_DisplayStruct($imgBits)
      MsgBox(0, "", DllStructGetData($imgBits, 1, 1)) 
      _GDIPlus_Shutdown()
      DllstructGetData can't get data color B, G, R value. Who's know that? teach me plz
    • AdminC
      By AdminC
      #RequireAdmin
      #include <SendMessage.au3>
      #include <WinAPI.au3>
      #include <WindowsConstants.au3>
      #include <GDIPlus.au3>
      #include <GUIConstantsEx.au3>
      #include <WinAPIGdi.au3>
      #include <Array.au3>
      #include <WinAPIDiag.au3>
      $Imglocation = @ScriptDir&"\Image\testimg.bmp"
      _GDIPlus_Startup()
      Local $Bitmap = _GDIPlus_BitmapCreateFromFile($Imglocation)
      Local $hBitmap = _GDIPlus_BitmapCreateHBITMAPFromBitmap($Bitmap)
      Local $imgSize = _WinAPI_GetBitmapDimension($hBitmap)
      Local $imgBits = DllStructCreate('dword[' & ($imgSize.X * $imgSize.Y) & ']')
      _WinAPI_GetBitmapBits($hBitmap, DllStructGetSize($imgBits), DllStructGetPtr($imgBits))
      _WinAPI_DisplayStruct($imgBits)
      MsgBox(0, "", DllStructGetData($imgBits, 1, 1)) 
      _GDIPlus_Shutdown()
      DllstructGetData can't get data color B, G, R value. Who's know that? teach me plz
       
    • Miliardsto
      By Miliardsto
      Hello. Im trying to make my scripts safe - unnable to decompile. I search for obfuscators and other security methods but the search has come to nothing.
      Then one guy gave that idea below. If I rightly understood this idea lets we talk about example program with this secutiy method.
      Program have two parts, first is only login gui and the second part is the main program Second part (main program) is uploaded on ftp server lets say that on http://xxx/autoit/main_program.au3 So we have the first gui with login, we put correctly login and pass and this is the moment when code from http://xxx/autoit/main_program.au3 will be downloaded and executed Finally main program will be appear This is the similiar way like new games are protected by cracking.
      I have few questions in this moment about this:
      Is something like that even possible to do with the autoit? First part of program (login gui) must have somewhere given that link to download the rest of code - http://xxx/autoit/main_program.au3 to make it execute. As we know this first part of program is easy able to hack and retrieve this web url http://xxx/autoit/main_program.au3 where located is main part of program. Is the way to encrypt or secure it? If only code will be stored in .php we know it cannot be previewed. So it could for example get code from .php file instead of .au3 I know that methods works in other languages (I dont know exactly how) thats becouse I only speculates, maybe something may looks different in these solution? Other way would be compiling second part of code on web server (there are available web autoit servers) maybe this way is possible? Tell me anything U know about this ideas and if its even possible to achieve.
      Thanks for ur any response, advice or thoughts