Daeth

Process Dumping doesn't work

13 posts in this topic

I'm trying to dump a process' memory to a file in the temporary directory, similar to Microsoft's ProcDump. The code uses the MinidumpWriteDump function in the dbghelp.dll. Here is the following code. (You need to open Notepad to start)

#NoTrayIcon
#RequireAdmin
#include <WinAPI.au3>
Global Const $MiniDumpNormal = "0x00000000"
Global Const $MiniDumpWithDataSegs = "0x00000001"
Global Const $MiniDumpWithFullMemory = "0x00000002"
Global Const $MiniDumpWithHandleData = "0x00000004"
Global Const $MiniDumpFilterMemory = "0x00000008"
Global Const $MiniDumpScanMemory = "0x00000010"
Global Const $MiniDumpWithUnloadedModules = "0x00000020"
Global Const $MiniDumpWithIndirectlyReferencedMemory = "0x00000040"
Global Const $MiniDumpFilterModulePaths = "0x00000080"
Global Const $MiniDumpWithProcessThreadData = "0x00000100"
Global Const $MiniDumpWithPrivateReadWriteMemory = "0x00000200"
Global Const $MiniDumpWithoutOptionalData = "0x00000400"
Global Const $MiniDumpWithFullMemoryInfo = "0x00000800"
Global Const $MiniDumpWithThreadInfo = "0x00001000"
Global Const $MiniDumpWithCodeSegs = "0x00002000"
Global Const $MiniDumpWithoutAuxiliaryState = "0x00004000"
Global Const $MiniDumpWithFullAuxiliaryState = "0x00008000"
Global Const $MiniDumpWithPrivateWriteCopyMemory = "0x00010000"
Global Const $MiniDumpIgnoreInaccessibleMemory = "0x00020000"
Global Const $MiniDumpWithTokenInformation = "0x00040000"
Global Const $MiniDumpWithModuleHeaders = "0x00080000"
Global Const $MiniDumpFilterTriage = "0x00100000"
Global Const $MiniDumpValidTypeFlags = "0x001fffff"
Global $iProcessPID = ProcessWait("notepad.exe")
Global $hProcess = _WinAPI_OpenProcess("0x0400", 0, $iProcessPID)
Global $hFile = _WinAPI_CreateFile(@TempDir & "\test.dmp", 1)
ConsoleWrite("$iProcessPID = " & $iProcessPID & @CRLF & "$hProcess = " & $hProcess & @CRLF & "$hFile = " & $hFile & @CRLF)
DumpFile($hProcess, $iProcessPID, $hFile, $MiniDumpWithFullMemory)
_WinAPI_CloseHandle($hFile)
_WinAPI_CloseHandle($hProcess)
Exit

Func DumpFile($hProcess, $iPID, $hFile, $dDumpType)
    $hDLL = DllOpen(@SystemDir & "\dbghelp.dll")
    $aResult = DllCall($hDLL, "BOOL", "MiniDumpWriteDump", "HANDLE", $hProcess, "DWORD", $iPID, "HANDLE", $hFile, "DWORD", $dDumpType, "DWORD", Null, "DWORD", Null, "DWORD", Null)
    DllClose($hDLL)
    ConsoleWrite($aResult[0])
EndFunc

$aResult[0] always returns 0, and the "test.dmp" file is always 0 kilobytes.

Share this post


Link to post
Share on other sites

#3 ·  Posted (edited)

@JohnOne I still get a return value of 0 with that code. I tried with this, but still to no avail:

Global $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, $iProcessPID, True)

Could there be anything wrong with the DllCall?

Edited by Daeth

Share this post


Link to post
Share on other sites

@OP: you should be content - that zero as a return value means "success" a dump file was created!

Share this post


Link to post
Share on other sites

@PACaleala No, according to MSDN, it says the return value should be True if a successful dump file was written. Furthermore, the dump file created is 0 bytes.

Share this post


Link to post
Share on other sites

Comment the require admin line and insert the next line before the "Exit" line:

if FileExists(@TempDir & "\test.dmp") Then run ("notepad" & " " & @TempDir & "\test.dmp")

Now run the script from SciTe

Share this post


Link to post
Share on other sites

What is that meant to do? There's nothing in the dumpfile.

Share this post


Link to post
Share on other sites
#include <WinAPI.au3>
;~ #RequireAdmin try to un-comment if not work for you

Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
_DumpFile(@AutoItPID, $hFile)
_WinAPI_CloseHandle($hFile)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, "dword", $dDumpType, "dword", "", "dword", "", "dword", "")
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $aResult[0] = 0 Then Return SetError(@error, @extended, False)
    Return $aResult[0]
EndFunc

ivbrlh.png

2 people like this

Nothing is so strong as gentleness. Nothing is so gentle as real strength

 

Share this post


Link to post
Share on other sites

@Terenz Hmm that's odd, your code writes a dump file for @AutoItPID, so I tried using @AutoItPID, in my script as well - which actually works. How do I create a dump file of a system process or "notepad.exe". 

I tested the DumpFile on different applications such as "chrome.exe", but "notepad.exe" doesn't work. When I use the sysinternals 'ProcDump' tool and create a process dump of notepad.exe (procdump -ma notepad.exe), it worked fine.

Share this post


Link to post
Share on other sites

?

#include <WinAPI.au3>
;~ #RequireAdmin try to un-comment if not work for you

Local $iPID = Run("notepad.exe")
;~ Local $iPID = ProcessWait("notepad.exe")
Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
_DumpFile($iPID, $hFile)
_WinAPI_CloseHandle($hFile)
ProcessClose($iPID)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, "dword", $dDumpType, "dword", "", "dword", "", "dword", "")
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $aResult[0] = 0 Then Return SetError(@error, @extended, False)
    Return $aResult[0]
EndFunc

35hqpn4.png

1 person likes this

Nothing is so strong as gentleness. Nothing is so gentle as real strength

 

Share this post


Link to post
Share on other sites

@JohnOne you're a genius! That did the trick. How did you know that would solve the problem?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Similar Content

    • Ascer
      By Ascer
      1. Description
      Anti-bot system to avoid spam. Vector graphic style generates 4 random numbers from 0-9 and create a picture. 2. Requirements
      .NET Framework 1.1 - 4.5 (on this version Microsoft destroy old rules) 3. Possibilities.

      4. Downloads.
      Source package Capatcha.rar
    • Valnurat
      By Valnurat
      How can I get combobox value by using  the ENTER key?
    • vyperhand
      By vyperhand
      I'm struggling to launch a VBS file via autoit using RunWait.  Due to the nature of the deployment tool I am using for said script, I only know that the .vbs files will be in the same directory as my AutoIt-generated .exe, but not what that path will be.  The path will look something like this:
      c:\programdata\vendor\lots\of\folders\randomnumber
      This is generated during deployment and I have no way of predicting the path - therefore, I am not sure how to call back to "same directory" in order to successfully launch the .vbs.
      This line is as close as I have gotten - this fires off the cmd window, but it closes immediately with out information, and the .vbs is not launched.
      RunWait (@ComSpec & " /c" & 'cscript.exe WORKPLEASE.vbs ALL /Q /NoCancel') I thought /c might be the problem, but leaving out the /c element causes me not to even see the momentary CMD window flash by.  Any help will be greatly appreciated, and thanks in advance.
    • Valnurat
      By Valnurat
      I have a ComboBox and I want, when I start writting in it, that it will show me what is the first in the list.
      Like, is I start writting:
      "pe" it  should show me "peter" if that is the first in the list.
      How can I do that?
       
      While 1 Switch GUIGetMsg() Case $GUI_EVENT_CLOSE, $idClos ExitLoop Case $idComboBox $sComboRead = GUICtrlRead($idComboBox) Local $iIdx = _ArraySearch($aResult,$sComboRead,0,0,0,0,1,1) Local $aComputerOwner = _AD_GetObjectsInOU("OU=al,DC=AD,DC=AL,DC=ORG","(&(objectclass=computer)(managedby=" & $aResult[$iIdx][0] & "))",Default,"cn") _ArrayDelete($aComputerOwner,0) _GUICtrlListView_SetItemCount($idMylist,UBound($aComputerOwner)) If IsArray($aComputerOwner) Then For $i = 0 To UBound($aComputerOwner) - 1 GUICtrlCreateListViewItem($aComputerOwner[$i], $idMylist) Next Else GUICtrlSetData($idMylist, "No computer|") EndIf EndSwitch WEnd  
    • Valnurat
      By Valnurat
      Hi.
      I'm trying to add an array to my gui listview, but it fails with
      "C:\Program Files (x86)\AutoIt3\Include\GuiListView.au3" (473) : ==> Array variable has incorrect number of subscripts or subscript dimension range exceeded.: DllStructSetData($tBuffer, "Text", $aItems[$iI][0]) DllStructSetData($tBuffer, "Text", ^ ERROR My code is:
      #cs ---------------------------------------------------------------------------- AutoIt Version: 3.3.14.2 Author: myName Script Function: Template AutoIt script. #ce ---------------------------------------------------------------------------- ; Script Start - Add your code below here #include <WindowsConstants.au3> #include <ComboConstants.au3> #include <GuiComboBox.au3> #include <GUIConstantsEx.au3> #include <GuiListView.au3> #include <MsgBoxConstants.au3> #Include <AD.au3> #include <Array.au3> Opt('MustDeclareVars', 1) Global $aResult[0][2] Local $aNames[4] = ["DKSO","DKKO","SELU","SEES"] Local Const $iWidth = 300, $iHeight = 250, $iW = 85, $iH = 25 Local $hGUI = GUICreate("Find Computer Owner", $iWidth, $iHeight) ; Create a combobox control. Local $idComboBox = GUICtrlCreateCombo("", 2, 2, 296, 20, BitOR($CBS_DROPDOWN, $CBS_AUTOHSCROLL, $WS_VSCROLL, $CBS_SORT)) ;$WS_VSCROLL Local $idMylist = GUICtrlCreateListView("", 2, 114, 296, 100) Local $idClos = GUICtrlCreateButton("Close", ($iWidth - $iW) / 2, ($iHeight - $iH) - 7 , $iW, $iH) _AD_Open() Local $sFill = "" For $i = 0 to UBound($aNames) -1 Local $aUserInfo = _AD_GetObjectsInOU("OU=Al,DC=ad,DC=al,DC=org","(&(objectCategory=Person)(objectclass=user)(sAMAccountName=" & $aNames[$i] & "*))","","distinguishedName,cn") if @error Then MsgBox(0,@error,@extended) Exit EndIf For $x = $aUserInfo[0][0] To 1 Step -1 If $aUserInfo[$x][0] = "" Or StringInStr($aUserInfo[$x][0], "Resources") > 0 Or StringInStr($aUserInfo[$x][0], "Leavers") > 0 Or StringInStr($aUserInfo[$x][0], "Administration") > 0 Then _ArrayDelete($aUserInfo, $x) EndIf Next _ArrayConcatenate($aResult, $aUserInfo, 1) Next for $i = 0 To UBound($aResult) -1 If $aResult[$i][0] <> "" Then $sFill &= $aResult[$i][1] & "|" EndIf Next _ArrayDisplay($aResult, 'AD ' & UBound($aResult)) $sFill = StringTrimRight($sFill, 1) _GUICtrlComboBox_BeginUpdate($idComboBox) GUICtrlSetData($idComboBox, $sFill, "") _GUICtrlComboBox_EndUpdate($idComboBox) GUISetState(@SW_SHOW, $hGUI) GUIRegisterMsg($WM_NOTIFY, "WM_NOTIFY") _GUICtrlListView_AddColumn($idMylist, "Computername", 296) Local $sComboRead = "" ; Loop until the user exits. While 1 Switch GUIGetMsg() Case $GUI_EVENT_CLOSE, $idClos ExitLoop Case $idComboBox $sComboRead = GUICtrlRead($idComboBox) Local $iIdx = _ArraySearch($aResult,$sComboRead,0,0,0,0,1,1) Local $aComputerOwner = _AD_GetObjectsInOU("OU=al,DC=AD,DC=AL,DC=ORG","(&(objectclass=computer)(managedby=" & $aResult[$iIdx][0] & "))",Default,"cn") _ArrayDelete($aComputerOwner,0) _ArrayDisplay($aComputerOwner) _GUICtrlListView_SetItemCount($idMylist,UBound($aComputerOwner)) If IsArray($aComputerOwner) Then MsgBox(0,"Test",$sComboRead) _GUICtrlListView_AddArray($idMylist, $aComputerOwner) ; <---- it fails Else GUICtrlSetData($idMylist, "No computer|") EndIf EndSwitch WEnd _AD_Close() ; Delete the previous GUI and all controls. GUIDelete($hGUI) Func WM_NOTIFY($hWnd, $iMsg, $wParam, $lParam) #forceref $hWnd, $iMsg, $wParam Local $hWndFrom, $iIDFrom, $iCode, $tNMHDR, $hWndListView, $tInfo ; Local $tBuffer $hWndListView = $idMylist If Not IsHWnd($idMylist) Then $hWndListView = GUICtrlGetHandle($idMylist) $tNMHDR = DllStructCreate($tagNMHDR, $lParam) $hWndFrom = HWnd(DllStructGetData($tNMHDR, "hWndFrom")) $iIDFrom = DllStructGetData($tNMHDR, "IDFrom") $iCode = DllStructGetData($tNMHDR, "Code") Switch $hWndFrom Case $hWndListView Switch $iCode Case $NM_DBLCLK ; Sent by a list-view control when the user double-clicks an item with the left mouse button $tInfo = DllStructCreate($tagNMITEMACTIVATE, $lParam) _DebugPrint("$NM_DBLCLK" & @CRLF & "--> hWndFrom:" & @TAB & $hWndFrom & @CRLF & _ "-->IDFrom:" & @TAB & $iIDFrom & @CRLF & _ "-->Code:" & @TAB & $iCode & @CRLF & _ "-->Index:" & @TAB & DllStructGetData($tInfo, "Index") & @CRLF & _ "-->SubItem:" & @TAB & DllStructGetData($tInfo, "SubItem") & @CRLF & _ "-->NewState:" & @TAB & DllStructGetData($tInfo, "NewState") & @CRLF & _ "-->OldState:" & @TAB & DllStructGetData($tInfo, "OldState") & @CRLF & _ "-->Changed:" & @TAB & DllStructGetData($tInfo, "Changed") & @CRLF & _ "-->ActionX:" & @TAB & DllStructGetData($tInfo, "ActionX") & @CRLF & _ "-->ActionY:" & @TAB & DllStructGetData($tInfo, "ActionY") & @CRLF & _ "-->lParam:" & @TAB & DllStructGetData($tInfo, "lParam") & @CRLF & _ "-->KeyFlags:" & @TAB & DllStructGetData($tInfo, "KeyFlags")) ; No return value EndSwitch EndSwitch Return $GUI_RUNDEFMSG EndFunc ;==>WM_NOTIFY Func _DebugPrint($s_Text, $sLine = @ScriptLineNumber) ConsoleWrite( _ "!===========================================================" & @CRLF & _ "+======================================================" & @CRLF & _ "-->Line(" & StringFormat("%04d", $sLine) & "):" & @TAB & $s_Text & @CRLF & _ "+======================================================" & @CRLF) EndFunc ;==>_DebugPrint Do I do it wrong?
       
      Thank you in advanced.