Daeth

Process Dumping doesn't work

13 posts in this topic

I'm trying to dump a process' memory to a file in the temporary directory, similar to Microsoft's ProcDump. The code uses the MinidumpWriteDump function in the dbghelp.dll. Here is the following code. (You need to open Notepad to start)

#NoTrayIcon
#RequireAdmin
#include <WinAPI.au3>
Global Const $MiniDumpNormal = "0x00000000"
Global Const $MiniDumpWithDataSegs = "0x00000001"
Global Const $MiniDumpWithFullMemory = "0x00000002"
Global Const $MiniDumpWithHandleData = "0x00000004"
Global Const $MiniDumpFilterMemory = "0x00000008"
Global Const $MiniDumpScanMemory = "0x00000010"
Global Const $MiniDumpWithUnloadedModules = "0x00000020"
Global Const $MiniDumpWithIndirectlyReferencedMemory = "0x00000040"
Global Const $MiniDumpFilterModulePaths = "0x00000080"
Global Const $MiniDumpWithProcessThreadData = "0x00000100"
Global Const $MiniDumpWithPrivateReadWriteMemory = "0x00000200"
Global Const $MiniDumpWithoutOptionalData = "0x00000400"
Global Const $MiniDumpWithFullMemoryInfo = "0x00000800"
Global Const $MiniDumpWithThreadInfo = "0x00001000"
Global Const $MiniDumpWithCodeSegs = "0x00002000"
Global Const $MiniDumpWithoutAuxiliaryState = "0x00004000"
Global Const $MiniDumpWithFullAuxiliaryState = "0x00008000"
Global Const $MiniDumpWithPrivateWriteCopyMemory = "0x00010000"
Global Const $MiniDumpIgnoreInaccessibleMemory = "0x00020000"
Global Const $MiniDumpWithTokenInformation = "0x00040000"
Global Const $MiniDumpWithModuleHeaders = "0x00080000"
Global Const $MiniDumpFilterTriage = "0x00100000"
Global Const $MiniDumpValidTypeFlags = "0x001fffff"
Global $iProcessPID = ProcessWait("notepad.exe")
Global $hProcess = _WinAPI_OpenProcess("0x0400", 0, $iProcessPID)
Global $hFile = _WinAPI_CreateFile(@TempDir & "\test.dmp", 1)
ConsoleWrite("$iProcessPID = " & $iProcessPID & @CRLF & "$hProcess = " & $hProcess & @CRLF & "$hFile = " & $hFile & @CRLF)
DumpFile($hProcess, $iProcessPID, $hFile, $MiniDumpWithFullMemory)
_WinAPI_CloseHandle($hFile)
_WinAPI_CloseHandle($hProcess)
Exit

Func DumpFile($hProcess, $iPID, $hFile, $dDumpType)
    $hDLL = DllOpen(@SystemDir & "\dbghelp.dll")
    $aResult = DllCall($hDLL, "BOOL", "MiniDumpWriteDump", "HANDLE", $hProcess, "DWORD", $iPID, "HANDLE", $hFile, "DWORD", $dDumpType, "DWORD", Null, "DWORD", Null, "DWORD", Null)
    DllClose($hDLL)
    ConsoleWrite($aResult[0])
EndFunc

$aResult[0] always returns 0, and the "test.dmp" file is always 0 kilobytes.

Share this post


Link to post
Share on other sites



#3 ·  Posted (edited)

@JohnOne I still get a return value of 0 with that code. I tried with this, but still to no avail:

Global $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, $iProcessPID, True)

Could there be anything wrong with the DllCall?

Edited by Daeth

Share this post


Link to post
Share on other sites

@OP: you should be content - that zero as a return value means "success" a dump file was created!

Share this post


Link to post
Share on other sites

@PACaleala No, according to MSDN, it says the return value should be True if a successful dump file was written. Furthermore, the dump file created is 0 bytes.

Share this post


Link to post
Share on other sites

Comment the require admin line and insert the next line before the "Exit" line:

if FileExists(@TempDir & "\test.dmp") Then run ("notepad" & " " & @TempDir & "\test.dmp")

Now run the script from SciTe

Share this post


Link to post
Share on other sites

What is that meant to do? There's nothing in the dumpfile.

Share this post


Link to post
Share on other sites
#include <WinAPI.au3>
;~ #RequireAdmin try to un-comment if not work for you

Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
_DumpFile(@AutoItPID, $hFile)
_WinAPI_CloseHandle($hFile)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, "dword", $dDumpType, "dword", "", "dword", "", "dword", "")
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $aResult[0] = 0 Then Return SetError(@error, @extended, False)
    Return $aResult[0]
EndFunc

ivbrlh.png

2 people like this

Nothing is so strong as gentleness. Nothing is so gentle as real strength

 

Share this post


Link to post
Share on other sites

@Terenz Hmm that's odd, your code writes a dump file for @AutoItPID, so I tried using @AutoItPID, in my script as well - which actually works. How do I create a dump file of a system process or "notepad.exe". 

I tested the DumpFile on different applications such as "chrome.exe", but "notepad.exe" doesn't work. When I use the sysinternals 'ProcDump' tool and create a process dump of notepad.exe (procdump -ma notepad.exe), it worked fine.

Share this post


Link to post
Share on other sites

?

#include <WinAPI.au3>
;~ #RequireAdmin try to un-comment if not work for you

Local $iPID = Run("notepad.exe")
;~ Local $iPID = ProcessWait("notepad.exe")
Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
_DumpFile($iPID, $hFile)
_WinAPI_CloseHandle($hFile)
ProcessClose($iPID)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, "dword", $dDumpType, "dword", "", "dword", "", "dword", "")
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $aResult[0] = 0 Then Return SetError(@error, @extended, False)
    Return $aResult[0]
EndFunc

35hqpn4.png

1 person likes this

Nothing is so strong as gentleness. Nothing is so gentle as real strength

 

Share this post


Link to post
Share on other sites

@JohnOne you're a genius! That did the trick. How did you know that would solve the problem?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Similar Content

    • ExiLeD4EveR
      By ExiLeD4EveR
      'm trying to make an autologin script for facebook which prompts u to enter an email and a password and then opens the browser and logs you with the info u entered but im having a problem with the text entered in the input box. What i basically want it to do is take what's written on the inputbox and replace it on the email form in the facebook site and the password. Don't mind the other buttons in the gui , i just wanted to focus on the facebook button first. Any help will be appreciated
      #include <ButtonConstants.au3> #include <GUIConstantsEx.au3> #include <WindowsConstants.au3> #include <EditConstants.au3> #include <StaticConstants.au3> #include <IE.au3> #Region ### START Koda GUI section ### Form=c:\users\ExiLeD\desktop\coding\autoit\gui samples\simplegui.kxf $SimpleGUI = GUICreate("MultiProgram", 392, 122, -1, -1) GUISetIcon("C:\Users\ExiLeD\Desktop\Work\Smile\Icon Pack\EcranLcd.ico", -1) $Notepad = GUICtrlCreateButton("Notepad", 16, 24, 73, 25) GUICtrlSetCursor (-1, 0) $Calculator = GUICtrlCreateButton("Calculator", 112, 24, 73, 25) GUICtrlSetCursor (-1, 0) $ExitButoon = GUICtrlCreateButton("Exit", 160, 72, 73, 25) GUICtrlSetFont(-1, 8, 800, 0, "MS Sans Serif") GUICtrlSetCursor (-1, 0) $Lol = GUICtrlCreateButton("Lol Login", 208, 24, 73, 25) GUICtrlSetCursor (-1, 0) $Facebook = GUICtrlCreateButton("Facebook ", 304, 24, 73, 25) GUICtrlSetCursor (-1, 0) GUISetState(@SW_SHOW) #EndRegion ### END Koda GUI section ### While 1 $nMsg = GUIGetMsg() Switch $nMsg Case $GUI_EVENT_CLOSE Exit Case $Facebook ;= if Facebook is pressed it creates the email form $Face_Login = GUICreate("Facebook Login", 295, 88, -1, -1) GUISetIcon("C:\Users\ExiLeD\Downloads\Iconshock-Social-Media-Beakers-Facebook.ico", -1) $Label1 = GUICtrlCreateLabel("Email", 40, 24, 29, 17) $InputBox1 = GUICtrlCreateInput("", 72, 21, 148, 21, BitOR($GUI_SS_DEFAULT_INPUT,$ES_CENTER)) $data1 = GUICtrlRead(-1) $Email_button = GUICtrlCreateButton("Done", 96, 56, 97, 25) GUISetState(@SW_SHOW) While 1 $nMsg = GUIGetMsg() Switch $nMsg Case $GUI_EVENT_CLOSE Exit Case $Email_button ;= if Done from email form is pressed then delete the email form and open the password form GUIDelete($Face_Login) Sleep(200) $Face_Login2 = GUICreate("Facebook Login", 295, 88, -1, -1) GUISetIcon("C:\Users\ExiLeD\Downloads\Iconshock-Social-Media-Beakers-Facebook.ico", -1) $Label2 = GUICtrlCreateLabel("Password", 16, 24, 50, 17) $InputBox2 = GUICtrlCreateInput("", 72, 21, 148, 21, BitOR($GUI_SS_DEFAULT_INPUT,$ES_CENTER)) $data2 = GUICtrlRead(-1) $Pass_button = GUICtrlCreateButton("Done", 96, 56, 97, 25) GUISetState(@SW_SHOW) While 1 $nMsg = GUIGetMsg() Switch $nMsg Case $GUI_EVENT_CLOSE Exit Case $Pass_button ;= if Done from password form is pressed then it deletes the password form and , to add(open internet explorer on the facebook login page GUIDelete($Face_Login2) FB_SignIn() EndSwitch WEnd EndSwitch WEnd EndSwitch WEnd Func FB_SignIn() Global $oIE = _IECreate("https://www.facebook.com/") Local $username = _IEGetObjByName($oIE, "email") Local $password = _IEGetObjByName($oIE, "pass") Local $button = _IEGetObjById($oIE, "loginbutton") _IEFormElementSetValue($username, $data1) _IEFormElementSetValue($password, $data2) _IEAction($button, "click") EndFunc  
    • messilm10
      By messilm10
      how do i get the crash report of any application and any running script?????
    • ronaldo97
      By ronaldo97
      Hello How can I make the GUI is compatible with all screen sizes ??  
      #include <GUIConstantsEx.au3> #include <StaticConstants.au3> #include <WindowsConstants.au3> #Region ### START Koda GUI section ### Form= $Form1 = GUICreate("Form1", 623, 445, 192, 124, BitOR($GUI_SS_DEFAULT_GUI,$WS_MAXIMIZE)) GUISetBkColor(0x1E1E1E) $Label1 = GUICtrlCreateLabel("Welcome Back !!", 424, 64, 161, 29) GUICtrlSetFont(-1, 16, 400, 0, "Tahoma") GUICtrlSetColor(-1, 0x800000) GUISetState(@SW_SHOW) #EndRegion ### END Koda GUI section ### While 1 $nMsg = GUIGetMsg() Switch $nMsg Case $GUI_EVENT_CLOSE Exit EndSwitch WEnd How do I make Gui interface compatible with all screen sizes ?? 800*600
      1024*768
      1280*1024
    • messilm10
      By messilm10
      respected sir,
      how could I calculate the time difference using auto IT function ?
    • Xandy
      By Xandy
      Waxworks Code Wheel.
      Written in AutoIt with SDL.
      Source