Daeth

Process Dumping doesn't work


I'm trying to dump a process' memory to a file in the temporary directory, similar to Microsoft's ProcDump. The code uses the MiniDumpWriteDump function in dbghelp.dll. Here is the code. (You need to open Notepad before starting it.)

#NoTrayIcon
#RequireAdmin
#include <WinAPI.au3>
; MINIDUMP_TYPE flags, as numbers (MiniDumpWriteDump takes them as a DWORD)
Global Const $MiniDumpNormal = 0x00000000
Global Const $MiniDumpWithDataSegs = 0x00000001
Global Const $MiniDumpWithFullMemory = 0x00000002
Global Const $MiniDumpWithHandleData = 0x00000004
Global Const $MiniDumpFilterMemory = 0x00000008
Global Const $MiniDumpScanMemory = 0x00000010
Global Const $MiniDumpWithUnloadedModules = 0x00000020
Global Const $MiniDumpWithIndirectlyReferencedMemory = 0x00000040
Global Const $MiniDumpFilterModulePaths = 0x00000080
Global Const $MiniDumpWithProcessThreadData = 0x00000100
Global Const $MiniDumpWithPrivateReadWriteMemory = 0x00000200
Global Const $MiniDumpWithoutOptionalData = 0x00000400
Global Const $MiniDumpWithFullMemoryInfo = 0x00000800
Global Const $MiniDumpWithThreadInfo = 0x00001000
Global Const $MiniDumpWithCodeSegs = 0x00002000
Global Const $MiniDumpWithoutAuxiliaryState = 0x00004000
Global Const $MiniDumpWithFullAuxiliaryState = 0x00008000
Global Const $MiniDumpWithPrivateWriteCopyMemory = 0x00010000
Global Const $MiniDumpIgnoreInaccessibleMemory = 0x00020000
Global Const $MiniDumpWithTokenInformation = 0x00040000
Global Const $MiniDumpWithModuleHeaders = 0x00080000
Global Const $MiniDumpFilterTriage = 0x00100000
Global Const $MiniDumpValidTypeFlags = 0x001fffff
Global $iProcessPID = ProcessWait("notepad.exe")
; MiniDumpWriteDump needs PROCESS_QUERY_INFORMATION (0x0400) and PROCESS_VM_READ (0x0010) on the target
Global $hProcess = _WinAPI_OpenProcess(BitOR(0x0400, 0x0010), 0, $iProcessPID)
Global $hFile = _WinAPI_CreateFile(@TempDir & "\test.dmp", 1) ; 1 = create the file, overwrite if it exists
ConsoleWrite("$iProcessPID = " & $iProcessPID & @CRLF & "$hProcess = " & $hProcess & @CRLF & "$hFile = " & $hFile & @CRLF)
DumpFile($hProcess, $iProcessPID, $hFile, $MiniDumpWithFullMemory)
_WinAPI_CloseHandle($hFile)
_WinAPI_CloseHandle($hProcess)
Exit

Func DumpFile($hProcess, $iPID, $hFile, $dDumpType)
    Local $hDLL = DllOpen(@SystemDir & "\dbghelp.dll")
    ; The last three parameters are pointers (exception, user stream and callback info); NULL for a plain dump
    Local $aResult = DllCall($hDLL, "bool", "MiniDumpWriteDump", "handle", $hProcess, "dword", $iPID, "handle", $hFile, _
            "dword", $dDumpType, "ptr", 0, "ptr", 0, "ptr", 0)
    DllClose($hDLL)
    If @error Then Return SetError(@error, 0, False) ; DllCall itself failed (DLL or prototype problem)
    ConsoleWrite($aResult[0] & @CRLF)
    Return $aResult[0]
EndFunc

$aResult[0] always returns 0, and the "test.dmp" file is always 0 kilobytes.




#3 ·  Posted (edited)

@JohnOne I still get a return value of 0 with that code. I tried this as well, but still to no avail:

; $PROCESS_ALL_ACCESS = 0x001F0FFF; the fourth argument (True) asks _WinAPI_OpenProcess to enable SeDebugPrivilege
Global $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, $iProcessPID, True)

Could there be anything wrong with the DllCall?

Edited by Daeth


@OP: you should be content - a zero return value means "success": a dump file was created!


@PACaleala No, according to MSDN the return value should be TRUE if a dump file was written successfully. Furthermore, the dump file that gets created is 0 bytes.

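Checking the file size, as done above, is the right instinct; the next check a practitioner wants is what a non-empty dump actually contains. The following is an added example, not code from any post in this thread: it parses the MINIDUMP_HEADER and the stream directory that MiniDumpWriteDump writes, using only the structure layouts from dbghelp.h. It first runs on a constructed two-entry header that it writes itself (a sample, not a real dump), then on %TEMP%\test.dmp if that file exists. The file names and the contents of the sample directory are assumptions made for the demonstration.

```autoit
; Layouts from dbghelp.h: MINIDUMP_HEADER (32 bytes) and MINIDUMP_DIRECTORY (12 bytes)
Global Const $tagMINIDUMP_HEADER = "uint Signature;uint Version;uint NumberOfStreams;uint StreamDirectoryRva;" & _
        "uint CheckSum;uint TimeDateStamp;uint64 Flags"
Global Const $tagMINIDUMP_DIRECTORY = "uint StreamType;uint DataSize;uint Rva"
Global Const $MINIDUMP_SIGNATURE = 0x504D444D ; the bytes "MDMP" read as a little-endian uint32

; Names for MINIDUMP_STREAM_TYPE values 0..19 (index = stream type)
Global $gaStreamNames[20] = ["UnusedStream", "ReservedStream0", "ReservedStream1", "ThreadListStream", "ModuleListStream", _
        "MemoryListStream", "ExceptionStream", "SystemInfoStream", "ThreadExListStream", "Memory64ListStream", _
        "CommentStreamA", "CommentStreamW", "HandleDataStream", "FunctionTableStream", "UnloadedModuleListStream", _
        "MiscInfoStream", "MemoryInfoListStream", "ThreadInfoListStream", "HandleOperationListStream", "TokenStream"]

; Constructed sample (assumed path), then the file the thread's script tries to produce
Global $sSample = @TempDir & "\sample_header.dmp"
If _WriteSampleMiniDump($sSample) Then _PrintStreams($sSample)
_PrintStreams(@TempDir & "\test.dmp")

; Returns [n][3] = stream name, data size, RVA, with @extended = MINIDUMP_TYPE flags from the header.
; @error: 1 cannot open, 2 file shorter than a header (a 0-byte file lands here), 3 bad signature, 4 directory truncated
Func _MiniDumpStreams($sPath)
    Local $hFile = FileOpen($sPath, 16) ; 16 = binary read
    If $hFile = -1 Then Return SetError(1, 0, 0)
    Local $bHeader = FileRead($hFile, 32)
    If BinaryLen($bHeader) < 32 Then
        FileClose($hFile)
        Return SetError(2, 0, 0)
    EndIf
    ; overlay the header struct on the raw bytes instead of hand-decoding offsets
    Local $tRaw = DllStructCreate("byte[32]")
    DllStructSetData($tRaw, 1, $bHeader)
    Local $tHeader = DllStructCreate($tagMINIDUMP_HEADER, DllStructGetPtr($tRaw))
    If DllStructGetData($tHeader, "Signature") <> $MINIDUMP_SIGNATURE Then
        FileClose($hFile)
        Return SetError(3, 0, 0)
    EndIf
    Local $iCount = DllStructGetData($tHeader, "NumberOfStreams")
    Local $iFlags = DllStructGetData($tHeader, "Flags")
    FileSetPos($hFile, DllStructGetData($tHeader, "StreamDirectoryRva"), 0) ; 0 = offset from start of file
    Local $bDir = FileRead($hFile, 12 * $iCount)
    FileClose($hFile)
    If $iCount = 0 Or BinaryLen($bDir) < 12 * $iCount Then Return SetError(4, 0, 0)
    Local $tRawDir = DllStructCreate("byte[" & (12 * $iCount) & "]")
    DllStructSetData($tRawDir, 1, $bDir)
    Local $aStreams[$iCount][3]
    For $i = 0 To $iCount - 1
        Local $tEntry = DllStructCreate($tagMINIDUMP_DIRECTORY, DllStructGetPtr($tRawDir) + 12 * $i)
        Local $iType = DllStructGetData($tEntry, "StreamType")
        If $iType < UBound($gaStreamNames) Then
            $aStreams[$i][0] = $gaStreamNames[$iType]
        Else
            $aStreams[$i][0] = "Stream#" & $iType ; newer stream types not in the table above
        EndIf
        $aStreams[$i][1] = DllStructGetData($tEntry, "DataSize")
        $aStreams[$i][2] = DllStructGetData($tEntry, "Rva")
    Next
    Return SetExtended($iFlags, $aStreams)
EndFunc

; Writes a constructed file: header plus two directory entries and nothing else. A real dump has the stream
; data after the directory; this is only enough to exercise the parser on known values.
Func _WriteSampleMiniDump($sPath)
    Local $tBuf = DllStructCreate("byte[56]") ; 32-byte header + 2 * 12-byte directory entries
    Local $pBuf = DllStructGetPtr($tBuf)
    Local $tHeader = DllStructCreate($tagMINIDUMP_HEADER, $pBuf)
    DllStructSetData($tHeader, "Signature", $MINIDUMP_SIGNATURE)
    DllStructSetData($tHeader, "Version", 0xA793) ; MINIDUMP_VERSION (42899) in the low word
    DllStructSetData($tHeader, "NumberOfStreams", 2)
    DllStructSetData($tHeader, "StreamDirectoryRva", 32)
    DllStructSetData($tHeader, "Flags", 0x00000002) ; MiniDumpWithFullMemory
    Local $tDir0 = DllStructCreate($tagMINIDUMP_DIRECTORY, $pBuf + 32)
    DllStructSetData($tDir0, "StreamType", 7) ; SystemInfoStream (sizes and RVAs below are made up)
    DllStructSetData($tDir0, "DataSize", 56)
    DllStructSetData($tDir0, "Rva", 56)
    Local $tDir1 = DllStructCreate($tagMINIDUMP_DIRECTORY, $pBuf + 44)
    DllStructSetData($tDir1, "StreamType", 9) ; Memory64ListStream, what a full-memory dump carries its memory in
    DllStructSetData($tDir1, "DataSize", 16)
    DllStructSetData($tDir1, "Rva", 112)
    Local $hFile = FileOpen($sPath, 2 + 16) ; 2 = write (erase existing), 16 = binary
    If $hFile = -1 Then Return False
    FileWrite($hFile, DllStructGetData($tBuf, 1))
    FileClose($hFile)
    Return True
EndFunc

Func _PrintStreams($sPath)
    Local $aStreams = _MiniDumpStreams($sPath)
    Local $iErr = @error, $iFlags = @extended
    If $iErr Then
        ConsoleWrite($sPath & ": not a usable minidump (@error = " & $iErr & ", size " & FileGetSize($sPath) & " bytes)" & @CRLF)
        Return
    EndIf
    ConsoleWrite($sPath & ": " & UBound($aStreams) & " streams, MINIDUMP_TYPE flags 0x" & Hex($iFlags, 8) & @CRLF)
    For $i = 0 To UBound($aStreams) - 1
        ConsoleWrite("  " & $aStreams[$i][0] & "  size=" & $aStreams[$i][1] & "  rva=" & $aStreams[$i][2] & @CRLF)
    Next
EndFunc
```

A 0-byte test.dmp comes back as @error = 2, and a file that MiniDumpWriteDump wrote but did not finish usually still has a valid header and directory, so the stream list (and whether Memory64ListStream is present for a full-memory dump) tells more than the size alone.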

Comment out the #RequireAdmin line and insert the next line before the "Exit" line:

If FileExists(@TempDir & "\test.dmp") Then Run("notepad " & @TempDir & "\test.dmp")

Now run the script from SciTE.


What is that meant to do? There's nothing in the dump file.

#include <WinAPI.au3>
;~ #RequireAdmin try uncommenting this if it does not work for you

Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
_DumpFile(@AutoItPID, $hFile)
_WinAPI_CloseHandle($hFile)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    ; 0x0450 = PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_DUP_HANDLE (0x0040) | PROCESS_VM_READ (0x0010)
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    If Not $hProcess[0] Then Return SetError(_WinAPI_GetLastError(), 0, 0) ; OpenProcess returned NULL (access denied, bad PID)
    ; the last three parameters are pointers (exception, user stream, callback info); NULL for a plain dump
    Local $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, _
            "dword", $dDumpType, "ptr", 0, "ptr", 0, "ptr", 0)
    If @error Then Return SetError(@error, @extended, False) ; DllCall itself failed
    Local $iErr = _WinAPI_GetLastError() ; read before CloseHandle overwrites it
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $aResult[0] = 0 Then Return SetError($iErr, 0, False)
    Return $aResult[0]
EndFunc


Nothing is so strong as gentleness. Nothing is so gentle as real strength


@Terenz Hmm, that's odd. Your code writes a dump file for @AutoItPID, so I tried using @AutoItPID in my script as well, which actually works. How do I create a dump file of a system process or "notepad.exe"?

I tested DumpFile on different applications such as "chrome.exe", but "notepad.exe" doesn't work. When I use the Sysinternals ProcDump tool and create a process dump of notepad.exe (procdump -ma notepad.exe), it works fine.


?

#include <WinAPI.au3>
;~ #RequireAdmin try uncommenting this if it does not work for you

Local $iPID = Run("notepad.exe")
;~ Local $iPID = ProcessWait("notepad.exe")
Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
_DumpFile($iPID, $hFile)
_WinAPI_CloseHandle($hFile)
ProcessClose($iPID)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    ; 0x0450 = PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_DUP_HANDLE (0x0040) | PROCESS_VM_READ (0x0010)
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    If Not $hProcess[0] Then Return SetError(_WinAPI_GetLastError(), 0, 0) ; OpenProcess returned NULL (access denied, bad PID)
    ; the last three parameters are pointers (exception, user stream, callback info); NULL for a plain dump
    Local $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, _
            "dword", $dDumpType, "ptr", 0, "ptr", 0, "ptr", 0)
    If @error Then Return SetError(@error, @extended, False) ; DllCall itself failed
    Local $iErr = _WinAPI_GetLastError() ; read before CloseHandle overwrites it
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $aResult[0] = 0 Then Return SetError($iErr, 0, False)
    Return $aResult[0]
EndFunc


@JohnOne you're a genius! That did the trick. How did you know that would solve the problem?

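The two things this thread turns on, the access mask handed to OpenProcess (the first post's code and the later working code differ there) and why Run("notepad.exe") succeeded where ProcessWait("notepad.exe") did not, can be made explicit in code. The block below is an added example, not code posted by Daeth, Terenz or JohnOne: it opens the target with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, compares the target's bitness with the script's before calling MiniDumpWriteDump, passes the three trailing pointer parameters as NULL pointers, and reports GetLastError when the call fails. The dump path, the helper names and the choice of notepad.exe as target are assumptions.

```autoit
#RequireAdmin
#include <WinAPI.au3>

; What MiniDumpWriteDump needs on the target: PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_VM_READ (0x0010).
; 0x0400 alone lets you query the process but not read its memory.
Global Const $PROCESS_DUMP_ACCESS = BitOR(0x0400, 0x0010)
Global Const $MINIDUMP_NORMAL = 0x00000000
Global Const $MINIDUMP_WITH_FULL_MEMORY = 0x00000002

; Usage (assumed target and path): dump the notepad.exe that is already running, whichever bitness it is
Global $iPID = ProcessExists("notepad.exe")
If $iPID = 0 Then
    ConsoleWrite("notepad.exe is not running" & @CRLF)
    Exit 1
EndIf
Global $sDump = @TempDir & "\notepad.dmp"
Global $bOK = _DumpProcess($iPID, $sDump, $MINIDUMP_WITH_FULL_MEMORY)
Global $iErr = @error ; capture before any other call resets it
If $bOK Then
    ConsoleWrite("dumped PID " & $iPID & " to " & $sDump & " (" & FileGetSize($sDump) & " bytes)" & @CRLF)
Else
    ConsoleWrite("dump of PID " & $iPID & " failed: " & _DumpErrorText($iErr) & @CRLF)
EndIf

; Writes a minidump of $iPID to $sPath. Returns True on success. On failure returns False with
; @error = -1 (caller/target bitness mismatch), -2 (DllCall failed) or the Win32 error from GetLastError,
; and @extended = 1 OpenProcess, 2 CreateFile, 3 MiniDumpWriteDump.
Func _DumpProcess($iPID, $sPath, $iDumpType = $MINIDUMP_NORMAL)
    Local $iErr = 0
    ; True asks the UDF to enable SeDebugPrivilege (hence #RequireAdmin) so other users' and system processes open too
    Local $hProcess = _WinAPI_OpenProcess($PROCESS_DUMP_ACCESS, 0, $iPID, True)
    If $hProcess = 0 Then Return SetError(_WinAPI_GetLastError(), 1, False)

    ; dbghelp does not dump across bitness: a 32-bit script cannot dump a 64-bit process, and vice versa.
    ; Detect it here instead of getting a failed call and an empty file.
    If _IsProcess64($hProcess) <> @AutoItX64 Then
        _WinAPI_CloseHandle($hProcess)
        Return SetError(-1, 0, False)
    EndIf

    Local $hFile = _WinAPI_CreateFile($sPath, 1, 4) ; 1 = create/overwrite, 4 = write access
    If $hFile = 0 Then
        $iErr = _WinAPI_GetLastError()
        _WinAPI_CloseHandle($hProcess)
        Return SetError($iErr, 2, False)
    EndIf

    ; Trailing parameters are PMINIDUMP_EXCEPTION_INFORMATION, PMINIDUMP_USER_STREAM_INFORMATION and
    ; PMINIDUMP_CALLBACK_INFORMATION: pointers, so pass them as "ptr" NULL, not as DWORDs
    Local $aRet = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess, "dword", $iPID, _
            "handle", $hFile, "dword", $iDumpType, "ptr", 0, "ptr", 0, "ptr", 0)
    Local $iCallErr = @error
    $iErr = _WinAPI_GetLastError()
    _WinAPI_CloseHandle($hFile)
    _WinAPI_CloseHandle($hProcess)
    If $iCallErr Then Return SetError(-2, 3, False)
    If Not $aRet[0] Then
        FileDelete($sPath) ; do not leave a 0-byte or truncated dump behind
        Return SetError($iErr, 3, False)
    EndIf
    Return True
EndFunc

; 1 if the process is native 64-bit, 0 if 32-bit. On 64-bit Windows a process NOT running under WOW64 is 64-bit;
; on 32-bit Windows everything is 32-bit. IsWow64Process needs PROCESS_QUERY_INFORMATION, which we hold.
Func _IsProcess64($hProcess)
    If @OSArch = "X86" Then Return 0
    Local $aRet = DllCall("kernel32.dll", "bool", "IsWow64Process", "handle", $hProcess, "bool*", 0)
    If @error Or Not $aRet[0] Then Return SetError(1, 0, 0)
    If $aRet[2] Then Return 0 ; WOW64 process = 32-bit
    Return 1
EndFunc

Func _DumpErrorText($iErr)
    Switch $iErr
        Case -1
            If @AutoItX64 Then Return "bitness mismatch: target is 32-bit, run this script with 32-bit AutoIt"
            Return "bitness mismatch: target is 64-bit, run this script with 64-bit AutoIt (e.g. #AutoIt3Wrapper_UseX64=y)"
        Case -2
            Return "DllCall failed (dbghelp.dll not found or bad prototype)"
        Case Else
            Return "Win32 error " & $iErr & " (5 = access denied, 299 = ERROR_PARTIAL_COPY)"
    EndSwitch
EndFunc
```

This is also the explanation of the thread's fix. Run("notepad.exe") from a 32-bit AutoIt process goes through WOW64 file-system redirection and starts the 32-bit %windir%\SysWOW64\notepad.exe, which a 32-bit caller can dump; ProcessWait("notepad.exe") attaches to the notepad the user already opened, on 64-bit Windows the 64-bit one in System32, which a 32-bit dbghelp cannot dump, so MiniDumpWriteDump returns FALSE and the file stays at 0 bytes. That is consistent with the other observations in the thread: @AutoItPID is always the same bitness as the script, a 32-bit chrome.exe dumps fine, and ProcDump works because it hands 64-bit targets to its own 64-bit copy. Running the script under 64-bit AutoIt (or checking bitness as above) removes the guesswork. Two practical caveats: dumping a system process additionally needs an elevated token with SeDebugPrivilege, and a MiniDumpWithFullMemory file holds everything in the target's address space (credentials, tokens, keys), so write it somewhere with a tight ACL and delete it when you are done.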

