Daeth

Process Dumping doesn't work

13 posts in this topic

I'm trying to dump a process's memory to a file in the temporary directory, similar to Microsoft's ProcDump. The code uses the MinidumpWriteDump function in dbghelp.dll. Here is the code. (You need to open Notepad before starting it.)

#NoTrayIcon
#RequireAdmin
#include <WinAPI.au3>

; MINIDUMP_TYPE flags, as numbers so they can be combined with BitOR()
Global Const $MiniDumpNormal = 0x00000000
Global Const $MiniDumpWithDataSegs = 0x00000001
Global Const $MiniDumpWithFullMemory = 0x00000002
Global Const $MiniDumpWithHandleData = 0x00000004
Global Const $MiniDumpFilterMemory = 0x00000008
Global Const $MiniDumpScanMemory = 0x00000010
Global Const $MiniDumpWithUnloadedModules = 0x00000020
Global Const $MiniDumpWithIndirectlyReferencedMemory = 0x00000040
Global Const $MiniDumpFilterModulePaths = 0x00000080
Global Const $MiniDumpWithProcessThreadData = 0x00000100
Global Const $MiniDumpWithPrivateReadWriteMemory = 0x00000200
Global Const $MiniDumpWithoutOptionalData = 0x00000400
Global Const $MiniDumpWithFullMemoryInfo = 0x00000800
Global Const $MiniDumpWithThreadInfo = 0x00001000
Global Const $MiniDumpWithCodeSegs = 0x00002000
Global Const $MiniDumpWithoutAuxiliaryState = 0x00004000
Global Const $MiniDumpWithFullAuxiliaryState = 0x00008000
Global Const $MiniDumpWithPrivateWriteCopyMemory = 0x00010000
Global Const $MiniDumpIgnoreInaccessibleMemory = 0x00020000
Global Const $MiniDumpWithTokenInformation = 0x00040000
Global Const $MiniDumpWithModuleHeaders = 0x00080000
Global Const $MiniDumpFilterTriage = 0x00100000
Global Const $MiniDumpValidTypeFlags = 0x001fffff

Global $iProcessPID = ProcessWait("notepad.exe")
; MiniDumpWriteDump needs PROCESS_QUERY_INFORMATION (0x0400) and PROCESS_VM_READ (0x0010) on the target
Global $hProcess = _WinAPI_OpenProcess(0x0410, 0, $iProcessPID)
Global $hFile = _WinAPI_CreateFile(@TempDir & "\test.dmp", 1) ; 1 = create the file, overwrite if it exists
ConsoleWrite("$iProcessPID = " & $iProcessPID & @CRLF & "$hProcess = " & $hProcess & @CRLF & "$hFile = " & $hFile & @CRLF)
DumpFile($hProcess, $iProcessPID, $hFile, $MiniDumpWithFullMemory)
_WinAPI_CloseHandle($hFile)
_WinAPI_CloseHandle($hProcess)
Exit

Func DumpFile($hProcess, $iPID, $hFile, $dDumpType)
    Local $hDLL = DllOpen(@SystemDir & "\dbghelp.dll")
    ; The last three parameters are pointers (exception, user stream and callback info); NULL means "none"
    Local $aResult = DllCall($hDLL, "BOOL", "MiniDumpWriteDump", "HANDLE", $hProcess, "DWORD", $iPID, "HANDLE", $hFile, "DWORD", $dDumpType, "PTR", 0, "PTR", 0, "PTR", 0)
    Local $iError = @error
    DllClose($hDLL)
    If $iError Then
        ConsoleWrite("DllCall failed, @error = " & $iError & @CRLF)
        Return False
    EndIf
    ConsoleWrite($aResult[0] & @CRLF)
    Return $aResult[0]
EndFunc

$aResult[0] always returns 0, and the "test.dmp" file is always 0 kilobytes.




#3 ·  Posted (edited)

@JohnOne I still get a return value of 0 with that code. I tried with this, but still to no avail:

Global $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, $iProcessPID, True)

Could there be anything wrong with the DllCall?

Edited by Daeth


@OP: you should be content. That zero as a return value means "success": a dump file was created!


@PACaleala No, according to MSDN the return value should be True if a dump file was written successfully. Furthermore, the dump file that is created is 0 bytes.


Comment out the #RequireAdmin line and insert the next line before the "Exit" line:

if FileExists(@TempDir & "\test.dmp") Then run ("notepad" & " " & @TempDir & "\test.dmp")

Now run the script from SciTE.


What is that meant to do? There's nothing in the dump file.

#include <WinAPI.au3>
;~ #RequireAdmin try to un-comment if not work for you

Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
Local $bResult = _DumpFile(@AutoItPID, $hFile)
ConsoleWrite("MiniDumpWriteDump returned " & $bResult & ", @error = " & @error & ", @extended (Win32 error) = " & @extended & @CRLF)
_WinAPI_CloseHandle($hFile)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    ; 0x0450 = PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE | PROCESS_VM_READ
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    If Not $hProcess[0] Then Return SetError(1, _WinAPI_GetLastError(), 0) ; OpenProcess returned NULL
    ; The last three parameters are pointers (exception, user stream and callback info); NULL means "none"
    Local $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, "dword", $dDumpType, "ptr", 0, "ptr", 0, "ptr", 0)
    Local $iError = @error
    Local $iLastError = _WinAPI_GetLastError() ; read it before CloseHandle overwrites it
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $iError Then Return SetError($iError, 0, False)
    If $aResult[0] = 0 Then Return SetError(2, $iLastError, False)
    Return $aResult[0]
EndFunc


Nothing is so strong as gentleness. Nothing is so gentle as real strength

 


@Terenz Hmm, that's odd: your code writes a dump file for @AutoItPID, so I tried using @AutoItPID in my script as well, which actually works. How do I create a dump file of a system process or "notepad.exe"?

I tested DumpFile on different applications such as "chrome.exe", but "notepad.exe" doesn't work. When I use the Sysinternals ProcDump tool and create a process dump of notepad.exe (procdump -ma notepad.exe), it works fine.


?

#include <WinAPI.au3>
;~ #RequireAdmin try to un-comment if not work for you

Local $iPID = Run("notepad.exe")
;~ Local $iPID = ProcessWait("notepad.exe")
Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
Local $bResult = _DumpFile($iPID, $hFile)
ConsoleWrite("MiniDumpWriteDump returned " & $bResult & ", @error = " & @error & ", @extended (Win32 error) = " & @extended & @CRLF)
_WinAPI_CloseHandle($hFile)
ProcessClose($iPID)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    ; 0x0450 = PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE | PROCESS_VM_READ
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    If Not $hProcess[0] Then Return SetError(1, _WinAPI_GetLastError(), 0) ; OpenProcess returned NULL
    ; The last three parameters are pointers (exception, user stream and callback info); NULL means "none"
    Local $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, "dword", $dDumpType, "ptr", 0, "ptr", 0, "ptr", 0)
    Local $iError = @error
    Local $iLastError = _WinAPI_GetLastError() ; read it before CloseHandle overwrites it
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $iError Then Return SetError($iError, 0, False)
    If $aResult[0] = 0 Then Return SetError(2, $iLastError, False)
    Return $aResult[0]
EndFunc


Nothing is so strong as gentleness. Nothing is so gentle as real strength

 


@JohnOne you're a genius! That did the trick. How did you know that would solve the problem?
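The thread ends without saying why Run("notepad.exe") succeeds where ProcessWait("notepad.exe") fails. The usual cause, stated here as an assumption the thread does not confirm, is a bitness mismatch: a 32-bit AutoIt script (the default when launched from SciTE on x64 Windows) loads the 32-bit dbghelp.dll, which cannot dump a native 64-bit process such as the notepad.exe already running on a 64-bit system, so MiniDumpWriteDump returns FALSE and leaves the 0-byte file; Run("notepad.exe") from a 32-bit script starts the 32-bit notepad from SysWOW64 through file system redirection, which the 32-bit dbghelp.dll can dump. The following script is an added example, not code posted in the thread: it opens the target with exactly the rights MiniDumpWriteDump needs, checks that the target's bitness matches the script's, passes the three pointer parameters as pointers (a "dword" is too narrow on x64), captures GetLastError before any other call overwrites it, and then verifies that the file written really starts with a MINIDUMP_HEADER instead of trusting the return value. Constant names starting with $PROC_ and $DUMP_ are this example's own. Keep in mind that this is the same call ProcDump -ma makes, and an open of lsass.exe with PROCESS_VM_READ followed by MiniDumpWriteDump is exactly the pattern credential-dumping detections alert on; point it only at processes you are entitled to inspect.

```autoit
#include <WinAPI.au3>

; Added example: dump notepad.exe with MiniDumpWriteDump and report why it fails.
; Assumes the system dbghelp.dll and a target the caller may open (no admin
; needed for the caller's own processes).
Global Const $PROC_ACCESS_DUMP = BitOR(0x0400, 0x0010) ; PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
Global Const $DUMP_WITH_FULL_MEMORY = 0x00000002       ; MiniDumpWithFullMemory
Global Const $DUMP_WITH_HANDLE_DATA = 0x00000004       ; MiniDumpWithHandleData
Global Const $DUMP_WITH_FULL_MEMORY_INFO = 0x00000800  ; MiniDumpWithFullMemoryInfo
Global Const $DUMP_WITH_THREAD_INFO = 0x00001000       ; MiniDumpWithThreadInfo

Local $iPID = ProcessExists("notepad.exe")
If Not $iPID Then
    ConsoleWrite("notepad.exe is not running" & @CRLF)
    Exit 1
EndIf
Local $sDump = @TempDir & "\notepad.dmp"
Local $iType = BitOR($DUMP_WITH_FULL_MEMORY, $DUMP_WITH_HANDLE_DATA, $DUMP_WITH_FULL_MEMORY_INFO, $DUMP_WITH_THREAD_INFO)
If _MiniDumpProcess($iPID, $sDump, $iType) Then
    Local $iStreams = _MiniDumpStreamCount($sDump)
    ConsoleWrite("wrote " & $sDump & ": " & FileGetSize($sDump) & " bytes, " & $iStreams & " streams" & @CRLF)
Else
    Local $iStage = @error, $iWin32 = @extended
    If $iStage = 2 Then
        ConsoleWrite("bitness mismatch: run this script with the AutoIt build that matches the target" & @CRLF)
    Else
        ConsoleWrite("dump failed at stage " & $iStage & ", Win32 error " & $iWin32 & @CRLF)
    EndIf
EndIf

; True if the process behind $hProcess is a native 64-bit process.
Func _ProcessIs64Bit($hProcess)
    If @OSArch <> "X64" Then Return False ; 32-bit Windows runs only 32-bit processes
    Local $aRet = DllCall("kernel32.dll", "bool", "IsWow64Process", "handle", $hProcess, "bool*", 0)
    If @error Then Return SetError(1, 0, False)
    If Not $aRet[0] Then Return SetError(1, 0, False)
    Return Not $aRet[2] ; not WoW64 on x64 Windows means native 64-bit
EndFunc

; Returns True on success. On failure @error is the stage (1 OpenProcess,
; 2 bitness mismatch, 3 CreateFile, 4 DllCall, 5 MiniDumpWriteDump returned FALSE)
; and @extended the Win32 error code where one applies.
Func _MiniDumpProcess($iPID, $sDumpPath, $iDumpType)
    Local $hProcess = _WinAPI_OpenProcess($PROC_ACCESS_DUMP, 0, $iPID)
    If Not $hProcess Then Return SetError(1, _WinAPI_GetLastError(), False)

    ; A 32-bit dbghelp.dll cannot read a 64-bit target (and vice versa): check first.
    Local $bTarget64 = _ProcessIs64Bit($hProcess)
    If Not @error And $bTarget64 <> (@AutoItX64 = 1) Then
        _WinAPI_CloseHandle($hProcess)
        Return SetError(2, 0, False)
    EndIf

    Local $hFile = _WinAPI_CreateFile($sDumpPath, 1, 4) ; create/overwrite, GENERIC_WRITE
    If Not $hFile Then
        Local $iErr = _WinAPI_GetLastError()
        _WinAPI_CloseHandle($hProcess)
        Return SetError(3, $iErr, False)
    EndIf

    ; Last three parameters are pointers to optional exception, user-stream and callback info.
    Local $aRet = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", _
            "handle", $hProcess, "dword", $iPID, "handle", $hFile, "int", $iDumpType, _
            "ptr", 0, "ptr", 0, "ptr", 0)
    Local $iDllErr = @error
    Local $iLastErr = _WinAPI_GetLastError() ; capture before CloseHandle overwrites it
    _WinAPI_CloseHandle($hFile)
    _WinAPI_CloseHandle($hProcess)
    If $iDllErr Then Return SetError(4, $iLastErr, False)
    If Not $aRet[0] Then Return SetError(5, $iLastErr, False)
    Return True
EndFunc

; Reads the 32-byte MINIDUMP_HEADER and returns NumberOfStreams, or 0 with
; @error set (1 cannot open, 2 too short, 3 no "MDMP" signature).
Func _MiniDumpStreamCount($sDumpPath)
    Local $hRead = FileOpen($sDumpPath, 16) ; 16 = binary mode
    If $hRead = -1 Then Return SetError(1, 0, 0)
    Local $bHeader = FileRead($hRead, 32)
    FileClose($hRead)
    If BinaryLen($bHeader) < 32 Then Return SetError(2, 0, 0)
    Local $tBuf = DllStructCreate("byte[32]")
    DllStructSetData($tBuf, 1, $bHeader)
    Local $tHdr = DllStructCreate("char Signature[4];dword Version;dword NumberOfStreams;dword StreamDirectoryRva;dword CheckSum;dword TimeDateStamp;uint64 Flags", DllStructGetPtr($tBuf))
    If DllStructGetData($tHdr, "Signature") <> "MDMP" Then Return SetError(3, 0, 0)
    Return DllStructGetData($tHdr, "NumberOfStreams")
EndFunc
```

Run it once with AutoIt3.exe and once with AutoIt3_x64.exe against a 64-bit notepad.exe: the 32-bit run stops at stage 2 instead of producing an empty file, and the 64-bit run reports a file whose header carries the "MDMP" signature and a non-zero stream count. Dumping another user's or a protected process still needs an elevated script with SeDebugPrivilege, which this example does not request.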

