Daeth

Process Dumping doesn't work

13 posts in this topic

I'm trying to dump a process' memory to a file in the temporary directory, similar to Microsoft's ProcDump. The code uses the MinidumpWriteDump function in the dbghelp.dll. Here is the following code. (You need to open Notepad to start)

#NoTrayIcon
#RequireAdmin
#include <WinAPI.au3>
Global Const $MiniDumpNormal = "0x00000000"
Global Const $MiniDumpWithDataSegs = "0x00000001"
Global Const $MiniDumpWithFullMemory = "0x00000002"
Global Const $MiniDumpWithHandleData = "0x00000004"
Global Const $MiniDumpFilterMemory = "0x00000008"
Global Const $MiniDumpScanMemory = "0x00000010"
Global Const $MiniDumpWithUnloadedModules = "0x00000020"
Global Const $MiniDumpWithIndirectlyReferencedMemory = "0x00000040"
Global Const $MiniDumpFilterModulePaths = "0x00000080"
Global Const $MiniDumpWithProcessThreadData = "0x00000100"
Global Const $MiniDumpWithPrivateReadWriteMemory = "0x00000200"
Global Const $MiniDumpWithoutOptionalData = "0x00000400"
Global Const $MiniDumpWithFullMemoryInfo = "0x00000800"
Global Const $MiniDumpWithThreadInfo = "0x00001000"
Global Const $MiniDumpWithCodeSegs = "0x00002000"
Global Const $MiniDumpWithoutAuxiliaryState = "0x00004000"
Global Const $MiniDumpWithFullAuxiliaryState = "0x00008000"
Global Const $MiniDumpWithPrivateWriteCopyMemory = "0x00010000"
Global Const $MiniDumpIgnoreInaccessibleMemory = "0x00020000"
Global Const $MiniDumpWithTokenInformation = "0x00040000"
Global Const $MiniDumpWithModuleHeaders = "0x00080000"
Global Const $MiniDumpFilterTriage = "0x00100000"
Global Const $MiniDumpValidTypeFlags = "0x001fffff"
Global $iProcessPID = ProcessWait("notepad.exe")
Global $hProcess = _WinAPI_OpenProcess("0x0400", 0, $iProcessPID)
Global $hFile = _WinAPI_CreateFile(@TempDir & "\test.dmp", 1)
ConsoleWrite("$iProcessPID = " & $iProcessPID & @CRLF & "$hProcess = " & $hProcess & @CRLF & "$hFile = " & $hFile & @CRLF)
DumpFile($hProcess, $iProcessPID, $hFile, $MiniDumpWithFullMemory)
_WinAPI_CloseHandle($hFile)
_WinAPI_CloseHandle($hProcess)
Exit

Func DumpFile($hProcess, $iPID, $hFile, $dDumpType)
    $hDLL = DllOpen(@SystemDir & "\dbghelp.dll")
    $aResult = DllCall($hDLL, "BOOL", "MiniDumpWriteDump", "HANDLE", $hProcess, "DWORD", $iPID, "HANDLE", $hFile, "DWORD", $dDumpType, "DWORD", Null, "DWORD", Null, "DWORD", Null)
    DllClose($hDLL)
    ConsoleWrite($aResult[0])
EndFunc

$aResult[0] always returns 0, and the "test.dmp" file is always 0 kilobytes.
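Since the symptom here is a test.dmp that is written but stays at 0 bytes, an added Python check (not code from the thread) that validates a .dmp file offline: it parses the MINIDUMP_HEADER and stream directory from minidumpapiset.h and decodes the Flags field with the MiniDump* constants listed above (bit i of Flags is the i-th constant after MiniDumpNormal). The sample input is constructed by build_sample_dump; the stream-type numbers and the 0xA793 version word are the documented MINIDUMP_STREAM_TYPE and MINIDUMP_VERSION values.

```python
import struct

# MINIDUMP_HEADER and MINIDUMP_DIRECTORY layouts from minidumpapiset.h; the
# 64-bit Flags field holds the MINIDUMP_TYPE bits listed in the thread.
MDMP_SIGNATURE = 0x504D444D                 # ASCII "MDMP" read little-endian
HEADER_FMT = "<IIIIIIQ"                     # Signature, Version, NumberOfStreams,
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIR_FMT, DIR_SIZE = "<III", 12              # StreamType, DataSize, Rva
# Bit i of Flags is the i-th name here (MiniDumpWithDataSegs = 1, ..., MiniDumpFilterTriage = 0x100000).
TYPE_NAMES = ("WithDataSegs WithFullMemory WithHandleData FilterMemory ScanMemory "
              "WithUnloadedModules WithIndirectlyReferencedMemory FilterModulePaths "
              "WithProcessThreadData WithPrivateReadWriteMemory WithoutOptionalData "
              "WithFullMemoryInfo WithThreadInfo WithCodeSegs WithoutAuxiliaryState "
              "WithFullAuxiliaryState WithPrivateWriteCopyMemory IgnoreInaccessibleMemory "
              "WithTokenInformation WithModuleHeaders FilterTriage").split()
STREAM_NAMES = {3: "ThreadList", 4: "ModuleList", 5: "MemoryList", 6: "Exception",
                7: "SystemInfo", 9: "Memory64List", 12: "HandleData", 15: "MiscInfo",
                16: "MemoryInfoList", 17: "ThreadInfoList", 19: "Token"}

def parse_minidump(data):
    """Summarise a minidump, or report why it is unusable (e.g. the 0-byte file above)."""
    if len(data) < HEADER_SIZE:
        return {"ok": False, "reason": f"{len(data)} bytes, header needs {HEADER_SIZE}"}
    sig, ver, n, dir_rva, _csum, _ts, flags = struct.unpack_from(HEADER_FMT, data)
    if sig != MDMP_SIGNATURE:
        return {"ok": False, "reason": f"bad signature 0x{sig:08X}"}
    if dir_rva + n * DIR_SIZE > len(data):
        return {"ok": False, "reason": "stream directory truncated"}
    streams = []
    for i in range(n):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * DIR_SIZE)
        streams.append((STREAM_NAMES.get(stype, f"Stream{stype}"), size, rva))
    types = ["MiniDump" + nm for i, nm in enumerate(TYPE_NAMES) if flags & (1 << i)]
    unknown = flags & ~((1 << len(TYPE_NAMES)) - 1)   # bits outside MiniDumpValidTypeFlags
    return {"ok": True, "version": ver & 0xFFFF, "types": types or ["MiniDumpNormal"],
            "unknown_flag_bits": unknown, "streams": streams}

def build_sample_dump(flags, stream_types):
    """Constructed test input: a header plus directory entries, no stream payloads."""
    hdr = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, len(stream_types), HEADER_SIZE, 0, 0, flags)
    body = b"".join(struct.pack(DIR_FMT, t, 0, 0) for t in stream_types)
    return hdr + body

if __name__ == "__main__":
    # The dump type used in the first post, with a SystemInfo and a Memory64List stream.
    print(parse_minidump(build_sample_dump(0x2, [7, 9])))
    print(parse_minidump(b""))   # the empty test.dmp from the first post
```

Running it against a real file is `parse_minidump(open(path, "rb").read())`; a full-memory dump of notepad.exe should report MiniDumpWithFullMemory and a Memory64List stream.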




#3 ·  Posted (edited)

@JohnOne I still get a return value of 0 with that code. I tried with this, but still to no avail:

Global $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, $iProcessPID, True)

Could there be anything wrong with the DllCall?

Edited by Daeth


@OP: you should be content - that zero as a return value means "success"; a dump file was created!


@PACaleala No, according to MSDN, it says the return value should be True if a successful dump file was written. Furthermore, the dump file created is 0 bytes.


Comment out the #RequireAdmin line and insert the next line before the "Exit" line:

if FileExists(@TempDir & "\test.dmp") Then run ("notepad" & " " & @TempDir & "\test.dmp")

Now run the script from SciTE.


What is that meant to do? There's nothing in the dumpfile.

#include <WinAPI.au3>
;~ #RequireAdmin try to un-comment if not work for you

Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
_DumpFile(@AutoItPID, $hFile)
_WinAPI_CloseHandle($hFile)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    ; 0x0450 = PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_VM_READ (0x0010) | PROCESS_DUP_HANDLE (0x0040).
    ; MiniDumpWriteDump needs the first two; the third is only used when handle data is requested.
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    If Not $hProcess[0] Then Return SetError(1, _WinAPI_GetLastError(), 0) ; OpenProcess failed (e.g. access denied)
    ; ExceptionParam, UserStreamParam and CallbackParam are pointers, so pass them as "ptr" 0 (correct on x64 too)
    Local $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, "dword", $dDumpType, "ptr", 0, "ptr", 0, "ptr", 0)
    Local $iError = @error, $iLastError = _WinAPI_GetLastError() ; capture before CloseHandle resets them
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $iError Then Return SetError($iError, $iLastError, False)
    If $aResult[0] = 0 Then Return SetError(2, $iLastError, False) ; MiniDumpWriteDump returned FALSE
    Return $aResult[0]
EndFunc


Nothing is so strong as gentleness. Nothing is so gentle as real strength


@Terenz Hmm, that's odd. Your code writes a dump file for @AutoItPID, so I tried using @AutoItPID in my script as well, which actually works. How do I create a dump file of a system process or "notepad.exe"?

I tested the DumpFile on different applications such as "chrome.exe", but "notepad.exe" doesn't work. When I use the Sysinternals 'ProcDump' tool and create a process dump of notepad.exe (procdump -ma notepad.exe), it works fine.


?

#include <WinAPI.au3>
;~ #RequireAdmin try to un-comment if not work for you

Local $iPID = Run("notepad.exe")
;~ Local $iPID = ProcessWait("notepad.exe")
Local $hFile = _WinAPI_CreateFile(@ScriptDir & "\Test.dmp", 1) ; Creates a new file. If a file exists, it is overwritten
_DumpFile($iPID, $hFile)
_WinAPI_CloseHandle($hFile)
ProcessClose($iPID)

Func _DumpFile($iPID, $hFile, $dDumpType = 0)
    ; 0x0450 = PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_VM_READ (0x0010) | PROCESS_DUP_HANDLE (0x0040).
    ; MiniDumpWriteDump needs the first two; the third is only used when handle data is requested.
    Local $hProcess = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0450, "bool", 0, "dword", $iPID)
    If @error Then Return SetError(@error, @extended, 0)
    If Not $hProcess[0] Then Return SetError(1, _WinAPI_GetLastError(), 0) ; OpenProcess failed (e.g. access denied)
    ; ExceptionParam, UserStreamParam and CallbackParam are pointers, so pass them as "ptr" 0 (correct on x64 too)
    Local $aResult = DllCall("dbghelp.dll", "bool", "MiniDumpWriteDump", "handle", $hProcess[0], "dword", $iPID, "handle", $hFile, "dword", $dDumpType, "ptr", 0, "ptr", 0, "ptr", 0)
    Local $iError = @error, $iLastError = _WinAPI_GetLastError() ; capture before CloseHandle resets them
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess[0])
    If $iError Then Return SetError($iError, $iLastError, False)
    If $aResult[0] = 0 Then Return SetError(2, $iLastError, False) ; MiniDumpWriteDump returned FALSE
    Return $aResult[0]
EndFunc


Nothing is so strong as gentleness. Nothing is so gentle as real strength


@JohnOne you're a genius! That did the trick. How did you know that would solve the problem?

