description |
---|
Description of the '.dump' command in HyperDbg. |
.dump
.dump [FromAddress (hex)] [ToAddress (hex)] [pid ProcessId (hex)] [path Path (string)]
Saves a range of the virtual memory into a file.
[FromAddress (hex)]
The start virtual address of where it needs to be dumped.
[ToAddress (hex)]
The end of the virtual address of where it needs to be dumped.
[pid ProcessId (hex)] (optional)
The Process ID in hex format that we want to see the memory from its context (cr3).
[path Path (string)]
The path of where the dump file needs to be saved.
{% hint style="info" %} If you don't specify the pid, then the default pid is the current process (HyperDbg) process layout of memory. {% endhint %}
{% hint style="danger" %} In the Debugger Mode, the pid (parameter) is ignored. If you want to view another process memory, use the '.process' command to switch to another process memory layout. {% endhint %}
The following command saves the virtual memory from the address fffff801deadb000
to fffff801deade054
in the file c:\rev\dump1.dmp
.
HyperDbg> .dump fffff801deadb000 fffff801deade054 path c:\rev\dump1.dmp
the dump file is saved at: c:\rev\dump1.dmp
The following command saves the virtual memory from the address 401000
to 40b000
located at a process with pid equal to 0x1c0 in the file c:\rev\dump2.dmp
.
HyperDbg> .dump 401000 40b000 pid 1c0 path c:\rev\dump2.dmp
the dump file is saved at: c:\rev\dump2.dmp
The following command saves the virtual memory from the address 401000
to 401000+ff00
located at the current process in the file c:\rev\dump3.dmp
.
HyperDbg> .dump 401000 401000+ff00 path c:\rev\dump3.dmp
the dump file is saved at: c:\rev\dump3.dmp
This command reads the memory in the 4KB chunks and is the same as this command, just you have to set the memory reading Style
to DEBUGGER_SHOW_COMMAND_DUMP
.
Starting from v0.6, this command was added to the HyperDbg debugger.
The '!dump' command is used for dumping the physical memory.
If you're performing a dump of a large memory range, you may come across an "invalid address" error at certain addresses. If you're sure that the address is valid then the address is either paged out or not currently accessible in the current CR3 page table. You can utilize the '.pagein' command. This command loads the corresponding page table into memory and injects a page fault (#PF). You can check whether the address is valid or not by examining the page tables using the '!pte' command.
This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.
None
!dump (save the physical memory into a file)