Windows内存dump

天地之间,物各有主…

#include <inttypes.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>

/*
 * Per-region record written to the dump file directly ahead of that region's
 * page data (see dump()). The fields are copied from the
 * MEMORY_BASIC_INFORMATION returned by VirtualQueryEx, so a reader of the
 * file needs this exact layout: one 64-bit address followed by four 32-bit
 * values, 24 bytes with no padding on the usual x86/x64 ABIs.
 *
 * NOTE(review): a file-scope tag beginning with an underscore is reserved by
 * the C standard; renaming the tag would not change the on-disk layout.
 */
typedef struct _dump_t {
    uint64_t addr;     /* start address of the region in the target process */
    uint32_t size;     /* region length in bytes (RegionSize narrowed to 32 bits) */
    uint32_t state;    /* MEMORY_BASIC_INFORMATION.State */
    uint32_t type;     /* MEMORY_BASIC_INFORMATION.Type */
    uint32_t protect;  /* MEMORY_BASIC_INFORMATION.Protect */
} dump_t;

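/*
 * Open a handle on process `pid` that is sufficient for memory inspection.
 *
 * Only PROCESS_QUERY_INFORMATION (required by VirtualQueryEx) and
 * PROCESS_VM_READ (required by ReadProcessMemory) are requested. The dumper
 * never writes to or controls the target, so asking for PROCESS_ALL_ACCESS
 * would grant far more than it uses and be refused on more targets.
 *
 * Returns the handle, or NULL on failure with the Win32 error code printed.
 * The caller owns the returned handle and must release it with CloseHandle().
 */
HANDLE open_process(uint32_t pid)
{
    const DWORD access = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ;
    HANDLE process_handle = OpenProcess(access, FALSE, pid);

    if (process_handle == NULL) {
        /* GetLastError() returns a DWORD (unsigned long): %lu, not %ld. */
        printf("[-] Error getting access to process %" PRIu32 ": %lu!\n",
            pid, GetLastError());
    }

    return process_handle;
}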


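/* Write exactly `n` bytes of `p` to `h`; returns 0, or -1 with the error printed. */
static int write_exact(HANDLE h, const void *p, DWORD n)
{
    DWORD written = 0;

    if (WriteFile(h, p, n, &written, NULL) == 0 || written != n) {
        printf("[-] Error writing to dump file: %lu\n", GetLastError());
        return -1;
    }
    return 0;
}

/*
 * Dump the committed, non-guard memory of process `pid` to `filepath`.
 *
 * The output is a sequence of records: a dump_t header describing a region,
 * followed by the region's bytes copied one page (sizeof(buf), 0x1000 bytes)
 * at a time. Regions that are not MEM_COMMIT, carry PAGE_GUARD, or have none
 * of the MEM_IMAGE/MEM_MAPPED/MEM_PRIVATE type bits are skipped silently.
 *
 * addr/length: when both are non-zero, only memory inside the window
 * [addr, addr + length) is written. A region that starts below `addr` is
 * walked page by page until the cursor enters the window, so the record for
 * it starts at the first page inside the window rather than at the region
 * base; regions entirely below the window are skipped whole and the scan
 * stops at the first region at or beyond the window end.
 *
 * A page that cannot be read in full is written as zeros after a warning, so
 * the file layout still matches the headers and no bytes from the previous
 * page are emitted under the wrong address.
 *
 * Returns 0 on success, -1 if the output file or the process could not be
 * opened or a write failed. Both handles are released on every path.
 */
int dump(uint32_t pid, const wchar_t *filepath,
    uintptr_t addr, uint32_t length)
{
    SYSTEM_INFO si;
    MEMORY_BASIC_INFORMATION mbi;
    HANDLE process_handle = NULL;
    HANDLE file_handle = INVALID_HANDLE_VALUE;
    SIZE_T read_bytes = 0;
    uint8_t buf[0x1000];
    dump_t d;
    int rc = -1;

    GetSystemInfo(&si);

    file_handle = CreateFileW(filepath, GENERIC_WRITE, 0,
        NULL, CREATE_ALWAYS, 0, NULL);
    /* CreateFileW signals failure with INVALID_HANDLE_VALUE, never NULL. */
    if (file_handle == INVALID_HANDLE_VALUE) {
        printf("[-] Error opening dump filepath %ls: %lu\n",
            filepath, GetLastError());
        goto out;
    }

    process_handle = open_process(pid);
    if (process_handle == NULL) {
        goto out;  /* open_process() has already reported the error */
    }

    uint8_t *ptr = si.lpMinimumApplicationAddress;

    while (ptr < (uint8_t *) si.lpMaximumApplicationAddress) {
        /* VirtualQueryEx returns the number of bytes filled in; 0 is failure. */
        if (VirtualQueryEx(process_handle, ptr, &mbi, sizeof(mbi)) == 0) {
            ptr += sizeof(buf);
            continue;
        }

        if ((mbi.State & MEM_COMMIT) == 0 || (mbi.Protect & PAGE_GUARD) != 0 ||
                (mbi.Type & (MEM_IMAGE | MEM_MAPPED | MEM_PRIVATE)) == 0) {
            ptr += mbi.RegionSize;
            continue;
        }

        /* The on-disk format only has 32 bits for the size; warn rather than
         * silently write a header that disagrees with the data that follows. */
        if (mbi.RegionSize > UINT32_MAX) {
            printf("[-] Region at %p is larger than 4 GiB; header size is truncated\n",
                (void *) ptr);
        }

        d.addr = (uintptr_t) ptr;
        d.size = (uint32_t) mbi.RegionSize;
        d.state = mbi.State;
        d.type = mbi.Type;
        d.protect = mbi.Protect;

        /* If --dump-block is specified, restrict to the window [addr, addr + length). */
        if (addr != 0 && length != 0) {
            if (d.addr >= addr + length) {
                break;  /* the cursor only moves up: nothing further can match */
            }
            if (d.addr + mbi.RegionSize <= addr) {
                ptr += mbi.RegionSize;  /* whole region lies below the window */
                continue;
            }
            if (d.addr < addr) {
                ptr += sizeof(buf);  /* straddles the window start: walk up to it */
                continue;
            }
        }

        if (write_exact(file_handle, &d, sizeof(d)) < 0) {
            goto out;
        }

        for (uint8_t *end = ptr + mbi.RegionSize; ptr < end; ptr += sizeof(buf)) {
            if (ReadProcessMemory(process_handle, ptr, buf, sizeof(buf),
                    &read_bytes) == 0 || read_bytes != sizeof(buf)) {
                printf("[-] Unable to read a full page at %p (error %lu)\n",
                    (void *) ptr, GetLastError());
                /* Keep the layout consistent with the header, but do not emit
                 * whatever the previous page left in buf as if it lived here. */
                memset(buf, 0, sizeof(buf));
            }

            if (write_exact(file_handle, buf, sizeof(buf)) < 0) {
                goto out;
            }
        }
    }

    rc = 0;

out:
    if (process_handle != NULL) {
        CloseHandle(process_handle);
    }
    if (file_handle != INVALID_HANDLE_VALUE) {
        CloseHandle(file_handle);
    }
    return rc;
}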

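/*
 * Read a process id from stdin and dump the block [0x40000, 0x40000 + 0x200)
 * of that process to "uuu.dmp" in the current directory.
 *
 * Exit status is 0 when dump() succeeds, 1 on bad input or a dump failure.
 */
int main(void)
{
    int pid = 0;

    /* scanf("%d") leaves `pid` untouched on a parse failure, and dump() takes
     * the id as uint32_t, so reject unparsable and negative values explicitly. */
    if (scanf("%d", &pid) != 1 || pid < 0) {
        fprintf(stderr, "[-] Expected a non-negative process id on stdin\n");
        return 1;
    }

    /* CreateFileW expects a wide string, so the literal needs the L prefix;
     * a narrow "uuu.dmp" is a char array and would be misread as wchar_t. */
    const wchar_t *file_name = L"uuu.dmp";
    uintptr_t start_addr = 0x40000;
    uint32_t length = 0x200;

    return dump((uint32_t) pid, file_name, start_addr, length) == 0 ? 0 : 1;
}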