Matthieu Suiche’s blog !


Today’s a new day: win32dd 1.2 out!

by Matthieu Suiche on Nov.05, 2008, under Windows


Download win32dd v1.2.20081105 now!


Several new features come with this version, but the most notable one is the ability to generate a Microsoft crash dump file without rebooting or triggering a BSOD. This means you can load your memory snapshot directly into WinDbg.

Here is a sample of the output when such a dump is opened in WinDbg:

  Symbol search path is: SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
  Executable search path is:
  Windows Server 2008 Kernel Version 6001 (Service Pack 1) UP Free x86 compatible
  Product: WinNt, suite: TerminalServer SingleUserTS
  Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
  Kernel base = 0x81818000 PsLoadedModuleList = 0x8192fc70
  Debug session time: Wed Nov  5 01:43:02.460 2008 (GMT-8)
  System Uptime: 0 days 0:10:45.293
  WARNING: Process directory table base 3DA26440 doesn't match CR3 00122000
  WARNING: Process directory table base 3DA26440 doesn't match CR3 00122000
  Loading Kernel Symbols
  ...............................................................................
  Loading User Symbols
  ..........
  Loading unloaded module list
  .....
  kd> !process 0 0
  **** NT ACTIVE PROCESS DUMP ****
  PROCESS 82f58910  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
      DirBase: 00122000  ObjectTable: 862000b8  HandleCount: 512.
      Image: System

  PROCESS 852032d0  SessionId: none  Cid: 0190    Peb: 7ffdf000  ParentCid: 0004
      DirBase: 3da26020  ObjectTable: 87bd8008  HandleCount:  28.
      Image: smss.exe

  PROCESS 84b58b68  SessionId: 0  Cid: 0200    Peb: 7ffd8000  ParentCid: 01f4
      DirBase: 3da26060  ObjectTable: 8c954fc8  HandleCount: 406.
      Image: csrss.exe
  [..]
  kd> lm
  start    end        module name
  00400000 00413000   win32dd_400000   (deferred)
  77290000 7733a000   msvcrt     (deferred)
  77340000 77403000   RPCRT4     (deferred)
  77410000 7748d000   USP10      (deferred)
  77720000 777e6000   ADVAPI32   (deferred)
  777f0000 7788d000   USER32     (deferred)
  77890000 7796b000   kernel32   (deferred)
  77b50000 77c18000   MSCTF      (deferred)
  77c20000 77d47000   ntdll      (pdb symbols)          C:\WINDOWS\Symbols\ntdll.pdb\B958B2F91A5A46B889DAFAB4D140CF252\ntdll.pdb
  77d50000 77d59000   LPK        (deferred)
  77d80000 77d9e000   IMM32      (deferred)
  77e30000 77e7b000   GDI32      (deferred)
  80406000 8040e000   kdcom      (deferred)
  8040e000 8041f000   PSHED      (deferred)
  8041f000 80427000   BOOTVID    (deferred)
  80427000 80468000   CLFS       (deferred)
  [..]

In addition to reading through \\Device\\PhysicalMemory, win32dd 1.2 provides an option (level) to use the physical memory address mapping API provided by Microsoft directly, so that the physical memory device does not need to be accessed at all.

The crash dump generation takes care of the issue described in the previous blog post, and it works from Windows 2000 through Windows 2008 and probably Windows Seven as well.
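To make concrete what "loading a snapshot as a crash dump" involves, here is an added example; it is not win32dd's code nor anything from the original post. It builds a constructed, minimal 32-bit full crash dump (the "PAGEDUMP" header layout as used by public memory-forensics tools; the field offsets are my assumption about that layout, and the run list, build number and page contents are constructed, with the DTB taken from the WinDbg output above), validates the header, and resolves physical addresses to file offsets through the physical memory run list, which is the lookup a debugger performs whenever it reads a page out of a .dmp file.

```python
"""
Added example (not win32dd code): build and parse a constructed 32-bit full
crash dump and translate physical addresses through its run list.

Assumed 32-bit DUMP_HEADER layout (one 0x1000-byte page; offsets are my
assumption, taken from the layout public forensics tools use):
  0x000 Signature "PAGE"      0x004 ValidDump "DUMP"
  0x008 MajorVersion          0x00c MinorVersion
  0x010 DirectoryTableBase    0x018 PsLoadedModuleList
  0x020 MachineImageType      0x024 NumberProcessors
  0x064 PHYSICAL_MEMORY_DESCRIPTOR {NumberOfRuns, NumberOfPages, Run[]{BasePage, PageCount}}
  0xf88 DumpType (1 = full dump)
Unused header bytes hold the repeated "PAGE" filler; the image follows the
header with every run's pages written back to back.
"""
import struct

PAGE = 0x1000
HEADER_SIZE = 0x1000          # the 32-bit header occupies exactly one page
DESC_OFFSET = 0x64            # PHYSICAL_MEMORY_DESCRIPTOR inside the header
DUMP_TYPE_OFFSET = 0xF88      # DumpType field
DUMP_TYPE_FULL = 1
IMAGE_FILE_MACHINE_I386 = 0x14C


def build_dump(runs, dtb, loaded_module_list, ncpu=1):
    """Build a constructed dump: header page, then the pages of every run in
    run order. Each image page carries its own physical page number in its
    first dword so the translation can be checked afterwards."""
    hdr = bytearray(b"PAGE" * (HEADER_SIZE // 4))         # "PAGE" filler
    # Signature, ValidDump, MajorVersion (0xF = free build), MinorVersion (constructed build number)
    struct.pack_into("<4s4sII", hdr, 0x00, b"PAGE", b"DUMP", 0xF, 6001)
    struct.pack_into("<I", hdr, 0x10, dtb)                 # DirectoryTableBase
    struct.pack_into("<I", hdr, 0x18, loaded_module_list)  # PsLoadedModuleList
    struct.pack_into("<II", hdr, 0x20, IMAGE_FILE_MACHINE_I386, ncpu)
    total_pages = sum(count for _, count in runs)
    struct.pack_into("<II", hdr, DESC_OFFSET, len(runs), total_pages)
    for i, (base, count) in enumerate(runs):
        struct.pack_into("<II", hdr, DESC_OFFSET + 8 + 8 * i, base, count)
    struct.pack_into("<I", hdr, DUMP_TYPE_OFFSET, DUMP_TYPE_FULL)
    image = bytearray()
    for base, count in runs:
        for page in range(base, base + count):
            image += struct.pack("<I", page) * (PAGE // 4)
    return bytes(hdr) + bytes(image)


def parse_header(dump):
    """Validate the signature and return the fields a debugger needs first."""
    hdr = dump[:HEADER_SIZE]
    sig, valid = struct.unpack_from("<4s4s", hdr, 0)
    if sig != b"PAGE" or valid != b"DUMP":
        raise ValueError("not a 32-bit full crash dump (signature %r%r)" % (sig, valid))
    nruns, npages = struct.unpack_from("<II", hdr, DESC_OFFSET)
    runs = [struct.unpack_from("<II", hdr, DESC_OFFSET + 8 + 8 * i) for i in range(nruns)]
    if sum(count for _, count in runs) != npages:
        raise ValueError("run list does not add up to NumberOfPages")
    return {
        "dtb": struct.unpack_from("<I", hdr, 0x10)[0],
        "loaded_module_list": struct.unpack_from("<I", hdr, 0x18)[0],
        "machine": struct.unpack_from("<I", hdr, 0x20)[0],
        "dump_type": struct.unpack_from("<I", hdr, DUMP_TYPE_OFFSET)[0],
        "runs": runs,
    }


def phys_to_file_offset(runs, phys):
    """Map a physical address to its offset in the dump file via the run list.
    Returns None for addresses inside a hole (pages that were never dumped)."""
    page, off = divmod(phys, PAGE)
    skipped = 0
    for base, count in runs:
        if base <= page < base + count:
            return HEADER_SIZE + (skipped + page - base) * PAGE + off
        skipped += count
    return None


def read_phys(dump, phys, size):
    """Read `size` bytes of physical memory (within one page) from the dump."""
    info = parse_header(dump)
    off = phys_to_file_offset(info["runs"], phys)
    if off is None:
        raise LookupError("physical address 0x%x is not present in the dump" % phys)
    return dump[off:off + size]


# Constructed layout: two pages at 0, a hole, then three pages starting at 1 MB.
SAMPLE_RUNS = [(0x0, 2), (0x100, 3)]
SAMPLE_DUMP = build_dump(SAMPLE_RUNS, dtb=0x00122000, loaded_module_list=0x8192FC70)

if __name__ == "__main__":
    info = parse_header(SAMPLE_DUMP)
    print("DTB=%#x runs=%s" % (info["dtb"], info["runs"]))
    print("phys 0x101000 -> file offset %#x" % phys_to_file_offset(info["runs"], 0x101000))
    print("page tag at 0x101000: %#x" % struct.unpack("<I", read_phys(SAMPLE_DUMP, 0x101000, 4))[0])
```

The point of the run list is that a crash dump is not a flat image of RAM: pages missing from the machine's memory map (device ranges, reserved regions) are simply absent, and the debugger has to skip over them when computing file offsets. The DTB stored in the header is what lets the debugger walk page tables from the first instruction, which is why the WinDbg session above can immediately resolve PsLoadedModuleList and list processes.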

Feel free to give some feedback!

I’d like to thank Aaron for his positive influence on win32dd development :)
