To write part of a process's memory to a file, use the .writemem command.
Syntax: .writemem FileName Address Range
Example:
You want to dump a huge BSTR into a file:
Address of the BSTR: 0x0d900024
Get the size (the DWORD preceding the actual string contains the size):
0:000> dc 0x0d900024 - 4
0d900020 005f7a1c ...
.writemem c:\temp\string_content.txt 0x0d900024 L?005f7a1c
Note the "?" in the size parameter: it bypasses the built-in size checks.
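As an added example (not part of the original post), the Python sketch below builds the .writemem command from the `dc` output line shown above and then decodes the dumped file. It assumes the BSTR holds UTF-16LE text and that the length prefix counts bytes without the terminating null; the function names and the sample memory image are constructed for illustration.

```python
import re
import struct

def writemem_command(dc_line, out_path):
    """Build the .writemem command from the first line of `dc <bstr> - 4`."""
    # First column is the address of the length prefix, second is the DWORD itself.
    # 64-bit debuggers print addresses with a backtick separator, so allow it.
    m = re.match(r"\s*([0-9a-fA-F`]+)\s+([0-9a-fA-F]{8})\b", dc_line)
    if m is None:
        raise ValueError("not a dc output line")
    prefix_addr = int(m.group(1).replace("`", ""), 16)
    length = int(m.group(2), 16)
    # The string data starts right after the 4-byte prefix.
    return ".writemem %s 0x%08x L?%08x" % (out_path, prefix_addr + 4, length)

def decode_bstr_dump(dump, prefix_dword):
    """Decode the bytes written by .writemem, checking them against the prefix."""
    if len(dump) != prefix_dword:
        raise ValueError("dump is %d bytes, prefix says %d" % (len(dump), prefix_dword))
    if prefix_dword % 2:
        # An odd byte count means the BSTR carries binary data, not wide text.
        raise ValueError("odd length: not UTF-16 text")
    return dump.decode("utf-16-le")

def demo():
    """Simulate the procedure on a constructed memory image of one BSTR."""
    text = "dumped from the debuggee"
    payload = text.encode("utf-16-le")
    # Layout in memory: DWORD byte count, string data, 2-byte null terminator.
    memory = struct.pack("<I", len(payload)) + payload + b"\x00\x00"
    prefix = struct.unpack_from("<I", memory, 0)[0]
    dump = memory[4:4 + prefix]  # what .writemem <addr> L?<prefix> would write
    return decode_bstr_dump(dump, prefix)

if __name__ == "__main__":
    print(writemem_command("0d900020 005f7a1c ...", r"c:\temp\string_content.txt"))
    print(demo())
```
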
Tuesday, August 08, 2006
How to write parts of the process memory to a file
1 comment:
Good god that's a handy command for writing a loaded module in kernel memory to file. Just what I was looking for, thanks!