!dump (save the physical memory into a file)

Description of '!dump' command in HyperDbg.

Command

!dump

Syntax

!dump [FromAddress (hex)] [ToAddress (hex)] [path Path (string)]

Description

Saves a range of the physical memory into a file.

Parameters

[FromAddress (hex)]

The physical address at which the dump starts.

[ToAddress (hex)]

The physical address at which the dump ends.

[path Path (string)]

The path where the dump file is saved.

Examples

The following command saves the physical memory from address bd000 to bf000 to the file c:\rev\dump1.dmp.

HyperDbg> !dump bd000 bf000 path c:\rev\dump1.dmp
the dump file is saved at: c:\rev\dump1.dmp

The following command saves the physical memory from address bd000 to bd000+6000 to the file c:\rev\dump2.dmp.

HyperDbg> !dump bd000 bd000+6000 path c:\rev\dump2.dmp
the dump file is saved at: c:\rev\dump2.dmp

IOCTL

The '.dump' command is used for dumping the virtual memory.

This command reads the memory in 4KB chunks and is the same as this command; you just have to set the memory reading style to DEBUGGER_SHOW_COMMAND_DUMP.

Remarks

This command was added to the HyperDbg debugger starting from v0.6.

This command is guaranteed to keep the debuggee in a halted state (in Debugger Mode); thus, nothing will change during its execution.

Requirements

None

.dump (save the virtual memory into a file)

!db, !dc, !dd, !dq (read physical memory)
