!dump (save the physical memory into a file)

Description of '!dump' command in HyperDbg.

Command

!dump

Syntax

!dump [FromAddress (hex)] [ToAddress (hex)] [path Path (string)]

Description

Saves a range of the physical memory into a file.

Parameters

[FromAddress (hex)]

The start physical address of where it needs to be dumped.

[ToAddress (hex)]

The end of the physical address of where it needs to be dumped.

[path Path (string)]

The path of where the dump file needs to be saved.

Examples

The following command saves the physical memory from the address bd000 to bf000 in the file c:\rev\dump1.dmp.

HyperDbg> .dump bd000 bf000 path c:\rev\dump1.dmp
the dump file is saved at: c:\rev\dump1.dmp

The following command saves the physical memory from the address bd000 to bd000+6000 in the file c:\rev\dump2.dmp.

HyperDbg> .dump bd000 bd000+6000 path c:\rev\dump2.dmp
the dump file is saved at: c:\rev\dump2.dmp

IOCTL

Remarks

Starting from v0.6, this command was added to the HyperDbg debugger.

This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.

Requirements

None

Previous!pa2va (convert physical address to virtual address)Next!pcitree (show PCI/PCIe device tree)

Last updated 9 months ago

!dump (save the physical memory into a file)

Description of '!dump' command in HyperDbg.

Command

!dump

Syntax

!dump [FromAddress (hex)] [ToAddress (hex)] [path Path (string)]

Description

Saves a range of the physical memory into a file.

Parameters

[FromAddress (hex)]

The start physical address of where it needs to be dumped.

[ToAddress (hex)]

The end of the physical address of where it needs to be dumped.

[path Path (string)]

The path of where the dump file needs to be saved.

Examples

The following command saves the physical memory from the address bd000 to bf000 in the file c:\rev\dump1.dmp.

HyperDbg> .dump bd000 bf000 path c:\rev\dump1.dmp
the dump file is saved at: c:\rev\dump1.dmp

The following command saves the physical memory from the address bd000 to bd000+6000 in the file c:\rev\dump2.dmp.

HyperDbg> .dump bd000 bd000+6000 path c:\rev\dump2.dmp
the dump file is saved at: c:\rev\dump2.dmp

IOCTL

The '' command is used for dumping the virtual memory.

This command reads the memory in the 4KB chunks and is the same as command, just you have to set the memory reading Style to DEBUGGER_SHOW_COMMAND_DUMP.

Remarks

Starting from v0.6, this command was added to the HyperDbg debugger.

This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.

Requirements

None

Previous!pa2va (convert physical address to virtual address)Next!pcitree (show PCI/PCIe device tree)

Last updated 9 months ago

Command

Syntax

Description

Parameters

Examples

IOCTL

Remarks

Requirements

Related

Command

Syntax

Description

Parameters

Examples

IOCTL

Remarks

Requirements

Related