.dump (save the virtual memory into a file)
Description of the '.dump' command in HyperDbg.
.dump
.dump [FromAddress (hex)] [ToAddress (hex)] [pid ProcessId (hex)] [path Path (string)]
Saves a range of the virtual memory into a file.
[FromAddress (hex)]
The start virtual address of where it needs to be dumped.
[ToAddress (hex)]
The end of the virtual address of where it needs to be dumped.
[pid ProcessId (hex)] (optional)
The Process ID in hex format that we want to see the memory from its context (cr3).
[path Path (string)]
The path of where the dump file needs to be saved.
If you don't specify the pid, then the default pid is the current process (HyperDbg) process layout of memory.
In the Debugger Mode, the pid (parameter) is ignored. If you want to view another process memory, use the '.process' command to switch to another process memory layout.
The following command saves the virtual memory from the address
fffff801deadb000 to fffff801deade054 in the file c:\rev\dump1.dmp.HyperDbg> .dump fffff801deadb000 fffff801deade054 path c:\rev\dump1.dmp
the dump file is saved at: c:\rev\dump1.dmp
The following command saves the virtual memory from the address
401000 to 40b000 located at a process with pid equal to 0x1c0 in the file c:\rev\dump2.dmp.HyperDbg> .dump 401000 40b000 pid 1c0 path c:\rev\dump2.dmp
the dump file is saved at: c:\rev\dump2.dmp
The following command saves the virtual memory from the address
401000 to 401000+ff00 located at the current process in the file c:\rev\dump3.dmp.HyperDbg> .dump 401000 401000+ff00 path c:\rev\dump3.dmp
the dump file is saved at: c:\rev\dump3.dmp
This command reads the memory in the 4KB chunks and is the same as this command, just you have to set the memory reading
Style to DEBUGGER_SHOW_COMMAND_DUMP.Starting from v0.6, this command was added to the HyperDbg debugger.
If you're performing a dump of a large memory range, you may come across an "invalid address" error at certain addresses. If you're sure that the address is valid then the address is either paged out or not currently accessible in the current CR3 page table. You can utilize the '.pagein' command. This command loads the corresponding page table into memory and injects a page fault (#PF). You can check whether the address is valid or not by examining the page tables using the '!pte' command.
This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.
None
Last modified 22d ago