DownloadResearchTutorialhwdbg

.dump (save the virtual memory into a file)

Description of the '.dump' command in HyperDbg.

Command

.dump

Syntax

.dump [FromAddress (hex)] [ToAddress (hex)] [pid ProcessId (hex)] [path Path (string)]

Description

Saves a range of the virtual memory into a file.

Parameters

[FromAddress (hex)]

The start virtual address of where it needs to be dumped.

[ToAddress (hex)]

The end of the virtual address of where it needs to be dumped.

[pid ProcessId (hex)] (optional)

The Process ID in hex format that we want to see the memory from its context (cr3).

[path Path (string)]

The path of where the dump file needs to be saved.

If you don't specify the pid, then the default pid is the current process (HyperDbg) process layout of memory.

In the Debugger Mode, the pid (parameter) is ignored. If you want to view another process memory, use the '.process' command to switch to another process memory layout.

Examples

The following command saves the virtual memory from the address fffff801deadb000 to fffff801deade054 in the file c:\rev\dump1.dmp.

HyperDbg> .dump fffff801deadb000 fffff801deade054 path c:\rev\dump1.dmp
the dump file is saved at: c:\rev\dump1.dmp

The following command saves the virtual memory from the address 401000 to 40b000 located at a process with pid equal to 0x1c0 in the file c:\rev\dump2.dmp.

HyperDbg> .dump 401000 40b000 pid 1c0 path c:\rev\dump2.dmp
the dump file is saved at: c:\rev\dump2.dmp

The following command saves the virtual memory from the address 401000 to 401000+ff00 located at the current process in the file c:\rev\dump3.dmp.

HyperDbg> .dump 401000 401000+ff00 path c:\rev\dump3.dmp
the dump file is saved at: c:\rev\dump3.dmp

IOCTL

This command reads the memory in the 4KB chunks and is the same as this command, just you have to set the memory reading Style to DEBUGGER_SHOW_COMMAND_DUMP.

Remarks

Starting from v0.6, this command was added to the HyperDbg debugger.

The '!dump' command is used for dumping the physical memory.

If you're performing a dump of a large memory range, you may come across an "invalid address" error at certain addresses. If you're sure that the address is valid then the address is either paged out or not currently accessible in the current CR3 page table. You can utilize the '.pagein' command. This command loads the corresponding page table into memory and injects a page fault (#PF). You can check whether the address is valid or not by examining the page tables using the '!pte' command.

This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.

Requirements

None

Related

!dump (save the physical memory into a file)

db, dc, dd, dq (read virtual memory)

.pagein (bring the page into the RAM)

Previous.pagein (bring the page into the RAM)Next.formats (show number formats)

Last updated