2

I am currently trying to design a memory dump tool that could get the memory dump of a crashed process from another process. But I am totally new to this and I want to take this as an opportunity to get a solid understanding of memory dump techniques.

I want to know the working paradigm of creating a memory dump for the crashed process. My current wild imagination is like below:

When a process crashed, the operating system will always know that (I don't know how but it should be able to). Then the OS launched some kind of mechanism to copy the content of the crashed process' virtual address space to the so-called dump file. Then we could use WinDbg to debug with the dump file.

I am wondering, if we can copy the whole of the virtual address space of the crashed process into the dump file, would't the file be too huge? Or could we specify which virtual address space (kernel/user) to dump?

Could anyone provide me some references for me to start with, especially on the following aspects:

  1. what is memory dump?

  2. If there are so-called kernel dump and user-mode dump, what are they?

  3. On windows platform, what APIs will I need? Would functions such as MiniDumpWriteDump() be relevant?

  4. When OS detect certain process crashed, is there any signal that I can monitor so that my Dump Tool will be notified to start dumping?

Thanks for taking time to see my words.

ADD1:

(5) What are mini-dumps? How is it related to kernel/user mode dumps?

(6) When we talk about memory dump, which memory are we talking about? Virtual Memory or Physical Memory? From this picture, I think it should be Physical Memory.

ADD2:

I just found a good reference about writing MiniDump with APIs contained in DbgHelp.dll. I'd like to share it. If you can provide other good materials related to this, would you mind sharing it? Thanks.

(BTW: I will keep updating this thread with my progress. Any comments would be deeply appreciated.)

smwikipedia
  • 61,609
  • 92
  • 309
  • 482
  • I like your interest in the inner workings of Windows, but out of curiosity: Why do you want to create a memory dump tool with no experience in kernel debugging? Why do you want to create your own tool with readily available alternatives? Of the top of my head: Sysinternals ProcDump or your mentioned WinDbg – Dennis G Nov 02 '10 at 08:08
  • It's the interest that drives me forward, always. ;) – smwikipedia Nov 02 '10 at 08:19

1 Answers1

6

Why do this yourself? There are plenty of tools that do this already. Debugging Tools for Windows includes adplus and ProcDump from sysinternals can both do this. They both support a wealth of options and have been tested thoroughly. Both are free.

As for your other questions:

1) A memory dump is a dump of the memory space for a given process. There are various dumps with different levels of details. The help file for WinDbg has all the details.

2) For user applications you don't need kernel dumps. Kernel dumps are used to debug kernel mode code - i.e. drivers and the OS itself.

3) You can create user mode dumps using dbgeng.dll (which is included in Debugging Tools for Windows), but as I said you should really consider the existing tools first.

4) Windows uses structured exception handling, so a crash is basically an unhandled exception. Debuggers can be notified of both first and second chance exceptions, so they can create dumps when the exception is raised as well as when no exception handler is available.

Brian Rasmussen
  • 114,645
  • 34
  • 221
  • 317