skelsec
commented
5 years ago This sounds like quite some work.
In order to get it done with this library, one would need to at minimum do the following:
- implement the serialization (to_bytes) function for Memory64ListStream, MemoryInfoListstream, SystemInfoStream, ModuleListStream, (optionally) ThreadInfoListStream and ThreadListStream
- implement an interface which gathers all required information for the aforementioned streams except for the Memory64ListStream and stores them in memory. Then when all side-info is gathered and serialized the file should be constructed which again requires serialization, finally start reading the memory and immediately appending it to said file, so you'll use the minimum amount of memory for the operation.
- make this interface as a virtual object, so it can be extendd to support the forensics tool/live system you are using to generate the minidump file
- (opt) make an interface for changing already existing minidumps, but that would take even more effort
s0i37
Good day. Please tell me how can I create a minidump with your library from scratch? The live case: I need to create a dump of some virtual memory of some process from physical dump. Volatility/rekall provide just flat memory dump + memory mapping. It is very strange that nowadays we have not any ways for creating minidump with third party libraries (not winapi)