Open s0i37 opened 5 years ago
This sounds like quite some work.
In order to get it done with this library, one would need to do at least the following:
Also, please note that this is the bare minimum to get something working. The resulting image will not be usable for debugging purposes, for example, as it will be missing exception info, thread info, etc. Also note that currently it is not possible to create something which fully follows the standard, as Microsoft "forgot" to document all stream types...
Sounds sad :( By the way, the volatility tools can create a minidump, and moreover this mdmp can be opened with windbg. But volatility does not support specifying another pid which wasn't active at the moment the full memory dump was created.
Could you please tell me, are you planning to implement this in the near future? Or ever?
Yes, it is on the roadmap and I have started developing it; however, I can't say for sure when it will be ready. I am aiming for this month.
On 17 Sep 2019, at 17:49, s0i37 notifications@github.com wrote:
Could you please tell me, are you planning to implement this in the near future? Or ever?
@s0i37 I'm making some progress but still not there yet
Good day. Please tell me, how can I create a minidump with your library from scratch? The live case: I need to create a dump of some virtual memory of some process from a physical dump. Volatility/rekall provide just a flat memory dump + memory mapping. It is very strange that nowadays we have no way of creating a minidump with third-party libraries (not winapi).
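As an added, worked example that is not part of this thread and not code from the minidump library: the Python below assembles a minimal MDMP file from a flat memory image plus a virtual-to-physical page map, using struct packing only (no WinAPI). The structure layouts are the documented ones from minidumpapiset.h (MINIDUMP_HEADER, MINIDUMP_DIRECTORY, MINIDUMP_SYSTEM_INFO, MINIDUMP_MEMORY64_LIST); the sample image, the page map and the Windows version fields are constructed placeholders. It writes only the SystemInfo and Memory64List streams, which is the bare minimum described above: the result carries no thread, module or exception information, so anything in a debugger that depends on those streams will not work.

```python
"""Assemble a minimal minidump (MDMP) from a flat memory image plus a
virtual-to-physical page map, using only struct packing (no WinAPI).

Streams written: SystemInfoStream (7) and Memory64ListStream (9).
Structure layouts follow minidumpapiset.h; the sample image and page map
below are constructed for the demo (not taken from a real system).
"""
import struct
import time

MDMP_SIGNATURE = 0x504D444D        # 'MDMP'
MDMP_VERSION = 0xA793              # MINIDUMP_VERSION (low 16 bits of Version)
SYSTEM_INFO_STREAM = 7
MEMORY64_LIST_STREAM = 9
PROCESSOR_ARCHITECTURE_AMD64 = 9
VER_PLATFORM_WIN32_NT = 2
PAGE = 0x1000

# Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
HEADER = struct.Struct("<IIIIIIQ")
# StreamType, Location.DataSize, Location.Rva
DIRECTORY = struct.Struct("<III")
# ProcessorArchitecture, ProcessorLevel, ProcessorRevision, NumberOfProcessors, ProductType,
# MajorVersion, MinorVersion, BuildNumber, PlatformId, CSDVersionRva, SuiteMask, Reserved2, Cpu
SYSTEM_INFO = struct.Struct("<HHHBBIIIIIHH24s")
MEM64_HDR = struct.Struct("<QQ")   # NumberOfMemoryRanges, BaseRva
MEM64_DESC = struct.Struct("<QQ")  # StartOfMemoryRange, DataSize


def coalesce(page_map, image):
    """Turn {virtual_page: physical_offset} into [(va, bytes)] runs.
    Virtually adjacent pages are merged into one descriptor even when their
    physical backing is scattered, which is the normal case for a process."""
    runs = []
    for va in sorted(page_map):
        off = page_map[va]
        chunk = image[off:off + PAGE]
        if len(chunk) != PAGE:
            raise ValueError(f"physical offset {off:#x} outside image")
        if runs and runs[-1][0] + len(runs[-1][1]) == va:
            runs[-1] = (runs[-1][0], runs[-1][1] + chunk)
        else:
            runs.append((va, chunk))
    return runs


def build_minidump(page_map, image, build=19041):
    """Return the bytes of a minidump holding the mapped pages as Memory64List.
    Version fields (10.0.<build>, workstation) are placeholders for the demo."""
    runs = coalesce(page_map, image)
    n_streams = 2
    dir_rva = HEADER.size
    sysinfo_rva = dir_rva + n_streams * DIRECTORY.size
    csd_rva = sysinfo_rva + SYSTEM_INFO.size          # empty MINIDUMP_STRING
    mem64_rva = csd_rva + 4 + 2
    # Memory contents follow the descriptor table contiguously, starting at BaseRva.
    base_rva = mem64_rva + MEM64_HDR.size + len(runs) * MEM64_DESC.size

    out = bytearray()
    out += HEADER.pack(MDMP_SIGNATURE, MDMP_VERSION, n_streams, dir_rva,
                       0, int(time.time()), 0)
    out += DIRECTORY.pack(SYSTEM_INFO_STREAM, SYSTEM_INFO.size, sysinfo_rva)
    out += DIRECTORY.pack(MEMORY64_LIST_STREAM, base_rva - mem64_rva, mem64_rva)
    out += SYSTEM_INFO.pack(PROCESSOR_ARCHITECTURE_AMD64, 0, 0, 1, 1,
                            10, 0, build, VER_PLATFORM_WIN32_NT, csd_rva,
                            0, 0, b"\0" * 24)
    out += struct.pack("<IH", 0, 0)    # MINIDUMP_STRING: Length=0, L"" terminator
    out += MEM64_HDR.pack(len(runs), base_rva)
    for va, data in runs:
        out += MEM64_DESC.pack(va, len(data))
    assert len(out) == base_rva
    for _, data in runs:
        out += data
    return bytes(out)


def read_memory64(dump):
    """Walk the directory back and return {va: bytes} from the Memory64ListStream."""
    sig, ver, n, dir_rva, *_ = HEADER.unpack_from(dump, 0)
    if sig != MDMP_SIGNATURE or ver & 0xFFFF != MDMP_VERSION:
        raise ValueError("not a minidump")
    for i in range(n):
        stype, _size, rva = DIRECTORY.unpack_from(dump, dir_rva + i * DIRECTORY.size)
        if stype != MEMORY64_LIST_STREAM:
            continue
        count, cur = MEM64_HDR.unpack_from(dump, rva)
        result = {}
        for j in range(count):
            va, sz = MEM64_DESC.unpack_from(dump, rva + MEM64_HDR.size + j * MEM64_DESC.size)
            result[va] = dump[cur:cur + sz]
            cur += sz
        return result
    raise ValueError("no Memory64ListStream")


# Constructed "physical" image of four pages (A, B, C, D) and a page map in which
# two virtually adjacent pages are backed by non-adjacent physical pages.
IMAGE = b"".join(bytes([0x41 + i]) * PAGE for i in range(4))
PAGE_MAP = {0x7FF600000000: 2 * PAGE, 0x7FF600001000: 0, 0x7FF600003000: 3 * PAGE}

if __name__ == "__main__":
    dump = build_minidump(PAGE_MAP, IMAGE)
    with open("process.dmp", "wb") as f:
        f.write(dump)
    for va, data in read_memory64(dump).items():
        print(f"{va:#018x} {len(data):#x} bytes")
```

The page map is the piece a memory-forensics tool has to supply (the resolved page tables of the target process); everything else is fixed layout. The directory entry for the Memory64List covers only the header and descriptor table, and the raw page contents are placed after it in descriptor order, as the format requires.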