ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0
4.72k stars, 706 forks

Dumping Application Memory #213

Closed Creastoff closed 1 year ago

Creastoff commented 1 year ago

Hi again Ulf,

I can see that it is possible to dump memory ranges, so I am trying to find out how to get the base address and size of the application. The size of the application is so that I can calculate the offset address.

I was using VMMDLL_ProcessGetInformation and can see there is a wSize property in the response, but that doesn't seem to reflect the proper size of the application I am dumping, i.e. explorer.exe. Task Manager is reporting ~22 MB, PCILeech is reporting 448.

I am also having trouble finding the base address of applications, are you able to assist with this?

Thanks, Chris

ufrisk commented 1 year ago

If wishing to dump process memory there are two good options: 1) copy the minidump file from the virtual file system (there are APIs for this too). The minidump file should contain pretty much all process information. 2) look into the VAD memory ranges and dump each one of those: VMMDLL_Map_GetVad(...).

Task Manager reports process private memory (active private working set). MemProcFS will also dump module (exe and dll) memory, which is shared, so this will be larger than what Task Manager reports.

The wSize property is just the size of the C struct, so it's totally uninteresting in your case.

Hope this explains it a bit. Please let me know how it goes.
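The second option above (enumerate the VAD ranges and dump each one) in outline, as an added example that is not code from this issue or from MemProcFS/PCILeech. It assumes you already have the VAD list and a way to read a page of process memory: with MemProcFS that is the VMMDLL_Map_GetVad result mentioned above, or in the Python API the (assumed) `process.maps.vad()` and `process.memory.read()` calls; here a constructed in-memory stand-in replaces both so the code runs offline. The example also shows why the summed VAD size exceeds the Task Manager figure (image-backed shared ranges are counted alongside private ones), skips pages that cannot be read so a paged-out page does not abort the dump, and keeps an index so a virtual address can be mapped back to an offset in the dump file, which is the offset calculation the question is after.

```python
"""Dump a process's VAD ranges into a sparse dump file plus an index.

The VAD list and page reader here are constructed stand-ins; with MemProcFS
you would pass the real VAD entries (VMMDLL_Map_GetVad / process.maps.vad(),
the latter an assumed Python API name) and a reader wrapping
process.memory.read().  Example code, not part of MemProcFS or PCILeech.
"""
import io
import json
from dataclasses import dataclass

PAGE = 0x1000


@dataclass
class VadRange:
    start: int    # first virtual address of the range
    end: int      # end address, exclusive (add 1 if your source reports the last byte)
    tag: str      # mapped image name, or "" for private/anonymous memory
    private: bool  # True when the range is not backed by an image or section


def dump_vad_ranges(read_page, vads, out):
    """Read every VAD range page by page and append readable pages to `out`.

    `read_page(va)` returns PAGE bytes or None when the page cannot be read
    (paged out, guard page, ...).  Returns an index of contiguous readable runs:
    each entry maps a run's first virtual address to its offset in the dump.
    """
    index = []
    file_off = 0
    for v in sorted(vads, key=lambda x: x.start):
        run = None
        for va in range(v.start, v.end, PAGE):
            data = read_page(va)
            if data is None:
                run = None          # unreadable page ends the current run
                continue
            if run is None:
                run = {"va": va, "file_offset": file_off, "size": 0, "tag": v.tag}
                index.append(run)
            out.write(data)
            run["size"] += PAGE
            file_off += PAGE
    return index


def va_to_file_offset(index, va):
    """Translate a virtual address into an offset in the dump, or None if not dumped."""
    for run in index:
        if run["va"] <= va < run["va"] + run["size"]:
            return run["file_offset"] + (va - run["va"])
    return None


def module_base(vads, name):
    """Module base address: the lowest start among VADs tagged with that image name."""
    starts = [v.start for v in vads if v.tag.lower() == name.lower()]
    return min(starts) if starts else None


def size_summary(vads):
    """(total bytes across all VADs, bytes in private VADs only).

    The private figure is the one Task Manager's working-set numbers resemble;
    the total also counts shared image (exe/dll) memory, hence the larger dump.
    """
    total = sum(v.end - v.start for v in vads)
    private = sum(v.end - v.start for v in vads if v.private)
    return total, private


# Constructed sample process: three VADs and their page contents.  The second
# heap page is deliberately absent to mimic a paged-out page.
SAMPLE_VADS = [
    VadRange(0x00010000, 0x00012000, "", True),                   # heap
    VadRange(0x7FF600000000, 0x7FF600003000, "explorer.exe", False),
    VadRange(0x7FFA00000000, 0x7FFA00002000, "ntdll.dll", False),
]
SAMPLE_MEMORY = {
    0x00010000: b"H" * PAGE,
    0x7FF600000000: b"MZ" + b"\x00" * (PAGE - 2),
    0x7FF600001000: b"T" * PAGE,
    0x7FF600002000: b"D" * PAGE,
    0x7FFA00000000: b"MZ" + b"\x00" * (PAGE - 2),
    0x7FFA00001000: b"N" * PAGE,
}


def sample_read_page(va):
    """Stand-in for process.memory.read(va, PAGE): None for unreadable pages."""
    return SAMPLE_MEMORY.get(va)


def run_sample():
    """Dump the constructed process into memory; returns (index, dump bytes)."""
    buf = io.BytesIO()
    index = dump_vad_ranges(sample_read_page, SAMPLE_VADS, buf)
    return index, buf.getvalue()


if __name__ == "__main__":
    idx, dump = run_sample()
    total, private = size_summary(SAMPLE_VADS)
    print(f"dumped {len(dump):#x} bytes; VAD total {total:#x}, private {private:#x}")
    print(f"explorer.exe base: {module_base(SAMPLE_VADS, 'explorer.exe'):#x}")
    print(json.dumps(idx, indent=2))
```

To use this against a live target, replace `sample_read_page` with a function that reads one page through your MemProcFS handle and returns None on failure, and build `VadRange` objects from the VAD map; the index written alongside the raw dump is what lets you turn an address inside explorer.exe into an offset later.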

ufrisk commented 1 year ago

I'm closing this issue due to old age. Also, I hope I've already answered your question in the post above. If not, please let me know.

Creastoff commented 1 year ago

I will come back to this in the future, research direction has changed due to other hurdles.