Intel® System Debugger User Guide
ID | Date | Version | Classification |
---|---|---|---|
648476 | 10/17/2024 | Confidential |
Performing Raw Memory Dump
A raw memory dump is a collection of the memory target based on a memory map from such target. It creates a binary file. Creating a raw memory dump can be useful in cases where full memory dump can’t be created, like when hyperV is enabled.
- Requirements
To perform a raw memory dump using Intel(R) Debug Extensions for WinDbg*, you need:
Symbols from the Windows* target only to create the memory map
DMA protection disabled, Intel(R) Virtualization Technology (Intel(R) VT) for Directed I/O (Intel(R) VT-d).
In contrast to full memory dump, we can generate a raw memory dump when Virtual-Machine Extensions (VMX) are enabled, when Microsoft* Hyper-V is enabled.
To create a raw memory dump, first we need to create a memory map of the target. The memory map can be reused in different debugging sessions of the same target. For example, if we have several targets connected to the same host, we can generate one memory map for each target and use the corresponding map per target.
Ensure that the target is connected.
Launch Python* console for WinDbg* any of the following ways:
Click the desktop icon or open the Start Menu and search for Intel(R) Debug Extensions for WinDbg* <year> NDA <version>.
Run
windbg_iajtag_console.bat located at<install_dir>\system_debugger\<version> .Launch
isd_shell.bat located in the root installation directory and runwindbg_dci to invoke WinDbg*.
In the launched console, create a memory map of the target if there isn’t one already created:
forensic.write_memory_map(<map_filename>, timeout=<timeout>)
where
<map_filename> is the path to the memory map file, and<timeout> is the amount of time, in milliseconds, that Intel(R) Debug Extensions for WinDbg* will wait for response from the target system before failing. For example, you can use the following values:forensic.write_memory_map(r"c:\temp\memory_map.bin", timeout=60000)
Then we can generate the raw dump:
forensic.generate_raw_dump(<map_filename>, <dump_filename>)
where
<map_filename> is the path to the memory map file, and<map_filename> is the path to the memory dump. For example, you can use the following values:forensic.generate_raw_dump(r"C:\temp\memory_map.bin", r"C:\temp\rawdump.bin")
When Intel(R) Debug Extensions for WinDbg* complete the process of capturing the memory dump, the command prompt becomes active again.
We can also generate the memory map and raw dump from GUI. Once WinDbg* or Windbg preview* is launched, and target is halted, launch the following commands:
Generate a memory map, using the command
!writememmap <map_filename> :!writememmap C:\temp\memory_map.bin
Generate a raw dump, using the command
!writerawdump <map_filename> <dump_filename> :!writerawdump C:\temp\memory_map.bin C:\temp\rawdump.bin
Verifying the Dump File
- We can use some open source forensic tools to check the memory dump. For example, we can use volatility3 framework to analyze a dump:
For more information, please read https://volatilityfoundation.org/