What do these APIs mean?

  • Question

  • [1] Can I dump the whole RAM using the following APIs?

    I could not find any documentation anywhere.

    [2] Can you please explain what each routine means?

    MmGetPhysicalMemoryRanges

    MmMapMemoryDumpMdl


    Thanks

    Monday, June 20, 2016 2:29 AM

Answers

  • If you just take RAM, then your snapshot is worthless.  So are you looking to get an image of:

    1. Just what is in physical memory (i.e. RAM) which does no good for any sort of analysis?
    2. The complete kernel memory (useful for some things, but not all since it is missing the processes memory)?
    3. The complete system memory image?

    Note the last two are roughly equivalent to the "Kernel Memory Dump" and "System memory dump" options of a crash dump.

    Any of these mean freezing the running system, and taking a snapshot (which can be complex) or else getting an inconsistent memory image since the operating system is running around and changing things as you capture the memory.



    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by Dr. Bean Monday, June 20, 2016 12:43 PM
    Monday, June 20, 2016 12:04 PM

All replies

  • What bigger problem are you trying to solve? Both functions are for internal use, not for use by drivers or outside of the kernel. If you want to capture a dump from a live system, there are tools to do this (like livekd)

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by Doron Holan [MSFT] Monday, June 20, 2016 5:30 AM
    • Unmarked as answer by Dr. Bean Monday, June 20, 2016 5:58 AM
    Monday, June 20, 2016 5:29 AM
  • What bigger problem are you trying to solve? Both functions are for internal use, not for use by drivers or outside of the kernel. If you want to capture a dump from a live system, there are tools to do this (like livekd)

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    I want to capture and dump live RAM (memory) from the kernel. How do I do that? Which API should I use?

    I am still looking forward to hearing from you.

    Monday, June 20, 2016 5:58 AM
  • There are no APIs to do this, and it is extremely difficult to do.  More importantly, you will be dumping the physical pages, not the kernel image, so what do you think you will do with this data once you get it?  As Doron stated, what is the real problem you are trying to solve?


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Monday, June 20, 2016 11:08 AM
  • I am trying to take a snapshot of RAM (memory) for forensics! This is my goal.

    Monday, June 20, 2016 11:50 AM