FS_Process_Minidump
The directory minidump exists as a sub-directory in each process directory.
The minidump directory contains a WinDbg-compatible full process minidump, minidump.dmp, that may be used for debugging.
The minidump file contains:
- process memory including stacks, heaps and PE images.
- active process thread information including some CPU register information.
- active process modules (.dll/.exe).
Minidump files are reconstructed on a best-effort basis. Process memory may be valid, missing or zero-padded depending on whether the backing memory is available or inaccessible because it is paged out.
Minidump files are only generated if certain prerequisites are met:
- The process must be an active user-mode process. Special processes such as System, Registry, LSASS and MemCompression won't have minidump files generated.
- If debug symbols from the Microsoft symbol server are missing, certain functionality will be missing (thread information). The minidump will still be generated.
The minidump.dmp file is read-only.
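Since the minidump is reconstructed best-effort and the thread list may be absent when symbols are unavailable, it is useful to check what actually ended up in minidump.dmp before opening it in WinDbg. The Python below is an added example, not MemProcFS code or part of this page: it validates the MINIDUMP_HEADER, walks the stream directory and reports which of the documented contents (threads, modules, memory) have no stream. The header layout and stream type values are from the documented Windows minidump format; the sample dump at the bottom is constructed inline.

```python
import struct
from pathlib import Path

MINIDUMP_SIGNATURE = 0x504D444D   # 'MDMP' as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793         # low word of MINIDUMP_HEADER.Version
HEADER_FMT = "<IIIIIIQ"           # MINIDUMP_HEADER, 32 bytes
DIRECTORY_FMT = "<III"            # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva

# Streams that carry the content kinds this page says the dump holds.
# Process memory may come as a MemoryListStream (5) or a Memory64ListStream (9).
EXPECTED = {"threads": {3}, "modules": {4}, "memory": {5, 9}}


def parse_streams(data: bytes) -> dict:
    """Validate the header and return {stream_type: (data_size, rva)}."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("shorter than a minidump header")
    sig, version, count, dir_rva, _csum, _time, _flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError(f"bad signature 0x{sig:08x}: not a minidump")
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError(f"unexpected minidump version 0x{version & 0xFFFF:04x}")
    streams = {}
    for i in range(count):
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, data, dir_rva + 12 * i)
        if rva + size > len(data):          # a truncated dump: directory points past EOF
            raise ValueError(f"stream {stype} extends past end of file")
        streams[stype] = (size, rva)
    return streams


def missing_content(streams: dict) -> list:
    """Names of documented content kinds with no backing stream, e.g. ['threads']."""
    return [name for name, types in EXPECTED.items() if types.isdisjoint(streams)]


def check_minidump(path) -> list:
    """Check a minidump.dmp taken from a process directory in the mounted file system."""
    return missing_content(parse_streams(Path(path).read_bytes()))


def build_sample(stream_types) -> bytes:
    """Constructed minimal dump: header plus a directory of empty streams (test data only)."""
    header_len = struct.calcsize(HEADER_FMT)
    body_start = header_len + 12 * len(stream_types)
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION,
                         len(stream_types), header_len, 0, 0, 0)
    directory = b"".join(struct.pack(DIRECTORY_FMT, t, 0, body_start) for t in stream_types)
    return header + directory


if __name__ == "__main__":
    # A dump reconstructed without symbols: system info, modules and memory, but no thread list.
    print("missing:", missing_content(parse_streams(build_sample([7, 4, 9]))))  # missing: ['threads']
```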
The example below shows the files minidump.dmp and readme.txt for the explorer.exe process. The file minidump.dmp is opened directly in WinDbg for a debugging session showing some information about the call stack and CPU registers related to one of the threads.
The minidump sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_proc_minidump.c in the vmm project.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: /~https://github.com/sponsors/ufrisk
Thank You 💖