Solved

memory dump

Posted on 2006-06-27
Last Modified: 2012-06-27
How can I show the memory contents of a certain memory location on the screen or in an output file?
Question by:szcuny

Accepted Solution

by:
jkr earned 100 total points
ID: 16997862
You can do that e.g. like

#include <cstdio>
#include <fstream>
#include <iomanip>

using namespace std;

typedef unsigned char BYTE;
typedef unsigned long DWORD;

void DumpMemory ( const BYTE* pMem, const size_t sz, const char* pFile) {

    DWORD dw;

    //
    //  Try to remove files that have the same name
    //
    remove ( pFile );

    ofstream os;

    os.open ( pFile );

    os << setbase ( 16 );

    //
    //  Write the data with a width of 40 columns
    //
    //  Index from 0 to sz - 1 so that the first byte is dumped and
    //  pMem [ sz ], one past the end of the buffer, is never read
    //
    for ( dw = 0; dw < sz; ++dw ) {

        os << ( long) pMem [ dw ] << " ";

        if ( !( ( dw + 1 ) % 40 ) ) os << endl;
    }

    os.close ();
}

int main () {

    BYTE test [ 120 ];

    for ( int i = 0; i < 120; ++i) test [ i ] = i;

    DumpMemory ( test, 120, "memdump.txt" );

    return 0;
}

Assisted Solution

by:JoseParrot
JoseParrot earned 100 total points
ID: 16999007
Hi,

The following code in Borland C++ Builder would access the memory by absolute address, but causes an Access Violation:
void __fastcall TForm1::Button1Click(TObject *Sender)
{
  int i;
  register ax;

  asm {
  mov bx,0
  mov es,bx
  mov ax,[es:bx]   // <--- actually causes an addressing violation when attempting to read [0000:0000]
  }
  i=ax;
  Edit1->Text=i;
}

This other one also tries to access the memory directly:
void __fastcall TForm1::Button1Click(TObject *Sender)
{
   int *p;

   p = (int *)100;
   Edit1->Text=*p;
}

Conclusion: In Windows, which is a protected operating system, you will need to write a real device driver, using the Microsoft DDK. Something similar applies to Linux.

What you can do is only get a byte inside a variable, for example:
   char c = string[4];

Good times of the old DOS and Basic's PEEK and POKE...

Jose
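
The access violation in the snippets above comes from dereferencing an address that is not mapped in the process. The following is an added example, not part of the original post: Linux-only C++ that checks /proc/self/maps before an arbitrary address is read. rangeIsReadable is a hypothetical helper, and relying on /proc/self/maps is this example's assumption.

```cpp
// Added example (Linux only): test whether an address range is mapped readable
// in the current process before dereferencing it.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iostream>
#include <string>

// Hypothetical helper: true if every byte of [addr, addr+len) lies in a mapping
// that /proc/self/maps lists with the 'r' permission.
bool rangeIsReadable(const void* addr, std::size_t len)
{
    std::uintptr_t cur = reinterpret_cast<std::uintptr_t>(addr);
    if (len == 0) return false;
    if (cur + len < cur) return false;          // range wraps around the address space
    const std::uintptr_t end = cur + len;

    std::ifstream maps("/proc/self/maps");
    std::string line;
    // Entries are sorted by address, so one pass can follow a range that
    // spans several adjacent mappings.
    while (cur < end && std::getline(maps, line))
    {
        unsigned long long lo = 0, hi = 0;
        char perms[5] = {0};
        if (std::sscanf(line.c_str(), "%llx-%llx %4s", &lo, &hi, perms) != 3)
            continue;
        if (hi <= cur) continue;                // mapping lies below the range
        if (lo > cur) return false;             // gap: cur is not mapped
        if (perms[0] != 'r') return false;      // mapped but not readable
        cur = (hi < end) ? static_cast<std::uintptr_t>(hi) : end;
    }
    return cur >= end;
}

int main()
{
    static unsigned char sample[120];           // constructed buffer
    std::cout << rangeIsReadable(sample, sizeof sample) << '\n';
    // The address used in the (int *)100 snippet above
    std::cout << rangeIsReadable(reinterpret_cast<void*>(100), 4) << '\n';
    return 0;
}
```

The result is a snapshot: another thread can unmap the range between the check and the read, so treat it as a pre-check for diagnostic dumps rather than a guarantee.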

Assisted Solution

by:aveo
aveo earned 100 total points
ID: 17008204
Hi,
There is an API, ReadProcessMemory(). You can search for it through MSDN.
This function reads data from an area of memory.

aveo

Assisted Solution

by:itsmeandnobodyelse
itsmeandnobodyelse earned 100 total points
ID: 17009585
Or use that:

#include <iostream>
#include <iomanip>

using namespace std;

// print memory in hex and as strings
void dumpMemory(ostream& os, void* p, int nsiz)
{
    os << hex << p << " " << dec << nsiz << endl;
    unsigned char* pb = (unsigned char*)p;
    for (int j = 0; j < nsiz; j+=16)
    {  
        int jj;
        for (jj = j; jj < j + 16 && jj < nsiz; jj++)
        {
            os << setw(2) << setfill('0') << hex << (unsigned int)pb[jj] << dec << ' ';
        }
        for (jj = j; jj < j + 16 && jj < nsiz; jj++)
        {
            if ((pb[jj] < ' ' || pb[jj] > '~') && pb[jj] != '|')
                os << '.';
            else
                os << (char)pb[jj];
        }
        os << endl;
    }
}

That can be used like that:

int main()
{
     void* p = (void*)0x06852410;  // any valid memory address or pointer != NULL

     dumpMemory(cout, p, 512);  // use a multiple of 16 to get a proper output
     return 0;
}


For output to a file, pass an ofstream object instead of cout. For output to Windows, use an ostringstream object and put the contents of the stringstream string into a window using a monospaced font.

   #include <sstream>
   
   ...
   ostringstream oss;
   dumpMemory(oss, p, 512);  // use a multiple of 16 to get a proper output
   ...
   LOGFONT lf = { 0 };
   strcpy(lf.lfFaceName, "Courier");
   lf.lfHeight = 100;
   lf.lfPitchAndFamily = FIXED_PITCH;
   HFONT hf = CreatePointFontIndirect(&lf);
   SendMessage(hwnd, WM_SETFONT, (WPARAM)hf, 0);
   SetWindowText(hwnd, oss.str().c_str());

Regards, Alex
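
The advice above to use a multiple of 16 matters because a short final row moves the text column out of line. As an added example (not part of the original post), this variant pads the last row and prefixes each row with an offset; hexDump and its base parameter are hypothetical names.

```cpp
// Added example: offset-prefixed hex/ASCII dump that pads a short final row.
#include <cstddef>
#include <cstdio>
#include <iostream>
#include <string>

// Format len bytes at data as rows of 16: offset, hex column, ASCII column.
// base is the offset printed for the first byte (hypothetical parameter).
std::string hexDump(const void* data, std::size_t len, std::size_t base = 0)
{
    const unsigned char* pb = static_cast<const unsigned char*>(data);
    std::string out;
    char buf[24];

    for (std::size_t row = 0; row < len; row += 16)
    {
        const std::size_t n = (len - row < 16) ? len - row : 16;
        std::snprintf(buf, sizeof buf, "%08zx  ", base + row);
        out += buf;
        for (std::size_t i = 0; i < 16; ++i)
        {
            if (i < n) {
                std::snprintf(buf, sizeof buf, "%02x ",
                              static_cast<unsigned>(pb[row + i]));
                out += buf;
            } else {
                out += "   ";   // pad missing bytes so the ASCII column stays aligned
            }
        }
        out += ' ';
        for (std::size_t i = 0; i < n; ++i)
        {
            const unsigned char c = pb[row + i];
            out += (c >= ' ' && c <= '~') ? static_cast<char>(c) : '.';
        }
        out += '\n';
    }
    return out;
}

int main()
{
    const char sample[] = "memory dump test";   // constructed sample: 16 chars + NUL
    std::cout << hexDump(sample, sizeof sample);
    return 0;
}
```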



Assisted Solution

by:havman56
havman56 earned 100 total points
ID: 17011089


very easy no need of any programming code .........ha ha

go to ur cmd prompt

1. type debug
2. then type -d 8000 80ff
3. displays ur memory
4. copy and save it in file

wowwwwwwww so easy !  curious whether this is what u need .

here i used 8000, 80ff as example u can give ur own address


Expert Comment

by:itsmeandnobodyelse
ID: 17011453
>>>> wowwwwwwww so easy

A GUI debugger has some advantages over a command-line debugger that can hardly be compensated for by a memory dump output.

It was 16 years ago that I last used a command-line debugger. And I do not regret it.

Regards, Alex

Expert Comment

by:JoseParrot
ID: 17012600
As per my understanding, havman56's answer satisfies 100% of what is stated in the question. The only constraint is that we are in a C++ Programming area, so it is implicit that szcuny is waiting for some hints on C++ programming to pick memory content.

Random access to memory outside the addresses reserved by Windows for the program will be stopped by Windows, as an access violation.

If the objective is to watch the memory area occupied by a variable, it is trivial. I think what szcuny is waiting for is a way of, given any valid address, say 00000010:00000100, getting the values in a predefined range and showing the contents of such memory space.

The only way I know is to write a low level program with freedom to access any memory address. This is why I pointed to the DDK - Device Driver Kit.

Jose

Expert Comment

by:itsmeandnobodyelse
ID: 17015972
Maybe there is some confusion here:

If you start the debugger from the command line without passing an executable to debug, the addresses that can be dumped are *physical* memory addresses. If you have a pointer in your program, it is *virtual* memory mapped by the OS. So entering an address of your virtual memory into the debugger won't show you the contents you are interested in. You would either need to recalculate the virtual address to a physical one - which might be difficult or impossible if the memory was actually swapped - or start the executable in question via the (command-line) debugger, which is a different game as well.

Note, the dump output function I posted above has an equivalent output to that of the debugger.

Regards, Alex





Expert Comment

by:havman56
ID: 17020421
yeah i agree for both of u .

but when u need memory dump command line dump is sufficient . i guess so :)

i also agree when u need mapped memory or paging, virtual memory etc .....  u cannot do command line

jose many thanks for support for my answer . i dunno whether i deserve it !

Expert Comment

by:havman56
ID: 17265258


mmmmmmmmmmm?