How to create a binary / hex dump of another process memory?

I am having trouble finding a reasonable way to dump another process's memory into a file.

After an extensive search, I was able to find a good article on CodeProject that has *most* of the functionality that I want: Performing a hex dump of another process memory. This does a good job of resolving permissions and creates a good foundation.

However, with this utility, I saw that even a small process, such as a clean Notepad.exe or an instance of Calc.exe, can generate a dump file larger than 24 MB, while the process itself runs under 20 KB in memory according to the Task Manager.

In this article, it seemed to me that perhaps this is also dumping things in shared memory, possibly in a DLL space, etc. For example, a Calc.exe dump will include sections containing method names (and presumably memory) from Kernel32.dll:

²³´µKERNEL32.dll ActivateActCtx AddAtomA AddAtomW AddConsoleAliasA AddConsoleAliasW AddLocalAlternateComputerNameA AddLocalAlternateComputerNameW AddRefActCtx AddVectoredExceptionHandler AllocConsole AllocateUserPhysicalPages AreFileApisANSI AssignProcessToJobObject AttachConsole BackupRead BackupSeek BackupWrite BaseCheckAppcompatCache BaseCleanupAppcompatCache

Is there a better way to dump the memory of another process that does not lead to this overhead, or perhaps improve the related article code that solves this problem? I want to get the memory that actually belongs to the process itself. It would be nice for me to dump the memory space of functions that are actually used in DLLs, but it seems that there is no need to unload *all* the contents of several DLLs to get the current memory of the process.

30-60 30 , 25 30 . , , , .


. , GUI, CodeProject, .

+5
2

minidump. Windows Debug Helper , MiniDumpWriteDump.

, -, MINIDUMP_TYPE, , , MiniDumpNormal, . -.

, -, MiniDumpWriteDump, MINIDUMP_CALLBACK_OUTPUT.

- , Windbg Visual Studio, dbghelp.dll.

+3
+1
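
The question's suspicion that shared and DLL memory inflate the dump can be checked by classifying regions before reading them. The following C code is an added example, not taken from the CodeProject article or from either poster; it applies the selection to the State, Protect and Type fields that VirtualQueryEx reports in MEMORY_BASIC_INFORMATION. The names region_t, should_dump and dump_bytes and the sample region list are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Documented Windows values; guarded so the file also builds with <windows.h>. */
#ifndef MEM_COMMIT
#define MEM_COMMIT    0x00001000
#define MEM_PRIVATE   0x00020000
#define MEM_MAPPED    0x00040000
#define MEM_IMAGE     0x01000000
#define PAGE_NOACCESS 0x01
#define PAGE_GUARD    0x100
#endif
/* Hypothetical record holding the MEMORY_BASIC_INFORMATION fields used here. */
typedef struct { uint64_t base, size; uint32_t state, protect, type; } region_t;

/* Return 1 if a dumper that wants only the process's own data should read r. */
int should_dump(const region_t *r, int include_images)
{
    if (r->state != MEM_COMMIT) return 0;                    /* reserved or free: nothing to read */
    if (r->protect & (PAGE_NOACCESS | PAGE_GUARD)) return 0; /* read fails or trips a guard page */
    if (r->type == MEM_PRIVATE) return 1;                    /* heaps, stacks, VirtualAlloc data */
    if (r->type == MEM_IMAGE) return include_images;         /* sections of the EXE and its DLLs */
    return 0;                                                /* MEM_MAPPED: shared or file views */
}

/* Total bytes that would be written to the dump file for a region list. */
uint64_t dump_bytes(const region_t *rs, size_t n, int include_images)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (should_dump(&rs[i], include_images)) total += rs[i].size;
    return total;
}

/* Constructed sample of what a region walk of a small process might return. */
static const region_t SAMPLE[] = {
    {0x00010000, 0x00010000, MEM_COMMIT, 0x04,  MEM_MAPPED },  /* shared section */
    {0x00200000, 0x00004000, MEM_COMMIT, 0x04,  MEM_PRIVATE},  /* heap */
    {0x002FC000, 0x00001000, MEM_COMMIT, 0x104, MEM_PRIVATE},  /* stack guard page */
    {0x002FD000, 0x00003000, MEM_COMMIT, 0x04,  MEM_PRIVATE},  /* stack */
    {0x00400000, 0x0001F000, MEM_COMMIT, 0x20,  MEM_IMAGE  },  /* main EXE */
    {0x76000000, 0x000D0000, MEM_COMMIT, 0x20,  MEM_IMAGE  },  /* a system DLL */
    {0x7F000000, 0x00100000, 0x2000,     0x00,  MEM_PRIVATE},  /* MEM_RESERVE only */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])
int main(void)
{
    printf("private only: %llu bytes\n", (unsigned long long)dump_bytes(SAMPLE, SAMPLE_N, 0));
    printf("with images:  %llu bytes\n", (unsigned long long)dump_bytes(SAMPLE, SAMPLE_N, 1));
    return 0;
}
```

On Windows the region list would be filled by walking the target's address space with VirtualQueryEx instead of using the constructed table.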
