How can I dump a specific section of memory with Windbg?

Time:02-25

I am debugging a kernel application and want to dump a specific part of memory. I want to copy a driver (meaning its PE header and all of its sections) after breaking at a specific point, into a dump file. I have tried to use a regular memory dump and cut out the irrelevant sections, but oddly the kernel dump seems to split up PE files, scattering their sections across a massive 300 MB dump, making it basically useless to me. Is there a way I could dump a section of memory using WinDbg, or possibly write an extension that could add such functionality?

CodePudding user response:

(was meant to be a comment but is a bit too long)

In a perfect world the easiest thing would be to do lmvm <driver_name> (see lm command), look at the base and end of the driver mapping and then do a .writemem on the mapping range.

Alas, some driver sections are discardable (they are mapped when the control flow reaches the entry but will be unmapped, usually after the DriverEntry execution) and other sections will be paged out (written to disk) by the system during the driver's life (and mapped back in case of a page fault). Also, (iirc) .writemem fails entirely if it can't read a portion of the memory range.

Your best bet is to dump the driver at the entry point (I think Windows doesn't lazy load driver sections).

Technically, you can loop around all pages and if one is missing you can try to .pagein the missing block(s), but it happens to fail sometimes too (without any means to know why)...

.pagein is quite fiddly as you ask for a page range so the debugger can page in the requested memory from disk, but you also need to have the system run (.pagein needs to be followed by a g) so the filesystem driver stack can be asked by the debugger to actually get back the pages into memory. During that time, the system runs...

If you're doing this on a memory dump, you can't obviously .pagein so it won't work; you'll need a live system.
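A practical follow-up to the answer above: whatever you capture with .writemem over the lmvm base..end range is the image as the loader mapped it (sections at their RVAs, section-aligned), not a PE file as it sits on disk. Static tools expect file layout, and any page that was paged out or already discarded at capture time comes back as zeros or is simply missing at the end of the blob. The script below is an added example, not code from the original thread: it re-parses the captured headers, rewrites PointerToRawData/SizeOfRawData so the image opens as a normal PE, and reports per section whether the captured bytes look intact, zero-filled (a likely paged-out or discarded section) or truncated (the dump ended early). It assumes the capture started exactly at the image base; the sample image it builds for its own demo is constructed test data, not a real driver.

```python
"""Turn a memory-layout image captured with .writemem into a file-layout PE and
flag sections whose bytes look paged out/discarded or cut off.
Added example; not part of the original answer."""
import struct

IMAGE_SCN_MEM_DISCARDABLE = 0x02000000


def _align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_pe(buf):
    """Parse PE headers; return (file_alignment, size_of_headers, sections)."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", buf, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", buf, e_lfanew + 20)
    opt = e_lfanew + 24
    # FileAlignment (+36) and SizeOfHeaders (+60) sit at the same offsets in PE32 and PE32+.
    file_align, = struct.unpack_from("<I", buf, opt + 36)
    size_of_headers, = struct.unpack_from("<I", buf, opt + 60)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + i * 40
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", buf, hdr + 8)
        chars, = struct.unpack_from("<I", buf, hdr + 36)
        sections.append({"name": buf[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "hdr": hdr, "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "discardable": bool(chars & IMAGE_SCN_MEM_DISCARDABLE)})
    return file_align, size_of_headers, sections


def unmap_image(image):
    """Convert a memory-layout image (captured from the image base) to file layout.
    Returns (file_bytes, report) where report lists (name, rva, discardable, status)."""
    file_align, size_of_headers, sections = parse_pe(image)
    out = bytearray(image[:size_of_headers])
    out += b"\0" * (_align_up(size_of_headers, file_align) - len(out))
    report = []
    for s in sections:
        # Bytes as they were mapped; SizeOfRawData is how much the loader read from disk.
        data = image[s["va"]:s["va"] + s["rawsize"]]
        if len(data) < s["rawsize"]:
            status = "truncated"      # the capture ended before the section did
        elif s["rawsize"] and not any(data):
            status = "zero-filled"    # likely paged out or discarded when captured
        else:
            status = "ok"
        report.append((s["name"], s["va"], s["discardable"], status))
        new_ptr = len(out) if s["rawsize"] else 0
        new_size = _align_up(s["rawsize"], file_align)
        struct.pack_into("<II", out, s["hdr"] + 16, new_size, new_ptr)  # SizeOfRawData, PointerToRawData
        out += data.ljust(new_size, b"\0")
    return bytes(out), report


def build_sample_image():
    """Constructed PE32+ image in memory layout (test data only, not a real driver)."""
    sec_align, file_align = 0x1000, 0x200
    specs = [  # name, characteristics, contents
        (b".text", 0x60000020, b"\x90" * 0x40),
        (b".data", 0xC0000040, b"\x41" * 0x10),
        (b"INIT", 0x62000020, b"\0" * 0x30),   # discardable; zeros stand in for an unmapped page
    ]
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<II", opt, 32, sec_align, file_align)     # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, sec_align * (len(specs) + 1), 0x400)  # SizeOfImage, SizeOfHeaders
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(specs), 0, 0, 0, len(opt), 0x22)
    sec_hdrs = b""
    image = bytearray(sec_align * (len(specs) + 1))
    for i, (name, chars, body) in enumerate(specs):
        va = sec_align * (i + 1)
        sec_hdrs += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(body), va, _align_up(len(body), file_align), 0, 0, 0, 0, 0, chars)
        image[va:va + len(body)] = body
    hdr = dos + coff + opt + sec_hdrs
    image[:len(hdr)] = hdr
    return bytes(image)


if __name__ == "__main__":
    # Real use: unmap_image(open(r"C:\dump\driver.bin", "rb").read()) on a .writemem capture.
    file_bytes, report = unmap_image(build_sample_image())
    for name, rva, discardable, status in report:
        print(f"{name:8} rva=0x{rva:05x} discardable={discardable!s:5} {status}")
    print(f"file-layout image: {len(file_bytes)} bytes")
```

A section reported as zero-filled or truncated is exactly the case the answer warns about: the bytes were not resident when you ran .writemem, so re-capturing at DriverEntry (or after a successful .pagein followed by g on a live target) is the fix, not patching the dump.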
