PE minidump


Peter

Apr 7, 2025, 10:11:12 AM
to DynamoRIO Users
Hi guys, I am trying to write a dumper that dumps a PE snapshot, regs, memory, etc. at a certain point, which is loadable into a debugger later on.

I am using DynamoRIO 10 on Windows 11 (24H2) itm.

I first tried with:

#include "dr_api.h"
...
char ldmp_path[MAXIMUM_PATH];          /* DR fills this with the path of the dump it wrote */
dr_memory_dump_spec_t spec = { 0 };
spec.size = sizeof(spec);
spec.flags = DR_MEMORY_DUMP_LDMP;      /* DR's own ldmp format */
spec.label = "My memory dump";         /* reason for the dump */
spec.ldmp_path = ldmp_path;
spec.ldmp_path_size = sizeof(ldmp_path);

if (dr_create_memory_dump(&spec)) {
    dr_printf("[INFO] Memory dump created:\n  LDMP: %s\n", ldmp_path);
} else {
    dr_printf("[ERROR] Failed to create memory dump.\n");
}
...

It produces the ldmp file, but it seems not to work with x64 files (there is only an ldmp.exe in bin32, not in bin64) and/or Windows 11.

$ ./ldmp.exe ../logs/hello_world_x64.exe.9116.00000000.ldmp ./dummy.exe
opening ldump file ../logs/hello_world_x64.exe.9116.00000000.ldmp
ldmp.exe may not work fully on Vista+ (i#397)

**************************************************
Message:
0
**************************************************
Assertion failed: res == 1, file D:\a\dynamorio\dynamorio\tools\ldmp.c, line 1090

Then I tried it with the M$ API like:

#include <windows.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")
...
HANDLE hProcess = GetCurrentProcess();   /* in-process dump of the instrumented app itself */
DWORD pid = GetCurrentProcessId();
HANDLE hFile = CreateFileA("snapshot.dmp", GENERIC_WRITE, 0, NULL,
                           CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
    dr_printf("[ERROR] Cannot create dump file: %lu\n", GetLastError());
    return;
}

MINIDUMP_EXCEPTION_INFORMATION dumpInfo;
dumpInfo.ThreadId = dr_get_thread_id(drcontext);
dumpInfo.ExceptionPointers = NULL;       /* plain snapshot, no exception context */
dumpInfo.ClientPointers = FALSE;

BOOL success = MiniDumpWriteDump(
    hProcess,
    pid,
    hFile,
    MiniDumpWithFullMemory,              /* all readable memory, not just stacks */
    &dumpInfo,
    NULL,                                /* no user streams */
    NULL);                               /* no callback */
if (!success)
    dr_printf("[ERROR] MiniDumpWriteDump failed: %lu\n", GetLastError());
CloseHandle(hFile);
...

Which leads to the following error (the client runs fine if I comment out the MiniDumpWriteDump function):

$ "C:\tools\DynamoRIO-Windows-10.0.0\bin64\drrun.exe" -no_follow_children -c "Z:\research\engineering\docs_and_code\C\tracer\x64\Release\tracer.dll" -s 140001490 -e 1400014B9 -m hello_world_x64.exe -- "Z:\research\engineering\docs_and_code\C\tracer\x64\Release\hello_world_x64.exe"
<Application Z:\research\engineering\docs_and_code\C\tracer\x64\Release\hello_world_x64.exe (11000). Unable to load client library: ucrtbase.dll: library initializer failed..>

I guess the DynamoRIO loader and DBI confuse dbghelp.lib? The latter doesn't surprise me, as it is not a normal PE execution.

So, long story short, any ideas on how to solve the issue and create a kind of minidump or PE file from the state of a loaded PE file? Are there any other functions, or am I doing something wrong?

thx,
Peter

Abhinav Sharma

Apr 7, 2025, 10:58:38 AM
to DynamoRIO Users
Hi Peter,

> It produces the ldmp file, but it seems not to work with x64 files (there is only an ldmp.exe in bin32, not in bin64 ) and or Windows 11.

Indeed, 64-bit ldmp is not supported today: https://github.com/DynamoRIO/dynamorio/issues/118.

As far as I'm aware, we don't have any plan to work on this anytime soon. We welcome open-source contributions, so if you're interested in helping out, let us know and we can put together some pointers.

> Which leads to the following error (the client runs fine if I out comment the MiniDumpWriteDump function):

The error looks similar to https://github.com/DynamoRIO/dynamorio/issues/6962, for which a short term workaround was submitted in Sept 2024 (https://github.com/DynamoRIO/dynamorio/pull/7003).

> I am using DynamoRio 10 on Windows 11 (24H2) itm.

DynamoRIO 10.0.0 was released in Aug 2023 (https://github.com/DynamoRIO/dynamorio/releases/tag/release_10.0.0). Could you retry with a DynamoRIO build after Sept 2024?

Hopefully this helps.

Regards,
Abhinav

Peter

Apr 8, 2025, 4:25:48 AM
to DynamoRIO Users
Thx for the quick answer, Abhinav! I'll update and try the workaround.

Peter

Apr 8, 2025, 11:40:07 AM
to DynamoRIO Users
OK, I tried it with DynamoRIO-Windows-11.3.0. It is better: the client DLL is executed, loads the target app, and all instrumentation before the call works, but the MiniDumpWriteDump() function fails with a segfault. If you want me to post more details on it, pls advise. I assume the MiniDumpWriteDump() function crashes because the PE is instrumented, but if you have technical details I would be interested. Any idea how to solve this would of course be highly welcome too.

Abhinav Sharma

Apr 8, 2025, 2:44:39 PM
to DynamoRIO Users
Good to know that the previous crash is resolved.

I'm not familiar with MiniDumpWriteDump. I understand from its documentation (https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump) that it writes a user-mode dump. Since DynamoRIO also operates in user mode, the dump would certainly be polluted with instrumentation artifacts. But I'm not sure how you intend to use the dump, so it's possible it may still be useful to your use case.

Re the crash:
- Maybe it'll be useful to first ensure that MiniDumpWriteDump works as expected when compiled in source code, without DynamoRIO. I read that in-process use of MiniDumpWriteDump can be tricky.
- When run under DynamoRIO, MiniDumpWriteDump would also be instrumented, so there can potentially be some unhandled interactions. Do you have a stack trace from the MiniDumpWriteDump crash?

Maybe +Derek would have more useful suggestions.

Abhinav
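Added example, not code from this thread or from DynamoRIO: a portable C check of a minidump's header and stream directory, useful for confirming offline that a file written by MiniDumpWriteDump (with or without DR) is structurally sound and carries the Memory64ListStream a full-memory dump should have, before loading it in a debugger. The 72-byte sample is constructed here, not taken from a real dump.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Minidump format constants as documented in minidumpapiset.h. */
#define MINIDUMP_SIGNATURE 0x504D444Du /* "MDMP" read little-endian */
#define MINIDUMP_VERSION   0xA793u     /* low word of MINIDUMP_HEADER.Version */
#define HEADER_SIZE    32              /* sizeof(MINIDUMP_HEADER) */
#define DIR_ENTRY_SIZE 12              /* sizeof(MINIDUMP_DIRECTORY) */
#define SAMPLE_LEN     72
enum { ExceptionStream = 6, SystemInfoStream = 7, Memory64ListStream = 9 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* 1 if buf carries a minidump header whose stream directory and streams lie within len bytes. */
int minidump_is_valid(const uint8_t *buf, size_t len) {
    if (len < HEADER_SIZE || rd32(buf) != MINIDUMP_SIGNATURE) return 0;
    if ((rd32(buf + 4) & 0xFFFFu) != MINIDUMP_VERSION) return 0;
    uint32_t nstreams = rd32(buf + 8), dir_rva = rd32(buf + 12);
    if (dir_rva > len || nstreams > (len - dir_rva) / DIR_ENTRY_SIZE) return 0;
    for (uint32_t i = 0; i < nstreams; i++) {
        const uint8_t *e = buf + dir_rva + (size_t)i * DIR_ENTRY_SIZE;
        uint32_t size = rd32(e + 4), rva = rd32(e + 8);
        if (rva > len || size > len - rva) return 0; /* stream data out of bounds */
    }
    return 1;
}
/* 1 if a stream of the given type is present (a full-memory dump carries Memory64ListStream). */
int minidump_has_stream(const uint8_t *buf, size_t len, uint32_t type) {
    if (!minidump_is_valid(buf, len)) return 0;
    uint32_t nstreams = rd32(buf + 8), dir_rva = rd32(buf + 12);
    for (uint32_t i = 0; i < nstreams; i++)
        if (rd32(buf + dir_rva + (size_t)i * DIR_ENTRY_SIZE) == type) return 1;
    return 0;
}
/* Constructed sample, not a real dump: header, 2 directory entries, 16 bytes of stream data. */
const uint8_t *build_sample(void) {
    static uint8_t s[SAMPLE_LEN];
    memset(s, 0, sizeof(s));
    memcpy(s, "MDMP", 4);
    wr32(s + 4, 0x0001A793u);  /* version: 0xA793 plus an implementation-specific high word */
    wr32(s + 8, 2);            /* NumberOfStreams */
    wr32(s + 12, HEADER_SIZE); /* StreamDirectoryRva: directory right after the header */
    wr32(s + 32, SystemInfoStream);   wr32(s + 36, 8); wr32(s + 40, 56);
    wr32(s + 44, Memory64ListStream); wr32(s + 48, 8); wr32(s + 52, 64);
    return s;
}
```

To check a real file, read the whole .dmp into a buffer and pass it with its length to minidump_is_valid and minidump_has_stream.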

Peter

Apr 9, 2025, 10:17:26 AM
to DynamoRIO Users

No, I don't have a stack trace. TBH I am not sure how to generate this under a DynamoRIO-instrumented app?

Abhinav Sharma

Apr 9, 2025, 2:34:29 PM
to DynamoRIO Users
See https://dynamorio.org/page_debugging.html#autotoc_md153 for Windows suggestions on getting the crash callstack and symbolizing it.

Derek Bruening

Apr 11, 2025, 1:08:26 AM
to Abhinav Sharma, DynamoRIO Users
Getting system library routines to work yet be isolated from the application is not easy and can be inherently fragile and break across different OS versions; even on Linux we have considered dropping support for private system libraries altogether as it is difficult to maintain.  I think it would be easier and more robust to implement 64-bit support in DR's memory dump interface: https://github.com/DynamoRIO/dynamorio/issues/118.
