import sys
from pykd import *
import string
import os
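pagesize = 0x1000  # page size of a 32-bit target: 4 KiB, the unit one .writemem call dumps
# Number of pages in the full 4 GiB 32-bit address space.  Floor division keeps this an
# int under Python 3; the original "/" yields a float there and range() then raises.
looptime = 0x100000000 // 0x1000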
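def getmem(temp_filepath="F:\\Temp_memory", whole_filepath="F:\\win7_whole_memory"):
    """Dump the 32-bit address space (0x00000000..0xFFFFFFFF) into one flat image file.

    The image is written one page at a time so that the file offset of every byte
    equals its address in the debuggee: a page the debugger cannot read is replaced
    by ``pagesize`` zero bytes instead of being skipped.  That alignment is the
    property analysts rely on, so the code below guards it in three places the
    original did not:

    * the zero page is built in memory rather than read from a file whose length
      was never checked (a short or long file would shift every later page);
    * the scratch file is deleted before each ``.writemem`` so a silently failed
      command cannot re-emit the previous page's bytes;
    * a missing or short scratch file is reported via ``dprintln`` and padded with
      zeros rather than written as-is.

    Args:
        temp_filepath: scratch file that ``.writemem`` fills with a single page.
        whole_filepath: output image; overwritten if it already exists.

    Must run inside a pykd debugging session (``dbgCommand``/``dprintln`` are
    pykd's).  The output is a complete memory image and may contain credentials
    or keys resident in memory at capture time; protect it accordingly.
    """
    zero_page = b"\x00" * pagesize
    with open(whole_filepath, "wb") as whole_file:
        for i in range(looptime):
            start = i * pagesize
            end = start + pagesize - 1
            # "dd <addr> <addr+1>" probes only the first dword of the page.  For an
            # unreadable page WinDbg prints the 8-digit address, two spaces, then
            # "????????", so the first '?' sits at column 10.  An empty reply is
            # treated the same way so the image stays aligned instead of aborting.
            probe = dbgCommand("dd 0x%08x 0x%08x" % (start, start + 1))
            if not probe or probe[10:11] == "?":
                whole_file.write(zero_page)
                continue
            # Drop any stale scratch file first; .writemem reports errors only as
            # text, and reusing the previous page's bytes would corrupt the image.
            try:
                os.remove(temp_filepath)
            except OSError:
                pass
            # e.g. ".writemem F:\Temp_memory 0x00001000 0x00001fff" (end is inclusive)
            dbgCommand(".writemem %s 0x%08x 0x%08x" % (temp_filepath, start, end))
            try:
                with open(temp_filepath, "rb") as temp_file:
                    page = temp_file.read()
            except IOError:
                page = b""
            if len(page) != pagesize:
                # Never let a short page shift later offsets: report it, then pad
                # (or truncate) to exactly one page so offset == address still holds.
                dprintln("page 0x%08x: got %d bytes, expected %d; zero-padded"
                         % (start, len(page), pagesize))
                page = (page + zero_page)[:pagesize]
            whole_file.write(page)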
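def run():
    """Entry point: attach to a target, verify it is kernel-mode, then call ``getmem``.

    Inside WinDbg (``isWindbgExt()`` true) the live session is used.  As a
    standalone pykd script the crash-dump path must be given as ``sys.argv[1]``;
    the original indexed it unconditionally and died with a bare IndexError when
    it was missing, so a usage message is printed instead.  Anything other than
    a kernel-debugging target is refused, matching the original behaviour.
    """
    if not isWindbgExt():
        if len(sys.argv) < 2:
            dprintln("usage: %s <dump file>" % sys.argv[0])
            return
        dump_path = sys.argv[1]
        if not loadDump(dump_path):
            dprintln(dump_path + " - load failed")
            return
    if not isKernelDebugging():
        dprintln("not a kernel debugging")
        return
    getmem()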
# Script guard: only start the dump when executed directly, never on plain import.
if __name__ == '__main__':
    run()