Memdump
memdump [process] [dump file] [bytes per line] {bytes to read} {start address} {nohex} {noascii}
# [process]: The process whose memory will be dumped. It can be the path of the process executable, the process name, or the Process ID.
# [dump file]: The name of the file to save the output to.
# [bytes per line]: Number of bytes written on each line of the dump file.
# {bytes to read}: How many bytes to read.
# {start address}: Start dumping the process memory at this address.
# {nohex}: Optional. Do not save memory data in hexadecimal format.
# {noascii}: Optional. Do not save memory data in ASCII format.
memdump iexplore.exe "d:\evidence\dump.txt" "16" "0x10000" "0x400000"
memdump srvchost.exe "d:\evidence\srvchost.txt" "32" "0x30000" "0x400000" nohex
memdump /525 "d:\evidence\dump2.txt" "16" "0x100000" "0x120000" noascii
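To make the argument semantics concrete, here is an added example (not the tool's own code) that parses the same [process] [dump file] [bytes per line] {bytes to read} {start address} {nohex} {noascii} syntax and renders a region of a constructed byte buffer the way a hex/ASCII dump with those options looks. The buffer stands in for live process memory so it runs offline; the exact on-disk layout the real tool writes is not documented above and is assumed, as is the reading of "/525" as PID 525 (taken from the third example).

```python
# Added example: models the memdump argument syntax and output options over
# a constructed byte buffer.  Not the tool's own code; the dump file layout
# (address, hex column, ASCII column) and the "/PID" convention are assumptions.
import string

PRINTABLE = set(bytes(string.ascii_letters + string.digits
                      + string.punctuation + " ", "ascii"))
FLAGS = {"nohex", "noascii"}


def parse_args(argv):
    """Parse [process] [dump file] [bytes per line] {bytes to read}
    {start address} {nohex} {noascii} into a dict.

    Numbers go through int(x, 0), so "16", "0x10000" and "0x400000" all work.
    A process token like "/525" is taken as PID 525 (assumption); anything
    else is treated as a process name or executable path.
    """
    if len(argv) < 3:
        raise ValueError("process, dump file and bytes per line are required")
    process, dump_file, bytes_per_line = argv[0], argv[1], int(argv[2], 0)
    flags = {a.lower() for a in argv[3:] if a.lower() in FLAGS}
    optional = [a for a in argv[3:] if a.lower() not in FLAGS]
    if len(optional) > 2:
        raise ValueError("unexpected extra arguments: %r" % optional[2:])
    if flags == FLAGS:
        raise ValueError("nohex and noascii together leave nothing to write")
    if bytes_per_line <= 0:
        raise ValueError("bytes per line must be positive")
    pid = int(process[1:]) if process.startswith("/") and process[1:].isdigit() else None
    return {
        "process": process, "pid": pid, "dump_file": dump_file,
        "bytes_per_line": bytes_per_line,
        "bytes_to_read": int(optional[0], 0) if len(optional) > 0 else None,
        "start_address": int(optional[1], 0) if len(optional) > 1 else None,
        "nohex": "nohex" in flags, "noascii": "noascii" in flags,
    }


def format_line(address, chunk, bytes_per_line, hexdump=True, asciidump=True):
    """One dump line: 8-digit hex address, optional hex column, optional ASCII column."""
    parts = ["%08x" % address]
    if hexdump:
        # Pad short final lines so the ASCII column stays aligned.
        parts.append(" ".join("%02x" % b for b in chunk).ljust(bytes_per_line * 3 - 1))
    if asciidump:
        parts.append("".join(chr(b) if b in PRINTABLE else "." for b in chunk))
    return "  ".join(parts)


def dump_region(memory, base_address, start_address, bytes_to_read,
                bytes_per_line, nohex=False, noascii=False):
    """Render memory[start_address - base_address : + bytes_to_read] as dump lines.

    A read that runs past the end of the buffer is truncated at the buffer
    end (what the real tool does on unreadable pages is not documented)."""
    offset = start_address - base_address
    if offset < 0 or offset >= len(memory):
        raise ValueError("start address 0x%x lies outside the region" % start_address)
    region = memory[offset:offset + bytes_to_read]
    return [format_line(start_address + i, region[i:i + bytes_per_line],
                        bytes_per_line, not nohex, not noascii)
            for i in range(0, len(region), bytes_per_line)]


# Constructed stand-in for process memory: 256 bytes mapped at 0x400000.
SAMPLE_BASE = 0x400000
SAMPLE_MEMORY = bytes(range(256))


def run(argv, memory=SAMPLE_MEMORY, base=SAMPLE_BASE):
    """Apply a parsed command line to the sample buffer and return dump lines."""
    opts = parse_args(argv)
    start = opts["start_address"] if opts["start_address"] is not None else base
    count = opts["bytes_to_read"] if opts["bytes_to_read"] is not None else len(memory)
    return dump_region(memory, base, start, count, opts["bytes_per_line"],
                       opts["nohex"], opts["noascii"])


if __name__ == "__main__":
    # Mirrors the third example above, but over the sample buffer; the dump
    # file name is parsed and kept, and lines are printed instead of written.
    for line in run(["/525", r"d:\evidence\dump2.txt", "16", "0x20", "0x400010", "noascii"]):
        print(line)
```

Running the block prints two 16-byte lines starting at 0x400010 without the ASCII column; passing nohex instead drops the hex column, and passing both is rejected because nothing would be written.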
Last updated 1yr ago