编程自实现
在命令行中指定要转储的进程 PID 来运行，例如：`>procdump.exe 1254`（转储高权限进程需要管理员权限）
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Dbghelp.h>
#pragma comment(lib, "Dbghelp.lib")
bool EnableDebugPrivilege();
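/*
 * Entry point: writes a full-memory minidump of the process whose PID is
 * given as argv[1] into "memory.dmp" in the current directory.
 *
 * Fixes over the original: argv[1] is validated before use (the original
 * dereferenced it without checking argc and parsed it with atoi, which
 * turns garbage into PID 0), DWORD values use matching format specifiers,
 * and every failure path returns a non-zero exit code instead of
 * ExitProcess(0), which reported success to the calling shell/script.
 *
 * Returns 0 when the dump was written, 1 on usage error or any failure.
 */
int main(int argc, char **argv) {
    if (argc < 2 || argv[1] == NULL) {
        printf("Usage: %s <PID>\n", argv[0]);
        return 1;
    }

    /* strtoul reports parse failures through the end pointer; atoi does
     * not. PID 0 is the System Idle process and never a sensible target. */
    char *end = NULL;
    DWORD PID = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || PID == 0) {
        printf("Invalid PID: %s\n", argv[1]);
        return 1;
    }

    if (EnableDebugPrivilege()) {
        printf("EnableDebugPrivilege ok!\n");
    } else {
        /* Not fatal: a process owned by the same user may still be opened
         * without SeDebugPrivilege, so continue and let OpenProcess decide. */
        printf("EnableDebugPrivilege failed!\n");
    }

    printf("Trying to dump PID: %lu\n", PID);

    /* PROCESS_QUERY_INFORMATION | PROCESS_VM_READ is the access
     * MiniDumpWriteDump needs for a full-memory dump. Defensive note: a
     * cross-process handle opened with PROCESS_VM_READ followed by a
     * MiniDumpWriteDump call is a sequence endpoint monitoring commonly
     * records, so expect it to show up in EDR telemetry. */
    HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, PID);
    printf("Process HANDLE 0x%p\n", hProc);
    if (hProc == NULL) {
        printf("HANDLE is NULL. Exiting (%lu)\n", GetLastError());
        return 1;
    }

    HANDLE hFile = CreateFileA("memory.dmp", GENERIC_WRITE, FILE_SHARE_WRITE, NULL,
                               CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    printf("memory.dmp HANDLE 0x%p\n", hFile);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("Can't create memory.dmp. Exiting (%lu)\n", GetLastError());
        CloseHandle(hProc);
        return 1;
    }

    /* MiniDumpWithFullMemory captures all readable pages; MiniDumpNormal or
     * MiniDumpWithDataSegs would produce a much smaller, less complete file. */
    BOOL bSuccess = MiniDumpWriteDump(hProc, PID, hFile,
                                      MiniDumpWithFullMemory,
                                      NULL, NULL, NULL);
    /* Capture the error immediately: on failure MiniDumpWriteDump leaves an
     * HRESULT in the last-error slot, hence the hexadecimal format. */
    DWORD dumpErr = GetLastError();
    printf("Process Completed (%d)(%lX)\n", (int)bSuccess, dumpErr);

    CloseHandle(hFile);
    CloseHandle(hProc);
    return bSuccess ? 0 : 1;
}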
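/*
 * Enable SeDebugPrivilege on the current process token so that OpenProcess
 * can reach processes whose DACL would otherwise refuse the caller.
 *
 * Returns true only when the privilege is actually enabled. Two defects in
 * the original are fixed here: AdjustTokenPrivileges returns TRUE even when
 * the token does not hold the privilege at all (it then sets the last error
 * to ERROR_NOT_ALL_ASSIGNED), so the unconditional "return true" reported
 * success for non-administrator callers; and the token handle obtained from
 * OpenProcessToken was never closed on any path.
 */
bool EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return false;
    }

    bool enabled = false;
    LUID debugLuid;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &debugLuid)) {
        TOKEN_PRIVILEGES tkp;
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = debugLuid;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        /* A TRUE return only means the call itself succeeded; the last error
         * tells whether every requested privilege was adjusted. */
        if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
            enabled = (GetLastError() == ERROR_SUCCESS);
        }
    }

    CloseHandle(hToken);
    return enabled;
}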
参考链接: