Question about memory dumps

Published 2024-09-29 21:05:34 · 1181 characters · 9 views · 0 comments

I am currently trying to design a memory dump tool that could get the memory dump of a crashed process from another process. But I am totally new to this and I want to take this as an opportunity to get a solid understanding of memory dump techniques.

I want to know the working paradigm of creating a memory dump for the crashed process. My current wild imagination is like below:

When a process crashes, the operating system will always know that (I don't know how, but it should be able to). Then the OS launches some kind of mechanism to copy the content of the crashed process's virtual address space to the so-called dump file. Then we could use WinDbg to debug with the dump file.

I am wondering, if we can copy the whole of the virtual address space of the crashed process into the dump file, wouldn't the file be too huge? Or could we specify which virtual address space (kernel/user) to dump?

Could anyone provide some references for me to start with, especially on the following aspects:

  1. What is a memory dump?

  2. If there are so-called kernel dump and user-mode dump, what are they?

  3. On the Windows platform, what APIs will I need? Would functions such as MiniDumpWriteDump() be relevant?

  4. When the OS detects that a certain process crashed, is there any signal that I can monitor so that my Dump Tool will be notified to start dumping?

Thanks for taking time to see my words.


ADD1:

(5) What are mini-dumps? How are they related to kernel/user mode dumps?

(6) When we talk about memory dump, which memory are we talking about? Virtual Memory or Physical Memory? From this picture, I think it should be Physical Memory.

ADD2:

I just found a good reference about writing MiniDumps with APIs contained in DbgHelp.dll. I'd like to share it. If you can provide other good materials related to this, would you mind sharing them? Thanks.

(BTW: I will keep updating this thread with my progress. Any comments would be deeply appreciated.)


赴月观长安 2024-10-06 21:05:35

Why do this yourself? There are plenty of tools that do this already. adplus (part of Debugging Tools for Windows) and ProcDump from Sysinternals can both do this. They both support a wealth of options and have been tested thoroughly. Both are free.

As for your other questions:

1) A memory dump is a dump of the memory space for a given process. There are various dumps with different levels of details. The help file for WinDbg has all the details.

2) For user applications you don't need kernel dumps. Kernel dumps are used to debug kernel mode code - i.e. drivers and the OS itself.

3) You can create user mode dumps using dbgeng.dll (which is included in Debugging Tools for Windows), but as I said you should really consider the existing tools first.

4) Windows uses structured exception handling, so a crash is basically an unhandled exception. Debuggers can be notified of both first and second chance exceptions, so they can create dumps when the exception is raised as well as when no exception handler is available.
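One way to put points 3 and 4 together, as an added example that is not code from this thread, from adplus or from ProcDump: attach to the target as a debugger so Windows reports its exceptions, and write a minidump with MiniDumpWriteDump when the second-chance exception (the one no handler accepted) arrives. It assumes a Windows host with dbghelp.lib linked and a caller that passes the target PID to dump_on_crash; the function and helper names and the MINIDUMP_TYPE flag choice are mine, and the two helpers above the #ifdef are portable.

```c
#include <stdio.h>
#include <string.h>

/* Policy: a second-chance exception means no handler in the target accepted it,
 * which is the crash. First-chance ones are dumped only when requested. */
int should_write_dump(int first_chance, int dump_first_chance) {
    return !first_chance || dump_first_chance;
}

/* Name dumps by PID and exception code so several can coexist on disk. */
int build_dump_name(char *out, size_t n, unsigned long pid, unsigned long code) {
    int len = snprintf(out, n, "crash_%lu_0x%08lX.dmp", pid, code);
    return len > 0 && (size_t)len < n;
}

#ifdef _WIN32 /* everything below needs the Windows debug and DbgHelp APIs */
#include <windows.h>
#include <dbghelp.h>
/* Attach as debugger, wait for the crash, write a minidump carrying the exception
 * record and faulting thread's context so WinDbg's ".ecxr" lands on the crash site. */
int dump_on_crash(DWORD pid, int dump_first_chance) {
    HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!proc || !DebugActiveProcess(pid)) return 1;
    DEBUG_EVENT ev;
    int written = 0;
    while (!written && WaitForDebugEvent(&ev, INFINITE)) {
        DWORD status = DBG_CONTINUE;
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) break;
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
            status = DBG_EXCEPTION_NOT_HANDLED; /* let the target's own SEH run first */
            if (should_write_dump(ev.u.Exception.dwFirstChance, dump_first_chance)) {
                char name[64];
                build_dump_name(name, sizeof name, pid, ev.u.Exception.ExceptionRecord.ExceptionCode);
                CONTEXT ctx = { .ContextFlags = CONTEXT_ALL };
                HANDLE thread = OpenThread(THREAD_GET_CONTEXT, FALSE, ev.dwThreadId);
                HANDLE file = CreateFileA(name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
                EXCEPTION_POINTERS ep = { &ev.u.Exception.ExceptionRecord, &ctx };
                MINIDUMP_EXCEPTION_INFORMATION mei = { ev.dwThreadId, &ep, FALSE };
                if (thread && file != INVALID_HANDLE_VALUE && GetThreadContext(thread, &ctx))
                    written = MiniDumpWriteDump(proc, pid, file, MiniDumpWithDataSegs |
                        MiniDumpWithIndirectlyReferencedMemory | MiniDumpWithThreadInfo, &mei, NULL, NULL);
                if (file != INVALID_HANDLE_VALUE) CloseHandle(file);
                if (thread) CloseHandle(thread);
            }
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
    }
    DebugActiveProcessStop(pid);
    CloseHandle(proc);
    return written ? 0 : 2;
}
#endif
```

The resulting file opens in WinDbg like any other minidump; adding MiniDumpWithFullMemory to the flags produces the much larger full-memory variant the question worries about.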
