How can I save a memory dump in IDA with a command or script?
Solution 1
Yes, that works, but it's very slow writing a single byte at a time. Try this for instant dumping:
auto fname = "C:\\dump_mem.bin";
auto address = 0x0400000;
auto size = 0x0300000;
auto file = fopen(fname, "wb");
// savefile(handle, file offset, start address, size) writes the whole range in one call
savefile(file, 0, address, size);
fclose(file);
Solution 2
Using the IDA Python API, you can save off a region of memory using the following script, which will prompt you to specify where the resulting file should be saved:
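# AskFile and GetManyBytes are the IDA 6.x names; IDA 7.x calls them
# ida_kernwin.ask_file and idc.get_bytes.
filename = AskFile(1, "*.bin", "Output file name")  # 1 = "save file" dialog
address = 0x009DD5B8
size = 0x37a0
dbgr = False
with open(filename, "wb") as out:
    data = GetManyBytes(address, size, use_dbg=dbgr)
    out.write(data)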
If you want to save off the bytes corresponding to a memory region that you've highlighted in the graphical interface, you can use the following in the script above:
address = idc.read_selection_start()
if address == idc.BADADDR:
    raise Exception("No memory region selected")
size = idc.read_selection_end() - address
Set dbgr to True if the script is run during a debugger session.
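A chunked helper in the shape of the SaveDump(StartAddress, EndAddress) call the question asks for, as an added example that is not part of the original answers. It assumes IDA 7.x, where GetManyBytes is named idc.get_bytes; the names save_dump, ida_reader and the read/chunk parameters are hypothetical. Chunks that cannot be read are zero-filled and reported, so file offsets still map to addresses and the write never receives None.

```python
import hashlib


def ida_reader(use_dbg):
    # Imported lazily so this file also loads outside IDA (assumes IDA 7.x idc).
    import idc
    return lambda ea, n: idc.get_bytes(ea, n, use_dbg)


def save_dump(start, end, path, use_dbg=False, read=None, chunk=0x10000):
    """Write the bytes in [start, end) to path.

    Returns (bytes_written, sha256_hex, gaps), where gaps lists the
    (start, end) address ranges that could not be read and were zero-filled.
    """
    if end <= start:
        raise ValueError("end must be greater than start")
    read = read or ida_reader(use_dbg)
    digest = hashlib.sha256()
    gaps = []
    written = 0
    with open(path, "wb") as out:
        ea = start
        while ea < end:
            n = min(chunk, end - ea)
            data = read(ea, n)
            if not data or len(data) != n:
                # Unreadable or short read (for example unmapped memory, or
                # use_dbg=True with no debugger session): pad with zeros.
                gaps.append((ea, ea + n))
                data = b"\x00" * n
            out.write(data)
            digest.update(data)
            written += n
            ea += n
    return written, digest.hexdigest(), gaps


# Inside IDA, with the range from the question:
#   n, sha256, gaps = save_dump(0x00001000, 0x00002000, "C:\\dump_mem.bin")
#   print("wrote %#x bytes, sha256=%s, unreadable=%r" % (n, sha256, gaps))
```

Gaps are tracked per chunk, so pass a smaller chunk value when the exact boundary of an unreadable region matters.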
Solution 3
Press Shift + F2 in IDA, and paste this script:
auto file, fname, i, address, size, x;
address = 0x0159ADB0;
size = 0xEA90;
fname = "C:\\dump_mem.bin";
file = fopen(fname, "wb");
for (i = 0; i < size; i++, address++)
{
    x = DbgByte(address);
    fputc(x, file);
}
fclose(file);
Run the script and you'll get the dump_mem.bin file, from 0x0159ADB0 with size 0xEA90.
Authored by Dino Balloons
Updated on June 04, 2022
Comments
-
Dino Balloons almost 2 years
- IDA, Hex-View
- I select with mouse zone of bytes from StartAddress to EndAddress
- Right Click -> Save to File
- Got memory dump.
How to do the same with a command? Like: SaveDump(StartAddress, EndAddress) SaveDump(0x00001000, 0x00002000)
-
Dino Balloons about 7 years
No hackers here? It's so bad.
-
Thomson over 6 years
DbgByte doesn't work if the executable is not launched for debugging?