  #6  
Old 03-06-2025, 23:46
rcer
Quote:
Originally Posted by wx69wx2023
from chatgpt:
When analyzing a process dump from procdump, the dumped file is not a standard executable but a memory snapshot. Because of this, IDA won’t automatically find an entry point like it does with a PE file. Here’s how you can locate the entry point manually:

1. Check the PEB for the Entry Point

The Process Environment Block (PEB) contains information about the loaded executable, including the entry point. You can find this in the dump:

Open the memory dump in IDA.

Locate the PEB structure in memory (usually at fs:[0x30] in 32-bit processes or gs:[0x60] in 64-bit).

Find the ImageBaseAddress and EntryPoint fields.

.
Maybe I am missing something (or everything), but when I load the memory dump into IDA, I see the following:

seg000:00000000 ;
seg000:00000000 ; +-------------------------------------------------------------------------+
seg000:00000000 ; | This file was generated by The Interactive Disassembler (IDA) |
seg000:00000000 ; | Copyright (c) 2024 Hex-Rays, <support@hex-rays.com> |
seg000:00000000 ; | License info: 48-0000-0000-00 |
seg000:00000000 ; | TOM_RUS |
seg000:00000000 ; +-------------------------------------------------------------------------+
seg000:00000000 ;
seg000:00000000 ; Input SHA256 : 50CFFADE61B2095CA37D84FDAB1DCE4D5809D19208C0DC92102DD283132900D0
seg000:00000000 ; Input MD5 : 943FDC8ECCA542FAF3666B8A0E2ABCF4
seg000:00000000 ; Input CRC32 : 253FA370
seg000:00000000
seg000:00000000 ; File Name : E:\01-Support\01-Hardware\Rohde & Schwarz\03-Signal Generators\SMU200A\RCE\ComponentEnvironmentServer_240530_195655.dmp
seg000:00000000 ; Format : Binary file
seg000:00000000 ; Base Address: 0000h Range: 0000h - 1504CE2Fh Loaded length: 1504CE2Fh
seg000:00000000
seg000:00000000 .686p
seg000:00000000 .mmx
seg000:00000000 .model flat
seg000:00000000
seg000:00000000 ; ===========================================================================
seg000:00000000
seg000:00000000 ; Segment type: Pure code
seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing

So IDA only lists cs:seg000, but no fs: segment.
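Added example, not part of the original thread and not rcer's or wx69wx2023's code. A procdump .dmp is a minidump (MDMP) container, not a memory image, so loading it in IDA as a raw binary gives one flat seg000 and nothing for fs: or gs:; those selectors are not memory regions a dump can describe. What fs:[0x30] (x86) or gs:[0x60] (x64) resolves to at runtime is the TEB's ProcessEnvironmentBlock pointer, and the TEB address of every thread is recorded in the minidump's ThreadListStream. The script below walks that chain with only the Python standard library: stream directory -> ThreadListStream (Teb) -> TEB+0x30/0x60 (PEB) -> PEB.ImageBaseAddress (+0x8/+0x10) -> AddressOfEntryPoint in the mapped PE optional header. Note that the PEB stores the image base but has no entry-point field; the entry point RVA lives in the PE header, which a full dump captures along with the rest of the image. Offsets follow minidumpapiset.h and winternl.h. It assumes a full-memory dump (procdump -ma), whose pages are listed in a Memory64ListStream; the dump it parses is constructed in build_sample_dump() so it runs offline and is not the SMU200A dump from the post.

```python
import struct

# Minidump constants from minidumpapiset.h (Windows SDK)
MDMP_SIGNATURE = 0x504D444D        # 'MDMP'
THREAD_LIST_STREAM = 3             # MINIDUMP_THREAD_LIST
MEMORY64_LIST_STREAM = 9           # MINIDUMP_MEMORY64_LIST (full-memory dumps, e.g. procdump -ma)


def stream_directory(dump):
    """Map stream type -> (rva, size) from the MINIDUMP_HEADER directory."""
    sig, _version, nstreams, dir_rva = struct.unpack_from("<IIII", dump, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump (missing MDMP signature)")
    streams = {}
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from("<III", dump, dir_rva + 12 * i)
        streams[stype] = (rva, size)
    return streams


def memory_ranges(dump, streams):
    """Return [(virtual_start, size, file_offset)] for every captured range."""
    rva, _size = streams[MEMORY64_LIST_STREAM]
    count, file_off = struct.unpack_from("<QQ", dump, rva)   # NumberOfMemoryRanges, BaseRva
    ranges = []
    for i in range(count):
        start, size = struct.unpack_from("<QQ", dump, rva + 16 + 16 * i)
        ranges.append((start, size, file_off))
        file_off += size              # range contents are stored back to back from BaseRva
    return ranges


def read_va(dump, ranges, va, n):
    """Read n bytes at process virtual address va by translating through the range table."""
    for start, size, off in ranges:
        if start <= va and va + n <= start + size:
            o = off + (va - start)
            return dump[o:o + n]
    raise KeyError(f"VA {va:#x} not captured in the dump")


def locate_entry_point(dump, is64=True):
    """TEB -> PEB -> ImageBaseAddress -> PE optional header AddressOfEntryPoint."""
    streams = stream_directory(dump)
    ranges = memory_ranges(dump, streams)
    # MINIDUMP_THREAD: ThreadId, SuspendCount, PriorityClass, Priority (u32 each), then Teb (u64)
    rva, _ = streams[THREAD_LIST_STREAM]
    (nthreads,) = struct.unpack_from("<I", dump, rva)
    if nthreads == 0:
        raise ValueError("thread list is empty")
    (teb,) = struct.unpack_from("<Q", dump, rva + 4 + 16)
    # fs:[0x30] / gs:[0x60] at runtime is TEB.ProcessEnvironmentBlock;
    # PEB.ImageBaseAddress sits at +0x8 (x86) / +0x10 (x64).
    ptr, peb_off, base_off = ("<Q", 0x60, 0x10) if is64 else ("<I", 0x30, 0x8)
    psize = struct.calcsize(ptr)
    (peb,) = struct.unpack(ptr, read_va(dump, ranges, teb + peb_off, psize))
    (image_base,) = struct.unpack(ptr, read_va(dump, ranges, peb + base_off, psize))
    # The PEB has no entry-point field; read it from the mapped PE header instead.
    (e_lfanew,) = struct.unpack("<I", read_va(dump, ranges, image_base + 0x3C, 4))
    pe = image_base + e_lfanew
    if read_va(dump, ranges, pe, 4) != b"PE\0\0":
        raise ValueError("no PE signature at ImageBaseAddress")
    # IMAGE_NT_HEADERS: Signature(4) + IMAGE_FILE_HEADER(20), then AddressOfEntryPoint at OptionalHeader+0x10
    (ep_rva,) = struct.unpack("<I", read_va(dump, ranges, pe + 24 + 0x10, 4))
    return {"teb": teb, "peb": peb, "image_base": image_base, "entry_point": image_base + ep_rva}


def build_sample_dump(is64=True):
    """Constructed minidump (not a real capture): one thread, a TEB/PEB page pair, one image header page."""
    if is64:
        image_base, teb, ptr, peb_off, base_off = 0x140000000, 0x7FF700000000, "<Q", 0x60, 0x10
    else:
        image_base, teb, ptr, peb_off, base_off = 0x400000, 0x7FFDE000, "<I", 0x30, 0x8
    peb, ep_rva = teb + 0x1000, 0x1234
    sys_page = bytearray(0x2000)                       # TEB page followed by PEB page
    struct.pack_into(ptr, sys_page, peb_off, peb)
    struct.pack_into(ptr, sys_page, 0x1000 + base_off, image_base)
    img_page = bytearray(0x1000)                       # MZ header, e_lfanew = 0x80, PE header
    img_page[0:2] = b"MZ"
    struct.pack_into("<I", img_page, 0x3C, 0x80)
    img_page[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", img_page, 0x80 + 24 + 0x10, ep_rva)
    # File layout: header(32) | directory(2*12) | thread list(4+48) | mem64 list(16+2*16) | range data
    thread = struct.pack("<IIIIQQIIII", 1, 0, 0x20, 0, teb, 0, 0, 0, 0, 0)
    thread_list = struct.pack("<I", 1) + thread
    mem_list = (struct.pack("<QQ", 2, 156)
                + struct.pack("<QQ", teb, len(sys_page))
                + struct.pack("<QQ", image_base, len(img_page)))
    header = struct.pack("<IIIIIIQ", MDMP_SIGNATURE, 0xA793, 2, 32, 0, 0, 0)
    directory = (struct.pack("<III", THREAD_LIST_STREAM, len(thread_list), 56)
                 + struct.pack("<III", MEMORY64_LIST_STREAM, len(mem_list), 108))
    return bytes(header + directory + thread_list + mem_list + sys_page + img_page)


if __name__ == "__main__":
    for bits in (True, False):
        r = locate_entry_point(build_sample_dump(bits), is64=bits)
        print({k: hex(v) for k, v in r.items()})
```

On a real capture call locate_entry_point(open(path, "rb").read(), is64=...) with the bitness of the dumped process; the returned entry_point is the VA to jump to once the image pages are loaded at their original bases. A KeyError from read_va means that page was not captured, which is what you get from a non-full dump (procdump without -ma) that only carries stacks and a MemoryListStream.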