Exetools  

#1  03-06-2025, 23:46
rcer (Friend; Join Date: Dec 2008; Posts: 171)
Quote: Originally Posted by wx69wx2023
from chatgpt:
When analyzing a process dump from procdump, the dumped file is not a standard executable but a memory snapshot. Because of this, IDA won’t automatically find an entry point like it does with a PE file. Here’s how you can locate the entry point manually:

1. Check the PEB for the Entry Point

The Process Environment Block (PEB) contains information about the loaded executable, including the entry point. You can find this in the dump:

Open the memory dump in IDA.

Locate the PEB structure in memory (usually at fs:[0x30] in 32-bit processes or gs:[0x60] in 64-bit).

Find the ImageBaseAddress and EntryPoint fields.

Maybe I am missing something (or everything), but when I load the memory dump into IDA, I see the following:

seg000:00000000 ;
seg000:00000000 ; +-------------------------------------------------------------------------+
seg000:00000000 ; | This file was generated by The Interactive Disassembler (IDA) |
seg000:00000000 ; | Copyright (c) 2024 Hex-Rays, <[email protected]> |
seg000:00000000 ; | License info: 48-0000-0000-00 |
seg000:00000000 ; | TOM_RUS |
seg000:00000000 ; +-------------------------------------------------------------------------+
seg000:00000000 ;
seg000:00000000 ; Input SHA256 : 50CFFADE61B2095CA37D84FDAB1DCE4D5809D19208C0DC92102DD283132900D0
seg000:00000000 ; Input MD5 : 943FDC8ECCA542FAF3666B8A0E2ABCF4
seg000:00000000 ; Input CRC32 : 253FA370
seg000:00000000
seg000:00000000 ; File Name : E:\01-Support\01-Hardware\Rohde & Schwarz\03-Signal Generators\SMU200A\RCE\ComponentEnvironmentServer_240530_195655.dmp
seg000:00000000 ; Format : Binary file
seg000:00000000 ; Base Address: 0000h Range: 0000h - 1504CE2Fh Loaded length: 1504CE2Fh
seg000:00000000
seg000:00000000 .686p
seg000:00000000 .mmx
seg000:00000000 .model flat
seg000:00000000
seg000:00000000 ; ===========================================================================
seg000:00000000
seg000:00000000 ; Segment type: Pure code
seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing

So IDA lists only cs:seg000, but no fs: segment.