From 4287ac6d3c75b33e9d62df75244885d3240e342f Mon Sep 17 00:00:00 2001
From: Alexander Vostres <alex.vostres@gmail.com>
Date: Wed, 23 Aug 2017 20:14:52 +0300
Subject: [PATCH] Initial commit

---
 .gitignore                        |   4 +
 Dumper.sln                        |  25 +++++
 Dumper/App.config                 |   8 ++
 Dumper/Dumper.csproj              |  50 ++++++++++
 Dumper/Program.cs                 | 154 ++++++++++++++++++++++++++++++
 Dumper/Properties/AssemblyInfo.cs |  35 +++++++
 Dumper/SafeProcessHandle.cs       |  30 ++++++
 LICENSE                           |  21 ++++
 README.md                         |  21 ++++
 9 files changed, 348 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Dumper.sln
 create mode 100644 Dumper/App.config
 create mode 100644 Dumper/Dumper.csproj
 create mode 100644 Dumper/Program.cs
 create mode 100644 Dumper/Properties/AssemblyInfo.cs
 create mode 100644 Dumper/SafeProcessHandle.cs
 create mode 100644 LICENSE
 create mode 100644 README.md

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f93df06
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+/.vs
+bin
+obj
+*.user
diff --git a/Dumper.sln b/Dumper.sln
new file mode 100644
index 0000000..7306aa7
--- /dev/null
+++ b/Dumper.sln
@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.26730.10
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Dumper", "Dumper\Dumper.csproj", "{F7BE8C16-6765-4B5E-9EA4-E13E6B8B580C}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{F7BE8C16-6765-4B5E-9EA4-E13E6B8B580C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{F7BE8C16-6765-4B5E-9EA4-E13E6B8B580C}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{F7BE8C16-6765-4B5E-9EA4-E13E6B8B580C}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{F7BE8C16-6765-4B5E-9EA4-E13E6B8B580C}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {74C43012-6EB3-4F30-B0A7-A3886ACE8BAF}
+	EndGlobalSection
+EndGlobal
diff --git a/Dumper/App.config b/Dumper/App.config
new file mode 100644
index 0000000..1d03b41
--- /dev/null
+++ b/Dumper/App.config
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+    <startup> 
+      <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/>
+      <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
+      <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>
+    </startup>
+</configuration>
diff --git a/Dumper/Dumper.csproj b/Dumper/Dumper.csproj
new file mode 100644
index 0000000..031eecf
--- /dev/null
+++ b/Dumper/Dumper.csproj
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{F7BE8C16-6765-4B5E-9EA4-E13E6B8B580C}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <RootNamespace>Dumper</RootNamespace>
+    <AssemblyName>Dumper</AssemblyName>
+    <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+    <TargetFrameworkProfile>Client</TargetFrameworkProfile>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="SafeProcessHandle.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="App.config" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>
\ No newline at end of file
diff --git a/Dumper/Program.cs b/Dumper/Program.cs
new file mode 100644
index 0000000..a46cd30
--- /dev/null
+++ b/Dumper/Program.cs
@@ -0,0 +1,154 @@
+using System;
+using System.Diagnostics;
+using System.Globalization;
+using System.IO;
+using System.IO.MemoryMappedFiles;
+using System.Linq;
+using System.Runtime.InteropServices;
+
+namespace Dumper
+{
+    [Flags]
+    public enum ProcessAccessFlags : uint
+    {
+        All = 0x001F0FFF,
+        Terminate = 0x00000001,
+        CreateThread = 0x00000002,
+        VirtualMemoryOperation = 0x00000008,
+        VirtualMemoryRead = 0x00000010,
+        VirtualMemoryWrite = 0x00000020,
+        DuplicateHandle = 0x00000040,
+        CreateProcess = 0x000000080,
+        SetQuota = 0x00000100,
+        SetInformation = 0x00000200,
+        QueryInformation = 0x00000400,
+        QueryLimitedInformation = 0x00001000,
+        Synchronize = 0x00100000
+    }
+
+    class Program
+    {
+        [DllImport("kernel32.dll", SetLastError = true)]
+        public static extern SafeProcessHandle OpenProcess(
+            ProcessAccessFlags processAccess,
+            bool bInheritHandle,
+            int processId
+        );
+        
+
+        [DllImport("kernel32.dll")]
+        public static extern bool ReadProcessMemory(IntPtr hProcess,
+            IntPtr lpBaseAddress, IntPtr lpBuffer, IntPtr dwSize, out IntPtr lpNumberOfBytesRead);
+
+
+        public static bool TryParse(string str, out long value)
+        {
+
+            return long.TryParse(str, NumberStyles.Any, CultureInfo.InvariantCulture, out value) ||
+                   TryParseHex(str, out value);
+        }
+        public static bool TryParseHex(string str, out long value)
+        {
+            value = 0;
+            if (str.Length < 3) return false;
+            if (!str.StartsWith("0x")) return false;
+
+            return long.TryParse(str.Substring(2), NumberStyles.HexNumber, CultureInfo.InvariantCulture, out value);
+        }
+
+        static void Main(string[] args)
+        {
+            if (args.Length != 3)
+            {
+                Console.WriteLine("Wrong argument count.\nUsage:\ndumper.exe <debugged process id or name> <memory_start_addr> <memory_length>");
+                return;
+            }
+
+            if (!TryParse(args[1], out var address))
+            {
+                Console.WriteLine($"Bad address value {args[1]}");
+                return;
+            }
+
+            if (!TryParse(args[2], out var length))
+            {
+                Console.WriteLine($"Bad length value {args[2]}");
+                return;
+            }
+
+            if (!int.TryParse(args[0], out var processId))
+            {
+                var processName = args[0];
+                var process = Process.GetProcessesByName(processName);
+                if (process.Length == 0)
+                {
+                    Console.WriteLine($"Process {processName} not found");
+                    return;
+                }
+                if (process.Length > 1)
+                {
+                    Console.WriteLine($"Found more than one instance of process with name {processName}");
+                    return;
+                }
+                processId = process.Single().Id;
+            }
+
+            using (var process = OpenProcess(ProcessAccessFlags.VirtualMemoryRead, false, processId))
+            {
+                if (process.IsInvalid)
+                {
+                    Console.WriteLine($"Opening process {processId} failed with error {Marshal.GetLastWin32Error()}");
+                    return;
+                }
+
+                var outFileName = $"{args[0]}-{args[1]}-{args[2]}";
+
+                outFileName = GetNextFreeName(outFileName, ".dmp");
+
+                Console.WriteLine($"Saving contents of process {processId} to {outFileName}");
+
+                try
+                {
+                    Dump(process, outFileName, new IntPtr(address), new IntPtr(length));
+                    Console.WriteLine("Done");
+                }
+                catch (Exception e)
+                {
+                    Console.WriteLine($"Writing file failed with exception {e}");
+                }
+            }
+        }
+
+        private static void Dump(SafeProcessHandle process, string outFileName, IntPtr address, IntPtr length)
+        {
+            using (var file = File.Create(outFileName))
+            using (var mmf = MemoryMappedFile.CreateFromFile(file, null, length.ToInt64(), MemoryMappedFileAccess.ReadWrite, null, HandleInheritability.None, false))
+            using (var accessor = mmf.CreateViewAccessor(0, 0, MemoryMappedFileAccess.Write))
+            {
+                var buffer = (SafeBuffer)accessor.SafeMemoryMappedViewHandle;
+                var ptr = buffer.DangerousGetHandle();
+                if (!ReadProcessMemory(process.DangerousGetHandle(), address, ptr, length, out var read))
+                {
+                    Console.WriteLine($"Reading process memory failed with error {Marshal.GetLastWin32Error()}");
+                }
+                if (read != length)
+                {
+                    Console.WriteLine($"Data was read partially - {read.ToInt64()} bytes out of {length.ToInt64()} bytes requested");
+                    file.SetLength(read.ToInt64());
+                }
+            }
+        }
+
+        private static string GetNextFreeName(string outFileName, string ext)
+        {
+            var currName = outFileName;
+            var counter = 0;
+            while (File.Exists(currName + ext))
+            {
+                counter++;
+                currName = $"{outFileName}({counter})";
+            }
+            return currName + ext;
+        }
+    }
+}
diff --git a/Dumper/Properties/AssemblyInfo.cs b/Dumper/Properties/AssemblyInfo.cs
new file mode 100644
index 0000000..75df373
--- /dev/null
+++ b/Dumper/Properties/AssemblyInfo.cs
@@ -0,0 +1,35 @@
+using System.Reflection;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("Dumper")]
+[assembly: AssemblyDescription("Simple partial memory dump tool")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("Alexander Vostres")]
+[assembly: AssemblyProduct("Dumper")]
+[assembly: AssemblyCopyright("Copyright © 2017 Alexander Vostres")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("f7be8c16-6765-4b5e-9ea4-e13e6b8b580c")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
diff --git a/Dumper/SafeProcessHandle.cs b/Dumper/SafeProcessHandle.cs
new file mode 100644
index 0000000..aa84c24
--- /dev/null
+++ b/Dumper/SafeProcessHandle.cs
@@ -0,0 +1,30 @@
+using System;
+using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
+
+public sealed class SafeProcessHandle : SafeHandleZeroOrMinusOneIsInvalid
+{
+    [DllImport("kernel32.dll", SetLastError = true)]
+    public static extern bool CloseHandle(IntPtr handle);
+
+    public SafeProcessHandle()
+        : base(true)
+    {
+    }
+
+    public SafeProcessHandle(IntPtr handle)
+        : base(true)
+    {
+        base.SetHandle(handle);
+    }
+
+    public void InitialSetHandle(IntPtr handlePtr)
+    {
+        handle = handlePtr;
+    }
+
+    protected override bool ReleaseHandle()
+    {
+        return CloseHandle(handle);
+    }
+}
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..8282e09
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Alexander Vostres
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..fd3653a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,21 @@
+Dumper
+======
+
+This is fairly simple tool to dump portion of process memory under Windows operating system.
+It's intended usage is to augment somewhat limited Memory View in Visual Studio in terms of copying process memory contents.
+
+Command syntax:
+```
+dumper.exe <debugged process id or name> <memory_start_addr> <memory_length>
+```
+
+Example usage:
+```
+Dumper.exe notepad 0x24D3EF98 0x17
+```
+
+This will find process called notepad.exe, open it, create file called notepad-0x24D3EF98-0x17.dmp and copy 23 bytes of data into file starting and memory address 0x24D3EF98.
+
+Both address and length can be hex or decimal sting, instead of process name it's possible to supply process ID in decimal format.
+
+Inspired by [StackOverflow answer](https://stackoverflow.com/a/8017023) and long gone user142207 (whoever that is!) 
\ No newline at end of file