DMP Magic


This brief post again provides you with a snippet for your magic(5) file. It allows file(1) to determine whether a page file contains a memory dump. We will then use this information to extract the memory dump from pagefile.sys.

So here is the code for your magic(5):

0       string          PAGEDUMP
>0xf88  lelong          1               Microsoft Windows full memory dump
>0xf88  lelong          2               Microsoft Windows kernel memory dump
>0xf88  lelong          3               Microsoft Windows small memory dump
>0x068  lelong          x               \b, %d pages

After the crash dump has been written, the system is not restarted. Instead, pagefile.sys is extracted, for example using EnCase or the free FTK Imager. file(1) now identifies the memory dump contained in the page file:

$ file pagefile.sys 
pagefile.sys: Microsoft Windows full memory dump, 32653 pages

Now it's easy to extract the memory dump from the page file with the help of dd. The block size (bs) is set to 4096 bytes, which is the size of a memory page. Take the number of pages reported by file(1) and add 1 for the dump file header, giving the block count:

$ dd if=pagefile.sys of=memory.dmp bs=4096 count=32654
32654+0 records in
32654+0 records out
133750784 bytes (134 MB) copied, 5.85614 s, 22.8 MB/s

So it's no longer necessary to reboot a system in order to let savedump.exe create the memory dump file.
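The identification and extraction steps above, as an added Python example that is not part of the original post: it applies the same three tests as the magic(5) entry (PAGEDUMP signature, page count at 0x68, dump type at 0xf88), computes the dd block count as pages + 1, and carves that many pages from a constructed sample page file.

```python
import struct

PAGE_SIZE = 4096            # size of one memory page, as used for bs= in the dd command
SIGNATURE = b"PAGEDUMP"     # string at offset 0 in the magic(5) snippet
OFF_PAGES = 0x068           # lelong: number of pages in the dump
OFF_TYPE = 0xF88            # lelong: dump type (1 full, 2 kernel, 3 small)
DUMP_TYPES = {1: "full", 2: "kernel", 3: "small"}

def identify(header: bytes):
    """Apply the same tests as the magic(5) entry; return (type name, pages) or None."""
    if len(header) < OFF_TYPE + 4 or header[:8] != SIGNATURE:
        return None
    (pages,) = struct.unpack_from("<l", header, OFF_PAGES)
    (dump_type,) = struct.unpack_from("<l", header, OFF_TYPE)
    return DUMP_TYPES.get(dump_type, "unknown type %d" % dump_type), pages

def dump_length(pages: int) -> int:
    """Bytes to copy: the reported pages plus one page for the dump header (dd count=pages+1)."""
    return (pages + 1) * PAGE_SIZE

def carve(pagefile: bytes) -> bytes:
    """Return the memory dump carved from the start of the page file, or b'' if none is found."""
    ident = identify(pagefile[:OFF_TYPE + 4])
    if ident is None:
        return b""
    return pagefile[:dump_length(ident[1])]

# Constructed sample (not a real dump): a header page announcing a 3-page full dump,
# followed by 3 pages of dump data and then leftover page-file contents.
def make_sample() -> bytes:
    header = bytearray(PAGE_SIZE)
    header[:8] = SIGNATURE
    struct.pack_into("<l", header, OFF_PAGES, 3)
    struct.pack_into("<l", header, OFF_TYPE, 1)
    body = b"".join(bytes([i]) * PAGE_SIZE for i in (1, 2, 3))
    return bytes(header) + body + b"\xff" * (2 * PAGE_SIZE)

if __name__ == "__main__":
    sample = make_sample()
    print(identify(sample))          # ('full', 3)
    print(len(carve(sample)))        # 16384
    print(dump_length(32653))        # 133750784, the byte count dd reported above
```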

2 Comments

Andreas, I can't seem to follow you here... what is magic(5)? Where do you insert this code?

Thank You!

Hi Tim,

"magic(5)" is a common notation in the UNIX world. It says that the manual page for "magic" can be found in section no. 5 of the online manual. This section provides information about file formats and conventions. So, on a UNIX host, you'd type "man magic 5" to get more information. Does this answer your question?


Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.