Hello OSR community,
I am trying to implement an optimized memory dump mechanism.
The basic idea is that I want to dump READ/WRITE memory from a user-space process (e.g. firefox.exe) on specific events. The events on which my dumping mechanism is triggered are specific packets within the WSPSend/WSPRecv calls from mswsock.dll.
I have implemented a DLL which intercepts the send and recv calls inside the target process and performs the dumping when the dumping condition is triggered.
I use VirtualQueryEx to filter the memory regions. As mentioned before, I am interested in READ/WRITE memory. I also skip the thread stacks because I don't need them, even if they are READ/WRITE. The problem with this approach is that every dump is about 90 MB (firefox.exe).
To optimize the dump, the idea would be to track the memory which was written since the last dump. This should lead to smaller dumps on subsequent triggers.
The idea now would be to implement a kernel driver and utilize the additional information from kernel mode.
The previously mentioned DLL should now send a dump request to the driver (on the same trigger events) and the driver would perform the dumping.
What I have done so far is to traverse the process VAD tree and to retrieve the PTE while looping from the region start to the region end by adding 0x1000 to the start address. I encountered a few problems. First, I have to suspend all the threads except the running one within the user process (firefox.exe), otherwise the VAD traversal will result in a BSOD.
How can I implement a proper synchronization solution for the VAD traversal, such that the structure is not changed during the traversal? I have tried to use the eprocess->AddressCreationLock with the macro LOCK_ADDRESS_SPACE, which passes the EX_PUSH_LOCK to KeAcquireGuardedMutex, but the types seem not to be equal and it results in a BSOD. The operating system I am using for testing is Windows 7 64-bit SP1.
The macro LOCK_ADDRESS_SPACE uses the KeAcquireGuardedMutex function, which requires a PKGUARDED_MUTEX as parameter, but the AddressCreationLock is an EX_PUSH_LOCK in Win 7 (dumped with WinDbg).
I would like to get the pages modified since the last dump and only dump the changed ones, so that the dump size is minimal.
Does anybody know if this can be done in another way, and whether my approach may have any wrong assumptions?
Thanks in advance!