|
|
|
|
|
|
NirCmd Command Reference - memdump
|
memdump [process] [dump file] [bytes per line] {bytes to read} {start address} {nohex} {noascii}
Reads the memory of process according to the parameters you specify, and writes it
into a text file.
The parameters:
- [process]: The process that you want to dump its
memory. You can specify the full path of the process filename, the process name only,
or the Process ID - by adding the '/' chararcter as prefix (e.g.: /520)
- [dump file]: The filename to save the memory content
of the specified process.
- [bytes per line]: Number of memory bytes per line
in the saved dump file.
- {bytes to read}: Number of bytes to read.
- {start address}: Start the dumping process from this memory address.
- {nohex}: Optional. If you specify this parameter, the memory data won't be saved in Hexadecimal format.
- {noascii}: Optional. If you specify this parameter, the memory data won't be saved in Ascii format.
Examples:
memdump iexplore.exe "c:\temp\dump.txt" "16" "0x10000" "0x400000"
memdump calc.exe "c:\temp\calc.txt" "32" "0x30000" "0x400000" nohex
memdump /525 "c:\temp\dump.txt" "16" "0x100000" "0x120000" noascii
Other commands:
NirCmd Web Page
Download NirCmd
NirSoft Web Site
|
|
|
