I had a program (SQL Developer, specifically) freeze with some unsaved files open. I used the Sysinternals Process Explorer to create a dump file before killing the process. I really only lost a couple of hours of work, but I thought it would be a good learning experience to see what I could extract from the dump file. So far I have downloaded and run WinDbg and found my text with:
s -u 0x00000000 L?0xffffffff "text I know exists in my file"
From there I got the corresponding memory addresses and could view the text in the memory window, along with most of the file. However, from here I am a bit stuck. I know that I can use the du command to output text, but what strategy should I use to determine the start and end of the range? This is a 1 GB dump, so I can't simply dump 0x00000000 to 0xffffffff, since I would end up with a text file that most editors cannot open. Is there a way to simply dump user memory, or memory without code, etc.? It does not need to be perfect in any way. I was pleased that I could just open the dump file in the text panel, but the Unicode data is not displayed, only the ASCII (presumably because the text panel cannot determine the type, or because it is a 64-bit dump).
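One way to settle the start/end question without picking addresses by hand, as an added example that is not part of the original question: a small Python script that does outside WinDbg what `s -u` followed by `du` do inside it. It searches the dump file for the known string encoded as UTF-16LE, then expands to the whole run of printable UTF-16LE characters around the hit, which is exactly the range a `du` would need (or it just writes every such run to a UTF-8 file an editor can open). The dump bytes below are constructed for the example, and the "printable" character class (ASCII plus tab/CR/LF) is an assumption that should be widened for non-ASCII editor contents. Note that the offsets it reports are file offsets: a Process Explorer dump is a minidump, so the text is embedded verbatim but the file layout is not one-to-one with the process address space.

```python
"""Added example (not from the original post): find a known string in a
process dump and pull out the whole UTF-16LE text run around it, which is
the start/end range the question asks about.  Offsets are file offsets
into the dump, not virtual addresses."""
import re

# Constructed sample dump (not a real dump): binary noise, a UTF-16LE
# editor buffer, noise, a second unrelated string, noise.
SQL_TEXT = "SELECT id, name\r\nFROM employees\r\nWHERE hired > '2020-01-01';"
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00\xff\xfe"
    + SQL_TEXT.encode("utf-16-le")
    + b"\x00\x00\xde\xad\xbe\xef"
    + "unrelated text".encode("utf-16-le")
    + b"\x7f\x80"
)

# Assumption: "text" means printable ASCII plus TAB/CR/LF as UTF-16LE code
# units (printable low byte, zero high byte).  Widen the class for
# non-ASCII content.
_PRINTABLE_UNIT = rb"(?:[\x09\x0a\x0d\x20-\x7e]\x00)"


def find_text_runs(data, min_chars: int = 8):
    """Return [(file_offset, text), ...] for every run of at least
    min_chars printable UTF-16LE characters.  re tries every byte offset
    as a start, so strings at odd alignment are found as well."""
    pattern = re.compile(_PRINTABLE_UNIT + b"{%d,}" % min_chars)
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(data)]


def extract_run_containing(data, needle: str, min_chars: int = 8):
    """Equivalent of `s -u` followed by `du` with the range chosen for you:
    locate needle as UTF-16LE, then return (start, end, text) of the whole
    printable run that contains it, or None if the needle is absent."""
    hit = data.find(needle.encode("utf-16-le"))
    if hit < 0:
        return None
    for start, text in find_text_runs(data, min_chars):
        end = start + 2 * len(text)
        if start <= hit < end:
            return start, end, text
    return None


def write_runs(data, out_path: str, min_chars: int = 8) -> int:
    """Write every text run to a UTF-8 file with its offset as a header so
    the result opens in any editor; returns the number of runs written."""
    runs = find_text_runs(data, min_chars)
    with open(out_path, "w", encoding="utf-8") as f:
        for start, text in runs:
            f.write(f"=== offset 0x{start:x} ({len(text)} chars) ===\n{text}\n")
    return len(runs)


if __name__ == "__main__":
    import mmap
    import sys
    # Usage: python extract_text.py dump.dmp "text I know exists in my file"
    # mmap avoids reading a 1 GB dump into memory; re and .find() both
    # accept an mmap object.
    with open(sys.argv[1], "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        found = extract_run_containing(mm, sys.argv[2])
        if found is None:
            print("needle not found")
        else:
            start, end, text = found
            print(f"run at file offset 0x{start:x}-0x{end:x}:\n{text}")
```

Raising `min_chars` cuts down on noise from short byte pairs that happen to look like text; lowering it recovers short fragments at the cost of more junk. Because the scan keys on the encoding rather than on any dump structure, the same function works on a raw memory image, a minidump, or a hiberfil, which is also why it reports file offsets rather than addresses.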