I am interested in the internals of ProcDump (a Sysinternals utility): is it essentially a debugger? How does it manage to dump a process on exceptions, first chance exceptions and even managed (CLR) exceptions?
I can see that it has imports such as DebugActiveProcess from kernel32.dll. Its strings also contain names of CLR libraries so I assume it dynamically loads them to make use of the CLR debugging API (although I don't see mscordbi.dll in the strings - should I?).
I will try to give an elementary answer to my own question, after taking a look at ProcDump with IDA Pro.
At least for the unmanaged side, ProcDump seems to make use of the Win32 debugging API: it uses DebugActiveProcess and a debug loop of WaitForDebugEvent & ContinueDebugEvent. Then, depending on the startup parameters, it can e.g. inspect an exception and dump the contents from ReadProcessMemory into an IO device.
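To make the loop described in this answer concrete, here is an added example (not code from the post and not ProcDump's own implementation) of a minimal attach-and-watch debugger built on exactly those calls: DebugActiveProcess, WaitForDebugEvent, ContinueDebugEvent and ReadProcessMemory. The `dump_policy` struct, its two constructor functions and the `dump_wanted`/`continue_status_for` helpers are hypothetical and only modelled on ProcDump's `-e` / `-e 1` switches; the exception and continue codes are the documented Windows SDK values, and 0xE0434352 is the SEH code the CLR raises for managed exceptions, which is why a purely native debug loop still sees managed first- and second-chance exceptions. The attach loop itself is compiled only under `_WIN32`; a real tool would write a minidump with MiniDumpWriteDump (dbghelp) where this example merely reads a few bytes at the faulting address.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Well-known exception and continue codes from the Windows SDK / CLR, spelled out so the
 * policy logic compiles and can be tested on any platform. */
#define EXC_ACCESS_VIOLATION  0xC0000005u
#define EXC_BREAKPOINT        0x80000003u
#define EXC_CLR_MANAGED       0xE0434352u  /* "CCR": SEH code the CLR uses for managed exceptions */
#define CONT_HANDLED          0x00010002u  /* DBG_CONTINUE */
#define CONT_NOT_HANDLED      0x80010001u  /* DBG_EXCEPTION_NOT_HANDLED */

/* Hypothetical policy modelled on ProcDump's -e / -e 1 switches (not ProcDump's own structures). */
typedef struct {
    int      on_first_chance;  /* dump when the target first sees the exception (before its handlers) */
    int      on_second_chance; /* dump when no handler took it (the process is about to die) */
    uint32_t only_code;        /* 0 = any exception code, otherwise dump only on this code */
} dump_policy;

dump_policy policy_unhandled_only(void)   { dump_policy p = {0, 1, 0}; return p; }
dump_policy policy_first_chance_clr(void) { dump_policy p = {1, 1, EXC_CLR_MANAGED}; return p; }

/* Should this EXCEPTION_DEBUG_EVENT trigger a dump? */
int dump_wanted(dump_policy p, uint32_t code, int first_chance)
{
    if (code == EXC_BREAKPOINT)                      /* attach breakpoint and INT3s: never dump */
        return 0;
    if (p.only_code != 0 && p.only_code != code)
        return 0;
    return first_chance ? p.on_first_chance : p.on_second_chance;
}

/* Continue status for ContinueDebugEvent so the target behaves as if no debugger were attached:
 * swallow breakpoints (the one the system injects on attach would otherwise kill the process),
 * hand every other exception back so the target's own handlers get their chance. */
uint32_t continue_status_for(uint32_t code)
{
    return code == EXC_BREAKPOINT ? CONT_HANDLED : CONT_NOT_HANDLED;
}

#ifdef _WIN32
/* Attach, run the WaitForDebugEvent/ContinueDebugEvent loop, and on a matching exception read
 * the bytes at the faulting address with ReadProcessMemory. Returns the number of "dumps" taken. */
int watch_process(DWORD pid, dump_policy p)
{
    if (!DebugActiveProcess(pid)) return -1;
    HANDLE proc = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
    int dumps = 0;
    DEBUG_EVENT ev;
    while (WaitForDebugEvent(&ev, INFINITE)) {
        DWORD status = CONT_HANDLED;
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
            const EXCEPTION_RECORD *r = &ev.u.Exception.ExceptionRecord;
            int first = ev.u.Exception.dwFirstChance != 0;
            status = continue_status_for(r->ExceptionCode);
            if (dump_wanted(p, r->ExceptionCode, first)) {
                unsigned char buf[16]; SIZE_T n = 0;
                if (proc && ReadProcessMemory(proc, r->ExceptionAddress, buf, sizeof buf, &n))
                    printf("pid %lu: exception 0x%08lX (%s chance) at %p, %lu bytes read\n",
                           (unsigned long)pid, (unsigned long)r->ExceptionCode,
                           first ? "first" : "second", r->ExceptionAddress, (unsigned long)n);
                dumps++;
            }
        } else if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) {
            ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, CONT_HANDLED);
            break;
        } else if (ev.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT) {
            CloseHandle(ev.u.LoadDll.hFile);            /* the debug loop owns these file handles */
        } else if (ev.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT) {
            CloseHandle(ev.u.CreateProcessInfo.hFile);
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
    }
    if (proc) CloseHandle(proc);
    DebugActiveProcessStop(pid);
    return dumps;
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    if (argc < 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    int n = watch_process((DWORD)strtoul(argv[1], NULL, 10), policy_unhandled_only());
    printf("%d dump(s) taken\n", n);
    return n < 0 ? 1 : 0;
#else
    (void)argc; (void)argv;
    /* Off Windows, only the policy logic runs, on constructed events. */
    printf("AV, first chance, unhandled-only policy: %d\n",
           dump_wanted(policy_unhandled_only(), EXC_ACCESS_VIOLATION, 1));
    printf("CLR exception, first chance, CLR-only policy: %d\n",
           dump_wanted(policy_first_chance_clr(), EXC_CLR_MANAGED, 1));
    return 0;
#endif
}
```

The detail worth noticing for anyone replicating this is the continue status: returning DBG_EXCEPTION_NOT_HANDLED for everything except breakpoints is what lets a passive monitor observe a first-chance exception without changing the target's behaviour, because the exception is handed back to the target's own SEH/CLR handlers and only reappears as a second-chance event if none of them takes it.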