- Category:
- Windows CE
- Tags:
- [Text]
- File Size:
- 2kb
- Update:
- 2012-11-26
- Downloads:
- 0 Times
- Uploaded by:
- 王明
Description: KeCapturePersistentThreadState captures the current thread and obtains the contents of the _DUMP_HEADER structure. The interesting parts are DumpHead->PsLoadedModuleList, DumpHead->PsActiveProcessHead, DumpHead->PfnDataBase...
The next step is to write the contents of the _DUMP_HEADER structure to a DMP file: ZwCreateFile -> ZwWriteFile...
File list (Check if you may need any files):
模仿dmp文件转存.txt