Listening to Computer Memory
An alternative to converting whole memory dumps to sound files is to save a memory range to a binary file and then convert that file to a wave file. This approach is better for complete memory dumps, which can be several GB in size.
To save a memory range to a file, use the WinDbg .writemem command:
.writemem d2w-range.bin 00400000 00433000
or
.writemem d2w-range.bin 00400000 L200
I wrote a WinDbg script that saves a specified memory range and then calls a shell script, which automatically converts the saved binary file to a wave file and then runs whatever sound program is registered for the .wav extension. On many systems it is Microsoft Media Player unless you installed another third-party player.
The WinDbg script code (memsounds.txt):
.writemem d2w-range.bin ${$arg1} ${$arg2}
.if (${/d:$arg5})
{
.shell -i- memsounds.cmd d2w-range ${$arg3} ${$arg4} ${$arg5}
}
.elsif (${/d:$arg4})
{
.shell -i- memsounds.cmd d2w-range ${$arg3} ${$arg4}
}
.elsif (${/d:$arg3})
{
.shell -i- memsounds.cmd d2w-range ${$arg3}
}
.else
{
.shell -i- memsounds.cmd d2w-range
}
The shell script (memsounds.cmd):
dump2wave %1.bin %1.wav %2 %3 %4
%1.wav
Because the WinDbg installation folder is assumed to be the default directory, both scripts and Dump2Wave.exe should be copied to the same folder where windbg.exe is located. On my system it is
C:\Program Files\Debugging Tools for Windows
Both scripts are included in the Dump2Wave package available for free download:
To call the script from WinDbg use the following command:
$$>a< memsounds.txt Range [Freq] [Bits] [Channels]
where Range can be in Address1 Address2 or Address Lxxx format, Freq can be 44100, 22050, 11025 or 8000, Bits can be 8 or 16, and Channels can be 1 or 2. The defaults are 44100, 16, 2.
If you have a live debugging session or have loaded a crash dump, you can listen to a memory range immediately. For example, the range of memory from 00400000 to 00433000 interpreted as 44.1 kHz 16-bit stereo:
0:000> $$>a< memsounds.txt 00400000 00433000
Writing 33001 bytes...
C:\Program Files\Debugging Tools for Windows>dump2wave d2w-range.bin d2w-range.wav
Dump2Wave version 1.2.1
Written by Dmitry Vostokov, 2006
d2w-range.wav
d2w-range.bin
1 file(s) copied.
C:\Program Files\Debugging Tools for Windows>d2w-range.wav
.shell: Process exited
0:000>
or the same range interpreted as 8 kHz 8-bit mono:
0:000> $$>a< memsounds.txt 00400000 00433000 8000 8 1
Writing 33001 bytes...
C:\Program Files\Debugging Tools for Windows>dump2wave d2w-range.bin d2w-range.wav 8000 8 1
Dump2Wave version 1.2.1
Written by Dmitry Vostokov, 2006
d2w-range.wav
d2w-range.bin
1 file(s) copied.
C:\Program Files\Debugging Tools for Windows>d2w-range.wav
.shell: Process exited
0:000>
The script starts Windows Media Player on my system and I only need to push the play button to start listening.
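What the conversion step amounts to, as an added Python example (not the Dump2Wave source and not code from this post): the raw bytes of the saved range are wrapped, unchanged, in a PCM WAV header built from the Freq, Bits and Channels values listed above. The function names are hypothetical, and dropping a trailing partial sample frame is an assumption of this example; the post does not say how Dump2Wave treats a range whose length is not a whole number of frames.

```python
import io
import wave

# Parameter values the post lists for memsounds.txt / dump2wave.
FREQS, BITS, CHANNELS = (44100, 22050, 11025, 8000), (8, 16), (1, 2)


def raw_to_wav(raw: bytes, freq: int = 44100, bits: int = 16, channels: int = 2) -> bytes:
    """Wrap raw memory bytes in a RIFF/WAVE (PCM) container, unchanged."""
    if freq not in FREQS or bits not in BITS or channels not in CHANNELS:
        raise ValueError("unsupported freq/bits/channels combination")
    frame = (bits // 8) * channels          # bytes per sample frame
    usable = len(raw) - (len(raw) % frame)  # assumption: drop the partial frame
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(channels)
        w.setsampwidth(bits // 8)
        w.setframerate(freq)
        w.writeframes(raw[:usable])
    return buf.getvalue()


def describe(wav: bytes) -> dict:
    """Read the header back: this is what a player will see."""
    with wave.open(io.BytesIO(wav), "rb") as r:
        return {
            "channels": r.getnchannels(),
            "bits": r.getsampwidth() * 8,
            "freq": r.getframerate(),
            "frames": r.getnframes(),
            "seconds": r.getnframes() / r.getframerate(),
        }


def convert_file(src: str, dst: str, freq=44100, bits=16, channels=2) -> dict:
    """File-to-file form, e.g. convert_file('d2w-range.bin', 'd2w-range.wav')."""
    with open(src, "rb") as f:
        wav = raw_to_wav(f.read(), freq, bits, channels)
    with open(dst, "wb") as f:
        f.write(wav)
    return describe(wav)


if __name__ == "__main__":
    # Constructed stand-in for the 0x33001-byte range saved in the post.
    sample = bytes(i & 0xFF for i in range(0x33001))
    print(describe(raw_to_wav(sample)))
    print(describe(raw_to_wav(sample, 8000, 8, 1)))
```

The 0x33001-byte range has an odd length, so as 16-bit stereo (4 bytes per frame) one byte is left over, while as 8-bit mono every byte becomes a sample.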
Enjoy
- Dmitry Vostokov @ DumpAnalysis.org -
August 1st, 2007 at 7:41 am
Dmitry
You are simply amazing and one of the most creative people I have ever seen, this article is just simply amazing
and totally out of this world.
Thanks,
Manohara
August 1st, 2007 at 11:10 am
Thanks
August 1st, 2007 at 8:06 pm
Dmitry
Another idea,
dump memory, then make a BMP / image and see what it looks like,
Thanks,
Manohara
August 2nd, 2007 at 11:17 am
Manohara,
Will try to convert to BMP and let you know
Dump Tomography:
http://www.dumpanalysis.org/blog/index.php/2006/10/22/dump-tomography/
Thanks for reminding me. I was also thinking that images from several consecutive dumps can be used for “video” or even live process changes can be visualized like heap size, etc.
For user dumps this should be trivial. Complete memory dumps are snapshots of physical memory so I expect much noise there due to random page mapping. I think kernel memory dumps are stored as a virtual address range. If this is the case there is no need to reconstruct virtual address space from physical.
Thanks,
Dmitry
August 4th, 2007 at 4:26 pm
As promised here is Dump2Picture v1.0:
http://www.dumpanalysis.org/blog/index.php/2007/08/04/visualizing-memory-dumps/
August 12th, 2007 at 12:20 am
You are crazy
I’m shocked!
August 15th, 2007 at 3:51 pm
Security warning:
http://www.dumpanalysis.org/blog/index.php/2007/08/15/memory-visualization-and-security/
February 8th, 2008 at 12:32 pm
Source code for Dump2Wave:
http://www.dumpanalysis.org/blog/index.php/2008/02/08/dump2wave-v121-source-code/
September 8th, 2008 at 6:46 am
[…] music for this album will be written with the help of Dump2Wave technology Stay statically tuned to further […]
September 8th, 2008 at 8:42 am
Very creative person. Good luck man.
January 17th, 2009 at 9:57 am
[…] of a module, a product or a system built on December 12 (generated with the help of Dump2Wave) is more important characteristic than what they are saying. In order to grow December 12 […]
May 7th, 2009 at 12:35 pm
[…] is the enhanced version of Dump2Wave technology that allows to transform computational operations into audible artifacts. Threads are […]