Visualizing Memory Dumps

As the first step towards Memory Dump Tomography I created a small program that interprets a memory dump as a picture. You can visualize crash dumps with it. The tool is available for free download:

Download Dump2Picture

Simply run it from the command prompt and specify full paths to a dump file and an output BMP file. By default the memory dump file is converted into a true-color, 32 bits-per-pixel bitmap. You can specify other values: 8, 16 and 24.

C:\Dump2Picture>Dump2Picture.exe

Dump2Picture version 1.0
Written by Dmitry Vostokov, 2007

Usage: Dump2Picture dumpfile bmpfile [8|16|24|32]

For example:

C:\Dump2Picture>Dump2Picture.exe MEMORY.DMP MEMORY.BMP 8

Dump2Picture version 1.0
Written by Dmitry Vostokov, 2007

MEMORY.BMP
MEMORY.DMP
        1 file(s) copied.

Below are some screenshots of bitmap files created by the tool. Think of them as visualized kernel or user address spaces.

Vista kernel memory dump (8 bits-per-pixel):

Vista kernel memory dump (16 bits-per-pixel):

Vista kernel memory dump (24 bits-per-pixel):

Vista kernel memory dump (32 bits-per-pixel):

Notepad process user memory dump (8 bits-per-pixel):

Notepad process user memory dump (16 bits-per-pixel):

Notepad process user memory dump (24 bits-per-pixel):

Notepad process user memory dump (32 bits-per-pixel):

Mspaint process user memory dump (32 bits-per-pixel):

Mspaint process user memory dump after loading “Toco Toucan.jpg” from Vista Sample Pictures folder (32 bits-per-pixel):

Citrix ICA client process (wfica32.exe) user memory dump (32 bits-per-pixel):

Enjoy :-)

- Dmitry Vostokov @ DumpAnalysis.org -

37 Responses to “Visualizing Memory Dumps”

  1. Volker von Einem Says:

    You are crazy ;-)

  2. ClickF1 Says:

    +1 =) May I see source code? :)
    P.S. Cool blog! Has to be bookmarked !

  3. Dmitry Vostokov Says:

    The algorithm is very simple: bitmap dimensions are calculated based on specified bits-per-pixel and the number of bytes in a dump. Then a small BMP header file is written with appropriate fields in BITMAPFILEHEADER and BITMAPINFOHEADER. Then I use system call to run copy shell command to append the dump file to that small BMP header file. The resulting file becomes the true BMP file.

    The same scheme is implemented for Dump2Wave where WAVEFILEHDR file is created first.

    In plain words crash dump bytes are just interpreted as sound or bitmap bytes. I’m planning to release source code soon after I do some code cleaning and release the next version of Dump2Picture where you can specify the optional initial bitmap width. The current version of Dump2Picture creates only squared bitmaps.

    Thanks,
    Dmitry

  4. ClickF1 Says:

    Thanks. Shall wait source code.:)

  5. Crash Dump Analysis » Blog Archive » Visualizing Memory Leaks Says:

    […] Dump2Picture can be used to explore memory leaks visually. I created the following small program in Visual C++ that leaks 64Kb every second: […]

  6. Dmitry Vostokov Says:

    Version 1.1 is available with improvements for 8 bits-per-pixel bitmaps:

    http://www.dumpanalysis.org/blog/index.php/2007/08/13/dump2picture-update-version-11/

  7. Dmitry Vostokov Says:

    I also created a script to visualize memory directly from WinDbg:

    http://www.dumpanalysis.org/blog/index.php/2007/08/15/picturing-computer-memory/

  8. Dmitry Vostokov Says:

    Security warning:

    http://www.dumpanalysis.org/blog/index.php/2007/08/15/memory-visualization-and-security/

  9. William Says:

    Nice tool!
    However… running it on a 900MB dump produces a 900MB bmp…
    Do you know of any tools to view such a large bmp on a machine with only 2GB RAM? does your tool allow for the generation of JPEGS?

  10. Dmitry Vostokov Says:

    Thanks! I was able to view 1Gb bmp on Windows 2004 x64 server with just 1Gb of memory using standard Windows Picture and Fax Viewer. However it took some time (5-10 minutes or so to load and display). I think with 2GB it might be a bit faster. If you want to convert to JPEG I’m sure there are plenty of command line tools available. I used ones long time ago in pre-Windows epoch.

  11. Yulia Says:

    Hiay, am absolutely knocked by the images you’ve created, let alone the way you kinda came across through! brilliant, awesome! Am gonna use them for my Theatre in Fashion Museum of labyrinths of dresses replicated by the audience for my further clothes development inspiration that is gonna be the proposal for performance at my uni’s project.
    Hope you don’t mind and again - thanks for such quality thinking.

    All the best,
    Yulia

  12. Dmitry Vostokov Says:

    Source code is available here:

    http://www.dumpanalysis.org/blog/index.php/2008/02/05/dump2picture-v11-source-code/

  13. Crash Dump Analysis » Blog Archive » Final TOC for MDAA Volume 1 Says:

    […] Note that the back cover image is the picture of Windows Vista 1Gb complete memory dump generated by Dump2Picture: […]

  14. Steven Says:

    You do realise that by placing an image of the Windows Vista 1Gb complete memory dump on the back cover of a book both violates copyright and intellectual property rights, as the picture is generated from copyrighted material ?

    Instead you may prefer to generate an image dump from some freeware application.

  15. Dmitry Vostokov Says:

    I disagree to the best of my understanding. Otherwise I would have been in trouble since August, 2007. This picture is just the visualized physical memory for illustration purposes only. What about disassembling a function to illustrate a bug? Or dumping memory like a thread structure? Or printing a screenshot from Performance Monitor or Task Manager to illustrate CPU spike? Or a stack trace from a complete memory dump? Does it violate copyright and intellectual property rights because it is generated from copyrighted material? What about the front cover then, showing book spines of hundreds of copyrighted books? If Microsoft asks me to remove the picture, certainly, I’ll do it and reprint the book. And, surely, a memory dump of a freeware program will definitely contain portions of copyrighted material, like ntdll.dll, kernel32.dll or accidental 3rd-party hooks. Regarding a complete memory dump copyrighted material might have been paged out from physical memory and not included in file contents. Do you admit that printing a CRC number violates property rights because it was generated from copyrighted material? Due to the mathematical nature of involved algorithms it is not possible to reconstruct binary code from the printed cover picture which could have been created artificially as well.

    I will also put a separate blog post addressing this issue.

    Thanks for bringing this to my attention,
    Dmitry

  16. Steven Says:

    “What about disassembling a function to illustrate a bug?” If that function is clearly copyrighted, then showing the disassembled code in another product (eg. a book) without copyright consent from the original owner, then yes, I would say it would be infringing copyright. However, things like “dumping memory like a thread structure? Or printing a screenshot from Performance Monitor or Task Manager to illustrate CPU spike?” would not be (but the first could violate the terms of a license agreement).

    A CRC number would not violate copyright, as there would be many different ways to arrive at the same value, as can be demonstrated quite easily (the same with many other hashing algorithms, such as MD5).

    However, how would you get the exact same picture as the one on the back of your book without attaching the dump to a BMP file header?

    The front cover is not showing copyrighted material, only book titles. However, if you copied the inside of those books into a buffer, and then appended that buffer to a BMP header to convert it into a picture, it would certainly then be in breach of copyright, wouldn’t you say?

  17. Dmitry Vostokov Says:

    Using my CRC example, there are many ways (different code and data) to get the same picture because it was first preprocessed and reduced from 16128×16128 to 2167×3254 format and further processed by JPEG algorithm. How would I get exactly the same picture from a different code and data? Exactly the same way I can generate the same CRC! Regarding the disassembly DMCA applies only to copyright protection systems like DRM and in EU we have Directive on the Legal Protection of Computer Programs that overrides license agreements in case of interoperability which memory dump analysis and visualization is all about.

  18. Dmitry Vostokov Says:

    Regarding this procedure “you copied the inside of those books into a buffer, and then appended that buffer to a BMP header to convert it into a picture” I would say that we have a different interpretation of the data if the original data is not possible to reconstruct or if there is ambiguity in original data reconstruction, like in CRC case. Also we will never get the same picture from different memory dumps even from the same system because memory contents and layout change with every CPU tick.

  19. Dmitry Vostokov Says:

    I actually found that a user dump of one of my applications is much better and vivid picture to illustrate. So I’ll replace the picture in the final book. To sleep better :-)

  20. Steven Says:

    :-)

  21. Crash Dump Analysis » Blog Archive » Colometric Computer Memory Dating (Part 1) Says:

    […] Dump2Picture image is this (0×00000000 address is at the […]

  22. deepesh reja Says:

    my laptop memory dumps. It shows “Vista Kernel Memory Dump:32-bit per pixel”. How can I correct it?

  23. Dmitry Vostokov Says:

    Specify different bits per pixel value in Dump2Picture parameters. Hope this helps :-)

  24. Crash Dump Analysis » Blog Archive » MDAA Volume 2 is coming out soon Says:

    […] Back cover features visualized virtual process memory generated from a memory dump of colometric computer memory dating sample using Dump2Picture. […]

  25. Crash Dump Analysis » Blog Archive » The First Computer Memory Visualization Book Says:

    […] 1 and Volume 2 have numerous articles related to computer memory visualization techniques using Dump2Picture and Microsoft debugger […]

  26. Crash Dump Analysis » Blog Archive » On Extraterrestrial Problem Says:

    […] quadrimemorillion of them in the absence of symbol files and suitable memory dump reader. Perhaps memory visualization techniques provide a direction to solving extraterrestrial problems too. This SETI association […]

  27. Crash Dump Analysis » Blog Archive » Memory Auralization: Computational Opera Says:

    […] computational operations into audible artifacts. Computational threads are fiber bundled with native memory visualization techniques to create audio and visual images of powerful memory topoi. This opens the new era […]

  28. Crash Dump Analysis » Blog Archive » The Art of Memory Corruption Says:

    […] as a pixel. The printing company initially rejected the interior of my DLL Art book containing pictures from process memory dumps because they thought that the art images were corrupt in PDF file I submitted. They accepted the […]

  29. Crash Dump Analysis » Blog Archive » Decomposing Memory Dumps via DumpFilter Says:

    […] file can be visualized by any data visualization package or transformed to a bitmap file using Dump2Picture to see distribution of filtered […]

  30. Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 26) Says:

    […] Note: it features a fragment from a B/W image generated by Dump2Picture. […]

  31. Crash Dump Analysis » Blog Archive » New Twitter Page Design Says:

    […] Twitter page for DumpAnalysis now has the background picture of a memory dump generated by Dump2Picture: […]

  32. Crash Dump Analysis » Blog Archive » Memory Map Visualization Tools (Revised) Says:

    […] Dump2Picture (Windows) […]

  33. Crash Dump Analysis » Blog Archive » Can A Memory Dump Be Blue? Says:

    […] it can. Here’s the Dump2Picture image of a kernel memory dump (3 GB) from a 128 GB […]

  34. Crash Dump Analysis » Blog Archive » Virtual to Physical Memory Mapping Says:

    […] to physical memory mapping on systems with paging like Windows. Here is another approach that uses natural memory visualization technique. An image of a user process was generated and juxtaposed to an image of kernel memory […]

  35. Crash Dump Analysis » Blog Archive » The Memory Visualization Question from Webinar Says:

    […] The image above was scaled by ImageMagic from a bitmap generated by Dump2Picture: […]

  36. Rick Says:

    Is it just me or are the images produced upside down?

  37. Dmitry Vostokov Says:

    Yes, they are upside down
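
The header scheme described in comment 3 (square dimensions from byte count and bits-per-pixel, then BITMAPFILEHEADER and BITMAPINFOHEADER in front of the dump bytes) and the upside-down rendering from comments 36 and 37, as an added C example that is not Dump2Picture's source. The names square_side, make_bmp_header and the top_down flag are hypothetical; 8 bits-per-pixel is left out because it also needs a color table, and bfSize is assumed to cover only the square image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BMP_HDR_SIZE 54u /* BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40) */

static void put_le16(uint8_t *p, uint32_t v) { p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, v); put_le16(p + 2, v >> 16); }

/* BMP pixel rows are padded to a multiple of 4 bytes. */
static uint64_t row_stride(uint64_t width, unsigned bpp) { return (width * bpp + 31) / 32 * 4; }

/* Side of the largest square whose pixel rows fit in dump_bytes. Returns 0 for
   an unsupported bpp, an empty dump, or a size the 32-bit BMP fields cannot hold. */
uint32_t square_side(uint64_t dump_bytes, unsigned bpp) {
    if ((bpp != 16 && bpp != 24 && bpp != 32) || dump_bytes > UINT32_MAX - BMP_HDR_SIZE)
        return 0;
    uint64_t side = 0;
    for (uint64_t bit = 1u << 16; bit; bit >>= 1) /* bitwise binary search */
        if (row_stride(side | bit, bpp) * (side | bit) <= dump_bytes)
            side |= bit;
    return (uint32_t)side;
}

/* Fills hdr and returns how many dump bytes become pixels (0 on error). */
uint32_t make_bmp_header(uint8_t *hdr, uint64_t dump_bytes, unsigned bpp, int top_down) {
    uint32_t side = square_side(dump_bytes, bpp);
    if (side == 0) return 0;
    uint32_t image = (uint32_t)(row_stride(side, bpp) * side);
    memset(hdr, 0, BMP_HDR_SIZE);      /* biCompression stays 0 (BI_RGB) */
    hdr[0] = 'B'; hdr[1] = 'M';        /* bfType */
    put_le32(hdr + 2, BMP_HDR_SIZE + image); /* bfSize (assumption: image only) */
    put_le32(hdr + 10, BMP_HDR_SIZE);  /* bfOffBits */
    put_le32(hdr + 14, 40);            /* biSize */
    put_le32(hdr + 18, side);          /* biWidth */
    /* Positive biHeight stores rows bottom-up, so dump offset 0 is drawn on the
       bottom row; a negative height makes the bitmap top-down. */
    put_le32(hdr + 22, top_down ? (uint32_t)(-(int32_t)side) : side);
    put_le16(hdr + 26, 1);             /* biPlanes */
    put_le16(hdr + 28, bpp);           /* biBitCount */
    put_le32(hdr + 34, image);         /* biSizeImage */
    return image;
}

int main(void) {
    uint8_t hdr[BMP_HDR_SIZE];
    uint32_t used = make_bmp_header(hdr, 1000000, 32, 1); /* constructed dump size */
    printf("%u of 1000000 dump bytes become pixels\n", (unsigned)used);
    return used ? 0 : 1;
}
```

Writing these 54 bytes followed by the dump bytes gives a file that image viewers open; every byte of the dump stays readable in the picture, so the bitmap needs the same handling as the dump itself.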
