Picturing Computer Memory

An alternative to converting whole memory dumps to picture files is to save a memory range to a binary file and then convert that file to a BMP. This lets you view a particular DLL or driver mapped into the address space, a heap or pool region, etc.

To save a memory range to a file, use the WinDbg .writemem command:

.writemem d2p-range.bin 00800000 0085e000

or

.writemem d2p-range.bin 00400000 L20000

I wrote a WinDbg script that saves a specified memory range and then calls a shell script which automatically converts the saved binary file to a BMP file and then runs whatever picture viewer is registered for the .bmp extension.

The WinDbg script code (mempicture.txt):

.writemem d2p-range.bin ${$arg1} ${$arg2}
.if (${/d:$arg3})
{
  .shell -i- mempicture.cmd d2p-range ${$arg3}
}
.else
{
  .shell -i- mempicture.cmd d2p-range
}

The shell script (mempicture.cmd):

dump2picture %1.bin %1.bmp %2
%1.bmp

Because the WinDbg installation folder is assumed to be the current directory, both scripts and Dump2Picture.exe should be copied to the folder where windbg.exe is located. On my system it is

C:\Program Files\Debugging Tools for Windows

Both scripts are now included in the Dump2Picture package, available for free download:

Dump2Picture package

To call the script from WinDbg, use the following command:

$$>a< mempicture.txt Range [bits-per-pixel]

where Range is given either as Address1 Address2 or as Address Lxxx, and bits-per-pixel can be 8, 16, 24 or 32. By default it is 32.
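The conversion step itself, as an added example and not Dump2Picture's own code: a Python script that wraps a file saved by .writemem into an uncompressed BMP, treating every 8, 16, 24 or 32 bits of the dump as one pixel. The row width of 256 pixels and the top-down row order are my assumptions, since the post does not state how Dump2Picture lays out the image.

```python
import struct
import sys

FILE_HEADER_LEN = 14   # BITMAPFILEHEADER
INFO_HEADER_LEN = 40   # BITMAPINFOHEADER


def raw_to_bmp(data: bytes, width: int = 256, bpp: int = 32) -> bytes:
    """Wrap raw memory bytes into an uncompressed BMP, bpp bits of dump per pixel.

    width (pixels per row) is an assumed default; a partial last row is zero-filled.
    """
    if bpp not in (8, 16, 24, 32):
        raise ValueError("bits-per-pixel must be 8, 16, 24 or 32")
    stride = width * (bpp // 8)
    padded = (stride + 3) & ~3            # BMP rows are aligned to 4 bytes
    height = max(1, (len(data) + stride - 1) // stride)
    rows = []
    for r in range(height):
        row = data[r * stride:(r + 1) * stride]
        rows.append(row.ljust(padded, b"\x00"))
    pixels = b"".join(rows)
    # 8-bit DIBs are palette-indexed: a grey ramp so byte value == brightness.
    # 16-bit with BI_RGB (compression 0) is interpreted by Windows as 5-5-5 RGB.
    palette = b"".join(struct.pack("<BBBB", i, i, i, 0) for i in range(256)) if bpp == 8 else b""
    offset = FILE_HEADER_LEN + INFO_HEADER_LEN + len(palette)
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    # Negative height = top-down DIB, so the first row holds the lowest address.
    info_header = struct.pack("<IiiHHIIiiII", INFO_HEADER_LEN, width, -height,
                              1, bpp, 0, len(pixels), 2835, 2835,
                              256 if bpp == 8 else 0, 0)
    return file_header + info_header + palette + pixels


def convert_file(src: str, dst: str, bpp: int = 32, width: int = 256) -> int:
    """Convert a .writemem output file to a BMP; returns the BMP size in bytes."""
    with open(src, "rb") as f:
        bmp = raw_to_bmp(f.read(), width, bpp)
    with open(dst, "wb") as f:
        f.write(bmp)
    return len(bmp)


if __name__ == "__main__":
    # Same argument order as the post's mempicture.cmd: in.bin out.bmp [bits-per-pixel]
    chosen_bpp = int(sys.argv[3]) if len(sys.argv) > 3 else 32
    print(f"wrote {convert_file(sys.argv[1], sys.argv[2], chosen_bpp)} bytes")
```

Run it as `python raw2bmp.py d2p-range.bin d2p-range.bmp 24` from the folder holding the .writemem output; the resulting file opens in any BMP viewer.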

For example, I loaded a complete Windows x64 memory dump and visualized the HAL (hardware abstraction layer) module:

kd> lm
start             end                 module name
fffff800`00800000 fffff800`0085e000   hal
fffff800`01000000 fffff800`0147b000   nt
fffff97f`ff000000 fffff97f`ff45d000   win32k
...
...
...

kd> $$>a< mempicture.txt fffff800`00800000 fffff800`0085e000
Writing 5e001 bytes...

C:\Program Files\Debugging Tools for Windows>dump2picture d2p-range.bin d2p-range.bmp

Dump2Picture version 1.1
Written by Dmitry Vostokov, 2007

d2p-range.bmp
d2p-range.bin
        1 file(s) copied.

C:\Program Files\Debugging Tools for Windows>d2p-range.bmp
<.shell waiting 10 second(s) for process>
.shell: Process exited
kd>

and the Windows Picture and Fax Viewer application was launched and displayed the following picture:

Enjoy :-)

- Dmitry Vostokov @ DumpAnalysis.org -

9 Responses to “Picturing Computer Memory”

  1. Dmitry Vostokov Says:

    Security warning:

    http://www.dumpanalysis.org/blog/index.php/2007/08/15/memory-visualization-and-security/

  2. Dmitry Vostokov Says:

    Source code for Dump2Picture:

    http://www.dumpanalysis.org/blog/index.php/2008/02/05/dump2picture-v11-source-code/

  3. Crash Dump Analysis » Blog Archive » Music for Debugging: Visual Computer Memories Says:

    […] at computer memory visual images combined with listening to the incredible nostalgic music composed by Oystein Sevag is highly […]

  4. Crash Dump Analysis » Blog Archive » The First Computer Memory Visualization Book Says:

    […] Memory Dump Analysis Anthology, Volume 1 and Volume 2 have numerous articles related to computer memory visualization techniques using Dump2Picture and Microsoft debugger WinDbg. […]

  5. Crash Dump Analysis » Blog Archive » Visual Learning Guide to Stack Traces Says:

    […] Thread stackprints were generated from a complete memory dump using WinDbg scripts and Dump2Picture. […]

  6. Crash Dump Analysis » Blog Archive » Journey to the Centre of Pagefile Says:

    […] (0x7D9) - The Year of Debugging. I made a beautiful 100 x 18400 slice of pagefile.bmp generated by Dump2Picture using ImageMagick (1.5Mb JPEG […]

  7. Crash Dump Analysis » Blog Archive » Memory Map Visualization Tools (Revised) Says:

    […] WinDbg scripts […]

  8. Crash Dump Analysis » Blog Archive » Software Glitches as Art Says:

    […] with glitches on the cover similar to the fabric of memory and some pictures from inside remind me of natural memory visualization images you can find in the print form in DLL List Landscape: The Art from Computer Memory […]

  9. Crash Dump Analysis » Blog Archive » The Memory Visualization Question from Webinar Says:

    […] colorimetric structure of those regions: 0`00470000  0`007f0000 and 0`01f10000  0`02290000 using MemPicture WinDbg script and they seem to conform with the magnified picture […]
