[PATCH 0/5] Improve dumper megion region selection

Jon Turney jon.turney@dronecode.org.uk
Sat Jul 18 15:00:23 GMT 2020

Improve how dumper determines if a memory region should be dumped:

Currently we open and read the PE file for each module, and exclude regions
corresponding to sections marked 'DEBUGGING' or 'CODE'.

This doesn't work correctly if the DLL has been loaded to an address other
than the ImageBase recorded in the PE header.  It fails to produce a useful
dump if there's a collision in excluded region addresses (which will always
occur on x86_64, as kernel32.dll has an ImageBase which collides with the

This probably also doesn't produce correct dumps if the protection on memory
regions corresponding to 'CODE' sections is manipulated using VirtualProtect().

Instead, dump memory region based on their type, protection and sharability:

- state is MEM_COMMIT (i.e. is not MEM_RESERVE or MEM_FREE), and
-- type is MEM_PRIVATE and protection allows reads (i.e. not a guardpage), or
-- type is MEM_IMAGE and attribute is non-sharable (i.e. it was WC, got 
   written to, and is now a RW copy)

Jon Turney (5):
  Cygwin: Show details of all memory regions details in dumper debug
  Cygwin: Remove reading of PE for section flags from dumper
  Cygwin: Drop excluded regions list from dumper
  Cygwin: Don't dump non-writable image regions

 winsup/doc/utils.xml     |   8 +-
 winsup/utils/Makefile.in |   8 +-
 winsup/utils/dumper.cc   | 214 +++++++++++++++++++++++++++------------
 winsup/utils/dumper.h    |  19 ----
 winsup/utils/parse_pe.cc | 107 --------------------
 5 files changed, 155 insertions(+), 201 deletions(-)
 delete mode 100644 winsup/utils/parse_pe.cc


More information about the Cygwin-patches mailing list