Decomposing Memory Dumps via DumpFilter

This research was motivated during the work on a memory dump differing tool called DumpLogic that can do logical and arithmetic operations between memory snapshots, for example, take a difference between them for further visualization. This tool resulted in another simple tool called DumpFilter. The latter allows filtering certain unsigned integer (DWORD) values from a memory dump (or any binary file) by replacing them with 0xFFFFFFFF and all other values with 0×00000000. The resultant binary file can be visualized by any data visualization package or transformed to a bitmap file using Dump2Picture (Volume 1, page 532) to see the distribution of filtered values.

As a filtering example we used TestDefaultDebugger64 (Volume 1, page 641) to generate a process user memory dump. It was converted to a BMP file by Dump2Picture: