
I am interested in the internals of ProcDump (a Sysinternals utility): is it essentially a debugger? How does it manage to dump a process on exceptions, first chance exceptions and even managed (CLR) exceptions?

I can see that it has imports such as DebugActiveProcess from kernel32.dll. Its strings also contain names of CLR libraries so I assume it dynamically loads them to make use of the CLR debugging API (although I don't see mscordbi.dll in the strings - should I?).

Thomas Weller
qpp

1 Answer

I will try to give an elementary answer to my own question, after taking a look at ProcDump with IDA Pro.

At least for the unmanaged side, ProcDump seems to make use of the Win32 debugging API: it uses DebugActiveProcess and a debug loop of WaitForDebugEvent & ContinueDebugEvent. Then, depending on the startup parameters, it can e.g. inspect an exception and dump the contents from ReadProcessMemory into an I/O device.

qpp
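The attach-and-wait loop the answer describes, as an added example that is not ProcDump's code: it attaches with DebugActiveProcess, classifies each EXCEPTION_DEBUG_EVENT (the attach breakpoint, first chance, second chance), takes the snapshot with MiniDumpWriteDump rather than a hand-rolled ReadProcessMemory copy, and hands every real exception back with DBG_EXCEPTION_NOT_HANDLED so the watched process behaves exactly as it would with no debugger attached. The function names and the ProcDump `-e 1`-style option are assumptions; the classification logic builds anywhere, the loop itself only on Windows.

```c
/* Added example of a ProcDump-style exception watcher on the Win32 debugging API (not ProcDump's code). */
#include <stdbool.h>
#ifdef _WIN32
#include <windows.h>
#include <dbghelp.h>                 /* link with dbghelp.lib for MiniDumpWriteDump */
#else                                /* stand-ins so the decision logic builds off Windows */
#define DBG_CONTINUE              0x00010002
#define DBG_EXCEPTION_NOT_HANDLED 0x80010001
#define EXCEPTION_BREAKPOINT      0x80000003
#endif
enum action { ACT_SWALLOW, ACT_PASS, ACT_DUMP_AND_PASS };
static struct { bool dump_first_chance; bool seen_attach_break; } g_st;
void dumper_init(bool dump_first_chance)    /* dump_first_chance behaves like ProcDump -e 1 */
{ g_st.dump_first_chance = dump_first_chance; g_st.seen_attach_break = false; }
/* Classify one EXCEPTION_DEBUG_EVENT. The first breakpoint after DebugActiveProcess is the attach
 * breakpoint Windows injects and is swallowed; everything else goes back to the target unchanged.
 * Dump on second chance (unhandled) always, on first chance only when asked. CLR exceptions arrive
 * here too, as first-chance SEH code 0xE0434352. */
int dumper_on_exception(unsigned long code, bool first_chance) {
    if (code == EXCEPTION_BREAKPOINT && !g_st.seen_attach_break) {
        g_st.seen_attach_break = true;
        return ACT_SWALLOW;
    }
    return (!first_chance || g_st.dump_first_chance) ? ACT_DUMP_AND_PASS : ACT_PASS;
}
#ifdef _WIN32
int attach_and_watch(DWORD pid, bool dump_first_chance, const char *dump_path) {
    DEBUG_EVENT ev; dumper_init(dump_first_chance);
    if (!DebugActiveProcess(pid)) return 1;
    DebugSetProcessKillOnExit(FALSE);       /* detaching later must not kill the target */
    while (WaitForDebugEvent(&ev, INFINITE)) {
        DWORD status = DBG_CONTINUE;        /* non-exception events are simply resumed */
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
            int act = dumper_on_exception(ev.u.Exception.ExceptionRecord.ExceptionCode,
                                          ev.u.Exception.dwFirstChance != 0);
            if (act == ACT_DUMP_AND_PASS) { /* all target threads are suspended here */
                HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
                HANDLE f = CreateFileA(dump_path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
                MiniDumpWriteDump(h, pid, f, MiniDumpWithFullMemory, NULL, NULL, NULL);
                CloseHandle(f); CloseHandle(h);
            }
            if (act != ACT_SWALLOW) status = DBG_EXCEPTION_NOT_HANDLED;
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) break;
    }
    DebugActiveProcessStop(pid); return 0;
}
#endif
```

Returning DBG_CONTINUE for an ordinary fault would mark it handled and resume at the faulting instruction, so the target would fault again forever; that is why only the attach breakpoint is swallowed.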