利用windbg的插件pykd以虚拟地址导出虚拟机的整个内存

import sysfrom pykd import *import stringimport ospagesize = 0x1000   #32位进程页大小为4KBlooptime = 0x100000000 / 0x1000def getmem():#    for i in 262144    temp_filepath = "F:\Temp_memory"    #保存当前页    whole_filepath = "F:\win7_whole_memory"    zero_filepath = "F:\zero_memory"    #4KB的0，当前页不存在时用0填充    whole_file = open(whole_filepath,'wb+')    zero_file = open(zero_filepath, 'rb')    zero_file_read = zero_file.read()        for i in range(looptime):        commandstr_dd = "dd " + hex(i * pagesize)[0:10] + " " + hex(i * pagesize + 1)[0:10]#        print commandstr_dd        result = dbgCommand(commandstr_dd)  #执行命令，如 dd FFDFF000        if(result[10:11] == '?'):           #命令输出? 表示当前页不存在            whole_file.write(zero_file_read)            else:                   commandstr = ".writemem " + temp_filepath + " " + hex(i * pagesize)[0:10] + " " + hex((i+1) * pagesize-1)[0:10]#            print commandstr            dbgCommand(commandstr)          #执行命令，如 .writemem F:\Temp_memory 00000000 00001000            temp_file = open(temp_filepath,'rb')            temp_file_read = temp_file.read()   #            print os.path.getsize(temp_filepath)                        whole_file.write(temp_file_read)            temp_file.close()    whole_file.close()        def run():    if not isWindbgExt():        if not loadDump( sys.argv[1] ):             dprintln( sys.argv[1] + " - load failed" )             return    if not isKernelDebugging():        dprintln( "not a kernel debugging" )        return                        getmem()if __name__ == "__main__":    run()