I had a program freeze (SQL Developer specifically) that had some unsaved files in it. I used Sysinternals’ Process Explorer to create a dump file before killing the process. I really only lost a couple of hours of work, but I thought it would be a good learning experience to see what I could extract from the dump file. So far I’ve downloaded and run WinDbg and have found my text with:
s -u 0x00000000 L?0xffffffff "text I know exists in my file"
From there I got the relevant memory addresses and could view the text in the memory window along with much of the file. However, from here I’m a bit stuck. I know I could use the du command to dump text, but what sort of strategy should I use to determine the begin and end range? This is a 1 Gig dump, so I’m nervous to dump 0x00000000 to 0xffffffff as I wouldn’t have a text file that most editors could open. Is there a way to just dump user memory or non-code memory, etc.? It doesn’t have to be perfect by any means. I was content just opening the dump file in TextPad, but Unicode data doesn’t show up, only the occasional ASCII (presumably because TextPad can’t detect the type or because it’s a 64-bit dump).
You could also try the strings.exe utility from sysinternals (now MS) and just redirect all the output (unicode and ascii) to a text file. Then search the text file (or just eye-ball it) for what you’re looking for.
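The following is an added example, not code from either post above, showing the two things the thread talks about: a minimal equivalent of strings.exe that pulls both ASCII and UTF-16LE (what WinDbg’s s -u searches) runs out of a raw dump, and a way to answer the “what begin and end range do I give du” question by locating a known phrase and then expanding outward until the bytes stop looking like text. The dump bytes below are constructed for the demonstration; the functions take any bytes-like object, including an mmap of a real 1 GiB dump file, so the whole file never has to be decoded at once.

```python
import mmap
import re
from typing import Iterator, List, Optional, Tuple

# Printable ASCII plus tab/CR/LF; a run shorter than min_len is noise
_ASCII_CLASS = rb"[\x20-\x7e\t\r\n]"


def extract_strings(data, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every ASCII or UTF-16LE run of at
    least min_len characters, sorted by offset. Equivalent in spirit to
    'strings.exe -a -u' redirected to a file."""
    ascii_re = re.compile(_ASCII_CLASS + rb"{%d,}" % min_len)
    # UTF-16LE text as seen in a dump: printable low byte followed by 0x00
    utf16_re = re.compile(rb"(?:" + _ASCII_CLASS + rb"\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort(key=lambda t: t[0])
    return found


def strings_from_file(path: str, min_len: int = 6) -> Iterator[Tuple[int, str, str]]:
    """Scan a dump file on disk via mmap so a large dump is not read into RAM."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            yield from extract_strings(mm, min_len)


def text_block_around(data, needle: str) -> Optional[Tuple[int, int, str]]:
    """Find `needle` as UTF-16LE (like 's -u' in WinDbg), then walk left and
    right over printable UTF-16LE code units. The (start, end) returned is
    the range you would hand to 'du' to dump that block of text."""
    pat = needle.encode("utf-16le")
    idx = data.find(pat)
    if idx < 0:
        return None

    def is_text_unit(pos: int) -> bool:
        # A code unit is two bytes; treat it as text only if the high byte is 0
        # and the low byte is printable ASCII or tab/CR/LF.
        if pos < 0 or pos + 1 >= len(data):
            return False
        lo, hi = data[pos], data[pos + 1]
        return hi == 0 and (0x20 <= lo <= 0x7E or lo in (9, 10, 13))

    start = idx
    while is_text_unit(start - 2):
        start -= 2
    end = idx + len(pat)
    while is_text_unit(end):
        end += 2
    return start, end, bytes(data[start:end]).decode("utf-16le")


# Constructed stand-in for a process dump: zero padding, a few non-text bytes,
# an ASCII path, then an unsaved editor buffer stored as UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MZ\x90\x00\x03\x00"                                  # binary junk
    + b"C:\\Users\\dev\\query.sql"                           # ASCII string
    + b"\x00\x00\xff\xfe"                                    # more junk
    + "SELECT id, name FROM employees\r\nWHERE dept = 'IT';".encode("utf-16le")
    + b"\x00\x00\x7f\x01\x02"
    + b"abc"                                                 # too short to report
    + b"\x00" * 8
)


if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_DUMP):
        print(f"0x{off:08x} {enc:8} {text!r}")
    hit = text_block_around(SAMPLE_DUMP, "FROM employees")
    if hit:
        start, end, text = hit
        print(f"du range: 0x{start:x} .. 0x{end:x}\n{text}")
```

Against a real dump, replace SAMPLE_DUMP with strings_from_file("memory.dmp") and redirect the output to a text file; text_block_around gives a defensible start and end for a single block rather than dumping the whole address space, and a lower min_len trades more noise for fewer missed fragments.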