Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis. This is a common task for malware researchers who need to dump unpacked or injected code back to disk for analysis with static analysis tools such as IDA.
Process Dump works for 32 and 64 operating systems, uses an aggressive import reconstruction approach, and allows for dumping of regions without PE headers – in these cases PE headers and import tables will automatically be generated. Process Dump supports creation and use of a clean-hash database, so that dumping of clean files such as kernel32.dll can be skipped
Dump all modules from all processes (ignoring known clean modules):
Dump all modules from a specific process identifier:
pd64.exe -pid 0x18A
Dump all modules by process name:
pd64.exe -p .chrome.
Build clean-hash database. These hashes will be used to exclude modules from dumping with the above commands:
pd64.exe -db gen
Dump code from a specific address in PID 0x1a3:
pd64.exe -pid 0x1a3 -a 0xffb4000 Generates two files (32 and 64 bit) that can be loaded for analysis in IDA with generated PE headers and generated import table: notepad_exe_x64_hidden_FFB40000.exe notepad_exe_x86_hidden_FFB40000.exe