Changelog Process-Dump v2.0:
+ Added new flag ‘-closemon’ which runs Process Dump in a monitoring mode. It will pause and dump any process just as it closes. This is designed to work well with malware analysis sandboxes, to be sure to dump malware from memory before the malicious process closes.
+ Upgraded Process Dump to be multi-threaded. Commands that dump or get hashes from multiple processes will run separate threads per operation. The default number of threads is 16, which speeds up dumping significantly.
+ Upgraded Process Dump to dump unattached code chunks found in memory. These are identified as executable regions in memory which are not attached to a module and do not have a PE header. To reduce noise, a code chunk must also refer to at least 2 imports to be considered valid. When dumped, a PE header is recreated along with an import table. Code chunks are fully supported by the clean hash database.
+ Added flags to control the filepath to the clean hash database as well as the output folder for dumped files.
+ Fix to generating clean hash database from user path that was causing a crash.
+ Fix to the flag ‘-g’ that forces generation of PE headers. Previously, even if this flag was set, system dumps (-system) would ignore it when dumping a process.
+ Various performance improvements.
+ Upgraded project to VS2015.
Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis. This is a common task for malware researchers who need to dump unpacked or injected code back to disk for analysis with static analysis tools such as IDA.
Process Dump works on 32- and 64-bit operating systems, uses an aggressive import reconstruction approach, and allows for dumping of regions without PE headers – in these cases PE headers and import tables will automatically be generated. Process Dump supports creation and use of a clean-hash database, so that dumping of clean files such as kernel32.dll can be skipped.
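The code-chunk criteria from the changelog (executable, not attached to a module, no PE header, at least 2 import references), as an added example that is not Process Dump's own code. It assumes 64-bit pointers and counts an import reference as an aligned pointer equal to a known export address, which is a simplification; all function names, addresses and region bytes are constructed for illustration.

```python
import struct

EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
MIN_IMPORT_REFS = 2                      # threshold stated in the changelog entry

def has_pe_header(data):
    """True if data starts with MZ and e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def import_refs(data, exports):
    """Names of known exports whose address appears as an aligned 64-bit pointer."""
    hits = set()
    for off in range(0, len(data) - 7, 8):
        value = struct.unpack_from("<Q", data, off)[0]
        if value in exports:
            hits.add(exports[value])
    return hits

def is_code_chunk(base, protect, data, modules, exports):
    """Apply the changelog's conditions to one memory region."""
    if (protect & 0xFF) not in EXEC_PROTECT:                 # not executable
        return False
    if any(lo <= base < lo + size for lo, size in modules):  # attached to a module
        return False
    if has_pe_header(data):                                  # not headerless
        return False
    return len(import_refs(data, exports)) >= MIN_IMPORT_REFS

# Constructed sample data (addresses, names and bytes are made up for illustration).
MODULES = [(0x7FF600000000, 0x20000)]                        # (base, size)
EXPORTS = {0x7FFA10001000: "kernel32!VirtualAlloc", 0x7FFA10002000: "kernel32!CreateThread"}
TWO = b"\x90" * 16 + struct.pack("<QQ", 0x7FFA10001000, 0x7FFA10002000)
ONE = b"\x90" * 16 + struct.pack("<QQ", 0x7FFA10001000, 0)
HEADERED = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(4) + TWO[16:]
SAMPLES = [  # (label, base, protect, data)
    ("unbacked-rx-2-imports", 0x1A0000, 0x20, TWO),
    ("unbacked-rx-1-import", 0x1B0000, 0x20, ONE),
    ("module-backed-rx", 0x7FF600001000, 0x20, TWO),
    ("unbacked-rw-2-imports", 0x1C0000, 0x04, TWO),
    ("unbacked-rwx-pe-header", 0x1D0000, 0x40, HEADERED),
]
def code_chunks(samples=SAMPLES):
    return [label for label, base, prot, data in samples
            if is_code_chunk(base, prot, data, MODULES, EXPORTS)]

if __name__ == "__main__":
    print(code_chunks())
```

Only the first sample passes; each of the others fails exactly one of the four conditions, which shows why the import-reference threshold and the header check cut down noise from unbacked executable memory.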
Dump all modules from all processes (ignoring known clean modules):
Dump all modules from a specific process identifier:
pd64.exe -pid 0x18A
Dump all modules by process name:
pd64.exe -p .chrome.
Build clean-hash database. These hashes will be used to exclude modules from dumping with the above commands:
pd64.exe -db gen
Dump code from a specific address in PID 0x1a3:
pd64.exe -pid 0x1a3 -a 0xffb4000
Generates two files (32 and 64 bit) that can be loaded for analysis in IDA with generated PE headers and generated import table:
notepad_exe_x64_hidden_FFB40000.exe
notepad_exe_x86_hidden_FFB40000.exe
Download the executable for 32- and 64-bit Windows: pd_v2.0.zip
Or you can build it yourself using Visual Studio:
git clone https://github.com/glmcdona/Process-Dump && cd Process-Dump
Right-click pd.sln, open it with Visual Studio, then build the solution.