process dump v2.0

Process-Dump v2.0 ~ Windows tool for dumping malware PE files from memory.

Changelog Process-Dump v2.0:
+ Added a new flag '-closemon' which runs Process Dump in a monitoring mode: it pauses and dumps any process just as it closes. This is designed to work well with malware analysis sandboxes, making sure malware is dumped from memory before the malicious process closes.
+ Upgraded Process Dump to be multi-threaded. Commands that dump or hash multiple processes run a separate thread per operation. The default number of threads is 16, which speeds up dumping significantly.
+ Upgraded Process Dump to dump unattached code chunks found in memory. These are identified as executable regions in memory that are not attached to a module and do not have a PE header. To reduce noise, a code chunk must also reference at least 2 imports to be considered valid. When dumped, a PE header is recreated along with an import table. Code chunks are fully supported by the clean hash database.
+ Added flags to control the file path of the clean hash database and the output folder for dumped files.
+ Fixed a crash when generating the clean hash database from a user-supplied path.
+ Fixed the '-g' flag that forces generation of PE headers. Previously, system dumps (-system) ignored this flag when dumping a process even if it was set.
+ Various performance improvements.
+ Upgraded project to VS2015.
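As an added illustration of the code-chunk detection described in the changelog (example code written for this page, not Process Dump's own implementation): a small model of the heuristic run over constructed memory regions. The region layout, the resolved-import table and the sample bytes are all invented for the demo; a real scanner would read them from the target process with the Windows memory APIs.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class Region:
    """One memory region as a scanner would see it (constructed sample, not a real dump)."""
    base: int
    data: bytes
    executable: bool
    module: Optional[str]  # owning module when the region is part of a loaded PE

# Constructed resolved-import table: absolute address -> import name (x64 assumed).
IMPORTS = {
    0x7FF8_0000_1000: "kernel32.dll!VirtualAlloc",
    0x7FF8_0000_1008: "kernel32.dll!CreateThread",
    0x7FF8_0000_2000: "ws2_32.dll!connect",
}

def referenced_imports(data: bytes, imports=IMPORTS) -> set:
    """Distinct imports whose 8-byte address appears anywhere in the region.
    Every byte offset is tested because immediates inside instructions are not aligned."""
    found = set()
    for off in range(len(data) - 8 + 1):
        value = struct.unpack_from("<Q", data, off)[0]
        if value in imports:
            found.add(imports[value])
    return found

def is_code_chunk(region: Region, min_imports: int = 2) -> bool:
    """The changelog's heuristic: executable, not owned by a module, no PE
    header, and at least min_imports distinct imports referenced."""
    if not region.executable or region.module is not None:
        return False
    if region.data[:2] == b"MZ":
        return False  # a full PE image: the normal PE dumper handles it
    return len(referenced_imports(region.data)) >= min_imports

def find_code_chunks(regions) -> list:
    """Base addresses of regions that qualify as dumpable code chunks."""
    return [r.base for r in regions if is_code_chunk(r)]

def _blob(*addrs, head=b"") -> bytes:
    """Constructed region contents: NOPs, then one 'mov rax, imm64' per address."""
    return head + b"\x90" * 5 + b"".join(b"\x48\xb8" + struct.pack("<Q", a) for a in addrs)

SAMPLE_REGIONS = [  # constructed, illustrative only
    Region(0x1A0000, _blob(0x7FF8_0000_1000, 0x7FF8_0000_1008), True, None),  # injected code, 2 imports
    Region(0x1B0000, _blob(0x7FF8_0000_2000), True, None),  # only 1 import: filtered as noise
    Region(0x7FF8_0000_0000, _blob(0x7FF8_0000_1000, 0x7FF8_0000_2000), True, "ntdll.dll"),  # module-owned
    Region(0x1C0000, _blob(0x7FF8_0000_1000, 0x7FF8_0000_1008, head=b"MZ"), True, None),  # has PE header
    Region(0x2D0000, _blob(0x7FF8_0000_1000, 0x7FF8_0000_1008), False, None),  # data, not executable
]
```

Only the first region survives all four checks; the others show why each filter exists (module-owned code, images with a PE header, data that merely contains API pointers, and single-import regions are all left out).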

Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis. This is a common task for malware researchers who need to dump unpacked or injected code back to disk for analysis with static analysis tools such as IDA.

Windows tool for dumping malware PE files from memory back to disk for analysis

Process Dump works on 32- and 64-bit operating systems, uses an aggressive import reconstruction approach, and allows dumping of regions without PE headers; in these cases PE headers and import tables are generated automatically. Process Dump supports creation and use of a clean-hash database, so that dumping of clean files such as kernel32.dll can be skipped.

Example Usage:

Download the executable for Windows 32 and 64 bit: pd_v2.0.zip
or build it yourself from source using Visual Studio:

Source : https://github.com/glmcdona | Our Post Before