#1
Jasi Native Assembly Dumper v1.1
Jasi Native Assembly Dumper v1.1 By Jasi2169
(Runtime Catcher + Static Resources Scanner)

JasiNativeDumper is a command-line tool for capturing native Windows modules as they are loaded at runtime. It works by spawning the target process and polling its loaded module list - so every LoadLibrary call made by the target, including ones made by packers, protectors, or custom loaders, is intercepted and the raw PE bytes are written to disk.

It also includes a static scanner that inspects any PE file for embedded executables or DLLs hiding inside resources of any type, managed DLLs loaded by a native host are also flagged and an anti-debug module that patches common debugger detection techniques before running the target.

Useful for reverse engineering packed or protected native applications where the real payload DLL is only extracted and loaded in memory at runtime, protected binary dumped might need PE reconstruction, fixing section raw offsets, rebuilding the import table etc as dumped is raw SizeOfImage byte copy.

Usage:

JasiNativeDumper --static <file>      Static scan for PE blobs in all resource types
JasiNativeDumper --target <file>      Spawn EXE and dump every module it loads
JasiNativeDumper --attach <pid>       Attach to already-running process by PID
JasiNativeDumper --out <dir>          Output directory (default: .\dumped)
JasiNativeDumper --dontskipknown      Also dump system/runtime DLLs, by default skip known

Examples:

JasiNativeDumper --static packed.exe --out C:\dumps
JasiNativeDumper --target game.exe --out C:\dumps
JasiNativeDumper --attach 1234 --out C:\dumps
JasiNativeDumper --target app.exe --dontskipknown --out C:\dumps

Notes:

-> Use Build x64 for targeting 64-bit processes, build x86 for targeting 32-bit processes.
-> Static scan works regardless of build bitness, one build can scan any PE file.
-> Anti-debug only runs in --target and --attach modes, not in --static mode.
-> Runtime dumps are captured from process memory, means packed or protected targets are dumped in their unpacked/loaded state which is more useful for analysis, binary dumped might need PE reconstruction, fixing section raw offsets, rebuilding the import table etc to be able to run.
-> Also dump .NET assemblies from resources as well as memory if found.
-> You can also run using RunCommand.bat directly!

Changelog:

v1.1 (02/Jun/2026)
- Now using --target, dumps main exe + all DLLs before any code runs, .data/.bss/CRT/Delphi RTL all in clean on-disk state, nothing initialized. Best for unpacked targets
- Now using --attach, dumps main exe + all DLLs from a running process, .data has runtime state (heap pointers, init flags, CRT tables). Before saving, cleans up BSS tail zero-fill regions and zeroes runtime pointers. Best for packed targets after unpacking, or any target that must run first to reach a dumpable state

v1.0 (01/Jun/2026)
- Initial Release

Download: (Pwd: Jasi2169) https://pixeldrain.com/u/aGGSTTLW

Last edited by Jasi2169; 06-03-2026 at 09:14.
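The static scan described in the post above can be illustrated with a small carver. This is an added example, not JasiNativeDumper's code: the post does not say how the tool detects blobs, so the approach here (follow each "MZ" to its e_lfanew, require a "PE\0\0" signature and a valid optional-header magic, and treat a non-empty CLR data directory as "managed") is an assumption, and the function names and sample bytes are made up for the illustration.

```python
import struct

def make_pe(machine, managed=False):
    """Constructed header-only PE used as sample input (not a real binary)."""
    opt_size = 240 if machine == 0x8664 else 224           # PE32+ vs PE32
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if machine == 0x8664 else 0x10B)
    dirs = opt_size - 128                                  # 16 data directories
    struct.pack_into("<I", opt, dirs - 4, 16)              # NumberOfRvaAndSizes
    if managed:                                            # entry 14 = CLR header
        struct.pack_into("<II", opt, dirs + 14 * 8, 0x2000, 72)
    return dos + b"PE\0\0" + coff + bytes(opt)

def parse_pe_at(blob, pos):
    """Return header facts if a plausible PE starts at pos, else None."""
    if pos + 64 > len(blob):
        return None
    nt = pos + struct.unpack_from("<I", blob, pos + 0x3C)[0]
    if nt + 26 > len(blob) or blob[nt:nt + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, nt + 4)
    opt = nt + 24
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (0x10B, 0x20B):
        return None
    dirs_off = 112 if magic == 0x20B else 96
    managed = False
    if opt_size >= dirs_off + 15 * 8 and opt + opt_size <= len(blob):
        count = struct.unpack_from("<I", blob, opt + dirs_off - 4)[0]
        rva, size = struct.unpack_from("<II", blob, opt + dirs_off + 14 * 8)
        managed = count > 14 and rva != 0 and size != 0
    return {"offset": pos, "machine": hex(machine),
            "dll": bool(chars & 0x2000), "managed": managed}

def scan_embedded_pe(blob):
    """Check every 'MZ' in blob; keep only hits with a valid NT header."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        hit = parse_pe_at(blob, pos)
        if hit:
            hits.append(hit)
        pos = blob.find(b"MZ", pos + 1)
    return hits

# Constructed resource blob: a stray "MZ" decoy, then two embedded images.
SAMPLE = b"MZ" + b"\x90" * 126 + make_pe(0x8664) + bytes(32) + make_pe(0x14C, True)
print(scan_embedded_pe(SAMPLE))
```

The decoy at offset 0 is rejected because its e_lfanew points outside the buffer, which is why a bare "MZ" match alone is not enough for triage.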
#2
v1.1 (02/Jun/2026)
- Now using --target, dumps main exe + all DLLs before any code runs, .data/.bss/CRT/Delphi RTL all in clean on-disk state, nothing initialized. Best for unpacked targets
- Now using --attach, dumps main exe + all DLLs from a running process, .data has runtime state (heap pointers, init flags, CRT tables). Before saving, cleans up BSS tail zero-fill regions and zeroes runtime pointers. Best for packed targets after unpacking, or any target that must run first to reach a dumpable state