#1
NativeDumper
NativeDumper:
Native module dumper: just select a process, right-click and choose "Dump main module", or choose "Modules" to enumerate modules, select the target module, right-click and choose "Dump". Advantage over other dumpers:
- Small dump file size (with the default dumping options, more exactly with the "Fix Raw" option unchecked (off)).
NativeDumper.zip (binary) and NativeDumper(Src).zip (source code, Visual C++) attached.
The Following 7 Users Say Thank You to CodeCracker For This Useful Post:
alephz (06-30-2016), besoeso (03-09-2017), cachito (06-24-2016), Mahmoudnia (03-09-2017), niculaita (06-22-2016), pnta (10-08-2016), wilson bibe (06-22-2016)
#2
Also, we can use:
------------------------------
Process Dump v1.4
Copyright © 2015, Geoff McDonald
http://www.split-code.com/

Process Dump (pd.exe) is a tool used to dump both 32 and 64 bit executable modules back to disk from memory within a process address space. This tool is able to find and dump hidden modules, and it uses a clean hash database to exclude dumping of known clean files. This tool uses an aggressive import reconstruction approach that links all DWORD/QWORDs that point to an export in the process to the corresponding export function.
------------------------------
The Following User Says Thank You to FoxB For This Useful Post:
niculaita (06-22-2016)
#3
Quote:
Direct download link of compiled v1.5: http://split-code.com/files/pd_latest.zip
The Following User Says Thank You to TechLord For This Useful Post:
FoxB (06-24-2016)
#4
New options:
- "Round raw size" - Not actually necessary; will round the raw size of sections to FileAlignment.
- "Current EIP" - to change the EntryPoint; you should stop at the old entry point with Olly or another debugger.
- "Sections info from" - Memory or File.

Raw options:
- "Original raw" - don't make any change to the raws (raw address and raw size) of sections; note that this will fail for 99% of packers/protectors. Good for application virtualizers like Spoon Studio to get the original untouched module from memory.
- "RAW=VA" - set RAW address = Virtual Address and RAW Size = Virtual Size of the section; using this option you will have working dumps, but a bit larger dumps.
- "Calculate raw" - the preferable option; will try to recalculate raw addresses and raw sizes.
The Following User Gave Reputation+1 to CodeCracker For This Useful Post:
papi (03-10-2017)
The Following 4 Users Say Thank You to CodeCracker For This Useful Post:
besoeso (03-09-2017), Codeman (06-28-2017), Kla$ (03-08-2017), serseri_1453 (04-24-2018)
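As an added example (not code from this thread, nor from NativeDumper or Process Dump), the Python script below shows what the raw options described in the post above do to the section headers of a dumped PE32 module, and why a memory image written straight to disk is broken without such a fix. The module is a constructed sample laid out as it would be mapped in memory, with the on-disk PointerToRawData/SizeOfRawData values still in its headers. "RAW=VA", "Round raw size" and "Current EIP" are implemented as the post describes them; `calculate_raw` is my own reading of "Calculate raw" (sequential FileAlignment-aligned layout after the headers), since the post gives no algorithm for it.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)
OPT_HDR_SIZE_PE32 = 224


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def _opt_offset(image):
    """File offset of IMAGE_OPTIONAL_HEADER: e_lfanew + 'PE\\0\\0' (4) + IMAGE_FILE_HEADER (20)."""
    return struct.unpack_from("<I", image, 0x3C)[0] + 24


def _opt_dword(image, field_offset):
    return struct.unpack_from("<I", image, _opt_offset(image) + field_offset)[0]


def entry_point_rva(image):
    return _opt_dword(image, 0x10)      # AddressOfEntryPoint


def read_sections(image):
    """Return (offset of the first section header, list of unpacked section headers)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    count = struct.unpack_from("<H", image, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]    # SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size
    return first, [struct.unpack_from(SECTION_HDR, image, first + i * SECTION_HDR_SIZE)
                   for i in range(count)]


def section_bytes(dump, name):
    """Read a section's VirtualSize bytes through its *file* offset, as a loader or
    disassembler would when opening the dump from disk."""
    for sec in read_sections(dump)[1]:
        if sec[0].rstrip(b"\0") == name:
            _, vsize, _, _, raw_ptr = sec[:5]
            return dump[raw_ptr:raw_ptr + vsize]
    raise KeyError(name)


def build_sample_memory_image():
    """Constructed sample (not a real module): minimal PE32 in memory layout, headers at 0,
    sections at their VirtualAddress, SectionAlignment 0x1000, FileAlignment 0x200."""
    sections = [(b".text", 0x1000, 0x634, 0xCC),   # name, VA, VirtualSize, fill byte
                (b".data", 0x2000, 0x120, 0xDD),
                (b".rsrc", 0x3000, 0x040, 0xEE)]
    e_lfanew, size_of_headers, size_of_image = 0x40, 0x400, 0x4000
    img = bytearray(size_of_image)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4,
                     0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE_PE32, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 0x10, 0x1000)          # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 0x1C, 0x400000)        # ImageBase
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 0x38, size_of_image, size_of_headers)
    hdr, raw_ptr = opt + OPT_HDR_SIZE_PE32, size_of_headers
    for name, va, vsize, fill in sections:
        raw_size = align_up(vsize, 0x200)   # the original on-disk raw layout
        struct.pack_into(SECTION_HDR, img, hdr, name, vsize, va, raw_size, raw_ptr,
                         0, 0, 0, 0, 0x60000020)
        img[va:va + vsize] = bytes([fill]) * vsize
        hdr, raw_ptr = hdr + SECTION_HDR_SIZE, raw_ptr + raw_size
    return bytes(img)


def fix_raw_equals_va(image, round_raw_size=False):
    """"RAW=VA": PointerToRawData := VirtualAddress and SizeOfRawData := VirtualSize, so the
    whole memory image can be written to disk as-is (dump size = SizeOfImage, the "a bit
    larger" case). round_raw_size models "Round raw size" (raw size rounded to FileAlignment)."""
    img = bytearray(image)
    first, sections = read_sections(img)
    fa = _opt_dword(img, 0x24)                                # FileAlignment
    for i, (name, vsize, va, _, _, *rest) in enumerate(sections):
        raw_size = align_up(vsize, fa) if round_raw_size else vsize
        struct.pack_into(SECTION_HDR, img, first + i * SECTION_HDR_SIZE,
                         name, vsize, va, raw_size, va, *rest)
    return bytes(img)


def calculate_raw(image):
    """One reading of "Calculate raw" (assumption): place the sections back to back on
    FileAlignment boundaries after the headers and copy their bytes out of the memory
    image, which yields the compact dump instead of a SizeOfImage-sized one."""
    fa = _opt_dword(image, 0x24)
    first, sections = read_sections(image)
    out = bytearray(image[:_opt_dword(image, 0x3C)])          # SizeOfHeaders
    out += b"\0" * (align_up(len(out), fa) - len(out))
    for i, (name, vsize, va, _, _, *rest) in enumerate(sections):
        raw_ptr, raw_size = len(out), align_up(vsize, fa)
        struct.pack_into(SECTION_HDR, out, first + i * SECTION_HDR_SIZE,
                         name, vsize, va, raw_size, raw_ptr, *rest)
        out += image[va:va + vsize] + b"\0" * (raw_size - vsize)
    return bytes(out)


def set_entry_point(image, eip):
    """"Current EIP": store the debugger's EIP (a VA) as an RVA in AddressOfEntryPoint."""
    img = bytearray(image)
    struct.pack_into("<I", img, _opt_offset(img) + 0x10, eip - _opt_dword(img, 0x1C))
    return bytes(img)
```

Running `section_bytes(build_sample_memory_image(), b".text")` returns zeros, because the untouched raw pointer (0x400) lands in the gap between the headers and the mapped section; after `fix_raw_equals_va` the same lookup returns the section's real bytes, at the cost of a 0x4000-byte file, while `calculate_raw` gives a 0x1000-byte file with the same content. Note that `calculate_raw` copies VirtualSize bytes for every section, so sections that had no raw data on disk (uninitialized data) become initialized data in the dump; that is one reason a rebuilt dump is still larger than the original file.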
#5
Quote:
Alternative download link, please.
#6
Code:
http://rgho.st/82XKmrkQK |