Exetools > General > Community Tools
#1
Old 06-22-2016, 19:59
CodeCracker (Family)
NativeDumper

NativeDumper:
Native module dumper. Just select a process,
do a right mouse click and choose "Dump main module",
or "Modules" to enumerate modules, select the target module,
do a right mouse click and choose "Dump".

Advantage over other dumpers:
- Small dump file size (with default dumping options, more exactly with the "Fix Raw" option unchecked (off)).

NativeDumper.zip (binary)
and
NativeDumper(Src).zip (source code, Visual C++) attached.
Attached Files
File Type: zip NativeDumper.zip (10.7 KB, 48 views)
File Type: zip NativeDumper(Src).zip (48.4 KB, 52 views)
#2
Old 06-22-2016, 22:22
FoxB (VIP)
Also, we can use:

------------------------------
Process Dump v1.4
Copyright © 2015, Geoff McDonald
http://www.split-code.com/

Process Dump (pd.exe) is a tool used to dump both 32 and 64 bit executable modules back to disk from memory within a process address space. This tool is able to find and dump hidden modules, and it uses a clean hash database to exclude dumping of known clean files. This tool uses an aggressive import reconstruction approach that links all DWORD/QWORDs that point to an export in the process to the corresponding export function.
------------------------------
#3
Old 06-24-2016, 09:19
TechLord (Banned User)
Quote:
Originally Posted by FoxB View Post
also we can use

------------------------------
Process Dump v1.4
Copyright © 2015, Geoff McDonald
http://www.split-code.com/

...
Now actually v1.5 is available...

Direct download link of compiled v1.5 :

http://split-code.com/files/pd_latest.zip
#4
Old 03-08-2017, 18:14
CodeCracker (Family)
New options:
"Round raw size" - not actually necessary; will round the raw size of sections to FileAlignment.
"Current EIP" to change the EntryPoint - you should stop at the old entry point with Olly or another debugger.

"Sections info from" Memory or File.

Raw options:
"Original raw" - don't make any change to the raws (raw address and raw size) of sections; note that this will fail for 99% of packers/protectors.
Good for application virtualizers like Spoon Studio to get the original untouched module from memory.
"RAW=VA" - set RAW address = Virtual Address and RAW Size = Virtual Size of the section; using this option you will have working dumps, but a bit larger dumps.
"Calculate raw" - the preferable option; will try to recalculate raw addresses and raw sizes.
Attached Files
File Type: zip NativeDumper.zip (11.7 KB, 50 views)
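The three raw options above all come down to how the section table of a memory-resident module is rewritten so that a file on disk maps the same bytes the loader had in memory. The script below is an added illustration written for this thread (it is not NativeDumper's code and shares nothing with its sources): it builds a small, constructed PE32 image laid out the way the Windows loader maps it, then rebuilds a file-layout dump in each of the three modes, optionally rounding raw sizes to FileAlignment and patching AddressOfEntryPoint the way the "Current EIP" option does. The check function shows why "Original raw" yields an unloadable file once sections have been relocated to their virtual addresses, and the sizes show why "Calculate raw" produces the smallest dump. Section layout, alignments and contents are all constructed sample values.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)
SECTION_ALIGN = 0x1000   # constructed sample values
FILE_ALIGN = 0x200


def round_up(value, align):
    return (value + align - 1) // align * align


def build_sample_image():
    """Constructed PE32 module as it sits in memory: headers in the first page,
    .text at RVA 0x1000 and .data at RVA 0x2000 (not at their on-disk raw offsets)."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [(b".text", 0x600, 0x1000, 0x600, 0x400, 0x60000020),
                (b".data", 0x300, 0x2000, 0x400, 0xA00, 0xC0000040)]
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, SECTION_ALIGN)
    struct.pack_into("<I", opt, 36, FILE_ALIGN)
    struct.pack_into("<I", opt, 56, 0x3000)      # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)       # SizeOfHeaders
    hdrs = bytearray(dos + coff + opt)
    for name, vsize, va, rsize, rptr, chars in sections:
        hdrs += struct.pack(SECTION_FMT, name, vsize, va, rsize, rptr, 0, 0, 0, 0, chars)
    image = bytearray(0x3000)
    image[:len(hdrs)] = hdrs
    image[0x1000:0x1600] = bytes(range(256)) * 6   # constructed .text contents
    image[0x2000:0x2300] = b"D" * 0x300             # constructed .data contents
    return bytes(image)


def parse_pe(data):
    """Minimal PE header walk returning the fields the dumper needs."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    sect_off = opt_off + opt_size
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, sect_off + i * SECTION_SIZE)
        secs.append({"name": f[0], "vsize": f[1], "va": f[2], "raw_size": f[3],
                     "raw_ptr": f[4], "chars": f[9]})
    return {"opt_off": opt_off, "sect_off": sect_off,
            "entry": struct.unpack_from("<I", data, opt_off + 16)[0],
            "file_align": struct.unpack_from("<I", data, opt_off + 36)[0],
            "sections": secs}


def rebuild_dump(image, mode, round_raw=False, new_entry_rva=None):
    """Rebuild a file-layout PE from an in-memory image.
    mode: 'original' (leave raws alone), 'raw_va' (RAW = VA), 'calculate' (pack sections)."""
    pe = parse_pe(image)
    secs, fa = pe["sections"], pe["file_align"]
    if mode == "original":
        layout = [(s["raw_ptr"], s["raw_size"]) for s in secs]
    elif mode == "raw_va":
        layout = [(s["va"], s["vsize"]) for s in secs]
    elif mode == "calculate":
        cursor = round_up(pe["sect_off"] + len(secs) * SECTION_SIZE, fa)  # headers end
        layout = []
        for s in secs:
            layout.append((cursor, s["vsize"]))
            cursor += round_up(s["vsize"], fa)
    else:
        raise ValueError(mode)
    if round_raw:   # the "Round raw size" option
        layout = [(ptr, round_up(size, fa)) for ptr, size in layout]
    out = bytearray(image[:pe["sect_off"]])
    for s, (ptr, size) in zip(secs, layout):
        out += struct.pack(SECTION_FMT, s["name"], s["vsize"], s["va"], size, ptr, 0, 0, 0, 0, s["chars"])
    if mode == "original":
        out += image[len(out):]          # plain memory dump: data stays at its VA
    else:
        for s, (ptr, size) in zip(secs, layout):
            data = image[s["va"]:s["va"] + min(s["vsize"], size)].ljust(size, b"\0")
            if len(out) < ptr + size:
                out += bytes(ptr + size - len(out))
            out[ptr:ptr + size] = data
    if new_entry_rva is not None:        # the "Current EIP" option
        struct.pack_into("<I", out, pe["opt_off"] + 16, new_entry_rva)
    return bytes(out)


def check_dump(dump, image):
    """True if every section's bytes at PointerToRawData in the file equal the
    bytes that were in memory at its VirtualAddress."""
    for s in parse_pe(dump)["sections"]:
        n = min(s["vsize"], s["raw_size"])
        if dump[s["raw_ptr"]:s["raw_ptr"] + n] != image[s["va"]:s["va"] + n]:
            return False
    return True


if __name__ == "__main__":
    img = build_sample_image()
    for mode in ("original", "raw_va", "calculate"):
        d = rebuild_dump(img, mode, round_raw=True)
        print(f"{mode:10s} size={len(d):6d} consistent={check_dump(d, img)}")
```

Running it on the constructed image gives an unusable 12288-byte file for "original", a consistent 9216-byte file for "raw_va" and a consistent 3072-byte file for "calculate" (both with raw sizes rounded), which is the size difference the first post is referring to.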
#5
Old 04-24-2018, 03:34
serseri_1453 (Friend)
Quote:
Originally Posted by CodeCracker View Post
New options:
...

Alternative download link, please.
#6
Old 04-24-2018, 03:44
Mahmoudnia (Family)
Quote:
Originally Posted by serseri_1453 View Post
alternativ download link please
Code:
http://rgho.st/82XKmrkQK
__________________
All about software security references
https://t.me/securebyte