Windows static lib for dumping malware PE files from memory back to disk for analysis.

nkaskov/ProcessDump

This branch is 4 commits ahead of, 56 commits behind glmcdona/Process-Dump:main.

Latest commit: 10e28a7 · Jan 30, 2018

ProcessDump

ProcessDump is a Windows reverse-engineering static library for dumping malware memory components back to disk for analysis. Malware files are often packed and obfuscated before execution in order to evade AV scanners; however, once executed they will often unpack, or inject, a clean version of the malware code in memory. A common task for malware researchers is to dump this unpacked code from memory back to disk so that it can be scanned with AV products or analyzed with static analysis tools such as IDA.

Process Dump works on 32- and 64-bit Windows and can dump memory components from a specific process or from all processes currently running.

Compiling source code

This is designed for Visual Studio 2017 and works with the free Community edition. Just open the project file with VS2017 and compile; it should be that easy!

Example Usage

Dump all modules and hidden code chunks from a specific process identifier:

  • void ProcessDumpById(unsigned long pid, wchar_t* output_folder);

Dump all modules and hidden code chunks by process name:

  • void ProcessDumpById(unsigned long pid, wchar_t* output_folder);
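Whatever the dumper writes to `output_folder`, the first thing an analyst wants to know is whether each file is a PE that a disassembler will load. A module dumped from memory sits at its virtual layout, so an image that has been rebuilt for disk should have every section's PointerToRawData equal to its VirtualAddress, and every header field and section range should fall inside the file. The header walker below is an added example, not code from ProcessDump or its upstream project; `check_pe`, `make_sample_pe` and the `PeCheck` fields are names chosen here, and the PE32+ image it parses is constructed inline rather than taken from a real dump.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Result of a header sanity check on a PE file that was dumped from memory.
struct PeCheck {
    bool valid = false;                 // headers parse and every section fits the file
    bool is_64bit = false;              // optional header magic is PE32+ (0x20b)
    uint16_t machine = 0;               // COFF Machine field (0x14c x86, 0x8664 x64)
    uint16_t num_sections = 0;
    uint32_t entry_rva = 0;             // AddressOfEntryPoint
    bool raw_equals_virtual = false;    // every section's PointerToRawData == VirtualAddress
    std::string error;                  // first problem found, empty when valid
};

// Little-endian field readers/writers (host assumed little-endian, as on x86/x64 analysis boxes).
static uint16_t rd16(const std::vector<uint8_t>& b, size_t off) { uint16_t v; std::memcpy(&v, &b[off], 2); return v; }
static uint32_t rd32(const std::vector<uint8_t>& b, size_t off) { uint32_t v; std::memcpy(&v, &b[off], 4); return v; }
static void wr16(std::vector<uint8_t>& b, size_t off, uint16_t v) { std::memcpy(&b[off], &v, 2); }
static void wr32(std::vector<uint8_t>& b, size_t off, uint32_t v) { std::memcpy(&b[off], &v, 4); }

// Walk DOS header -> PE signature -> COFF header -> optional header -> section table,
// bounds-checking every read so a truncated or corrupted dump cannot cause an out-of-range access.
PeCheck check_pe(const std::vector<uint8_t>& b) {
    PeCheck r;
    auto fits = [&](size_t off, size_t n) { return off <= b.size() && n <= b.size() - off; };
    if (!fits(0, 0x40) || b[0] != 'M' || b[1] != 'Z') { r.error = "missing MZ header"; return r; }
    uint32_t pe = rd32(b, 0x3C);                       // e_lfanew
    if (!fits(pe, 24) || std::memcmp(&b[pe], "PE\0\0", 4) != 0) { r.error = "bad e_lfanew or PE signature"; return r; }
    size_t coff = pe + 4;
    r.machine = rd16(b, coff);
    r.num_sections = rd16(b, coff + 2);
    uint16_t opt_size = rd16(b, coff + 16);            // SizeOfOptionalHeader
    size_t opt = coff + 20;
    if (opt_size < 64 || !fits(opt, opt_size)) { r.error = "optional header truncated"; return r; }
    uint16_t magic = rd16(b, opt);
    if (magic == 0x20b) r.is_64bit = true;
    else if (magic != 0x10b) { r.error = "unknown optional header magic"; return r; }
    r.entry_rva = rd32(b, opt + 16);
    uint32_t size_of_image = rd32(b, opt + 56);        // same offset for PE32 and PE32+
    if (r.entry_rva >= size_of_image) { r.error = "entry point outside SizeOfImage"; return r; }
    size_t sec = opt + opt_size;
    if (!fits(sec, 40u * r.num_sections)) { r.error = "section table truncated"; return r; }
    r.raw_equals_virtual = true;
    for (uint16_t i = 0; i < r.num_sections; ++i) {
        size_t h = sec + 40u * i;
        uint32_t vsize = rd32(b, h + 8), va = rd32(b, h + 12);
        uint32_t rawsz = rd32(b, h + 16), rawptr = rd32(b, h + 20);
        if (uint64_t(va) + vsize > size_of_image) { r.error = "section " + std::to_string(i) + " outside SizeOfImage"; return r; }
        if (rawsz != 0 && !fits(rawptr, rawsz)) { r.error = "section " + std::to_string(i) + " raw data past end of file"; return r; }
        if (rawptr != va) r.raw_equals_virtual = false;
    }
    r.valid = true;
    return r;
}

// Constructed sample: a minimal PE32+ image with one .text section at RVA 0x1000, laid out the way
// a memory dump looks (SizeOfImage 0x2000). text_raw_ptr sets PointerToRawData so the raw-vs-virtual
// check can be exercised; total_size controls truncation.
std::vector<uint8_t> make_sample_pe(uint32_t text_raw_ptr, size_t total_size) {
    std::vector<uint8_t> b(total_size, 0);
    if (total_size < 0x200) return b;                  // deliberately broken: no room for headers
    b[0] = 'M'; b[1] = 'Z';
    const uint32_t pe = 0x80;
    wr32(b, 0x3C, pe);
    std::memcpy(&b[pe], "PE\0\0", 4);
    const size_t coff = pe + 4;
    wr16(b, coff + 0, 0x8664);                         // Machine: x64
    wr16(b, coff + 2, 1);                              // NumberOfSections
    wr16(b, coff + 16, 240);                           // SizeOfOptionalHeader (PE32+)
    wr16(b, coff + 18, 0x0022);                        // Characteristics: executable, large-address-aware
    const size_t opt = coff + 20;
    wr16(b, opt + 0, 0x20b);                           // Magic: PE32+
    wr32(b, opt + 16, 0x1000);                         // AddressOfEntryPoint
    wr32(b, opt + 32, 0x1000);                         // SectionAlignment
    wr32(b, opt + 36, 0x200);                          // FileAlignment
    wr32(b, opt + 56, 0x2000);                         // SizeOfImage
    wr32(b, opt + 60, 0x200);                          // SizeOfHeaders
    const size_t sec = opt + 240;
    std::memcpy(&b[sec], ".text\0\0\0", 8);
    wr32(b, sec + 8, 0x200);                           // VirtualSize
    wr32(b, sec + 12, 0x1000);                         // VirtualAddress
    wr32(b, sec + 16, 0x200);                          // SizeOfRawData
    wr32(b, sec + 20, text_raw_ptr);                   // PointerToRawData
    wr32(b, sec + 36, 0x60000020);                     // IMAGE_SCN_CNT_CODE | EXECUTE | READ
    return b;
}
```

Run `check_pe` over the bytes of each file in the output folder: `valid` false with a non-empty `error` means the dump is truncated or its headers are inconsistent, and `raw_equals_virtual` false means the section table still carries the original on-disk file offsets, so the file will not map correctly in IDA or a PE loader until the section headers are rewritten for the in-memory layout.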

Languages

  • C++ 89.2%
  • C 10.8%