
Process Dump (PD): dump memory modules to disk

PD is a Windows OS reverse-engineering tool to dump malware memory components back to disk for analysis. It uses an aggressive import reconstruction approach to make analysis easier, and supports 32- and 64-bit modules. Dumping of regions without PE headers is supported; in these cases PE headers and import tables are generated automatically. PD supports creation and use of a clean-hash database, so that dumping of clean files such as kernel32.dll can be skipped.

Download

PD comes in .zip format and supports Windows x86 and x64.

This tool depends on the Microsoft Visual C++ 2015 Redistributable.

Source Code

The source code for PD is available through GitHub. Contributions are welcome.

Example Usage

Full Help Page

Process Dump v2.1

Copyright 2017 Geoff McDonald

www.geoffmcdonald.ca

https://github.com/glmcdona/Process-Dump

Option          Description
-system Dumps all modules not matching the clean hash database from all accessible processes into the working directory.
-pid <pid> Dumps all modules not matching the clean hash database from the specified PID into the current working directory; use a 0x prefix to specify a hex PID.
-closemon Runs in monitor mode; when any processes are terminating, PD will first dump the process.
-p <regex> Dumps all modules not matching the clean hash database from all processes with process names matching the specified regex pattern into the current working directory.
-g Forces generation of PE headers from scratch, ignoring existing headers.
-o <path> Sets the default output root folder for dumped components.
-v Verbose.
-nh No header is printed in the output.
-nr Disable recursion on hash database directory add or remove commands.
-ni Disable import reconstruction.
-nc Disable dumping of loose code regions.
-nt Disable multithreading.
-t <count> Sets the number of threads to use (default 16).
-c <path> Full filepath to the clean hash database to use for this run.
-db gen Automatically processes a few common folders as well as all the currently running processes and adds the found module hashes to the clean hash database. It will add all files recursively in:
  • %WINDIR%
  • %HOMEPATH%
  • C:\Program Files\
  • C:\Program Files (x86)\
  • and all modules in all running processes
-db genquick Adds the hashes from all modules in all processes to the clean hash database; run this on a clean system.
-db add <path> Adds all the files in the specified directory recursively to the clean hash database.
-db rem <path> Removes all the files in the specified directory recursively from the clean hash database.
-db clean Clears the clean hash database.
-db ignore Ignores the clean hash database when dumping a process this time. All modules will be dumped even if a match is found.
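Added example, not from the Process Dump page or project: a PowerShell wrapper for the two-phase workflow the options above describe, building the clean-hash database on a known-clean host (-db genquick with -c) and later dumping only unmatched modules from matching processes on a suspect host (-p, -o, -c). The binary name pd64.exe, the database path, and PD returning a non-zero exit code on failure are assumptions.

```powershell
# Added example, not part of the Process Dump page or project. Assumptions:
# the 64-bit binary from the .zip is pd64.exe and is on PATH; any writable path
# works for the -c clean-hash database; PD returns a non-zero exit code on error.
param(
    [string]$PdExe     = "pd64.exe",           # assumed binary name
    [string]$CleanDb   = "C:\pd\clean.hash",   # assumed DB path, passed with -c
    [string]$OutRoot   = "C:\pd\dumps",        # root folder for -o
    [string]$NameRegex = "^suspicious\.exe$",  # constructed pattern for -p
    [switch]$BuildDb                            # phase 1: run on a known-clean host
)
$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Force -Path (Split-Path $CleanDb), $OutRoot | Out-Null

if ($BuildDb) {
    # Phase 1 (clean baseline): record hashes of every module in every running
    # process so later dumps of kernel32.dll and friends are skipped.
    & $PdExe -nh -c $CleanDb -db genquick
    if ($LASTEXITCODE -ne 0) { throw "clean DB generation failed ($LASTEXITCODE)" }
    return
}

# Phase 2 (suspect host): dump everything that does not match the clean DB from
# processes whose name matches the regex, into a fresh per-run folder.
$run = Join-Path $OutRoot (Get-Date -Format "yyyyMMdd-HHmmss")
New-Item -ItemType Directory -Force -Path $run | Out-Null
& $PdExe -nh -v -c $CleanDb -o $run -p $NameRegex
if ($LASTEXITCODE -ne 0) { throw "dump failed ($LASTEXITCODE)" }

# Inventory the dropped components (reconstructed PEs, with generated headers
# and imports where needed) so their hashes go straight into the case notes.
$inventory = Get-ChildItem -Path $run -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        File   = $_.FullName
        Size   = $_.Length
        SHA256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
    }
}
$inventory | Export-Csv -NoTypeInformation -Path (Join-Path $run "inventory.csv")
$inventory | Format-Table -AutoSize
```

Run once with -BuildDb on the clean reference system, copy the resulting database to the analysis host, then run without the switch; add -db ignore to the phase-2 call when the clean modules are wanted in the dump as well.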

Figures

[PD Screen Shot 1] Fig. 1 - Main help page of Process Dump.
[PD Screen Shot 2] Fig. 2 - Dumped components from memory are dropped in the working directory by default.
[PD Screen Shot 3] Fig. 3 - Imports are reconstructed even if they weren't part of the original module's IAT.

Version History
