PD is a Windows OS reverse-engineering tool to dump malware memory components back to disk for analysis. It uses an aggressive import reconstruction approach to make analysis easier, and supports 32- and 64-bit modules. Dumping of regions without PE headers is supported and in these cases PE headers and import tables will automatically be generated. PD supports creation and use of a clean-hash database, so that dumping of clean files such as kernel32.dll can be skipped.
PD comes in .zip format and supports Windows x86 and x64.
This tool depends on the Microsoft Visual C++ 2015 Redistributable.
The source code for PD is available through GitHub. Contributions are welcome.
Usage examples:

```
pd.exe -pid 0x18A
pd.exe -p .*chrome.*
pd.exe -db gen
pd.exe -pid 0x1a3 -a 0xffb4000
```
Copyright 2017 Geoff McDonald
PD (pd.exe) is a tool used to dump both 32- and 64-bit executable modules back to disk from memory within a process address space. It is able to find and dump hidden modules and loose executable code chunks, and it uses a clean hash database to exclude dumping of known clean files. It uses an aggressive import reconstruction approach that links all DWORD/QWORDs that point to an export in the process to the corresponding export function. PD can be used to dump all unknown code from memory (the -system flag), dump specific processes, or run in a monitoring mode that dumps all processes just before they terminate.
```
pd -db gen
pd -db genquick
pd -pid 419
pd -pid 0x1a3
pd -pid 0x1a3 -a 0x401000 -o c:\dump\ -c c:\dump\test\clean.db
pd -p chrome.exe
pd -p "(?i).*chrome.*"
```
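The pointer-scan style of import reconstruction described above, shown as an added Python example that is not PD's own code: it builds a small constructed dump of a code region and a constructed export map, links every pointer-sized slot whose value equals an export address to that export, and groups the hits per module in the shape an import directory is built from. The export addresses, the region contents, and the pointer-size scan stride are assumptions made for the example, not details taken from the tool.

```python
import struct
from collections import defaultdict

# Constructed export map for this example: export address -> (module, name).
# A real reconstruction fills this by walking the export directory of every
# module loaded in the target process.
EXPORTS = {
    0x7C801000: ("kernel32.dll", "CreateFileW"),
    0x7C801040: ("kernel32.dll", "WriteFile"),
    0x7C902000: ("ntdll.dll", "NtClose"),
}


def build_region(pointer_size):
    """Constructed dump of a code region: a block of pointers laid out like a
    stripped IAT (one slot holding a non-export value), then filler code."""
    fmt = "<Q" if pointer_size == 8 else "<I"
    slots = [0x7C801000, 0x7C902000, 0x11223344, 0x7C801040]
    data = b"".join(struct.pack(fmt, s) for s in slots)
    data += b"\x55\x8b\xec\x90\xc3"  # push ebp; mov ebp,esp; nop; ret (filler)
    return 0x00401000, data


def reconstruct_imports(data, exports, pointer_size):
    """Link every pointer-sized slot whose value is an export address to that
    export. Returns (offset_in_region, module, name) tuples.
    Assumption: slots are read at pointer-size alignment; the real tool's scan
    stride is not described on this page."""
    fmt = "<Q" if pointer_size == 8 else "<I"
    hits = []
    for off in range(0, len(data) - pointer_size + 1, pointer_size):
        value = struct.unpack_from(fmt, data, off)[0]
        if value in exports:
            module, name = exports[value]
            hits.append((off, module, name))
    return hits


def group_by_module(hits):
    """Shape the hits into the per-module lists an import directory needs:
    {module: [(offset, name), ...]} in offset order."""
    table = defaultdict(list)
    for off, module, name in sorted(hits):
        table[module].append((off, name))
    return dict(table)


if __name__ == "__main__":
    for size in (4, 8):
        base, region = build_region(size)
        hits = reconstruct_imports(region, EXPORTS, size)
        for module, entries in group_by_module(hits).items():
            for off, name in entries:
                print(f"{size * 8}-bit {base + off:#010x} -> {module}!{name}")
```

The trade-off of an aggressive scan is visible in the code: any pointer-sized value that happens to equal an export address, including a constant in data, gets linked as an import. That is why a flag to turn reconstruction off (-ni) is useful when the rebuilt table looks implausible.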
| Option | Description |
|---|---|
| -system | Dumps all modules not matching the clean hash database from all accessible processes into the working directory. |
| -pid <pid> | Dumps all modules not matching the clean hash database from the specified PID into the current working directory; use a |
| -closemon | Runs in monitor mode; when any process is terminating, PD will first dump the process. |
| -p <regex> | Dumps all modules not matching the clean hash database from all processes with process names matching the specified regex pattern into the current working directory. |
| -g | Forces generation of PE headers from scratch, ignoring existing headers. |
| -o <path> | Sets the default output root folder for dumped components. |
| -nh | No header is printed in the output. |
| -nr | Disables recursion on hash database directory add or remove commands. |
| -ni | Disables import reconstruction. |
| -nc | Disables dumping of loose code regions. |
| -t <count> | Sets the number of threads to use (default 16). |
| -c <path> | Full file path to the clean hash database to use for this run. |
| -db gen | Automatically processes a few common folders as well as all the currently running processes and adds the found module hashes to the clean hash database. It will add all files recursively in: |
| -db genquick | Adds the hashes from all modules in all processes to the clean hash database; run this on a clean system. |
| -db add <dir> | Adds all the files in the specified directory recursively to the clean hash database. |
| -db rem <dir> | Removes all the files in the specified directory recursively from the clean hash database. |
| -db clean | Clears the clean hash database. |
| -db ignore | Ignores the clean hash database when dumping a process this time. All modules will be dumped even if a match is found. |
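The clean hash database workflow from the table (recursive add, the non-recursive variant, remove, and the skip-or-dump decision with an ignore override), as an added Python example that is not PD's own code. It hashes raw file and module bytes with SHA-256 and builds its sample "clean" directory tree itself; how PD actually normalises an in-memory module before hashing it, and which hash it uses, are not stated on this page, so those are assumptions of the example.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hash(path):
    """SHA-256 of a file on disk, read in chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_files(root, recursive=True):
    root = Path(root)
    walk = root.rglob("*") if recursive else root.glob("*")
    return (p for p in walk if p.is_file())


def db_add(db, root, recursive=True):
    """Analogue of '-db add <dir>': hash every file under root into the set.
    recursive=False mirrors what -nr does to the add/remove commands."""
    added = {file_hash(p) for p in iter_files(root, recursive)}
    db |= added
    return len(added)


def db_rem(db, root, recursive=True):
    """Analogue of '-db rem <dir>': drop the hashes of files under root."""
    removed = {file_hash(p) for p in iter_files(root, recursive)} & db
    db -= removed
    return len(removed)


def should_dump(module_bytes, db, ignore_db=False):
    """Decide whether a module pulled from a process should be written out:
    skipped when its hash is in the clean database, unless ignore_db
    (the '-db ignore' behaviour). Assumption: the hash is over raw bytes."""
    return ignore_db or hashlib.sha256(module_bytes).hexdigest() not in db


def demo():
    """Constructed scenario: a 'clean' tree with one top-level and one nested file."""
    db = set()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "clean.dll").write_bytes(b"MZ clean module bytes")
        (root / "sub" / "nested.dll").write_bytes(b"MZ nested module bytes")
        n_recursive = db_add(db, root)                  # both files
        n_flat = db_add(set(), root, recursive=False)   # top-level file only
        dump_known = should_dump(b"MZ clean module bytes", db)
        dump_unknown = should_dump(b"MZ injected payload", db)
        dump_forced = should_dump(b"MZ clean module bytes", db, ignore_db=True)
        n_removed = db_rem(db, root / "sub")
    return n_recursive, n_flat, dump_known, dump_unknown, dump_forced, n_removed, len(db)


if __name__ == "__main__":
    print(demo())
```

Build the database on a machine you trust to be clean, as the genquick row says; anything hashed in from an already-compromised host becomes an allow-list entry that suppresses dumps.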
-closemon runs PD in a monitoring mode. It will pause and dump any process just as it closes. This is designed to work well with malware analysis sandboxes, to be sure to dump malware from memory before the malicious process closes.

-g forces generation of PE headers. Before, even if this flag was set, system dumps (-system) would ignore this flag when dumping a process.

-a [address to dump] dumps a specific address. It will generate PE headers and build an import table for the address.

-ni skips the new import reconstruction algorithm.

-g forces generation of a new PE header even if one exists when dumping a module. This is useful if the PE header is malformed, for example.
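The header-generation step that the introduction and the -a and -g notes describe (wrapping a dumped region that has no usable PE header in a fresh one so it can be loaded by analysis tools), as an added Python example that is not PD's own code. It emits a minimal one-section PE32 or PE32+ image around a raw region, choosing ImageBase and the section VA so that their sum equals the address the region was dumped from, and includes a small reader to check the result. The layout choices (section name, alignments, empty data directories, subsystem and stack sizes) are assumptions of the example; the page does not say what PD writes.

```python
import struct

FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
# IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SECTION_FLAGS = 0x00000020 | 0x20000000 | 0x40000000 | 0x80000000

# Constructed stand-in for a headerless dumped region (push ebp; mov ebp,esp; nop; ret).
SAMPLE_REGION = b"\x55\x8b\xec\x90\xc3" * 4


def align(value, boundary):
    return (value + boundary - 1) & ~(boundary - 1)


def wrap_region_in_pe(region, region_addr, is64):
    """Wrap a headerless region in a minimal single-section PE image.
    ImageBase + section VA == region_addr, so addresses inside the region keep
    their original meaning in a disassembler. The import directory is left
    empty here; filling it is a separate step."""
    image_base = (region_addr - SECTION_ALIGN) & ~0xFFFF  # 64K-aligned, below the region
    section_va = region_addr - image_base
    opt_size = 240 if is64 else 224
    size_headers = align(0x40 + 4 + 20 + opt_size + 40, FILE_ALIGN)
    raw_size = align(len(region), FILE_ALIGN)
    size_image = align(section_va + len(region), SECTION_ALIGN)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    file_hdr = struct.pack("<HHIIIHH",
        IMAGE_FILE_MACHINE_AMD64 if is64 else IMAGE_FILE_MACHINE_I386,
        1, 0, 0, 0, opt_size,
        0x0002 | (0x0020 if is64 else 0x0100))  # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE or 32BIT_MACHINE
    if is64:  # PE32+ optional header: 64-bit ImageBase, no BaseOfData, 64-bit stack/heap sizes
        opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
            0x20B, 0, 0, raw_size, 0, 0, section_va, section_va,
            image_base, SECTION_ALIGN, FILE_ALIGN, 4, 0, 0, 0, 4, 0,
            0, size_image, size_headers, 0, 2, 0,
            0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    else:     # PE32 optional header
        opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
            0x10B, 0, 0, raw_size, 0, 0, section_va, section_va, 0,
            image_base, SECTION_ALIGN, FILE_ALIGN, 4, 0, 0, 0, 4, 0,
            0, size_image, size_headers, 0, 2, 0,
            0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    directories = struct.pack("<II", 0, 0) * 16  # all 16 data directories empty
    section = struct.pack("<8sIIIIIIHHI", b".text", len(region), section_va,
                          raw_size, size_headers, 0, 0, 0, 0, SECTION_FLAGS)
    headers = dos + b"PE\0\0" + file_hdr + opt + directories + section
    return headers.ljust(size_headers, b"\0") + region.ljust(raw_size, b"\0")


def parse_pe(data):
    """Read back the fields a loader or disassembler keys on, to verify the wrap."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic == 0x20B:
        image_base = struct.unpack_from("<Q", data, e_lfanew + 48)[0]
    else:
        image_base = struct.unpack_from("<I", data, e_lfanew + 52)[0]
    sec = e_lfanew + 24 + opt_size  # first section header follows the optional header
    vsize, va, _raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
    return {"machine": machine, "image_base": image_base, "section_va": va,
            "section_bytes": data[raw_ptr:raw_ptr + vsize]}


if __name__ == "__main__":
    image = wrap_region_in_pe(SAMPLE_REGION, 0x00401000, is64=False)
    info = parse_pe(image)
    print(f"{len(image)} bytes, base {info['image_base']:#x}, .text at {info['section_va']:#x}")
```

Keeping ImageBase + VA equal to the original address is what makes the rebuilt import entries and any absolute pointers in the region line up without relocation; a tool that picked an arbitrary base would need to rebase the dump first.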