Home

Awesome

Edited to fit League of Legends new Anti-Cheat system.

Process Dump

Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis. Often malware files are packed and obfuscated before they are executed in order to avoid AV scanners, however when these files are executed they will often unpack or inject a clean version of the malware code in memory. A common task for malware researchers when analyzing malware is to dump this unpacked code back from memory to disk for scanning with AV products or for analysis with static analysis tools such as IDA.

Process Dump works for Windows 32 and 64 bit operating systems and can dump memory components from specific processes or from all processes currently running. Process Dump supports creation and use of a clean-hash database, so that dumping of all the clean files such as kernel32.dll can be skipped. It's main features include:

I'm maintaining an official compiled release on my website here: http://split-code.com/processdump.html

Installation

You can download the latest compiled release of Process Dump here:

This tool requires Microsoft Visual C++ Redistributable for Visual Studio 2015 to be installed to work:

Compiling source code

This is designed for Visual Studio 2015 and works with the free Community edition. Just open the project file with VS2015 and compile, it should be that easy!

Example Usage

Dump all modules and hidden code chunks from all processes on your system (ignoring known clean modules):

Run in terminate monitor mode. Until cancelled (CTRL-C), Process Dump will dump any process just before the termination:

Dump all modules and hidden code chunks from a specific process identifier:

Dump all modules and hidden code chunk by process name:

Build clean-hash database. These hashes will be used to exclude modules from dumping with the above commands:

Dump code from a specific address in PID 0x1a3:

Example sandbox usage

If you are running an automated sandbox or manual anti-malware research environment, I recommend running the following process with Process Dump, run all commands as Administrator:

Notes on the naming convention of dumped modules:

Example filenames of dumped files

Help Page

Process Dump v2.1 Copyright ® 2017, Geoff McDonald http://www.split-code.com/

Process Dump (pd.exe) is a tool used to dump both 32 and 64 bit executable modules back to disk from memory within a process address space. This tool is able to find and dump hidden modules as well as loose executable code chunks, and it uses a clean hash database to exclude dumping of known clean files. This tool uses an aggressive import reconstruction approach that links all DWORD/QWORDs that point to an export in the process to the corresponding export function. Process dump can be used to dump all unknown code from memory ('-system' flag), dump specific processes, or run in a monitoring mode that dumps all processes just before they terminate.

Before first usage of this tool, when on the clean workstation the clean exclusing hash database can be generated by either:

Example Usage:

Options:

Dumps all modules not matching the clean hash databas from all accessible processes into the working directory.

Dumps all modules not matching the clean hash database from the specified pid into the current working directory. Use a '0x' prefix to specify a hex PID.

Runs in monitor mode. When any processes are terminating process dump will first dump the process.

Dumps all modules not matching the clean hash database from the process name found to match the filter into specified pid into the current working directory.

Forces generation of PE headers from scratch, ignoring existing headers.

Sets the default output root folder for dumped components.

Verbose.

No header is printed in the output.

Disable recursion on hash database directory add or remove commands.

Disable import reconstruction.

Disable dumping of loose code regions.

Disable multithreading.

Sets the number of threads to use (default 16).

Full filepath to the clean hash database to use for this run.

Automatically processes a few common folders as well as all the currently running processes and adds the found module hashes to the clean hash database. It will add all files recursively in: %WINDIR% %HOMEPATH% C:\Program Files
C:\Program Files (x86)
As well as all modules in all running processes

Adds the hashes from all modules in all processes to the clean hash database. Run this on a clean system.

Adds all the files in the specified directory recursively to the clean hash database.

Removes all the files in the specified directory recursively from the clean hash database.

Clears the clean hash database.

Ignores the clean hash database when dumping a process this time. All modules will be dumped even if a match is found.

Version history

Version 2.1 (February 12th, 2017)

Version 2.0 (September 18th, 2016)

Version 1.5 (November 21st, 2015)

Version 1.4 (April 18th, 2015)

Version 1.3 (October 10th, 2013)

Version 1.1 (April 8th, 2013)

Version 1.0 (April 2nd, 2013)