25-10-2018, 09:13 PM
Process Dump
إقتباس :Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis. Often malware files are packed and obfuscated before they are executed in order to avoid AV scanners, however when these files are executed they will often unpack or inject a clean version of the malware code in memory. A common task for malware researchers when analyzing malware is to dump this unpacked code back from memory to disk for scanning with AV products or for analysis with static analysis tools such as IDA.
Process Dump works for Windows 32 and 64 bit operating systems and can dump memory components from specific processes or from all processes currently running. Process Dump supports creation and use of a clean-hash database, so that dumping of all the clean files such as kernel32.dll can be skipped. It's main features include:
- Dumps code from a specific process or all processes.
- Finds and dumps hidden modules that are not properly loaded in processes.
- Finds and dumps loose code chunks even if they aren't associated with a PE file. It builds a PE header and import table for the chunks.
- Reconstructs imports using an aggressive approach.
- Can run in close dump monitor mode ('-closemon'), where processes will be paused and dumped just before they terminate.
- Multi-threaded, so when you are dumping all running processes it will go pretty quickly.
- Can generate a clean hash database. Generate this before a machine is infected with malware so Process Dump will only dump the new malicious malware components.
https://github.com/glmcdona/Process-Dump