From Collaborative RCE Tool Library

Jump to: navigation, search

Process Dumpers


Tool name: radare
Rating: 5.0 (2 votes)
Author: pancake                        
Website: http://www.radare.org
Current version: 0.9.7
Last updated: March 3, 2014
Direct D/L link: http://www.radare.org/get/radare2-0.9.7.tar.xz
License type: LGPL
Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with 6502, 8051, arc, arm64, avr, brainfuck, whitespace, malbolge, cr16, dcpu16, ebc, gameboy, h8300, tms320, nios2, x86, x86_64, mips, arm, snes, sparc, csr, m68k, powerpc, dalvik and java.

The main program is 'r2' a commandline hexadecimal editor with support for debugging, disassembling, analyzing structures, searching data, analyzing code and support for scripting with bindings for Python, NodeJS, Perl, Ruby, Go, PHP, Vala, Java, Lua, OCaml.

Radare comes with the unix phylosophy in mind. Each module, plugin, tool performs a specific task and each command can be piped to another to extend its functionality. Also, it treats everything as a file: processes, sockets, files, debugger sessions, libraries, etc.. Everything is mapped on a virtual address space that can be configured to map multiple files on it and segment it.

If you are interested or feel attracted by the project join us in the #radare channel at irc.freenode.net.

See website for more details.
Also listed in: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: LordPE
Rating: 4.5 (4 votes)
Author: y0da                        
Website: N/A
Current version: 1.41 (Deluxe b)
Last updated: September 30, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now.
Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...
Also listed in: Dump Fixers, Import Editors, Memory Dumpers, PE Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Explorer Suite
Rating: 4.4 (5 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/exsuite.php
Current version: III (DC20121111)
Last updated: November 11, 2012
Direct D/L link: http://www.ntcore.com/files/ExplorerSuite.exe
License type: Free
Description: A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever
Also listed in: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Protection Identifiers, Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ImpREC
Rating: 4.0 (3 votes)
Author: MackT                        
Website: http://files.planet-dl.org/Cw2k/Tools/Import%20REConstructor%20v1.7f.7z
Current version: Official version 1.6 - Unofficial version with misc. fixes 1.7f
Last updated: June 1, 2011
Direct D/L link: Locally archived copy
License type: Free (^-Note: 'Direct D/L URL' is V1.7e !)
Description: The world's most famous IAT rebuilder tool.

The last official version from MackT is still 1.6. The 1.7f update is a third-party patched version of 1.6, which contains the following patches:

v1.7f FINAL (PUBLIC VERSION) fixes by cw2k
- Clean unpack of 'v1.6 FINAL (PUBLIC VERSION)'(UPX) + restoring header & imports
as close as possible to the original header
Short/stripped dos-Stub and other crap & dump grabage that make it to most AntiVirus proggies suspect
virustotal.com before: 33/42 hits now: 0/42 hits

- Reappling and documenting of patches (Scroll to the end of that file)
Improve patch #1 "RestoreLastError" -> SetLastError bugfix

- Adding Fly's GUI-modification

- doing some clean up of the plugins (unpack/removing duplicates)

--------
Also included in the archive:

CHimpREC: The Cheap Imports Reconstructor
by TiGa of ARTeam

This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal.
Made for the best compatibility with WoW64 on x64-based Windows XP or Vista.

+Features
The first universal 64-bit imports rebuilder
32-bit version included
Interface similar to ImpREC
Integrated 32/64-bit process dumper
IAT AutoSearch from ImageBase or OEP
Unshuffle thunks function
Manual imports editor

-Limitations
No plugin support yet
No AutoTrace feature
No disassembler

--------


NOTE:
V1.7a

- Fixed RestoreLastError API set to SetLastError for WinXP/Vista compatibility (MaRKuS_TH-DJM)
- user32.dll is always read from the system, prevents a crash from corrupted PE of user32.dll (MaRKuS_TH-DJM)
- Latest version of psapi.dll (6.0.6000.16386) included
- Fixed Vista64 crash bug (jstorme)
- GUI modified and improved (based upon Fly's modification)
- Updated/corrected plugins and deleted dups

v. 1.7a added the following fixes:

- Misc
- Fixed Win2K crash, AllocConsole was replaced with ActivateActCtx (jstorme)

The local download here contains the last unofficial patch, 1.7e. In addition to that, it also contains a big bunch of plugins, and also source code for many of these plugins (in all well-known programming languages, which is good for use as templates for new plugins etc).

Changes in Version 1.7b:

- Misc
- Fixed invalid API bug in user32.dll on Windows 98 (jstorme)
- Modified code to improve support for discardable/unreadable sections (jstorme)
- Fixed ImageBase problem with DLL's when "Use PE Header from Disk" is checked (jstorme)
- Added an "ImpREC Classic" looking version

Changes in 1.7c:

- Fixed bug introduced in 1.7b when DLL's have discardable sections (jstorme)

Changes in 1.7d:

- Misc
- Fixed bug introduced in 1.7b which destroys IAT Autosearch feature in some packed targets, like eXpressor 1.8 (Newbie_Cracker).
- Fixed crash introduced in 1.7b when DLL's PE header has "NO Access" flag (Newbie_Cracker).


Changes in Version v1.7e

- Misc
- Fixed a bug which avoids ImpREC to fix JMP DWORD [...] if it is located at the end of code section (Newbie_Cracker)
( Thanks to Nexus6 for report the bug and provide samples)
Also listed in: IAT Restore Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: AMDUMPV6.2
Rating: 0.0 (0 votes)
Author: CondZero                        
Website: http://arteam.accessroot.com
Current version: 2.2
Last updated: September 18th, 2008
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=3
License type: Free / Open Source
Description: The archive includes full sources and two tutorials.

Note: the included pdf overview (from previous release).
Still applies to this version with the caveat that import rebuilding is. Included in this release for targets that don't use the delayed import Option!!

Info:
* New noninvasive loader engine to run & dump activemark v6.2x targets.
* Run program from its own folder, no need to copy Amdumpv62 to target folder to run.
* Amdumpv62 will dump activemark v6.2x executables and, if necessary, Rebuild imports automatically for targets with delayed imports not enabled and finally append the overlay data to the end of the dumped file.

Special note:
* The import rebuilder will append an '_' suffix to the end of the dumped File. (i.e. dumped.exe >> dumped_.exe similar to imprec). In these cases, the overlay data will be appended to the new dump name Automatically.
* Sometimes it may be necessary to view the sections in a pe editor Program (i.e. lordpe or similar) because the dumper is Dependant on finding:
(4) .text/.text/.code/.code/etc sections in the executable
For delayed import targets
(3) for non delayed import targets.
If (3/4) sections are not found, then the executable may not be an activemark v6.2x application!!
* Note: also dependent on finding (2) .bss/bss sections in The executable! These sections are used for storing needed data To run dump successfully!

Limitations:
* In order to insure the stability of your dumped.exe, it may be necessary to manually hexedit the dumped file and insert an instruction which moves hi-values to a dword hi-value variable used in the gettickcount api within the 3rd layer (2nd .text) in the executable. Please refer to the tutorial on dumping and analyzing activemark v6.2x on the [arteam] tutorial
Link: http://arteam.accessroot.com/tutorials.html?fid=211

History:
--------------------------------------------
Amdumpv62 - version 2.2 (September 2008)
1. Updated arteam import rebuilder v1.2.1 (nacho_dj) for targets that don't use the delayed imports option

Amdumpv62 - version 2.0 (march 2008)
1. New noninvasive loader engine based on Deroko's nonintrusive loader (i.e. nodebug)
2. New arteam import rebuilder v1.1 (nacho_dj) for targets. That don't use the delayed imports option
3. New log progress and results of the dump process
4. Separate threads for main gui and process
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: AMDUMPV66 V1.0
Rating: 0.0 (0 votes)
Author: CondZero                        
Website: http://www.accessroot.com/arteam/site/news.php
Current version: v 1.0
Last updated: January 18, 2011
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.230
License type: Freeware
Description: Amdumpv66 v1.0 - CondZero [ARTeam]
(see history below for details)

Note: This is a complete replacement for former AMDUMPV6.2!!

Tested under winxp sp3
Should work under w2k, wxp, Vista, Win 7 32 bit

Info:
* new noninvasive loader engine to run & dump activemark v6.2x - 6.6x
Targets.
* Drag & drop capability
* run program from its own folder, no need to copy
Amdumpv66 to target folder to run.
* amdumpv66 will dump activemark v6.2x - v6.6x executables for targets
with both delayed and non delayed imports. For targets with non delayed imports,
the built-in ARTeam ARImpRec (Import Rebuilder) will automatically fix any imports in the dumped file and append a '_' suffix to the end of the dumped file (i.e. dumped.exe >> dumped_.exe).

This program expects this suffix when appending the overlay data automatically for targets that don't use delayed imports. If using a different IAT rebuilding tool, it may be necessary to rename the resultant fixed dump file as described above, or the overlay data will not be appended automatically and you will be required to do this step manually.
* sometimes it may be necessary to view the sections in a pe editor
Program (i.e. lordpe or similar) because the dumper is
Dependent on finding:
(4) .text/.text/.code/.code/etc sections in the executable for delayed import targets and,
(3) .text/.text/.code/.code/etc sections for non delayed import targets.
If (3/4) sections are not found, then the executable may not
Be an Activemark v6.2x - 6.6x application!!

Limitations:
* in order to insure the stability of your dumped.exe, it may
be necessary to manually hexedit the dumped file and insert
an instruction which moves hi-values to a dword hi-value variable
used by the GetTickCount api within the 3rd layer (2nd .text)
in the executable. Please refer to the tutorial on dumping
and analyzing activemark v6.2x on the [arteam] tutorial
Link: http://arteam.accessroot.com/tutorials.html?fid=211

Disclaimer:
Not responsible for any damages that result from using this Tool!!

History:
--------------------------------------------
Amdumpv66 - version 1.0 (November 2010)
1. Updated ARTeam import rebuilder v1.7.5 (Nacho_dj) for targets
that don't use the delayed imports option
2. More elaborate search and replace scheme used for allocated and referenced
VM DWORDS used in the target process
3. Drag & drop AM protected executable file to application
4. Log file is saved to your target folder
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CHimpREC
Rating: 0.0 (0 votes)
Author: S├ębastien Doucet (TiGa)                        
Website: http://www.iitac.org
Current version: ReCon Edition
Last updated: June 23rd, 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description: CHimpREC: The Cheap Imports Reconstructor
by TiGa of ARTeam
IITAC (http://www.iitac.org)

This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal.
Made for the best compatibility with WoW64 on x64-based Windows XP or Vista.

This is the same version that was used at the conference.
The first official release will come soon.

+Features
The first universal 64-bit imports rebuilder
32-bit version included
Interface similar to ImpREC
Integrated 32/64-bit process dumper
IAT AutoSearch from ImageBase or OEP
Unshuffle thunks function
Manual imports editor

-Limitations
No plugin support yet
No AutoTrace feature
No disassembler

The Visual Studio 2005 SP1 redistributable package might be necessary too:
x86:
http://www.microsoft.com/downloads/details.aspx?familyid=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en
x64:
http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en
Also listed in: Dump Fixers, IAT Restore Tools, Import Editors, Unpacking Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: mdmp
Rating: 0.0 (0 votes)
Author: Vlad-Ioan Topan                        
Website: http://code.google.com/p/mdmp/
Current version: 0.2.5 beta
Last updated: May 2011
Direct D/L link: http://mdmp.googlecode.com/files/mdmp-0.2.5-beta-binaries.zip
License type: GPL V3
Description: mdmp - open-source x86 memory/process (command-line) dumper with Python bindings

libmdmp is a C library designed to dump process memory on Windows.

mdmp.exe is a command-line tool exposing most functionality in libmdmp (process/stack/heap/random-mem-address dumping).

pymdmp.pyd is a Python wrapper (only built for 2.7 as of now, trivial to adapt to any 2.x) exposing the memory-dumping functionality in Python.

Example usage:

mdmp:
mdmp.exe /n:explo /e:kernel
- will dump all modules (DLLs) whose name contains "kernel" from all the processes whose name contains "explo"

pymdmp:
import pymdmp
lst = pymdmp.dump(pymdmp.SEL_BY_NAME, pymdmp.DUMP_IMAGE_BY_NAME, 0, processName="explo", moduleName="kernel")
- will return in lst a list of tuples (<process_name>, <PID>, <dump-start-address>, <dump-data>)

Delphi bindings are planned. Feedback is welcome @ vtopan/gmail.

Requires the VC 2005 runtime.
Also listed in: Memory Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: OllyDumpEx
Rating: 0.0 (0 votes)
Author: low_priority                        
Website: http://low-priority.appspot.com/ollydumpex/
Current version: 0.90
Last updated: August 24, 2011
Direct D/L link: http://low-priority.appspot.com/ollydumpex/OllyDumpEx.zip
License type: Free
Description: This plugin is process memory dumper for OllyDbg and Immunity Debugger.
Very simple overview is
OllyDumpEx = OllyDump + PE Dumper - obsoluted + useful features
Features :
- OllyDbg version 2 plugin interface supported (EXPERIMENTAL)
- Select to dump debugee exe or loaded dll
- Dump any address space as section even if not in original section header
- Add dummy section to keep PE format consistency
- Fix RVA in DataDirectory to follow ImageBase change
- Auto calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)
Also listed in: OllyDbg Extensions
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Process Dump, pd.exe
Rating: 0.0 (0 votes)
Author: Geoff McDonald                        
Website: http://www.split-code.com/
Current version: v1.4
Last updated: April 18, 2015
Direct D/L link: http://split-code.com/files/pd_latest.zip
License type: Freeware
Description: Process Dump is a 32 and 64 bit command-line tool for dumping malware code from memory back to disk.

Features:
* Dumps 32 and 64 bit modules back to disk
* Dumps code at a specific address back to disk with reconstructing a 32 and 64 bit PE header and building an import address table
* Reconstructs imports aggressively - linking any DWORD or QWORD in the image being dumped to the corresponding import
* Supports a clean library hashing approach, allowing for dumping of only unrecognized modules

The import reconstruction approach is aggressive and even reconstructs references to imports loaded by GetProcAddress:
1. Copies OriginalFirstThunk over FirstThunk array for each imported library. (original import reconstruction approach)
2. Looks at all modules loaded in the current process, and builds a list of the addresses of all exported functions.
3. Searches the region or module that is being dumped for any DWORD (x86) or QWORD (x64) matching an exported address in the process.
4. For each match, adds an imported library with FirstThunk pointing to the DWORD or QWORD to patch up, linking it to the exported function of the corresponding library.
5. The size of the last section is increased, and the extended original import table is placed here.

Dump code from a specific address, building a PE header and import table:
pd.exe -pid 0x1a7 -a 0x3e1000

Dump all modules from all processes (only unrecognized modules will be dumped):
pd.exe -system

Dump all modules from a specific process:
pd.exe -pid 0x18A

Dump all modules by process name:
pd.exe -p .*chrome.*

Build clean-hash database. These hashes will be used to exclude modules from dumping with the above commands:
pd.exe -db gen

Comes in .zip format and supports Windows x86 and x64:
- http://split-code.com/files/pd_latest.zip

Requires Microsoft Visual C++ 2008 Redistributable:
- http://www.microsoft.com/en-ca/download/details.aspx?id=29
- http://www.microsoft.com/en-ca/download/details.aspx?id=15336
Also listed in: Automated Unpackers, Dump Fixers, Malware Analysis Tools, Memory Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Scylla
Rating: 0.0 (0 votes)
Author: Aguila                        
Website: http://forum.tuts4you.com/forum/132-scylla-imports-reconstruction/
Current version: 0.9.6b
Last updated: April 1, 2014
Direct D/L link: Locally archived copy
License type: GNU GPL v3
Description: Scylla - x64/x86 Imports Reconstruction
=======================================

ImpREC, CHimpREC, Imports Fixer... this are all great tools to rebuild an import table,
but they all have some major disadvantages, so I decided to create my own tool for this job.

Scylla's key benefits are:

- x64 and x86 support
- full unicode support (probably some russian or chinese will like this :-) )
- written in C/C++
- plugin support
- works great with Windows 7

This tool was designed to be used with Windows 7 x64, so it is recommend to use this operating system.
But it may work with XP and Vista, too.

Source code is licensed under GNU GENERAL PUBLIC LICENSE v3.0


Known Bugs
----------

### Windows 7 x64

Sometimes the API kernel32.dll GetProcAddress cannot be resolved, because the IAT has an entry from apphelp.dll
Solution? I don't know

### Only Windows XP x64:

Windows XP x64 has some API bugs. 100% correct imports reconstruction is impossible.
If you still want to use XP x64, here are some hints:

* EncodePointer/DecodePointer exported by kernel32.dll have both the same VA.
Scylla, CHimpREC and other tools cannot know which API is correct. You need to fix this manually.
Your fixed dump will probably run fine on XP but crash on Vista/7.

### ImpREC plugin support:

Some ImpREC Plugins don't work with Windows Vista/7 because they don't "return 1" in the DllMain function.


Keyboard Shortcuts
------------------

- CTRL + D: [D]ump
- CTRL + F: [F]ix Dump
- CTRL + R: PE [R]ebuild
- CTRL + O: L[o]ad Tree
- CTRL + S: [S]ave Tree
- CTRL + T: Auto[t]race
- CTRL + G: [G]et Imports
- CTRL + I: [I]AT Autosearch


Changelog
---------

Version 0.9.6b

- fixed math problem with special sections
- fixed windows 8 bug
- fixed data export bug
- improved iat search
- fixed bug in api resolve engine
- new option: parse APIs always from disk -> slower, useful against pe header modifications

Version 0.9.5

- Fixed virtual device bug caused by QueryDosDeviceW bug
- improved process lister
- improved module lister
- improved dump name
- improved IAT parser

Version 0.9.4 Final

- direct import scanner (LEA, MOV, PUSH, CALL, JMP) + fixer with 2 fix methods
- create new iat in section
- fixed various bugs

Version 0.9.3

- new dll function: iat search
- new dll function: iat fix auto

Version 0.9.2

- Pick DLL -> Set DLL Entrypoint
- Advanced IAT Search Algorithm (Enable/Disable it in Options), thanks to ahmadmansoor
- Fixed bug in Options
- Added donate information, please feel free to donate some BTC to support this project

Version 0.9.1

- Fixed virtual device bug
- Fixed 2 minor bugs

Version 0.9

- updated to distorm v3.3
- added application exception handler
- fixed bug in dump engine
- improved "suspend process" feature, messagebox on exit

Version 0.8

- added OriginalFirstThunk support. Thanks to p0c
- fixed malformed dos header bug
- NtCreateThreadEx added infos from waliedassar, thanks!

Version 0.7 Beta

- fixed bug Overlapped Headers: http://forum.tuts4you.com/topic/30213-scylla-overlapped-headers/
- fixed bug SizeOfOptionalHeader: http://forum.tuts4you.com/topic/30060-bug-when-fixing-dump/
- added feature: suspend process for dumping, more information: http://waleedassar.blogspot.com/2012/09/anti-dumping-part-3.html

Version 0.7 Beta

- improved disassembler
- fixed various bugs

Version 0.6b

- internal code changes
- added option: fix iat and oep

Version 0.6a

- fixed buffer to small bug in dump memory

Version 0.6

- added dump memory regions
- added dump pe sections -> you can edit some values in the dialog
- improved dump engine with intelligent dumping
- improved pe rebuild engine -> removed yoda's code
- fixed various bugs

Version 0.5a:

- fixed memory leak
- improved IAT search

Version 0.5:

- added save/load import tree feature
- multi-select in tree view
- fixed black icons problem in tree view
- added keyboard shortcuts
- dll dump + dll dump fix now working
- added support for scattered IATs
- pre select target path in open file dialogs
- improved import resolving engine with api scoring
- api selection dialog
- minor bug fixes and improvements

Version 0.4:

- GUI code improvements
- bug fixes
- imports by ordinal

Version 0.3a:

- Improved import resolving
- fixed buffer overflow errors

Version 0.3:

- ImpREC plugin support
- minor bug fix

Version 0.2a:

- improved disassembler dialog
- improved iat search

Version 0.2:

- improved process detection
- added some options
- new options dialog
- improved source code
Also listed in: Dump Fixers, IAT Restore Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Virtual Section Dumper
Rating: 0.0 (0 votes)
Author: +NCR/CRC! [ReVeRsEr]                        
Website: http://code.google.com/p/virtualsectiondumper
Current version: v1.0 x64 & v1.1 x86
Last updated: February 21, 2012
Direct D/L link: http://code.google.com/p/virtualsectiondumper/downloads/list
License type: GPL v3
Description: VSD (Virtual Section Dumper) is intented to be a tool to visualize and dump the memory regions of a running 32 bits or a 64 bits process in many ways. For example, you can dump the entire process and fix the PE Header, dump a given range of memory or even list and dump every virtual section present in the process.
Also listed in: Memory Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.





Views
Category Navigation Tree
   Code Coverage Tools  (13)
   Code Ripping Tools  (2)
   Helper Tools  (3)
   Hex Editors  (13)
   Memory Patchers  (7)
   Packers  (19)
   Profiler Tools  (11)
   String Finders  (10)
   Tool Hiding Tools  (7)
   Tracers  (20)
   Dump Fixers  (5)
   IAT Restore Tools  (6)
   .NET MSIL Dumpers  (2)
   Process Dumpers  (12)
   OEP Finders  (6)
   Needs New Category  (3)