From Collaborative RCE Tool Library

Jump to: navigation, search

Process Dump, pd.exe

Tool name: Process Dump, pd.exe
Rating: 0.0 (0 votes)
Author: Geoff McDonald                        
Current version: v1.4
Last updated: April 18, 2015
Direct D/L link:
License type: Freeware
Description: Process Dump is a 32 and 64 bit command-line tool for dumping malware code from memory back to disk.

* Dumps 32 and 64 bit modules back to disk
* Dumps code at a specific address back to disk with reconstructing a 32 and 64 bit PE header and building an import address table
* Reconstructs imports aggressively - linking any DWORD or QWORD in the image being dumped to the corresponding import
* Supports a clean library hashing approach, allowing for dumping of only unrecognized modules

The import reconstruction approach is aggressive and even reconstructs references to imports loaded by GetProcAddress:
1. Copies OriginalFirstThunk over FirstThunk array for each imported library. (original import reconstruction approach)
2. Looks at all modules loaded in the current process, and builds a list of the addresses of all exported functions.
3. Searches the region or module that is being dumped for any DWORD (x86) or QWORD (x64) matching an exported address in the process.
4. For each match, adds an imported library with FirstThunk pointing to the DWORD or QWORD to patch up, linking it to the exported function of the corresponding library.
5. The size of the last section is increased, and the extended original import table is placed here.

Dump code from a specific address, building a PE header and import table:
pd.exe -pid 0x1a7 -a 0x3e1000

Dump all modules from all processes (only unrecognized modules will be dumped):
pd.exe -system

Dump all modules from a specific process:
pd.exe -pid 0x18A

Dump all modules by process name:
pd.exe -p .*chrome.*

Build clean-hash database. These hashes will be used to exclude modules from dumping with the above commands:
pd.exe -db gen

Comes in .zip format and supports Windows x86 and x64:

Requires Microsoft Visual C++ 2008 Redistributable:
Related URLs: No related URLs have been submitted for this tool yet

Screenshot of Process Dump, pd.exe

RSS feed Feed containing all updates for this tool.

You are welcome to add your own useful notes about this tool, for others to see!

If you find that any information for the tool above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)

Category Navigation Tree
   Code Coverage Tools  (13)
   Code Ripping Tools  (2)
   Helper Tools  (3)
   Hex Editors  (13)
   Memory Patchers  (7)
   Packers  (20)
   Profiler Tools  (11)
   String Finders  (10)
   Tool Hiding Tools  (7)
   Tracers  (22)
   Dump Fixers  (5)
   IAT Restore Tools  (6)
   .NET MSIL Dumpers  (2)
   Process Dumpers  (12)
   OEP Finders  (6)
   Needs New Category  (3)