
Thread: ARTeam: IDA plugin to analyze dumped memory regions inside IDA

  1. #1
    Shub-nigurrath (Super Moderator, joined May 2004, Obscure Kadath)

    ARTeam: IDA plugin to analyze dumped memory regions inside IDA

    Hi all,
    this is another interesting release from deroko/ARTeam.

    A set made of two programs (an IDA plugin and a dumper) useful to analyze dumped memory regions inside IDA. Useful for malware or VMs, to analyze dynamically allocated memory code sections (full sources included).

    dump_all/load_all set of tools by deroko ARTeam

    dump_all.exe is a program which will dump all regions of a certain executable into a specified folder. All dumps are stored as r00000000.dmp where 00000000 is the virtual address of a particular memory region. Advice is to always create a new folder for these dumped regions, as load_all will load all of these regions into the IDA database. Just to keep everything organized, and to avoid loading of wrong files, which could occur under some circumstances.

    load_all.plw is an IDA plugin which will actually load all of these memory regions into the IDA database. The example plugin is compiled with the IDA 5.2 SDK, but you may compile it for other versions too. The plugin will prompt you for a file, so you are free to select any of these .dmp files, and the plugin will load all of them into the database. This could be useful when analyzing malware or some protection with many buffers, for better analysis of a VM, or import protection. This will avoid the need to dump regions manually. or CRCETL

    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
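As an added illustration of the workflow the readme above describes (this is not deroko's code and not part of the dump_all/load_all sources), the script below reproduces the r<8-hex-digit address>.dmp naming convention, turns a folder listing into an address-sorted region map, and flags regions whose address ranges overlap, which is the symptom you get when dumps from different runs end up in the same folder (the reason the readme advises a fresh folder per dump). The `load_into_ida` function shows the equivalent of what the plugin does, written against the IDAPython API (`ida_segment.add_segm_ex`, `ida_bytes.put_bytes`); the module names and the 32-bit segment setup are assumptions of this example and it only runs inside IDA, so the rest of the script deliberately does not depend on it.

```python
"""Added example: plan and load r<addr>.dmp memory-region dumps into IDA.

Not deroko's code. The dump naming convention (r%08X.dmp) comes from the
readme quoted in the post; everything else here is this example's own.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Naming convention from the readme: 'r' + 8 hex digits (virtual address) + '.dmp'
DUMP_NAME = re.compile(r"^r([0-9a-fA-F]{8})\.dmp$")


@dataclass
class Region:
    start: int   # virtual address the dump was taken from (from the filename)
    size: int    # size of the dump file in bytes
    path: str    # file the bytes come from

    @property
    def end(self) -> int:
        return self.start + self.size


def parse_dump_name(name: str) -> Optional[int]:
    """Return the virtual address encoded in a dump filename, or None if the
    name does not follow the r%08X.dmp convention (i.e. a 'wrong file')."""
    m = DUMP_NAME.match(name)
    return int(m.group(1), 16) if m else None


def plan_regions(files: Dict[str, int]) -> List[Region]:
    """Build an address-sorted region list from a {path: size} listing.
    Files that do not match the convention or are empty are skipped."""
    regions = []
    for path, size in files.items():
        addr = parse_dump_name(os.path.basename(path))
        if addr is None or size <= 0:
            continue
        regions.append(Region(addr, size, path))
    regions.sort(key=lambda r: r.start)
    return regions


def find_overlaps(regions: List[Region]) -> List[Tuple[str, str]]:
    """Pairs of adjacent (by address) dumps whose ranges overlap. Two dumps
    claiming the same virtual addresses means the folder mixes dump sets;
    loading both would silently overwrite bytes in the database."""
    overlaps = []
    for a, b in zip(regions, regions[1:]):
        if b.start < a.end:
            overlaps.append((a.path, b.path))
    return overlaps


def scan_dump_dir(dump_dir: str) -> List[Region]:
    """Directory-listing front end for plan_regions()."""
    files = {}
    for name in os.listdir(dump_dir):
        path = os.path.join(dump_dir, name)
        if os.path.isfile(path):
            files[path] = os.path.getsize(path)
    return plan_regions(files)


def load_into_ida(regions: List[Region]) -> int:
    """Create one segment per dump and copy its bytes in. Assumption: runs
    inside IDA with IDAPython (module names as in IDA 7+); the original
    plugin does the same job through the C++ SDK. Returns segments created."""
    import ida_bytes    # noqa: only importable inside IDA
    import ida_segment
    created = 0
    for r in regions:
        with open(r.path, "rb") as f:
            data = f.read()
        seg = ida_segment.segment_t()
        seg.start_ea = r.start
        seg.end_ea = r.end
        seg.bitness = 1  # assumption: 32-bit target, as for a .plw plugin
        if ida_segment.add_segm_ex(seg, "dmp_%08X" % r.start, "DATA",
                                   ida_segment.ADDSEG_OR_DIE):
            ida_bytes.put_bytes(r.start, data)
            created += 1
    return created


if __name__ == "__main__":
    import sys
    plan = scan_dump_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    for r in plan:
        print("%08X-%08X  %s" % (r.start, r.end, r.path))
    for a, b in find_overlaps(plan):
        print("WARNING: overlapping dumps: %s and %s" % (a, b))
```

Run it with the dump folder as its argument to review the region map before loading; inside IDA, call `load_into_ida(scan_dump_dir(folder))` from the IDAPython console, ideally only after `find_overlaps` returns an empty list.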

  2. #2
    Thanks Shub for sharing them here.


  3. #3
    nice stuff from deroko.. i wonder if he ever sleeps :P

  4. #4
    Hi Deroko / Shub-nigurrath,

    Excellent plugin, it has already helped me understand the IAT rebuilding process of Themida. Frankly, I had some confusion/doubts while understanding the rebuilding process of the IAT for Themida + which address to patch; I used your plugin to analyse it. It's helped me a lot! It rocks!

    Thanks for sharing your knowledge & excellent tools.

  5. #5
    @NeOXOeN: around 5 hours/day... kinda busy with exams

    @zenloren: you are welcome

  6. #6
    dELTA (Administrator, joined Oct 2000, Ring -1)
    Nice tool indeed, and thanks for adding it to CRCETL as usual.

    And I was actually asking myself the exact same question about deroko when seeing this too.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  7. #7
    only to pass this exam, and I'll have more free time for rce again
