Skip to content
/ memdump Public
forked from scizzydo/memdump

Windows x64 PE process memory dumper to disk

License

MIT license
0 stars 16 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

IgorYunusov/memdump

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
nmd
nmd
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
ExportDir.cpp
ExportDir.cpp
 
 
ExportDir.h
ExportDir.h
 
 
LICENSE.txt
LICENSE.txt
 
 
README.md
README.md
 
 
RemoteBuffer.hpp
RemoteBuffer.hpp
 
 
RemoteProcess.cpp
RemoteProcess.cpp
 
 
RemoteProcess.h
RemoteProcess.h
 
 
SelfInject.cpp
SelfInject.cpp
 
 
SelfInject.h
SelfInject.h
 
 
SmartHandle.hpp
SmartHandle.hpp
 
 
concolic.cpp
concolic.cpp
 
 
concolic.hpp
concolic.hpp
 
 
hooker.cpp
hooker.cpp
 
 
hooker.h
hooker.h
 
 
imports.cpp
imports.cpp
 
 
imports.h
imports.h
 
 
injected_main.cpp
injected_main.cpp
 
 
logging.cpp
logging.cpp
 
 
logging.hpp
logging.hpp
 
 
main.cpp
main.cpp
 
 
memdump.sln
memdump.sln
 
 
memdump.vcxproj
memdump.vcxproj
 
 
memdump.vcxproj.filters
memdump.vcxproj.filters
 
 
misc.cpp
misc.cpp
 
 
misc.h
misc.h
 
 
module_functions.cpp
module_functions.cpp
 
 
module_functions.h
module_functions.h
 
 
ntdllhooks.cpp
ntdllhooks.cpp
 
 
ntdllhooks.h
ntdllhooks.h
 
 
shared_data.hpp
shared_data.hpp
 
 
tstream.h
tstream.h
 
 

Repository files navigation

memdump

memdump is a tool for taking a Windows x64 PE file and launching it, and writing back to disk. The purpose being some files on disk differ from the final result when loaded in memory.

The idea behind this tool is based off of namreeb's dumpwow. Although that tool already exists, it had a few problems with it (I appologize for not just doing a PR to it, but wanted to learn more also).

Key features that differ:

  • No third party libraries needed in any bit, outside just normal Windows libraries
  • Fast dumping to disk
  • No need for DLL and exe. Just 1 file to handle it all
  • Addresses issues to TLS callbacks when loading binary into IDA
  • Addresses issues with binary analysis not seeing all data due to headers not being fully updated
  • Addresses issues with binaires that require SizeOfHeaders to be updated as the new section will extend past the original
  • Provides minor tweaks that weren't provided from hadesmem pelib section

Credits:

About

Windows x64 PE process memory dumper to disk

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C++ 51.3%
  • C 48.7%