Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis. Often malware files are packed and obfuscated before they are executed in order to avoid AV scanners, however when these files are executed they will often unpack or inject a clean version of the malware code in memory. A common task for malware researchers when analyzing malware is to dump this unpacked code back from memory to disk for scanning with AV products or for analysis with static analysis tools such as IDA.
Process Dump works for Windows 32 and 64 bit operating systems and can dump memory components from specific processes or from all processes currently running. Process Dump supports creation and use of a clean-hash database, so that dumping of all the clean files such as kernel32.dll can be skipped. It’s main features include:
I’m maintaining an official compiled release on my website here: http://split-code.com/processdump.html
You can download the latest compiled release of Process Dump here:
This tool requires Microsoft Visual C++ Redistributable for Visual Studio 2015 to be installed to work:
Compiling Source Code
This is designed for Visual Studio 2019 and works with the free Community edition. Just open the project file with VS2019 and compile, it should be that easy!
Dump all modules and hidden code chunks from all processes on your system (ignoring known clean modules):
Run in terminate monitor mode. Until cancelled (CTRL-C), Process Dump will dump any process just before the termination:
Dump all modules and hidden code chunks from a specific process identifier:
Dump all modules and hidden code chunk by process name:
Build clean-hash database. These hashes will be used to exclude modules from dumping with the above commands:
Dump code from a specific address in PID 0x1a3:
If you are running an automated sandbox or manual anti-malware research environment, I recommend running the following process with Process Dump, run all commands as Administrator:
Notes on the naming convention of dumped modules
Example filenames of dumped files
Process Dump v2.1 Copyright ® 2017, Geoff McDonald http://www.split-code.com/
Process Dump (pd.exe) is a tool used to dump both 32 and 64 bit executable modules back to disk from memory within a process address space. This tool is able to find and dump hidden modules as well as loose executable code chunks, and it uses a clean hash database to exclude dumping of known clean files. This tool uses an aggressive import reconstruction approach that links all DWORD/QWORDs that point to an export in the process to the corresponding export function. Process dump can be used to dump all unknown code from memory (‘-system’ flag), dump specific processes, or run in a monitoring mode that dumps all processes just before they terminate.
Before first usage of this tool, when on the clean workstation the clean exclusing hash database can be generated by either:
Example Usage:
Options:
Dumps all modules not matching the clean hash databas from all accessible processes into the working directory.
Dumps all modules not matching the clean hash database from the specified pid into the current working directory. Use a ‘0x’ prefix to specify a hex PID.
Runs in monitor mode. When any processes are terminating process dump will first dump the process.
Dumps all modules not matching the clean hash database from the process name found to match the filter into specified pid into the current working directory.
Dumps a module at the specified base address from the process.
Forces generation of PE headers from scratch, ignoring existing headers.
Sets the default output root folder for dumped components.
Verbose.
No header is printed in the output.
Disable recursion on hash database directory add or remove commands.
Disable import reconstruction.
Disable dumping of loose code regions.
Disable multithreading.
Disable entry point hashing.
Force the entry point to be reconstructed, even if a valid one appears to exist.
Sets the number of threads to use (default 16).
Full filepath to the clean hash database to use for this run.
Full filepath to the entrypoint hash database to use for this run.
Full filepath to the entrypoint short hash database to use for this run.
Automatically processes a few common folders as well as all the currently running processes and adds the found module hashes to the clean hash database. It will add all files recursively in: %WINDIR% %HOMEPATH% C:\Program Files
C:\Program Files (x86)
As well as all modules in all running processes
Adds the hashes from all modules in all processes to the clean hash database. Run this on a clean system.
Adds all the files in the specified directory recursively to the clean hash database.
Removes all the files in the specified directory recursively from the clean hash database.
Clears the clean hash database.
Ignores the clean hash database when dumping a process this time. All modules will be dumped even if a match is found.
Version 2.1 (February 12th, 2017)
Version 2.0 (September 18th, 2016)
Version 1.5 (November 21st, 2015)
Version 1.4 (April 18th, 2015)
Version 1.3 (October 10th, 2013)
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…