Wed. Nov 20th, 2019

Process Dump v1.5 released; a Windows tool for dumping malware PE files from memory


Process Dump is a Windows reverse-engineering command-line tool for dumping the memory components of malware back to disk for analysis. This is a common task for malware researchers who need to write unpacked or injected code back to disk so it can be examined with static analysis tools such as IDA.

A Windows tool for dumping malware PE files from memory back to disk for analysis

Process Dump works on 32- and 64-bit operating systems, uses an aggressive import reconstruction approach, and can dump regions that have no PE header; in that case a PE header and an import table are generated automatically. Process Dump also supports creating and using a clean-hash database, so that dumping of known-clean files such as kernel32.dll can be skipped.

Usage examples:

Dump all modules from all processes (ignoring known clean modules):

pd64.exe -system

Dump all modules from a specific process identifier:

pd64.exe -pid 0x18A

Dump all modules by process name:

pd64.exe -p .chrome.

Build clean-hash database. These hashes will be used to exclude modules from dumping with the above commands:

pd64.exe -db gen

Dump code from a specific address in PID 0x1a3:

pd64.exe -pid 0x1a3 -a 0xffb4000

This generates two files (32 and 64 bit), each with a generated PE header and a generated import table, that can be loaded into IDA for analysis:

notepad_exe_x64_hidden_FFB40000.exe
notepad_exe_x86_hidden_FFB40000.exe
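The two output files above follow a naming convention (process name, x86/x64 tag, region kind, and the hex address of the dumped region) and are given generated PE headers. A quick sanity check before loading such a dump into IDA is to confirm that the machine type in the generated header agrees with the x86/x64 tag in the file name. The following is an added example, not code from the Process Dump project; the name pattern is an assumption drawn from the two file names shown on this page, and the sample header bytes are constructed inline.

```python
import re
import struct

# Assumed naming convention, generalised from the two names on this page:
# <process>_<x86|x64>_<kind>_<hex base>.exe
NAME_RE = re.compile(
    r"^(?P<proc>.+)_(?P<arch>x86|x64)_(?P<kind>[a-z]+)_(?P<addr>[0-9A-Fa-f]+)\.(exe|dll)$"
)

# COFF header machine values (from the PE specification).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
ARCH_TO_MACHINE = {"x86": IMAGE_FILE_MACHINE_I386, "x64": IMAGE_FILE_MACHINE_AMD64}


def parse_dump_name(name):
    """Split a dump file name into its parts, or return None if it does not match."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return {"process": m.group("proc"), "arch": m.group("arch"),
            "kind": m.group("kind"), "base": int(m.group("addr"), 16)}


def pe_machine(data):
    """Return the IMAGE_FILE_MACHINE value from a PE image, or None if the headers are malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def check_dump(name, data):
    """True when the name follows the convention and the header's machine type matches its x86/x64 tag."""
    info = parse_dump_name(name)
    if info is None:
        return False
    return pe_machine(data) == ARCH_TO_MACHINE[info["arch"]]


def make_stub_pe(machine):
    """Constructed minimal image: DOS header with e_lfanew=0x40, then the PE signature and COFF machine field."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return dos + coff
```

In practice `data` would be the bytes read from the dumped file; `make_stub_pe` only exists so the check can be exercised offline.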

Download the executable for Windows 32 and 64 bit: pd_latest (100.32 KB),
or build it yourself with Visual Studio.
Source: https://github.com/glmcdona
