Process dumping tool

jtl
Posts: 2
Joined: Sun May 10, 2015 12:22 am
Location: BC, Canada

Re: Process dumping tool

Post by jtl » Sun May 10, 2015 9:58 pm

Great :)

comak
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am

Re: Process dumping tool

Post by comak » Mon May 18, 2015 5:35 pm

This looks nice, any plans to release sources?

_glmcdona
Posts: 9
Joined: Wed Apr 03, 2013 4:59 am

Re: Process dumping tool

Post by _glmcdona » Sun Nov 22, 2015 12:04 am

comak wrote: This looks nice, any plans to release sources?
Just published the code today under MIT license on GitHub here:
https://github.com/glmcdona/Process-Dump

I also released Process Dump v1.5 today with a few bug fixes:
http://split-code.com/files/pd_latest.zip

This version fixes a few bugs:
- Fixed bug where very large memory regions in Windows 64 bit would cause Process Dump to hang.
- Fixed bug where some modules at high addresses would not be found under 64-bit Windows.
- More debug information is now output in Verbose mode.

_glmcdona
Posts: 9
Joined: Wed Apr 03, 2013 4:59 am

Re: Process dumping tool

Post by _glmcdona » Mon Feb 13, 2017 6:33 am

Released Process Dump v2.1 today. Version 2 comes with a few big upgrades:
  • Added a new running mode "pd.exe -closemon", where it runs in a monitoring mode that hooks all process closes - dumping any process just before it closes. This is really useful for a lot of malware which closes pretty quickly after running and great for malware sandboxes. Press "CTRL-C" to tell it to stop monitoring and close.
  • Process Dump now searches for loose executable regions. Any region with execute privilege is inspected, and if it refers to two or more imports within that process then Process Dump will build a PE header with reconstructed imports and dump it for analysis. The clean hash database supports these loose codechunks, so you should only be seeing the malicious ones dumped. Codechunks are dumped with a naming convention like: notepad_exe_PID2c54_codechunk_17BD0000_x64.dll
  • Process Dump is now multi-threaded (split to a thread per process). So if you are inspecting all processes to dump all malware regions (pd.exe -system), then it runs a lot faster now.
  • Various new command-line flags to control dump output location, clean hash database path, etc.
  • Various bug fixes.
Check out the full list of changes here:
https://github.com/glmcdona/Process-Dump

And here is the latest released binary already compiled:
http://split-code.com/processdump.html
http://split-code.com/files/pd_latest.zip

And the latest version now needs Visual C++ Redistributable 2015:
https://www.microsoft.com/en-ca/downloa ... x?id=48145
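The "loose executable region" heuristic in the v2 post (any executable region that refers to two or more imports gets a rebuilt import table and is dumped) is worth seeing as code. The block below is an added example, not Process Dump's own code, and it models the idea in a deliberately simplified way: an x64 process, where a "reference to an import" is an absolute 64-bit pointer to an exported function of a loaded module found anywhere in the region's bytes (for instance the immediate of a `mov rax, imm64`). The export table, region contents and addresses are constructed for the example, and the dump-file naming pattern is inferred from the single name the post gives (notepad_exe_PID2c54_codechunk_17BD0000_x64.dll), so treat that pattern as an assumption.

```python
"""Added example (not Process Dump's own code): a minimal model of the
"loose executable region" heuristic. Assumptions: x64; an import reference
is an absolute 64-bit pointer to a known export; a region qualifies when it
is executable and references two or more distinct exports. The dump name
pattern is inferred from the one example in the post."""
import struct
from dataclasses import dataclass


@dataclass
class Region:
    base: int
    executable: bool
    data: bytes

    @property
    def size(self) -> int:
        return len(self.data)


# Constructed export table: address -> (module, symbol). Addresses are made up.
EXPORTS = {
    0x00007FFA1A001000: ("kernel32.dll", "CreateFileW"),
    0x00007FFA1A002000: ("kernel32.dll", "WriteFile"),
    0x00007FFA1B010000: ("ws2_32.dll", "connect"),
}


def find_import_refs(region: Region, exports: dict) -> dict:
    """Map region offset -> (module, symbol) for every 8-byte little-endian
    value in the region equal to a known export address. The scan is
    byte-granular because pointers embedded in instructions are not aligned."""
    refs = {}
    for off in range(0, region.size - 7):
        (val,) = struct.unpack_from("<Q", region.data, off)
        if val in exports:
            refs[off] = exports[val]
    return refs


def reconstruct_imports(refs: dict) -> dict:
    """Group referenced exports by module, the shape an import table needs."""
    table = {}
    for module, symbol in refs.values():
        table.setdefault(module, set()).add(symbol)
    return {m: sorted(s) for m, s in sorted(table.items())}


def chunk_dump_name(process_name: str, pid: int, base: int, arch: str = "x64") -> str:
    """File name for a dumped chunk, following the post's example (assumed pattern)."""
    return f"{process_name.replace('.', '_')}_PID{pid:x}_codechunk_{base:08X}_{arch}.dll"


def scan_process(process_name: str, pid: int, regions: list, exports: dict,
                 min_imports: int = 2) -> list:
    """One record per executable region referring to >= min_imports distinct
    exports: the dump name and the rebuilt import table."""
    found = []
    for region in regions:
        if not region.executable:
            continue  # data pages full of pointers are not code chunks
        refs = find_import_refs(region, exports)
        distinct = {entry for entry in refs.values()}
        if len(distinct) >= min_imports:
            found.append({
                "name": chunk_dump_name(process_name, pid, region.base),
                "imports": reconstruct_imports(refs),
            })
    return found


# --- constructed sample memory layout --------------------------------------
def mov_rax_imm64(addr: int) -> bytes:
    return b"\x48\xB8" + struct.pack("<Q", addr)  # mov rax, imm64


CALL_RAX = b"\xFF\xD0"
RET = b"\xC3"

SAMPLE_REGIONS = [
    # Unbacked RWX chunk calling CreateFileW and connect via absolute pointers.
    Region(0x17BD0000, True,
           mov_rax_imm64(0x00007FFA1A001000) + CALL_RAX +
           mov_rax_imm64(0x00007FFA1B010000) + CALL_RAX + RET),
    # Executable but only one import referenced: below the threshold.
    Region(0x17BE0000, True, mov_rax_imm64(0x00007FFA1A002000) + CALL_RAX + RET),
    # Read-only data page holding two export pointers: not executable, skipped.
    Region(0x17BF0000, False, struct.pack("<QQ", 0x00007FFA1A001000, 0x00007FFA1A002000)),
]


def demo() -> list:
    return scan_process("notepad.exe", 0x2C54, SAMPLE_REGIONS, EXPORTS)


if __name__ == "__main__":
    for hit in demo():
        print(hit["name"], hit["imports"])
```

Two practical caveats follow from the model. A byte-granular pointer scan over arbitrary executable memory will occasionally hit an export address by chance, which is one reason the post pairs the heuristic with a threshold of two or more imports and with the clean hash database; and legitimate JIT or hook trampolines are executable regions that reference several imports, so expect some benign chunks in the output and whitelist them by hash rather than turning the threshold up.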
