Process dumping tool

Forum for announcements and questions about tools and software.

Re: Process dumping tool

Postby jtl » Sun May 10, 2015 9:58 pm

Great :)
jtl
 
Posts: 2
Joined: Sun May 10, 2015 12:22 am
Location: BC, Canada
Reputation point: 0

Re: Process dumping tool

Postby comak » Mon May 18, 2015 5:35 pm

this looks nice, any plans to release sources?
comak
 
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am
Reputation point: 31

Re: Process dumping tool

Postby _glmcdona » Sun Nov 22, 2015 12:04 am

comak wrote: this looks nice, any plans to release sources?

Just published the code today under MIT license on GitHub here:
https://github.com/glmcdona/Process-Dump

I also released Process Dump v1.5 today with a few bug fixes:
http://split-code.com/files/pd_latest.zip

This version fixes a few bugs:
- Fixed bug where very large memory regions in Windows 64 bit would cause Process Dump to hang.
- Fixed bug where some modules at high addresses would not be found under 64-bit Windows.
- More debug information is now output in Verbose mode.
_glmcdona
 
Posts: 9
Joined: Wed Apr 03, 2013 4:59 am
Reputation point: 13

Re: Process dumping tool

Postby _glmcdona » Mon Feb 13, 2017 6:33 am

Released Process Dump v2.1 today. Version 2 comes with a few big upgrades:
  • Added a new running mode "pd.exe -closemon", where it runs in a monitoring mode that hooks all process closes - dumping any process just before it closes. This is really useful for a lot of malware which closes pretty quickly after running and great for malware sandboxes. Press "CTRL-C" to tell it to stop monitoring and close.
  • Process Dump now searches for loose executable regions. Any region with execute privilege is inspected, and if it refers to two or more imports within that process then Process Dump will build a PE header with reconstructed imports and dump it for analysis. The clean hash database supports these loose codechunks, so you should only be seeing the malicious ones dumped. Codechunks are dumped with a naming convention like: notepad_exe_PID2c54_codechunk_17BD0000_x64.dll
  • Process Dump is now multi-threaded (split to a thread per process). So if you are inspecting all processes to dump all malware regions (pd.exe -system), then it runs a lot faster now.
  • Various new command-line flags to control dump output location, clean hash database path, etc.
  • Various bug fixes.

Check out the full list of changes here:
https://github.com/glmcdona/Process-Dump

And here is the latest released binary already compiled:
http://split-code.com/processdump.html
http://split-code.com/files/pd_latest.zip

And the latest version now needs Visual C++ Redistributable 2015:
https://www.microsoft.com/en-ca/downloa ... x?id=48145
_glmcdona
 
Posts: 9
Joined: Wed Apr 03, 2013 4:59 am
Reputation point: 13
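A toy version of the loose-code heuristic described in the post above (an executable region that refers to two or more of the process's imports gets dumped under the quoted naming convention), as an added Python example that is not Process Dump's own code. The import addresses, memory regions, PID and process name are constructed, the scan for pointer-sized import addresses stands in for the tool's real reference search, and PE header reconstruction and the clean-hash filter are left out.

```python
import struct

POINTER_SIZE = 8  # x64 process, matching the "_x64" suffix in the naming convention
EXEC_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE"}

# Constructed sample data, not taken from a real process: the resolved import
# addresses of the target process and a few of its memory regions.
IMPORTS = {
    0x7FFD12340000: "kernel32.dll!CreateFileW",
    0x7FFD12340100: "kernel32.dll!WriteFile",
    0x7FFD12340200: "kernel32.dll!VirtualAlloc",
}

def fake_region(pointers, filler=32):
    """Build a region body: opaque filler bytes followed by absolute x64 pointers."""
    return b"\x90" * filler + b"".join(struct.pack("<Q", p) for p in pointers)

# (base address, page protection, contents)
REGIONS = [
    (0x17BD0000, "PAGE_EXECUTE_READWRITE", fake_region([0x7FFD12340000, 0x7FFD12340100])),  # loose code
    (0x17BE0000, "PAGE_EXECUTE_READ", fake_region([0x7FFD12340200])),  # only one import: below threshold
    (0x00500000, "PAGE_READWRITE", fake_region([0x7FFD12340000, 0x7FFD12340200])),  # data, not executable
]

def referenced_imports(data, imports):
    """Import addresses that appear as pointer-sized values anywhere in data (unaligned scan)."""
    found = set()
    for off in range(len(data) - POINTER_SIZE + 1):
        value = struct.unpack_from("<Q", data, off)[0]
        if value in imports:
            found.add(value)
    return found

def find_codechunks(regions, imports, min_imports=2):
    """Executable regions referencing at least min_imports distinct imports, with the import names found."""
    hits = []
    for base, protection, data in regions:
        if protection not in EXEC_PROTECTIONS:
            continue  # only regions with execute privilege are inspected
        refs = referenced_imports(data, imports)
        if len(refs) >= min_imports:
            hits.append((base, sorted(imports[addr] for addr in refs)))
    return hits

def codechunk_filename(process_name, pid, base):
    """Dump name following the convention quoted in the post, e.g. notepad_exe_PID2c54_codechunk_17BD0000_x64.dll."""
    return f"{process_name.replace('.', '_')}_PID{pid:x}_codechunk_{base:08X}_x64.dll"

if __name__ == "__main__":
    for base, names in find_codechunks(REGIONS, IMPORTS):
        print(codechunk_filename("notepad.exe", 0x2C54, base), names)
```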
