
WDExtract - Extract Windows Defender database from vdm files and unpack it

Posted: Fri Apr 19, 2019 5:37 pm
by EP_X0FF
As a continuation of this thread: viewtopic.php?f=13&t=5496.

Features

+ Unpack VDM containers of Windows Defender/Microsoft Security Essentials;
+ Decrypt VDM container embedded in Malicious Software Removal Tool (MRT.exe);
+ Extract all PE images from unpacked/decrypted containers on the fly (-e switch):
+ dump VDLLs (Virtual DLLs);
+ dump VFS (Virtual File System) contents;
+ dump signatures auxiliary images;
+ code can be adapted to dump type specific chunks of database (not implemented);
+ Faster than any script.

https://github.com/hfiref0x/WDExtract

As-is, no warranties. Feel free to contribute.
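The "-e" feature above carves PE images out of an already unpacked container. The following is an added example of that carving step, not WDExtract's own code: it walks a buffer for "MZ" stubs, follows e_lfanew with a bounds check, and reports only those whose "PE\0\0" signature lands inside the buffer. The container contents are a constructed sample; the 0x80 e_lfanew value and image layout are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t offset;        /* where the "MZ" stub starts in the buffer */
    uint32_t pe_header;   /* absolute offset of its "PE\0\0" signature */
} pe_hit_t;

/* Scan buf for embedded PE images: an "MZ" stub whose e_lfanew (DOS header
 * offset 0x3C, little-endian) points inside the buffer at "PE\0\0".
 * Returns the number of hits stored (at most max_hits). */
size_t carve_pe(const unsigned char *buf, size_t len, pe_hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; n < max_hits && i + 0x40 <= len; i++) {
        if (buf[i] != 'M' || buf[i + 1] != 'Z') continue;
        uint32_t e_lfanew = (uint32_t)buf[i + 0x3C] | ((uint32_t)buf[i + 0x3D] << 8) |
                            ((uint32_t)buf[i + 0x3E] << 16) | ((uint32_t)buf[i + 0x3F] << 24);
        /* Reject before dereferencing: a corrupt or hostile container can carry
         * an e_lfanew that points outside the data. */
        if (e_lfanew < 0x40 || e_lfanew > len - i - 4) continue;
        if (memcmp(buf + i + e_lfanew, "PE\0\0", 4) != 0) continue;
        hits[n].offset = i;
        hits[n].pe_header = (uint32_t)(i + e_lfanew);
        n++;
    }
    return n;
}

/* Constructed sample "container": two minimal PE stubs at 0x10 and 0x200
 * (e_lfanew = 0x80) plus one decoy "MZ" at 0x150 whose e_lfanew is out of
 * range and must be rejected. Returns the number of bytes written. */
size_t build_sample(unsigned char *out, size_t cap)
{
    const size_t starts[2] = { 0x10, 0x200 }, total = 0x300;
    if (cap < total) return 0;
    memset(out, 0xCC, total);                     /* filler, never "MZ" */
    for (int k = 0; k < 2; k++) {
        unsigned char *p = out + starts[k];
        p[0] = 'M'; p[1] = 'Z';
        p[0x3C] = 0x80; p[0x3D] = 0; p[0x3E] = 0; p[0x3F] = 0;
        memcpy(p + 0x80, "PE\0\0", 4);
    }
    out[0x150] = 'M'; out[0x151] = 'Z';
    out[0x15C] = 0xF0; out[0x15D] = 0xFF; out[0x15E] = 0xFF; out[0x15F] = 0xFF;
    return total;
}
```

A real extractor would then parse the optional header and section table to size each image before writing it out; this block only locates and validates the headers.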

Re: WDExtract - Extract Windows Defender database from vdm files and unpack it

Posted: Wed Apr 24, 2019 6:03 am
by EP_X0FF
Small update.

Added ability to extract GAPA (Generic Application Level Protocol Analyzer) modules from NIS (Network Inspection System) VDM containers.