NativeDumper

[CodeCracker]

NativeDumper:
Native module dumper, just select a process
do right mouse click and choose "Dump main module"
or "Modules" to enumerate modules, select target module,
do right mouse click an choose "Dump".

Advantage over other dumpers:
- Small dump file size ( with default dumping options
more exactly with "Fix Raw" option unchecked (off).

NativeDumper .zip (binary)
and
NativeDumper(Src).zip (source code Visual C++) attached.

[FoxB]

also we can use

------------------------------
Process Dump v1.4
Copyright й 2015, Geoff McDonald
http://www.split-code.com/

Process Dump (pd.exe) is a tool used to dump both 32 and 64 bit executable modules back to disk from memory within a process address space. This tool is able to find and dump hidden modules, and it uses a clean hash database to exclude dumping of known clean files. This tool uses an aggressive import reconstruction approach that links all DWORD/QWORDs that point to an export in the process to the corresponding export function.
------------------------------

[TechLord]

Quote:

Originally Posted by FoxB

also we can use

------------------------------
Process Dump v1.4
Copyright й 2015, Geoff McDonald
http://www.split-code.com/

...

Now actually v1.5 is available...

Direct download link of compiled v1.5 :

http://split-code.com/files/pd_latest.zip

[CodeCracker]

New options:
"Round raw size" - Not actually necessary, will round raw size of sections to FileAlignment
"Current EIP" to change the EntryPoint - you should stop at old entry point with Olly or other debugger,

"Sections info from" Memory or File.

Raw options:
"Original raw" - don't make any change to raws (raw address and raw size) of sections, note that this will fail for 99% of packers/protectors
Good for application virtualizators like Spoon Studio to get original untoched module from memory.
"RAW=VA" - set RAW address = Virtual Address and RAW Size = Virtual size of section, using this option you will have working dumps but a bit larger dumps.
"Calculate raw" - preferable option, will try to recalculate raw addresses and raw sizes.

[serseri_1453]

Quote:

Originally Posted by CodeCracker

New options:
"Round raw size" - Not actually necessary, will round raw size of sections to FileAlignment
"Current EIP" to change the EntryPoint - you should stop at old entry point with Olly or other debugger,

"Sections info from" Memory or File.

Raw options:
"Original raw" - don't make any change to raws (raw address and raw size) of sections, note that this will fail for 99% of packers/protectors
Good for application virtualizators like Spoon Studio to get original untoched module from memory.
"RAW=VA" - set RAW address = Virtual Address and RAW Size = Virtual size of section, using this option you will have working dumps but a bit larger dumps.
"Calculate raw" - preferable option, will try to recalculate raw addresses and raw sizes.

alternativ download link please

[Mahmoudnia]

Quote:

Originally Posted by serseri_1453

alternativ download link please

Code:

http://rgho.st/82XKmrkQK

[CodeCracker]

NativeDumper64+source code Visual Studio Community 2017 attached.

[CodeCracker]

NativeDumper_v2_x86:
What's new: - Fixed "Current EIP".

I've noticed that "Section info from" -> File doesn't works for some files on both 32 bits and 64 bits;
I will try to fix it latter.
It is true however that for packer you should select section from memory.

[CodeCracker]

Here we go again, a fix for crush of "Current EIP"in Windows XP.
Now should work fine. It will be great if someone will do some test.
Release for both 32 and 64 bits.

[CodeCracker]

NativeDumper_v3_x86:
- When "Current EIP" is pressed now detect Olly and substract -1 from eip;
it will be really great if someone will test with different versions of Olly.

[CodeCracker]

NativeDumper_v4_x86:
- When "Current EIP" now detect Olly and substract -1 from eip only if we are original entry point