Process Memory Dumper

I got tired of malware moving all around process memory, modifying system DLLs and so on. So, I decided to write a dumper that dumps the whole process memory to disk.

The dumper dumps the _whole_ process memory, including the stack and all. So, basically it writes every single allocated memory page onto disk into a single image. It’s a wee bit messy to dig out the relevant data, but at least it’s on disk waiting for later analysis :) If you want the dumper shoot me a mail at toni(_at_)teamfurry.com

[Update 21.6.2007]

The dumper has now been modified to save each allocated memory region into its own file. This makes it much easier to process the files with IDA.
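The per-region walk described above, as an added example (not the author's tool): it queries the target process region by region with VirtualQueryEx, reads every committed, readable region with ReadProcessMemory, and writes each region to a file named after its base address, so that every file can be loaded into IDA at the address it came from. The Win32 binding runs on Windows only; `SAMPLE_MAP` and `sample_backend` are a constructed memory map, not a real process, so the walk itself can be exercised anywhere.

```python
import ctypes
from pathlib import Path
PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
MEM_COMMIT, MEM_FREE, PAGE_NOACCESS, PAGE_GUARD = 0x1000, 0x10000, 0x01, 0x100

class MEMORY_BASIC_INFORMATION(ctypes.Structure):  # field order and types as in winnt.h
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32), ("Protect", ctypes.c_uint32), ("Type", ctypes.c_uint32)]

def dump_regions(query, read, out_dir):
    """query(addr) -> (base, size, state, protect) or None past the last region; read(base, size) -> bytes."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    dumped, addr = [], 0
    while (info := query(addr)) is not None:
        base, size, state, protect = info
        addr = base + size  # the next query starts right after this region
        if state != MEM_COMMIT or protect & (PAGE_NOACCESS | PAGE_GUARD):  # no data, or would fault
            continue
        data = read(base, size)
        if data:
            path = Path(out_dir, "%016x.bin" % base)  # one file per region, named by its base
            path.write_bytes(data)
            dumped.append((base, len(data), str(path)))  # (base, bytes written, file)
    return dumped

def win32_backend(pid):  # Windows only: binds query/read to a live process
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    h = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
    if not h: raise OSError("OpenProcess(%d) failed, error %d" % (pid, ctypes.get_last_error()))
    vp, sz = ctypes.c_void_p, ctypes.c_size_t
    k32.VirtualQueryEx.argtypes, k32.VirtualQueryEx.restype = [vp, vp, vp, sz], sz
    k32.ReadProcessMemory.argtypes = [vp, vp, vp, sz, ctypes.POINTER(sz)]
    def query(addr):
        mbi = MEMORY_BASIC_INFORMATION()
        ok = k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi))
        return (mbi.BaseAddress or 0, mbi.RegionSize, mbi.State, mbi.Protect) if ok else None
    def read(base, size):
        buf, got = ctypes.create_string_buffer(size), ctypes.c_size_t()
        ok = k32.ReadProcessMemory(h, base, buf, size, ctypes.byref(got))
        return buf.raw[:got.value] if ok else None
    return query, read

SAMPLE_MAP = [(0x00000, 0x10000, MEM_FREE, PAGE_NOACCESS),       # constructed map, not a real process
              (0x10000, 0x1000, MEM_COMMIT, 0x04),               # committed, PAGE_READWRITE
              (0x11000, 0x1000, MEM_COMMIT, PAGE_GUARD | 0x04),  # guard page: must be skipped
              (0x12000, 0x3000, MEM_COMMIT, 0x20)]               # committed, PAGE_EXECUTE_READ

def sample_backend(regions=SAMPLE_MAP):
    return (lambda addr: next((r for r in regions if r[0] <= addr < r[0] + r[1]), None),
            lambda base, size: bytes([(base >> 12) & 0xFF]) * size)  # deterministic filler bytes
```

On Windows, `dump_regions(*win32_backend(pid), "out")` dumps a live process that the current account is allowed to open.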
