Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis. Often malware files are packed and obfuscated before they are executed in order to avoid AV scanners, however when these files are executed they will often unpack or inject a clean version of the malware code in memory. A common task for malware researchers when analyzing malware is to dump this unpacked code back from memory to disk for scanning with AV products or for analysis with static analysis tools such as IDA.
Process Dump works for Windows 32 and 64 bit operating systems and can dump memory components from specific processes or from all processes currently running. Process Dump supports creation and use of a clean-hash database, so that dumping of all the clean files such as kernel32.dll can be skipped. It's main features include:
I'm maintaining an official compiled release on my website here: https://split-code.com/processdump.html
You can download the latest compiled release of Process Dump here:
This is designed for Visual Studio 2019 and works with the free Community edition. Just open the project file with VS2019 and compile, it should be that easy!
Process dump can be used to dump all unknown code from memory ('-system' flag), dump specific processes, or run in a monitoring mode that dumps all processes just before they terminate.
Before first usage of this tool, when on the clean workstation the clean excluding hash database can be generated by either:
Example Usage:
The command-line arguments can be grouped as follows:
General Dumping Options
Option | Description |
---|---|
-system | Dumps all modules not matching the clean hash database from all accessible processes into the working directory. |
-pid \<pid> | Dumps all modules not matching the clean hash database from the specified PID into the current working directory. Use a '0x' prefix to specify a hex PID. |
-closemon | Runs in monitor mode. When any processes are terminating, process dump will first dump the process. |
-p \<regex process name> | Dumps all modules not matching the clean hash database from the process name found to match the filter into specified PID into the current working directory. |
-a \<module base address> | Dumps a module at the specified base address from the process. |
-o \<path> | Sets the default output root folder for dumped components. |
Clean Hash Database Options
Option | Description |
---|---|
-db gen | Automatically processes a few common folders as well as all the currently running processes and adds the found module hashes to the clean hash database. It will add all files recursively in: %WINDIR% , %HOMEPATH% , C:\Program Files\ , C:\Program Files (x86)\ , as well as all modules in all running processes. These clean hashes will be added to the file clean.hashes in the application directory. During future process dumping commands, these known modules will not be dumped. It is recommended to run this command one time on a clean system prior to using the tool that way not too many modules will be dumped from memory. |
-db genquick | Same as above, but only adds the hashes from all modules in all processes to the clean hash database. This is a much faster way to build the clean hash database, but it will be less complete. |
-db add \<dir> | Adds all the files in the specified directory recursively to the clean hash database. |
-db rem \<dir> | Removes all the files in the specified directory recursively from the clean hash database. |
-nr | Disable recursion on hash database directory add or remove commands. |
-db clean | Clears the clean hash database. |
-db ignore | Ignores the clean hash database when dumping a process this time. All modules will be dumped even if a match is found. |
-cdb \<filepath> | Full filepath to the clean hash database to use for this run if you'd like to override the default of clean.hashes . |
-edb \<filepath> | Full filepath to the entrypoint hash database to use for this run. |
-esdb \<filepath> | Full filepath to the entrypoint short hash database to use for this run. |
Output Options
Option | Description |
---|---|
-v | Verbose mode where more details will be printed for debugging. |
-nh | No header is printed in the output. |
Advanced Options
Option | Description |
---|---|
-g | Forces generation of PE headers from scratch, ignoring existing headers. |
-eprec | Force the entry point to be reconstructed, even if a valid one appears to exist. |
-ni | Disable import reconstruction. |
-nc | Disable dumping of loose code regions. |
-nt | Disable multithreading. |
-nep | Disable entry point hashing. |
-t \<thread count> | Sets the number of threads to use (default 16). |
Command | Description |
---|---|
pd64.exe -db genquick |
Quickly build clean module database based on currently running processes. Process Dump in later tasks will only dump unrecognized modules. |
pd64.exe -system |
Dump all modules and hidden chunks from all processes while ignoring clean modules. |
pd64.exe -closemon |
Run in terminate monitor mode. This will dump all processes when they attempt to terminate. |
pd64.exe -pid 0x18A |
Dump modules and hidden chunks from a specific process ID. |
pd64.exe -p .\*chrome.\* |
Dump modules and hidden chunks by process name. |
pd64.exe -db gen |
Build a clean-hash database of known modules. This is used to avoid dumping known good modules in later tasks. |
pd64.exe -pid 0x1a3 -a 0xffb4000 |
Dump code from a specific address in PID. This will generate two files for analysis, with reconstructed 32bit and 64bit PE headers: notepad_exe_x64_hidden_FFB40000.exe and notepad_exe_x86_hidden_FFB40000.exe . |
Sure, here's a more streamlined version of the information:
When using Process Dump in an automated sandbox or for manual anti-malware research, the following steps can be useful. Make sure to run all commands as an Administrator in a clean environment.
Build the Clean Hash Database: Run pd64.exe -db gen
or for a faster less complete process, use pd64.exe -db genquick
. Depending on your situation, you may want to snapshot your VM after creating this clean hash database that way it doesn't need to be repeated each time.
Start the Process Dump Terminate Monitor: Keep pd64.exe -closemon
running in the background. It will dump all intermediate processes used by the malware.
Execute the Malware File: Monitor the malware installation. pd64.exe
will automatically dump any process that tries to close.
Dump the Running Malware from Memory: When ready, use pd64.exe -system
to dump all processes.
The dumped components will be found in the working directory of pd64.exe
. To change the output path, use the -o
flag.
Example filenames of dumped files