hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

[Question] How can I dump a specific module(dll) of an running process? #111

Closed JerryYOJ closed 1 year ago

JerryYOJ commented 1 year ago

I didn't find an argument for that.

hasherezade commented 1 year ago

Hi @JerryYOJ ! Currently it dumps only the modules that were detected as suspicious, based on certain criteria. Do I understand you correctly that you want to force dumping an arbitrary DLL, even if it wasn't detected? This is not supported at the moment, but I can add it in the next release.
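For reference, this is what the requested operation amounts to when done by hand. The following is an added example, not pe-sieve's own code and not a feature the project ships: a PowerShell function that reads the in-memory image of one named module out of a live process and writes it to a file. The function name `Dump-ProcessModule`, the P/Invoke wrapper type `Win32.Native` and the output file naming are my own choices; it assumes a 64-bit PowerShell when the target is 64-bit, and a caller that can open the target with `PROCESS_QUERY_INFORMATION | PROCESS_VM_READ` (protected processes will refuse).

```powershell
# Added example (not pe-sieve code): dump the mapped image of one module from a
# running process. The result is a raw virtual-layout dump: sections sit at
# their in-memory offsets, not their file offsets, so it will not reload as-is.
# Realigning it to file layout, as pe-sieve does for the modules it dumps, is a
# separate step this example does not perform.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProc, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Dump-ProcessModule {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][string]$ModuleName,   # e.g. "user32.dll"
        [string]$OutDir = "."
    )
    $PROCESS_QUERY_INFORMATION = 0x0400
    $PROCESS_VM_READ           = 0x0010

    # Get-Process already exposes the loaded-module list (base address and
    # size come from PSAPI), so we don't need to call EnumProcessModules here.
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $mod  = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
    if (-not $mod) { throw "Module '$ModuleName' is not loaded in PID $ProcessId" }

    $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess failed: $((New-Object ComponentModel.Win32Exception($err)).Message)"
    }
    try {
        $size       = $mod.ModuleMemorySize
        $buf        = New-Object byte[] $size
        $read       = [IntPtr]::Zero
        $page       = 0x1000
        $offset     = 0
        $unreadable = 0
        # Read one page at a time: a single PAGE_NOACCESS or guard page must
        # not abort the whole dump. Unreadable pages stay zero-filled.
        while ($offset -lt $size) {
            $chunk = [Math]::Min($page, $size - $offset)
            $tmp   = New-Object byte[] $chunk
            $addr  = [IntPtr]::Add($mod.BaseAddress, $offset)
            if ([Win32.Native]::ReadProcessMemory($h, $addr, $tmp, [IntPtr]$chunk, [ref]$read)) {
                [Array]::Copy($tmp, 0, $buf, $offset, $read.ToInt32())
            } else {
                $unreadable++
            }
            $offset += $chunk
        }
        # Sanity check: a mapped PE image starts with "MZ". A missing header
        # means the region was wiped or overwritten, which is itself a finding.
        if ($buf[0] -ne 0x4D -or $buf[1] -ne 0x5A) {
            Write-Warning "Dumped region does not start with an MZ header"
        }
        $out = Join-Path $OutDir ("{0}_{1:X}.{2}.dmp" -f $ModuleName, $mod.BaseAddress.ToInt64(), $ProcessId)
        [IO.File]::WriteAllBytes($out, $buf)
        [PSCustomObject]@{
            Module          = $ModuleName
            Base            = ('0x{0:X}' -f $mod.BaseAddress.ToInt64())
            Size            = $size
            UnreadablePages = $unreadable
            File            = $out
        }
    } finally {
        [void][Win32.Native]::CloseHandle($h)
    }
}

# Usage (run elevated for processes you don't own):
#   Dump-ProcessModule -ProcessId 1234 -ModuleName kernel32.dll -OutDir C:\dumps
```

The per-page read loop is the part worth copying: dumping tools that issue one large `ReadProcessMemory` over the whole module fail outright on the first unreadable page, which is exactly where tampered or protected code tends to live. Comparing the returned `UnreadablePages` count and the MZ check against a clean copy of the same DLL is a cheap first triage before handing the dump to a PE parser.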

JerryYOJ commented 1 year ago

Ok thanks. Good to know

hasherezade commented 1 year ago

@JerryYOJ - do you confirm that this is exactly the feature you were looking for? Are you interested in having the force-dumping of undetected modules?

JerryYOJ commented 1 year ago

Yes exactly

hasherezade commented 1 year ago

ok, cool