Summary
I have published a new tool for dumping PE files in the target memory on Windows🎉
The tool name is pedumper
. Here is a link for the tool.
https://github.com/owlinux1000/pedumper
Installation
You can easily install pedumper
by pip
.
pip install pedumper
How to use
pedumper
is a very simple interface as follows. You have to pass an argument which is a PID of the target process.
If the tool can find a valid PE file, the file is saved on the disk. The filename is used by the memory address.
How to create pedumper
?
When I create this tool, I have to learn two things.
1. ctypes
ctypes
is a standard library of python. To use this library, we can execute Win32 API on Python like this.
def read_process_memory(hProcess: int, offset: int, size: ctypes.c_size_t) -> bytes:
buf = ctypes.create_string_buffer(size)
ctypes.windll.kernel32.ReadProcessMemory(
ctypes.cast(hProcess, ctypes.c_void_p),
ctypes.cast(offset, ctypes.c_void_p),
ctypes.cast(buf, ctypes.c_wchar_p),
size,
None,
)
2. Memory Basic Information of Windows
On Windows, a memory of the process is defined by MEMORY_BASIC_INFORMAION
structure. Here is a definition from Microsoft Official document. I have learned some fileds of the structure through implementing pedumper
.
typedef struct _MEMORY_BASIC_INFORMATION {
PVOID BaseAddress;
PVOID AllocationBase;
DWORD AllocationProtect;
WORD PartitionId;
SIZE_T RegionSize;
DWORD State;
DWORD Protect;
DWORD Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
Conclusion
I introduced pedumper
created by myself. If you are interested in the tool, please use it and tell me feedback😄
Top comments (0)