Summary
I have published a new tool for dumping PE files from the memory of a target process on Windows🎉
The tool is called pedumper. Here is the link to the tool.
https://github.com/owlinux1000/pedumper
Installation
You can easily install pedumper with pip.
pip install pedumper
How to use
pedumper has a very simple interface, shown below. You pass a single argument: the PID of the target process.
If the tool finds a valid PE file, the file is saved to disk, with the memory address at which it was found used as the filename.
How I created pedumper
When I created this tool, I had to learn two things.
1. ctypes
ctypes is a standard library of Python. With it, we can call Win32 APIs from Python like this.
import ctypes
from ctypes import wintypes

def read_process_memory(hProcess: int, offset: int, size: int) -> bytes:
    # Read `size` bytes at `offset` in the target process via ReadProcessMemory
    buf = ctypes.create_string_buffer(size)
    bytes_read = ctypes.c_size_t(0)
    ok = ctypes.windll.kernel32.ReadProcessMemory(
        wintypes.HANDLE(hProcess),
        ctypes.c_void_p(offset),
        buf,                       # lpBuffer: pass the buffer itself, no cast needed
        ctypes.c_size_t(size),
        ctypes.byref(bytes_read),  # receives the number of bytes actually read
    )
    if not ok:
        raise ctypes.WinError()    # raise with the Win32 error code instead of failing silently
    return buf.raw[:bytes_read.value]
2. Memory Basic Information of Windows
On Windows, each region of a process's memory is described by the MEMORY_BASIC_INFORMATION structure (filled in by VirtualQueryEx). Here is the definition from the official Microsoft documentation. I learned the meaning of several of its fields while implementing pedumper.
typedef struct _MEMORY_BASIC_INFORMATION {
  PVOID  BaseAddress;
  PVOID  AllocationBase;
  DWORD  AllocationProtect;
  WORD   PartitionId;
  SIZE_T RegionSize;
  DWORD  State;
  DWORD  Protect;
  DWORD  Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
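As an added example (not pedumper's own code), here is the portable part of what the tool's loop does once VirtualQueryEx has filled in a MEMORY_BASIC_INFORMATION and ReadProcessMemory has returned a region's bytes: decide whether the region is safe to read, locate valid PE headers in the bytes, and name the dump after the address. The structure layout and the MEM_COMMIT / PAGE_NOACCESS / PAGE_GUARD values are the real Win32 ones; the sample region is constructed, and the dump filename format is assumed, since the post does not give it.

```python
import ctypes
import struct
from typing import List

# MEMORY_BASIC_INFORMATION as a ctypes.Structure, field order as in the Microsoft definition above
class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_uint32),
        ("PartitionId", ctypes.c_uint16),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_uint32),
        ("Protect", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
    ]

MEM_COMMIT, PAGE_NOACCESS, PAGE_GUARD = 0x1000, 0x01, 0x100

def region_is_readable(mbi: MEMORY_BASIC_INFORMATION) -> bool:
    """Only committed pages that are neither no-access nor guard pages can be read safely."""
    return mbi.State == MEM_COMMIT and not mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)

def find_pe_headers(data: bytes, base: int) -> List[int]:
    """Absolute addresses of valid PE images in a region's bytes: an 'MZ' DOS header
    whose e_lfanew (offset 0x3C) points inside the region at the 'PE\\0\\0' signature.
    The 0x1000 bound on e_lfanew is a sanity limit chosen here, not a format rule."""
    hits, off = [], data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
            pe = off + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(base + off)
        off = data.find(b"MZ", off + 1)
    return hits

def dump_filename(address: int) -> str:
    """Name the dump after the address it was found at (format assumed here)."""
    return f"{address:016x}.bin"

def constructed_region() -> bytes:
    """Constructed sample (not a real process): a stray 'MZ' with no PE signature
    at offset 0x10, then a minimal DOS header + PE signature at offset 0x2000."""
    region = bytearray(0x2000)
    region[0x10:0x12] = b"MZ"
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE signature at +0x80
    return bytes(region + dos + bytes(0x40) + b"PE\0\0" + bytes(0x100))
```

The stray "MZ" at 0x10 is rejected because its e_lfanew field reads as zero, which is why checking the PE signature (and not just the DOS magic) matters before writing a dump.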
Conclusion
I introduced pedumper, a tool I created myself. If you are interested in it, please try it and send me your feedback😄