Summary
I have published a new tool for dumping PE files from the memory of a target process on Windows🎉 The tool is called pedumper. Here is the link:
https://github.com/owlinux1000/pedumper
Installation
You can install pedumper with pip:

```shell
pip install pedumper
```
How to use
pedumper has a very simple interface: you pass it one argument, the PID of the target process.
Every valid PE file it finds in that process's memory is saved to disk, named after the memory address at which it was found.
How was pedumper created?
While creating this tool, I had to learn two things.
1. ctypes
ctypes is part of Python's standard library. With it we can call Win32 APIs from Python, like this:

```python
import ctypes

def read_process_memory(hProcess: int, offset: int, size: int) -> bytes:
    # Copy `size` bytes at `offset` out of the process behind hProcess
    # (a handle opened with PROCESS_VM_READ) and return them as bytes.
    buf = ctypes.create_string_buffer(size)
    bytes_read = ctypes.c_size_t(0)
    ok = ctypes.windll.kernel32.ReadProcessMemory(
        ctypes.c_void_p(hProcess),
        ctypes.c_void_p(offset),
        buf,                         # LPVOID lpBuffer
        ctypes.c_size_t(size),
        ctypes.byref(bytes_read),    # SIZE_T *lpNumberOfBytesRead
    )
    if not ok:
        raise ctypes.WinError()      # GetLastError() explains the failure
    return buf.raw[:bytes_read.value]
```
2. Memory Basic Information of Windows
On Windows, each region of a process's virtual address space is described by the MEMORY_BASIC_INFORMATION structure, which VirtualQueryEx fills in. Here is the definition from the official Microsoft documentation. I learned what several of its fields mean while implementing pedumper.

```c
typedef struct _MEMORY_BASIC_INFORMATION {
  PVOID  BaseAddress;
  PVOID  AllocationBase;
  DWORD  AllocationProtect;
  WORD   PartitionId;
  SIZE_T RegionSize;
  DWORD  State;
  DWORD  Protect;
  DWORD  Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
```
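Putting the two pieces together, here is an added example of the whole dump loop: ctypes bindings for OpenProcess, VirtualQueryEx and ReadProcessMemory, the MEMORY_BASIC_INFORMATION structure declared for ctypes, and a PE-header check on each committed region. It is my own illustration written for this page, not pedumper's source, and it makes a few assumptions pedumper may not share: it only looks for headers at page-aligned offsets, it re-reads SizeOfImage bytes from a header to capture the sections, and it names output files `<address>.bin`. The Win32 constants are the documented values; `make_sample_region()` builds a constructed, fake PE header so the scanning helpers can be tried on any OS, while `dump_pe_from_process()` itself needs Windows.

```python
import ctypes
import struct
import sys
from typing import List, Optional, Tuple

MEM_COMMIT, PAGE_NOACCESS, PAGE_GUARD = 0x1000, 0x01, 0x100
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
IS_64BIT = ctypes.sizeof(ctypes.c_void_p) == 8

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # winnt.h layout: PartitionId exists only in the 64-bit definition, where it
    # fills what would otherwise be padding (sizeof is 48 on Win64, 28 on Win32).
    _fields_ = ([("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                 ("AllocationProtect", ctypes.c_uint32)]
                + ([("PartitionId", ctypes.c_uint16)] if IS_64BIT else [])
                + [("RegionSize", ctypes.c_size_t), ("State", ctypes.c_uint32),
                   ("Protect", ctypes.c_uint32), ("Type", ctypes.c_uint32)])

MBI_SIZE = ctypes.sizeof(MEMORY_BASIC_INFORMATION)

def pe_image_size(data: bytes, off: int = 0) -> Optional[int]:
    """OptionalHeader.SizeOfImage if data[off:] starts with a well-formed PE header
    (MZ stub, e_lfanew -> 'PE\\0\\0', PE32 or PE32+ magic), else None."""
    if off + 0x40 > len(data) or data[off:off + 2] != b"MZ":
        return None
    nt = off + struct.unpack_from("<I", data, off + 0x3C)[0]   # e_lfanew
    if nt - off > 0x1000 or nt + 0x58 > len(data) or data[nt:nt + 4] != b"PE\0\0":
        return None
    if struct.unpack_from("<H", data, nt + 0x18)[0] not in (0x10B, 0x20B):
        return None
    return struct.unpack_from("<I", data, nt + 0x50)[0]

def find_pe_headers(region: bytes, stride: int = 0x1000) -> List[Tuple[int, int]]:
    """(offset, SizeOfImage) for every PE header at a stride-aligned offset. Images
    start on a page boundary, hence 0x1000; stride=1 scans byte-wise instead."""
    hits = []
    for off in range(0, len(region), stride):
        size = pe_image_size(region, off)
        if size is not None:
            hits.append((off, size))
    return hits

def make_sample_region() -> bytes:
    """Constructed offline input: two zero pages, then a minimal PE32+ header page."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)            # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 0x18, 0x20B)    # PE32+ magic
    struct.pack_into("<I", hdr, 0x80 + 0x50, 0x3000)   # SizeOfImage
    return b"\0" * 0x2000 + bytes(hdr) + b"\xcc" * (0x1000 - len(hdr))

def _kernel32():
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p] * 3 + [ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p] * 3 + [ctypes.c_size_t,
                                                              ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    return k32

def _read(k32, h, addr: int, size: int) -> Optional[bytes]:
    """ReadProcessMemory wrapper; None if any page in the range is unreadable."""
    buf, got = ctypes.create_string_buffer(size), ctypes.c_size_t(0)
    if not k32.ReadProcessMemory(h, addr, buf, size, ctypes.byref(got)):
        return None
    return buf.raw[:got.value]

def dump_pe_from_process(pid: int, out_dir: str = ".") -> List[str]:
    """Walk the committed, readable regions of `pid` with VirtualQueryEx and write
    each PE image found to <out_dir>/<address>.bin. Windows only (PROCESS_VM_READ)."""
    if sys.platform != "win32":
        raise OSError("needs Win32; the scanning helpers above run anywhere")
    k32 = _kernel32()
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    written, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    try:
        while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), MBI_SIZE):
            base, size = mbi.BaseAddress or 0, mbi.RegionSize
            addr = base + size               # returns 0 once past the user address space
            if mbi.State != MEM_COMMIT or mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD):
                continue
            region = _read(k32, h, base, size) or b""
            for off, image_size in find_pe_headers(region):
                # Sections usually sit in neighbouring regions with other protections,
                # so re-read SizeOfImage bytes from the header; fall back to this region.
                image = _read(k32, h, base + off, image_size) or region[off:]
                path = f"{out_dir}/{base + off:#x}.bin"
                with open(path, "wb") as f:
                    f.write(image)
                written.append(path)
    finally:
        k32.CloseHandle(h)
    return written
```

Call `dump_pe_from_process(pid)` on Windows to get the list of files written. Two caveats a practitioner will hit: a loaded image's header page and its sections are separate regions with different protections, so the header check alone would only save the first page, which is why the code re-reads SizeOfImage bytes; and that larger read fails if any page in the range is not committed (for example a trailing gap), in which case the example falls back to the header region and a page-by-page read would be the next improvement. Note also that the dump is the in-memory layout (sections at their virtual addresses), not the original file layout, so tools that expect raw file offsets need the section headers adjusted first.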
Conclusion
I introduced pedumper, a tool I created myself. If you are interested in it, please try it out and send me your feedback😄