
用Windbg script将内存中的PE文件dump出来

最近看到有些恶意程序，从网络上下载PE文件后，直接放在内存里重定位和初始化。为了能将其dump出来，所以写了这个Windbg脚本。

$$ Scan every private, committed VAR region of the target for an ASCII "MZ"
$$ marker and, for each hit that also carries a valid PE signature, write
$$ SizeOfImage bytes starting at the hit to disk. Meant for PE payloads that
$$ were mapped by hand in memory: regions mapped by the loader (MEM_IMAGE)
$$ are deliberately left out by the /f: filter, so normal modules are not dumped.
$$ !address /c: runs the search once per region with %1 = region base and
$$ %2 = region end, and s -[1]a prints only the hit addresses, which .foreach
$$ hands to the body one at a time as 'place'.
.foreach( place  { !address /f:VAR,MEM_PRIVATE,MEM_COMMIT /c:"s -[1]a %1 %2 \"MZ\"" } ) 
{
$$ Clear all aliases so a stale target_file from an earlier hit is never reused.
ad *
$$ The header reads below dereference raw target memory. Any access fault
$$ (or a failed .writemem) is swallowed here and the loop moves to the next hit.
.catch {
$$ $t2 keeps the candidate image base, $t0 walks to the NT headers.
r @$t2 = place;
r @$t0 = place;
$$ e_lfanew is read through ntdll's type info, so ntdll symbols must resolve.
$$ Nothing caps e_lfanew: a bogus value just lands on an unreadable address
$$ that $vvalid rejects below.
r @$t1 = @@C++(((ntdll!_IMAGE_DOS_HEADER *)@$t0)->e_lfanew);
r @$t0 = @$t0 + @$t1;
$$ Only the 4-byte Signature field is validated. The SizeOfImage read further
$$ into the headers relies on the enclosing .catch if that page is missing.
r @$t1 = $vvalid(@$t0, 4);

$$ "MZ" matches at any byte alignment, so most hits are plain data. The
$$ "PE\0\0" (0x00004550) check is what filters them out.
.if (@@C++(@$t1 && @@C++(((ntdll!_IMAGE_NT_HEADERS *)@$t0)->Signature) == 0x00004550))
{
$$ Dump length is the in-memory footprint (SizeOfImage), not the on-disk size.
r @$t1 = @@C++(((ntdll!_IMAGE_NT_HEADERS *)@$t0)->OptionalHeader.SizeOfImage);
.printf "%08x %08x\n", @$t2, @$t1;
$$ Aliases are only expanded when a new block is entered, hence the .block
$$ wrappers below. Keep aS lines free of trailing comments, the alias value
$$ runs to the end of the line.
aS /x start_addr @$t2
aS /x dump_size @$t1
.block {
$$ Output path is hard-coded to E:\ and the file is named after the image base.
aS target_file e:\\${start_addr}.dll
}

.block {
.printf "${target_file}"
$$ The written file is a memory-layout image (sections at their RVAs and,
$$ per the post above, typically already relocated). Fix PointerToRawData /
$$ SizeOfRawData before handing it to static tools that expect a file layout.
$$ If part of the range is not committed, .writemem is expected to fail and
$$ the hit is dropped by .catch rather than written partially.
.writemem "${target_file}" ${start_addr} L?${dump_size}
}
}
}
}