What's VSD?
VSD (Virtual Section Dumper) is intended to be a tool to visualize and dump the memory regions of a running 32-bit or 64-bit process in many ways. For example, you can dump the entire process and fix the PE header, dump a given range of memory, or list and dump every virtual section present in the process.

How to use VSD?
When running, VSD lists all the running processes in the list-view; then you can use any of the buttons, check-boxes or the pop-up menu to interact with the processes. Here is the list of current features:

Main window options:
- Refresh: refreshes the process list.
- About: displays the about window.
- Full Dump: paste header from disk: this option is only valid when you select "Full Dump" over a process. Using it, VSD reads the original PE header of the running process from its file on disk and pastes it over the header in memory before dumping. This is especially useful when dealing with packers, because they often alter the memory of the packed program, and the PE header in particular, to hinder dumping.
- Full Dump: fix header: this option is only valid when you select "Full Dump" over a process. Using it, you can fix the raw offsets and virtual offsets in the dumped process's section table, in other words, make Raw Offset == Virtual Offset. This is needed because a full dump is written in the in-memory layout: each section's data sits at its virtual offset in the dumped file, not at the raw offset the original section headers point to.
- Exclude x64 processes: (only in the x86 version) when running on Windows 7 (x64), VSD can show you the x64 processes, although you can't do much with them. If you don't want to see these processes, you can use this option to filter them from the list.
You can use this feature ONLY when running with administrative privileges (Vista/Seven/Server 2008 on both platforms, x86 and x64); otherwise VSD will show you all the running processes. This is because, without those privileges, VSD can't obtain a handle via OpenProcess to interact with the processes (typically because opening a process that runs as another user requires SeDebugPrivilege, which only an elevated administrator token holds and which has to be enabled in the token before the OpenProcess call). (Note: if you know what I'm talking about and you have an idea on how to improve/solve this problem, just email me.)
- Total number of processes: prints the total number of running processes.
- Sort processes by Name, PID, ImageBase or ImageSize: you can sort the list of processes by clicking the header of each column.
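The two "Full Dump" options above operate on the section table of the dumped image. The following is an added example, not VSD's own code: it reproduces both steps on a plain byte buffer, "paste header from disk" (copy the on-disk SizeOfHeaders bytes over the dump) and "fix header" (set each section's PointerToRawData to its VirtualAddress). The example goes a little beyond the text by also setting SizeOfRawData to VirtualSize and FileAlignment to SectionAlignment, which a memory-layout file needs for the same reason; those two additions, the field offsets (taken from the PE/COFF specification and identical for PE32 and PE32+), and the constructed two-section sample image are all assumptions of this example, not something the page states about VSD.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header field offsets from the PE/COFF specification (shared by PE32 and PE32+). */
#define DOS_E_LFANEW        0x3C            /* IMAGE_DOS_HEADER.e_lfanew                    */
#define PE_SIGNATURE        0x00004550u     /* "PE\0\0"                                     */
#define FH_NUM_SECTIONS     6               /* NumberOfSections, relative to the signature  */
#define FH_OPT_HDR_SIZE     20              /* SizeOfOptionalHeader                         */
#define OPT_HDR             24              /* optional header start, relative to signature */
#define OPT_SECTION_ALIGN   32              /* SectionAlignment, relative to optional header*/
#define OPT_FILE_ALIGN      36              /* FileAlignment                                */
#define OPT_SIZEOF_HEADERS  60              /* SizeOfHeaders                                */
#define SEC_HDR_SIZE        40
#define SEC_VIRTUAL_SIZE    8
#define SEC_VIRTUAL_ADDR    12
#define SEC_RAW_SIZE        16
#define SEC_RAW_PTR         20

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Returns the offset of the section table, or 0 if the buffer does not hold a sane PE header. */
static size_t section_table(const uint8_t *img, size_t len, uint16_t *nsec)
{
    if (len < DOS_E_LFANEW + 4 || rd16(img) != 0x5A4D) return 0;                 /* "MZ" */
    uint32_t pe = rd32(img + DOS_E_LFANEW);
    if (pe >= len || len - pe < OPT_HDR || rd32(img + pe) != PE_SIGNATURE) return 0;
    uint16_t optsize = rd16(img + pe + FH_OPT_HDR_SIZE);
    if (optsize < OPT_SIZEOF_HEADERS + 4) return 0;                              /* optional header too short */
    *nsec = rd16(img + pe + FH_NUM_SECTIONS);
    size_t tbl = (size_t)pe + OPT_HDR + optsize;
    if (tbl > len || (len - tbl) / SEC_HDR_SIZE < *nsec) return 0;              /* table runs past the buffer */
    return tbl;
}

/* "Paste header from disk": overwrite the dump's headers with the on-disk file's headers, restoring
   whatever the packer wiped at run time (DOS stub, NT headers and section table). */
int paste_header_from_disk(uint8_t *dump, size_t dump_len, const uint8_t *file, size_t file_len)
{
    uint16_t n;
    if (!section_table(file, file_len, &n)) return -1;
    uint32_t hdr = rd32(file + rd32(file + DOS_E_LFANEW) + OPT_HDR + OPT_SIZEOF_HEADERS);
    if (hdr > file_len || hdr > dump_len) return -1;
    memcpy(dump, file, hdr);
    return 0;
}

/* "Fix header": raw offset := virtual offset (and raw size := virtual size, file alignment := section
   alignment) for every section, so a file written straight from memory describes itself correctly.
   Returns the number of sections rewritten, or -1 if there is no usable header. */
int fix_header_raw_eq_virtual(uint8_t *dump, size_t dump_len)
{
    uint16_t n;
    size_t tbl = section_table(dump, dump_len, &n);
    if (!tbl) return -1;
    uint8_t *opt = dump + rd32(dump + DOS_E_LFANEW) + OPT_HDR;
    wr32(opt + OPT_FILE_ALIGN, rd32(opt + OPT_SECTION_ALIGN));
    for (uint16_t i = 0; i < n; i++) {
        uint8_t *s = dump + tbl + (size_t)i * SEC_HDR_SIZE;
        wr32(s + SEC_RAW_PTR,  rd32(s + SEC_VIRTUAL_ADDR));
        wr32(s + SEC_RAW_SIZE, rd32(s + SEC_VIRTUAL_SIZE));
    }
    return n;
}

/* Reads one 32-bit field of section i (0xFFFFFFFF if absent); used by the demo and its checks. */
uint32_t section_field(const uint8_t *img, size_t len, uint16_t i, size_t field)
{
    uint16_t n;
    size_t tbl = section_table(img, len, &n);
    return (tbl && i < n) ? rd32(img + tbl + (size_t)i * SEC_HDR_SIZE + field) : 0xFFFFFFFFu;
}

/* Constructed sample (not a real binary): the on-disk file of a two-section PE32 and a memory dump
   of the same program whose PE header the "packer" zeroed at run time. */
uint8_t g_file[0x400], g_dump[0x3000];

void build_sample(void)
{
    memset(g_file, 0, sizeof g_file);
    g_file[0] = 'M'; g_file[1] = 'Z';
    wr32(g_file + DOS_E_LFANEW, 0x80);
    wr32(g_file + 0x80, PE_SIGNATURE);
    wr16(g_file + 0x80 + FH_NUM_SECTIONS, 2);
    wr16(g_file + 0x80 + FH_OPT_HDR_SIZE, 224);                 /* PE32 optional header size */
    uint8_t *opt = g_file + 0x80 + OPT_HDR;
    wr16(opt, 0x10B);                                           /* PE32 magic */
    wr32(opt + OPT_SECTION_ALIGN, 0x1000);
    wr32(opt + OPT_FILE_ALIGN, 0x200);
    wr32(opt + OPT_SIZEOF_HEADERS, 0x400);
    uint8_t *s = opt + 224;
    memcpy(s, ".text", 5);                                      /* VA 0x1000, raw data at 0x400 */
    wr32(s + SEC_VIRTUAL_SIZE, 0x800); wr32(s + SEC_VIRTUAL_ADDR, 0x1000);
    wr32(s + SEC_RAW_SIZE, 0x800);     wr32(s + SEC_RAW_PTR, 0x400);
    s += SEC_HDR_SIZE;
    memcpy(s, ".data", 5);                                      /* VA 0x2000, raw data at 0xC00 */
    wr32(s + SEC_VIRTUAL_SIZE, 0x100); wr32(s + SEC_VIRTUAL_ADDR, 0x2000);
    wr32(s + SEC_RAW_SIZE, 0x200);     wr32(s + SEC_RAW_PTR, 0xC00);

    memset(g_dump, 0, sizeof g_dump);
    g_dump[0] = 'M'; g_dump[1] = 'Z';                           /* only "MZ" survived in memory */
    memset(g_dump + 0x1000, 0xCC, 0x800);                       /* unpacked .text bytes are present */
}

/* Paste first, then fix: with the header wiped there is nothing for "fix header" to work on. */
int demo_fix_dump(void)
{
    build_sample();
    if (fix_header_raw_eq_virtual(g_dump, sizeof g_dump) != -1) return -2;   /* header gone: must fail */
    if (paste_header_from_disk(g_dump, sizeof g_dump, g_file, sizeof g_file) != 0) return -1;
    return fix_header_raw_eq_virtual(g_dump, sizeof g_dump);
}

int main(void)
{
    int n = demo_fix_dump();
    printf("sections fixed: %d\n", n);
    for (uint16_t i = 0; n > 0 && i < n; i++)
        printf("section %u: raw offset 0x%x, raw size 0x%x\n", i,
               section_field(g_dump, sizeof g_dump, i, SEC_RAW_PTR),
               section_field(g_dump, sizeof g_dump, i, SEC_RAW_SIZE));
    return n == 2 ? 0 : 1;
}
```

Note the ordering: pasting the on-disk header first gives "fix header" a section table to rewrite; applied the other way round on a wiped header, the fix step finds nothing and the dump stays unloadable. The bounds checks in `section_table` matter for the same reason the options exist: a packer-mangled header can point e_lfanew or NumberOfSections anywhere.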
Pop-up menu options:
- Select All: selects all the processes on the list.
- Copy to Clipboard: copies the selected items to the clipboard.
- Dump Full: dumps the entire process' memory to disk.
- Dump Partial: dumps a partial memory region to disk. You must enter a valid address and size.
- Dump Regions: displays the regions window, where you can interact with all the virtual sections of the process.
- Kill Process: terminates the execution of the selected process.
- Refresh: refreshes the process list.
Dump Regions window options:
- Sort virtual sections by Address, Size, Protect, State or Type: by clicking the header of each column you can sort the data listed in the list-view.
- Dump: dumps the selected virtual section. Not all sections can be dumped; for example, a section whose State is free (MEM_FREE) has no pages behind it and can't be dumped. The same applies to reserved but uncommitted memory and to pages whose Protect is no-access or guard, which ReadProcessMemory cannot read.
- Refresh: refreshes the sections list.
- Close: closes the sections window.
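The Dump Regions list is what VirtualQueryEx reports for each region of the target, and the "free regions can't be dumped" rule generalizes to "only committed, readable pages can be read". The following is an added example, not VSD's own code: it encodes that rule, applies it to a constructed sample listing, and, on Windows, walks a process's address space and writes every dumpable region to a `<base>.bin` file, reading page by page so that a single unreadable page does not lose the whole region. The sample regions, the file naming, the 4096-byte chunk size and the decision to zero-fill unreadable pages are assumptions of this example; off Windows only the filter and the sample run, since the walk needs OpenProcess/VirtualQueryEx/ReadProcessMemory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
/* The MEMORY_BASIC_INFORMATION values VirtualQueryEx reports, reproduced here so the
   filter compiles and runs off-Windows; the walk itself (below) is Windows-only. */
#define MEM_COMMIT         0x1000
#define MEM_RESERVE        0x2000
#define MEM_FREE           0x10000
#define MEM_PRIVATE        0x20000
#define MEM_IMAGE          0x1000000
#define PAGE_NOACCESS      0x01
#define PAGE_READWRITE     0x04
#define PAGE_EXECUTE_READ  0x20
#define PAGE_GUARD         0x100
#endif

typedef struct { uint64_t base, size; uint32_t state, protect, type; } region_t;

/* The rule behind "not all sections can be dumped": only committed, readable pages can be read.
   MEM_FREE and MEM_RESERVE regions have no pages behind them; PAGE_NOACCESS and PAGE_GUARD pages
   make ReadProcessMemory fail. */
int region_dumpable(const region_t *r)
{
    return r->state == MEM_COMMIT && !(r->protect & (PAGE_NOACCESS | PAGE_GUARD));
}

size_t count_dumpable(const region_t *r, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += region_dumpable(&r[i]) ? 1 : 0;
    return c;
}

uint64_t dumpable_bytes(const region_t *r, size_t n)
{
    uint64_t b = 0;
    for (size_t i = 0; i < n; i++) if (region_dumpable(&r[i])) b += r[i].size;
    return b;
}

/* Constructed sample: what the Dump Regions list of a small 32-bit process might show. */
const region_t sample_regions[] = {
    { 0x00010000, 0x1000,     MEM_COMMIT,  PAGE_READWRITE,              MEM_PRIVATE }, /* heap: dumpable        */
    { 0x00011000, 0x2000,     MEM_RESERVE, 0,                           MEM_PRIVATE }, /* reserved: no pages    */
    { 0x00400000, 0x2000,     MEM_COMMIT,  PAGE_EXECUTE_READ,           MEM_IMAGE   }, /* image code: dumpable  */
    { 0x00402000, 0x1000,     MEM_COMMIT,  PAGE_READWRITE | PAGE_GUARD, MEM_PRIVATE }, /* stack guard page      */
    { 0x00403000, 0x7FBFD000, MEM_FREE,    PAGE_NOACCESS,               0           }, /* free: the page's case */
};
const size_t sample_regions_n = sizeof sample_regions / sizeof sample_regions[0];

#ifdef _WIN32
#define CHUNK 4096   /* one x86/x64 page: a failed read costs at most one page of the region */

/* Walk the address space the way the Dump Regions window does and write each dumpable region to
   <base>.bin. Needs PROCESS_VM_READ; for another user's process the caller must run elevated with
   SeDebugPrivilege enabled (this example does not enable it). Returns regions written, or -1. */
int dump_regions(DWORD pid)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) {
        fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", (unsigned long)pid, (unsigned long)GetLastError());
        return -1;
    }
    SYSTEM_INFO si; GetSystemInfo(&si);
    MEMORY_BASIC_INFORMATION mbi;
    static unsigned char page[CHUNK];
    uintptr_t p = (uintptr_t)si.lpMinimumApplicationAddress;
    int dumped = 0;
    while (p < (uintptr_t)si.lpMaximumApplicationAddress &&
           VirtualQueryEx(h, (LPCVOID)p, &mbi, sizeof mbi) == sizeof mbi) {
        region_t r = { (uintptr_t)mbi.BaseAddress, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type };
        if (region_dumpable(&r)) {
            char name[32];
            snprintf(name, sizeof name, "%08llx.bin", (unsigned long long)r.base);
            FILE *f = fopen(name, "wb");
            for (uint64_t off = 0; f && off < r.size; off += CHUNK) {
                SIZE_T want = (SIZE_T)(r.size - off < CHUNK ? r.size - off : CHUNK), got = 0;
                memset(page, 0, CHUNK);   /* pages that became unreadable since the query are written as zeros */
                ReadProcessMemory(h, (LPCVOID)(uintptr_t)(r.base + off), page, want, &got);
                fwrite(page, 1, want, f); /* fixed-size write keeps file offsets equal to region offsets */
            }
            if (f) { fclose(f); dumped++; }
        }
        p = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;   /* next region starts where this one ends */
    }
    CloseHandle(h);
    return dumped;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    int n = dump_regions((DWORD)strtoul(argv[1], NULL, 10));
    printf("%d regions dumped\n", n);
    return n < 0;
}
#else
int main(void)
{
    printf("%zu of %zu sample regions dumpable, %llu bytes\n",
           count_dumpable(sample_regions, sample_regions_n), sample_regions_n,
           (unsigned long long)dumpable_bytes(sample_regions, sample_regions_n));
    return 0;
}
#endif
```

Two practical points the walk illustrates: the region list is a snapshot, so a page can be decommitted between VirtualQueryEx and ReadProcessMemory (hence the per-page reads and zero fill), and an x86 build walking an x64 target only sees the low part of its address space, which is why the x86 version can list x64 processes but "can't do much with them".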
Project Information
VSD was tested under Windows XP Professional SP3, Windows 7 Ultimate (x86 & x64), and Wine under Ubuntu 11.04 x64.

Greetings
As always, I have to thank a lot of people without whom this tool would not have seen the light. Many, many thanks to:
- marciano: for being my friend and beta tester, and for reporting a lot of bugs and suggesting features.
- MCKSys Argentina: for being my other beta tester.
- Guan De Dio: for his opinions to improve each of my tools :P
- Nacho_dj: for being a friend in ARTeam and for supporting me.
- Shub-Nigurrath: for being an amazing friend, for teaching me with his tutorials and for supporting me.
- To all my friends in CLS, ARTeam, SnD, B@S, OpenRCE, exetools and Woodmann.
Latest changes
VSD x86
Version: 1.1 - Fixed a bug in the PastePEHeader() function when calculating the offset of the original PE header.
Version: 1.0 - First stable release (I hope so :)

VSD x64
Version: 1.0

Screenshots: VSD x86, VSD x64
Downloads: http://code.google.com/p/virtualsectiondumper/downloads/list