Feature: If a process allocates a dynamic memory using VirtualAlloc, HeapAlloc, new, etc. and continues execution from that address, most of times, the memory address will be different for each different execution, it means that if we comment, rename variables or set breakpoints, nothing of this will be left in the next execution because the shellcode or code section will take a different memory address.
dumpDyn.py is IDAPython plugin(script) which saves comments, names, breakpoints, functions from one execution to another.
If VirtualAlloc/VirtualAllocEx is used to allocate a dynamic memory (which is the case with most malware), you can use icons on the toolbar to save and restore your work:
In any other case(HeapAlloc, malloc, new, etc), you need to specify memory location and size:
发表于 2019-2-2 20:01
