├── README.md ├── bins ├── dumpPE32.exe └── dumpPE64.exe └── inject.cpp /README.md: -------------------------------------------------------------------------------- 1 | # DumpPE 2 | Dump the mapped PE files
3 | 4 | # How to use 5 | `dumpPE.exe [pid] [hex_address] [out_pe]`
6 | # Download 7 | [64-bit binary](https://github.com/d35ha/DumpPE/raw/master/bins/dumpPE64.exe)
8 | [32-bit binary](https://github.com/d35ha/DumpPE/raw/master/bins/dumpPE32.exe)
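/bins/dumpPE32.exe: https://raw.githubusercontent.com/d35ha/DumpPE/ee990f731a963bf61c52299c988ebbd9f96bc461/bins/dumpPE32.exe
/bins/dumpPE64.exe: https://raw.githubusercontent.com/d35ha/DumpPE/ee990f731a963bf61c52299c988ebbd9f96bc461/bins/dumpPE64.exe
/inject.cpp:
#include <windows.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
TESTS:
    Windows 10 x64
*/

/*
BUILD:
    g++ dumpPE.cpp -o dumpPE.exe
    g++ dumpPE.cpp -o dumpPE.exe -m32
    (the repository tree lists this file as inject.cpp; use whatever name it has on disk)
*/

/*
LIMITATIONS:
    1) The image is read with a single ReadProcessMemory call spanning SizeOfImage,
       so one unreadable page in that range (guard page, PAGE_NOACCESS) fails the
       whole dump. A page-by-page read that zero-fills unreadable pages would be
       more tolerant.
    2) Headers are range-checked but not repaired: the output is the image exactly
       as it sits in memory, with each section written back at its PointerToRawData.
*/

/*
 * Parses an unsigned integer in the given base, rejecting empty input, trailing
 * garbage, a leading '-', overflow, and any value above maxValue.
 * Returns true and stores the value in *out on success.
 */
static bool ParseUnsigned(const char *text, int base, unsigned long long maxValue, unsigned long long *out)
{
    if (text == NULL || *text == '\0' || *text == '-') {
        return false;
    }
    char *end = NULL;
    errno = 0;
    unsigned long long value = strtoull(text, &end, base);
    if (end == text || *end != '\0' || errno == ERANGE || value > maxValue) {
        return false;
    }
    *out = value;
    return true;
}

/*
 * Reads exactly cb bytes from the target process at lpAddress into buffer.
 * A short read is treated as a failure. Prints the Win32 error and returns false on failure.
 */
static bool ReadRemote(HANDLE hProcess, LPCVOID lpAddress, void *buffer, SIZE_T cb)
{
    SIZE_T cbRead = 0;
    if (!ReadProcessMemory(hProcess, lpAddress, buffer, cb, &cbRead) || cbRead != cb) {
        printf("Error at ReadProcessMemory(%p, %llu bytes), code = %lu\n",
               lpAddress, (unsigned long long)cb, GetLastError());
        return false;
    }
    return true;
}

/*
 * Reads the DOS and NT headers of the image mapped at lpBase and checks that the
 * values the rest of the dump relies on are sane. Everything here comes from the
 * target process and is untrusted: a corrupted or hostile image can carry a
 * negative e_lfanew, a SizeOfImage of zero, or a section table that lies past the
 * end of the image, each of which would otherwise turn into an out-of-bounds
 * access on the local copy.
 *
 * Also rejects an image whose optional-header magic does not match this build
 * (32-bit image with the 64-bit dumper or vice versa); IMAGE_NT_HEADERS is the
 * native-width struct, so the field offsets used below would be wrong otherwise.
 *
 * Returns true with *dos and *nt filled on success; prints a reason and returns false otherwise.
 */
static bool ReadHeaders(HANDLE hProcess, LPCVOID lpBase, IMAGE_DOS_HEADER *dos, IMAGE_NT_HEADERS *nt)
{
    if (!ReadRemote(hProcess, lpBase, dos, sizeof *dos)) {
        return false;
    }
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("No MZ signature at %p\n", lpBase);
        return false;
    }
    if (dos->e_lfanew < 0) {
        printf("Invalid e_lfanew 0x%lx\n", (unsigned long)dos->e_lfanew);
        return false;
    }

    LPCVOID lpNt = (LPCVOID)((ULONG_PTR)lpBase + (ULONG_PTR)dos->e_lfanew);
    if (!ReadRemote(hProcess, lpNt, nt, sizeof *nt)) {
        return false;
    }
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        printf("No PE signature at %p (e_lfanew = 0x%lx)\n", lpNt, (unsigned long)dos->e_lfanew);
        return false;
    }
    if (nt->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) {
        printf("Image architecture does not match this build (optional header magic 0x%x); "
               "use the other dumpPE binary\n", nt->OptionalHeader.Magic);
        return false;
    }

    // Bounds that the allocation, the header write and the section loop depend on.
    ULONGLONG cbImage = nt->OptionalHeader.SizeOfImage;
    ULONGLONG ntEnd = (ULONGLONG)dos->e_lfanew + sizeof *nt;
    ULONGLONG sectionTable = (ULONGLONG)dos->e_lfanew
                             + (ULONGLONG)FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
                             + nt->FileHeader.SizeOfOptionalHeader;
    ULONGLONG sectionTableEnd = sectionTable
                                + (ULONGLONG)nt->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    if (cbImage == 0 || ntEnd > cbImage || sectionTableEnd > cbImage
        || nt->OptionalHeader.SizeOfHeaders > cbImage) {
        printf("Inconsistent PE headers: SizeOfImage = 0x%llx, SizeOfHeaders = 0x%lx, "
               "NumberOfSections = %u\n",
               cbImage, (unsigned long)nt->OptionalHeader.SizeOfHeaders,
               (unsigned)nt->FileHeader.NumberOfSections);
        return false;
    }
    return true;
}

/*
 * Positions hFile at offset and writes exactly cb bytes of data there.
 * Prints the Win32 error and returns false on failure or a short write.
 */
static bool WriteAt(HANDLE hFile, ULONGLONG offset, const void *data, DWORD cb)
{
    LARGE_INTEGER pos;
    pos.QuadPart = (LONGLONG)offset;
    if (!SetFilePointerEx(hFile, pos, NULL, FILE_BEGIN)) {
        printf("Error at SetFilePointerEx, code = %lu\n", GetLastError());
        return false;
    }
    DWORD cbWritten = 0;
    if (!WriteFile(hFile, data, cb, &cbWritten, NULL) || cbWritten != cb) {
        printf("Error at WriteFile, code = %lu\n", GetLastError());
        return false;
    }
    return true;
}

/*
 * Writes the in-memory image back out in on-disk layout: SizeOfHeaders bytes at
 * offset 0, then each section's SizeOfRawData bytes, taken from its VirtualAddress
 * in the mapped copy, at the section's own PointerToRawData.
 *
 * The original appended sections back to back after the headers, which matches
 * PointerToRawData only when the sections happen to be laid out contiguously on
 * disk; in every other case the section table in the dumped file pointed at the
 * wrong offsets. Writing at PointerToRawData keeps the header bytes untouched and
 * the file self-consistent (the two agree for the common contiguous layout).
 *
 * Precondition: headers were validated by ReadHeaders, so e_lfanew and the
 * section table lie inside the cbImage-byte buffer. Per-section ranges are still
 * checked here because they are not covered by that validation: a section that
 * starts past the end of the image is skipped, and one that runs past it is
 * truncated, with a warning either way, instead of reading past the buffer.
 */
static bool WriteUnmappedImage(HANDLE hFile, const BYTE *image, DWORD cbImage, LONG e_lfanew,
                               const IMAGE_NT_HEADERS *nt)
{
    if (!WriteAt(hFile, 0, image, nt->OptionalHeader.SizeOfHeaders)) {
        return false;
    }

    // Equivalent of IMAGE_FIRST_SECTION on the local copy; the table starts after the
    // optional header, whose size is taken from the file header rather than assumed.
    DWORD sectionTable = (DWORD)e_lfanew
                         + (DWORD)FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
                         + nt->FileHeader.SizeOfOptionalHeader;
    const IMAGE_SECTION_HEADER *sections = (const IMAGE_SECTION_HEADER *)(image + sectionTable);

    for (WORD i = 0; i < nt->FileHeader.NumberOfSections; i++) {
        const IMAGE_SECTION_HEADER *section = &sections[i];
        DWORD rva = section->VirtualAddress;
        DWORD cb = section->SizeOfRawData;
        if (cb == 0) {
            continue;   // uninitialized-data sections have nothing on disk
        }
        if (rva >= cbImage) {
            printf("Warning: section %u starts at RVA 0x%lx, past SizeOfImage; skipped\n",
                   (unsigned)i, (unsigned long)rva);
            continue;
        }
        if (cb > cbImage - rva) {
            printf("Warning: section %u runs past SizeOfImage; truncated to 0x%lx bytes\n",
                   (unsigned)i, (unsigned long)(cbImage - rva));
            cb = cbImage - rva;
        }
        if (!WriteAt(hFile, section->PointerToRawData, image + rva, cb)) {
            return false;
        }
    }
    return true;
}

/*
 * Copies the image mapped at lpBase in hProcess into a local buffer and writes it
 * to szOutPe. Owns the local buffer and the output file handle and releases both
 * on every path. Returns true on success.
 *
 * CREATE_ALWAYS already truncates an existing file, so the original's separate
 * DeleteFileA step (and its delete-then-create window on the output path) is gone.
 */
static bool DumpImage(HANDLE hProcess, LPCVOID lpBase, LPCSTR szOutPe)
{
    IMAGE_DOS_HEADER dos;
    IMAGE_NT_HEADERS nt;
    if (!ReadHeaders(hProcess, lpBase, &dos, &nt)) {
        return false;
    }

    DWORD cbImage = nt.OptionalHeader.SizeOfImage;
    BYTE *image = (BYTE *)VirtualAlloc(NULL, cbImage, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (image == NULL) {
        printf("Error at VirtualAlloc(0x%lx bytes), code = %lu\n", (unsigned long)cbImage, GetLastError());
        return false;
    }

    bool ok = false;
    if (ReadRemote(hProcess, lpBase, image, cbImage)) {
        HANDLE hFile = CreateFileA(szOutPe, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
                                   FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE) {
            printf("Error at CreateFileA, code = %lu\n", GetLastError());
        } else {
            ok = WriteUnmappedImage(hFile, image, cbImage, dos.e_lfanew, &nt);
            // CloseHandle flushes the write stream; a failure here means the file may be incomplete.
            if (!CloseHandle(hFile)) {
                printf("Error at CloseHandle, code = %lu\n", GetLastError());
                ok = false;
            }
        }
    }

    VirtualFree(image, 0, MEM_RELEASE);
    return ok;
}

/*
 * Entry point: dumpPE.exe [pid] [hex_adress] [out_pe]
 *
 * Dumps the PE image mapped at the given (hexadecimal) address in process pid to
 * out_pe. Exit status is 0 on success and 1 on any failure; the original returned
 * 0 (or FALSE) on every path, so a caller could not tell a failed dump from a
 * successful one. Arguments are parsed with strtoull instead of atoi/sscanf so a
 * malformed pid or address is rejected rather than silently read as 0.
 *
 * The process is opened with PROCESS_VM_READ only, which is all ReadProcessMemory needs.
 */
int main(int argc, char **argv)
{
    if (argc <= 3) {
        printf("%s [pid] [hex_adress] [out_pe]\n", argv[0]);
        return 0;
    }

    unsigned long long value = 0;
    if (!ParseUnsigned(argv[1], 10, MAXDWORD, &value)) {
        printf("Invalid pid: %s\n", argv[1]);
        return 1;
    }
    DWORD dwPid = (DWORD)value;

    // Base 16 accepts an optional 0x prefix, as the previous "%llx"/"%lx" sscanf did.
    if (!ParseUnsigned(argv[2], 16, (unsigned long long)(ULONG_PTR)-1, &value)) {
        printf("Invalid address: %s\n", argv[2]);
        return 1;
    }
    LPCVOID lpAddress = (LPCVOID)(ULONG_PTR)value;
    LPCSTR szOutPe = argv[3];

    HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, dwPid);
    if (hProcess == NULL) {
        printf("Error at OpenProcess, code = %lu\n", GetLastError());
        return 1;
    }

    bool ok = DumpImage(hProcess, lpAddress, szOutPe);
    CloseHandle(hProcess);

    if (ok) {
        puts("Done !!!");
    }
    return ok ? 0 : 1;
}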