Though I promised an article on adding free space to an existing section inside a PE, this short one will instead discuss dumping a process, i.e. reading its memory contents and saving them to a file for later analysis.
It consists of several steps:
- Listing every thread of the target process (quite important);
- Suspending each thread so the memory remains untouched while we dump the process;
- Reading the memory;
- Writing it into a file;
- Resuming the suspended threads as if nothing happened.
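Here is the whole sequence in Win32 C, as an added example for this post; it is not the code of the ProcessMemoryDumper repository linked below. The dump record layout (a small header in front of every region) and the cap of 4096 threads are this example's own assumptions. The Windows-specific parts are guarded by `_WIN32`; the region filter is portable so it can be checked anywhere.

```c
/* Added example: suspend every thread of a target PID, dump each committed,
 * readable region with VirtualQueryEx + ReadProcessMemory, then resume.
 * Not the author's ProcessMemoryDumper code; the record layout is ours. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#  include <windows.h>
#  include <tlhelp32.h>
#else
/* Values copied from the Win32 headers so the region filter compiles and
 * can be exercised on any platform. */
#  define MEM_COMMIT     0x1000
#  define PAGE_NOACCESS  0x01
#  define PAGE_GUARD     0x100
#endif

/* Header written before every region so file offsets map back to virtual
 * addresses during analysis (this example's own layout, an assumption). */
typedef struct { uint64_t base, size; uint32_t state, protect; } region_hdr_t;

/* Decide whether a region can and should be read:
 * - only committed pages hold data (MEM_FREE / MEM_RESERVE have none);
 * - PAGE_NOACCESS cannot be read from another process;
 * - PAGE_GUARD regions make ReadProcessMemory fail, so skip them instead
 *   of aborting the whole dump. */
int region_is_dumpable(uint32_t state, uint32_t protect)
{
    if (state != MEM_COMMIT) return 0;
    if (protect & PAGE_NOACCESS) return 0;
    if (protect & PAGE_GUARD) return 0;
    return 1;
}

#ifdef _WIN32
/* Step 1 + 2: enumerate and suspend every thread owned by pid. Thread32Next
 * walks ALL threads on the machine, so filter on th32OwnerProcessID.
 * Returns how many handles were stored; the caller resumes and closes them. */
static DWORD suspend_all(DWORD pid, HANDLE *handles, DWORD max)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    THREADENTRY32 te = { .dwSize = sizeof te };
    DWORD n = 0;
    if (snap == INVALID_HANDLE_VALUE) return 0;
    for (BOOL ok = Thread32First(snap, &te); ok && n < max; ok = Thread32Next(snap, &te)) {
        if (te.th32OwnerProcessID != pid) continue;
        HANDLE th = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te.th32ThreadID);
        if (th && SuspendThread(th) != (DWORD)-1) handles[n++] = th;
        else if (th) CloseHandle(th);
    }
    CloseHandle(snap);
    return n;
}

/* Step 3 + 4: walk the address space region by region and copy each
 * dumpable one to the file behind a region_hdr_t. A partial read still
 * yields `got` bytes, which are kept rather than discarded. */
static void dump_process(HANDLE proc, FILE *out)
{
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL;
    while (VirtualQueryEx(proc, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (region_is_dumpable(mbi.State, mbi.Protect)) {
            unsigned char *buf = malloc(mbi.RegionSize);
            SIZE_T got = 0;
            if (buf) ReadProcessMemory(proc, mbi.BaseAddress, buf, mbi.RegionSize, &got);
            if (buf && got) {
                region_hdr_t h = { (uint64_t)(uintptr_t)mbi.BaseAddress, got, mbi.State, mbi.Protect };
                fwrite(&h, sizeof h, 1, out);
                fwrite(buf, 1, got, out);
            }
            free(buf);
        }
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <pid> <out.dmp>\n", argv[0]); return 1; }
    DWORD pid = (DWORD)strtoul(argv[1], NULL, 0);
    /* Reading memory needs PROCESS_VM_READ; VirtualQueryEx needs PROCESS_QUERY_INFORMATION. */
    HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!proc) { fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError()); return 1; }
    HANDLE threads[4096];                       /* assumed upper bound for this example */
    DWORD n = suspend_all(pid, threads, 4096);
    FILE *out = fopen(argv[2], "wb");
    if (out) { dump_process(proc, out); fclose(out); }
    /* Step 5: one ResumeThread per SuspendThread puts the target back as it was. */
    for (DWORD i = 0; i < n; i++) { ResumeThread(threads[i]); CloseHandle(threads[i]); }
    CloseHandle(proc);
    return out ? 0 : 1;
}
#endif
```

Two caveats worth keeping in mind: a thread created between the snapshot and the suspend loop is missed, so a careful tool re-takes the snapshot until a pass finds no unsuspended thread; and pointing the dumper at its own PID will suspend its own thread and hang, so refuse `GetCurrentProcessId()` as a target.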
I also wrote a proof-of-concept for anyone interested, which you may find here:
https://github.com/Ge0bidouille/ProcessMemoryDumper
I'm pretty sure the source code is clear enough, but feel free to drop some feedback if you wish!
Thanks go out to 0verclok for his feedback. :-)
Ge0