HiperDrop 0.0.1

hiperdrop:reverse engineering:easy:windows:c++
Looking through my directories I've found some tools that I've kept hidden in my desk, unpublished for some strange reasons. I'm thinking about finalizing the basic functionality of these, and finally putting them online. Anyways, one of such tools was HiperDrop - a simple command line process memory dumper for Windows.

Basically, it attaches to a process, read the whole memory (unlike LordPE / OllyDump, this tool is design to download the whole memory of the process), and saves it to disk.

There are two implemented ways to attach to a process (OpenProcess or the Debugger API), two ways to find the memory regions to dump (VirtualQueryEx or brute-force-like trying to read each memory page with ReadProcessMemory), and three methods to save the memory (either as a single file with or without padding between used memory regions, or as multiple files - one for each memory block).

Anyway, the tool is open source (check the License.txt file for details), written in C++, and might come in handy if you do some malware analysis or other reverse engineering stuff.

HiperDrop-0.0.1.zip (63 KB)

Content of the archive:
HiperDrop.cpp - source file
HiperDrop.exe - Windows executable, compiled with MinGW GCC
License.txt - yes yes, this is the license file
Readme.txt - some more details about the tool

The TODO list currently has a few important entries, like:
* the generated .map file must contain more information about the regions, like access rights, entropy, use, etc
* downloading the memory without using ReadProcessMemory, using a thread in the target process to download data via pipes

Also, I'm, thinking about kernel-level memory download, but there already is a tool to do kernel-mode memory dumps - TraceHook by j00ru. You can read about it here (0.0.1) and here (0.2).

More TODO entries can be found in the Readme.txt and by greping the source code :)

That's it I guess. Comments are welcomed!

Add a comment:

URL (optional):
Math captcha: 7 ∗ 8 + 6 =