///<reference path='C:/Users/r0th3r/OneDrive/Code/index.d.ts'/>
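/**
 * Computes how many bytes to dump for a PE image whose MZ header is at `addr`.
 *
 * Follows e_lfanew (DOS header offset 0x3C) to the NT headers, verifies the
 * "PE\0\0" signature and reads SizeOfImage from the optional header. The
 * result is the larger of SizeOfImage and the size of the readable range
 * that starts exactly at `addr` (0 when no range starts there), so a mapping
 * that is bigger than its header claims is still dumped whole.
 *
 * @param {NativePointer} addr - candidate image base (start of the MZ header)
 * @returns {number} byte count to dump, or 0 when the NT signature is absent
 * @throws when a header read touches unreadable memory; callers treat that
 *   as "not a PE" and skip the candidate
 */
function size_of_image(addr = NULL) {
  // e_lfanew: offset of the NT headers relative to the image base.
  const nt_addr = addr.add(addr.add(0x3c).readU32());
  if (nt_addr.readU32() !== 0x4550) return 0; // "PE\0\0" little-endian

  // Signature (4 bytes) and IMAGE_FILE_HEADER (0x14 bytes) precede the
  // optional header; nothing in them is needed here, so they are not read.
  const opt_addr = nt_addr.add(0x4).add(0x14);
  // SizeOfImage is at offset 0x38 of both the PE32 and PE32+ optional header.
  const header_size = opt_addr.add(0x38).readU32();

  // Size of the first readable range whose base is exactly `base`, else 0.
  const range_length = (base) => {
    const owner = Process.enumerateRanges('r--').find((r) => r.base.equals(base));
    return owner ? owner.size : 0;
  };

  return Math.max(header_size, range_length(addr));
}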
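/**
 * RPC entry point: walks every readable range of the target process looking
 * for the DOS-stub message, treats each hit as a PE image whose MZ header
 * starts 78 (0x4E) bytes earlier, and logs — optionally dumps — each image.
 *
 * A hit is reported as "mapping" when the candidate base is 0x100-aligned
 * and Frida knows no module at that address, and as "embedded" when the base
 * is unaligned (a PE stored inside some other allocation). Aligned hits
 * inside a known module are ignored. Ranges that cannot be read are skipped.
 *
 * @param {string} dumpdir - directory for `PRV-<base>.mem` / `MAP-<base>.mem`
 *   files; when shorter than two characters nothing is written, only logged
 * @returns {undefined}
 */
rpc.exports.scan = function (dumpdir = '') {
  /* 'This program cannot be run in DOS mode' — hoisted out of the range loop. */
  const dosstub = '54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65';
  // Distance from the start of the MZ header to the stub message.
  const STUB_OFFSET = 78;

  // Writes `length` bytes from `addr` to `<dumpdir>/<prefix>-<base>.mem`.
  // The handle is closed even when the read or write throws, so a failed
  // candidate does not leak a descriptor (the original never closed it).
  const dump = (prefix, addr, length) => {
    // NOTE(review): a one-character dumpdir such as "." is rejected here —
    // this mirrors the original check; confirm it is intended.
    if (dumpdir.length <= 1) return;
    const out = new File(`${dumpdir}/${prefix}-${addr.toString(16)}.mem`, 'wb');
    try {
      out.write(addr.readByteArray(length));
    } finally {
      out.close();
    }
  };

  for (const range of Process.enumerateRanges('r--')) {
    // Best-effort scan: a range that vanishes or is only partly readable
    // throws from scanSync/size_of_image/readByteArray and is simply skipped.
    try {
      for (const match of Memory.scanSync(range.base, range.size, dosstub)) {
        const addr = match.address.sub(STUB_OFFSET);
        const length = size_of_image(addr);
        if (length === 0) continue;

        // (address & 0xFF) === 78  <=>  addr is 0x100-aligned.
        const isAligned = match.address.and(255).equals(STUB_OFFSET);
        if (!isAligned) {
          console.log(`embedded: [${length.toString(16)}] ${addr}`);
          dump('PRV', addr, length);
        } else if (Process.findModuleByAddress(addr) === null) {
          console.log(`mapping: [${length.toString(16)}] ${addr}`);
          dump('MAP', addr, length);
        }
      }
    } catch (error) {
      continue;
    }
  }
};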