Virtual Section Dumper - A Memory Dumping Tool


Virtual Section Dumper (VSD) is a simple but powerful tool for visualizing and dumping the memory regions of a running 32-bit or 64-bit process in several ways. For example, you can dump the entire process and fix its PE header, dump a given range of memory, or list and dump every virtual section present in the process.

Now let me show you how to use Virtual Section Dumper...

How To Use Virtual Section Dumper

First, download Virtual Section Dumper onto your computer (download links are at the end of this article). Then run it (with administrator privileges). You will see a window as shown below.

[Screenshot: Virtual Section Dumper main window (32-bit build)]

Or this (if you run the 64-bit version):

[Screenshot: Virtual Section Dumper main window (64-bit build)]

Now you can use any of the buttons, checkboxes, or the pop-up menu to interact with the processes.

Here is the list of options and their uses:

Main window options:
  • Refresh: refreshes the processes list.
  • About: displays the about window.
  • Full Dump: paste header from disk: this option applies only when you select "Full Dump" on a process. With it, VSD reads the original PE header of the running process from its file on disk and pastes it into memory before dumping. This is useful with packers, which often alter the in-memory image of a packed program, especially the PE header, in order to hinder dumping.
  • Full Dump: fix header: this option applies only when you select "Full Dump" on a process. With it, VSD rewrites each section's raw offset to equal its virtual offset (Raw Offset == Virtual Offset), so that the dumped file's section layout matches the layout it had in memory.
  • Exclude x64 processes: (x86 version only) when running on Windows 7 x64, VSD can show you the x64 processes, although you can't do much with them. If you don't want to see these processes, use this option to filter them out of the list. This feature works ONLY when running with administrative privileges (Vista/Seven/Server 2008, on both x86 and x64); otherwise VSD shows you all the running processes, because without those privileges it can't obtain a handle via OpenProcess to interact with the processes (note: if you know what I'm talking about and have an idea on how to improve or solve this problem, just email me).
  • Total number of processes: prints the total number of running processes.
  • Sort processes by Name, PID, ImageBase or ImageSize: click a column header to sort the process list by that column.
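The "fix header" option above rewrites the section table so that raw offsets and sizes equal the virtual ones. As an added illustration, not VSD's own code, the Python below performs that rewrite on a constructed minimal PE32 image: it locates the section table through e_lfanew and SizeOfOptionalHeader, copies VirtualAddress/VirtualSize over PointerToRawData/SizeOfRawData, and checks the result. The sample image, its section values, and the extra FileAlignment adjustment are assumptions made for the example; the header layout constants come from the PE/COFF specification.

```python
import struct

# Layout constants from the PE/COFF specification (not from VSD).
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp,
                                    # PointerToSymbolTable, NumberOfSymbols,
                                    # SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
OPT_SECTION_ALIGNMENT = 32          # offsets inside the optional header,
OPT_FILE_ALIGNMENT = 36             # identical for PE32 and PE32+


def build_sample_dump():
    """Constructed 'raw' dump of a PE32 image whose section table still carries
    on-disk offsets, as a packed program would leave it (example data only)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                # Magic: PE32
    struct.pack_into("<II", opt, OPT_SECTION_ALIGNMENT, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    sections = b""
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (constructed)
    for name, vsize, vaddr, rsize, rptr in (
        (b".text", 0x1A00, 0x1000, 0x1A00, 0x400),
        (b".data", 0x0300, 0x3000, 0x0200, 0x1E00),
    ):
        sections += struct.pack(SECTION_FMT, name.ljust(8, b"\0"),
                                vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0x60000020)
    header = dos + PE_SIGNATURE + coff + bytes(opt) + sections
    return header + bytes(0x3400 - len(header))   # zero-filled body up to the end of .data


def locate_headers(image):
    """Return (optional_header_offset, section_table_offset, number_of_sections)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if bytes(image[e_lfanew:e_lfanew + 4]) != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, image, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER_FMT)
    return opt_off, opt_off + opt_size, nsections


def read_sections(image):
    """Parse the section table into dicts keyed by the PE field names."""
    _, sec_off, n = locate_headers(image)
    out = []
    for i in range(n):
        f = struct.unpack_from(SECTION_FMT, image, sec_off + i * SECTION_SIZE)
        out.append({"Name": f[0].rstrip(b"\0").decode("ascii"),
                    "VirtualSize": f[1], "VirtualAddress": f[2],
                    "SizeOfRawData": f[3], "PointerToRawData": f[4]})
    return out


def read_alignments(image):
    """Return (SectionAlignment, FileAlignment) from the optional header."""
    opt_off, _, _ = locate_headers(image)
    return struct.unpack_from("<II", image, opt_off + OPT_SECTION_ALIGNMENT)


def fix_header(image):
    """Return a copy in which every section's raw offset/size equals its virtual offset/size."""
    buf = bytearray(image)
    opt_off, sec_off, n = locate_headers(buf)
    # Extra step assumed for the example (the article only states Raw Offset == Virtual Offset):
    # once raw offsets mirror memory, FileAlignment is made equal to SectionAlignment so the
    # alignment the header declares stays consistent with the rewritten offsets.
    section_align = struct.unpack_from("<I", buf, opt_off + OPT_SECTION_ALIGNMENT)[0]
    struct.pack_into("<I", buf, opt_off + OPT_FILE_ALIGNMENT, section_align)
    for i in range(n):
        ent = sec_off + i * SECTION_SIZE
        vsize, vaddr = struct.unpack_from("<II", buf, ent + 8)   # VirtualSize, VirtualAddress
        struct.pack_into("<II", buf, ent + 16, vsize, vaddr)     # SizeOfRawData, PointerToRawData
    return bytes(buf)


def raw_matches_virtual(image):
    """Check the invariant the 'fix header' option establishes."""
    return all(s["PointerToRawData"] == s["VirtualAddress"]
               and s["SizeOfRawData"] == s["VirtualSize"]
               for s in read_sections(image))


if __name__ == "__main__":
    fixed = fix_header(build_sample_dump())
    for s in read_sections(fixed):
        print(s)
    print("raw == virtual:", raw_matches_virtual(fixed))
```

Only the header bytes are touched; the body of the dump is left as it was read from memory, which is why the routine works on any dump whose section table is still intact.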

Pop-up menu options:
  • Select All: selects all the processes on the list.
  • Copy to Clipboard: copies the selected items to the clipboard.
  • Dump:
    • Full: dumps the entire memory of the process to disk.
    • Partial: dumps a partial memory region to disk. You must enter a valid address and size.
    • Regions: opens the Regions window, where you can interact with all the virtual sections of the process.
  • View:
    • Modules: displays all the modules loaded in the process.
    • Handles: displays all handles opened by the process.
    • Threads: displays all threads in the process.
  • Patch: opens a dialog with the process-patching options.
  • Kill Process: terminates the execution of the selected process.

Patch window options:
  • No. Bytes to patch: indicates the number of bytes to patch.
  • Address to Patch: indicates the address in the process memory region to patch.
  • New Bytes: the bytes to write to the process memory.
  • Bytes: displays the original bytes in the process memory.
  • Search: once 'No. Bytes to patch' and 'Address to Patch' are set, this button reads the original bytes at that address from the process and displays them in the 'Bytes' edit box.
  • Patch: writes the new bytes into the process memory.
  • Close: closes the 'Patch' window.

View Modules window options:
  • Dump (Full/Partial): dumps the full or partial memory of the selected module to disk.

View Threads window options:
  • Resume: resumes the thread's execution.
  • Suspend: suspends the thread's execution.
  • Terminate: terminates the thread's execution.

Dump Regions window options:
  • Sort virtual sections by Address, Size, Protect, State or Type: click a column header to sort the list view by that column.
  • Dump: dumps the selected virtual section. Not all sections can be dumped, for example, a section marked as free can't be dumped.
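To make concrete what the Dump Regions window lists, and why a section marked as free cannot be dumped, here is an added Python example (not VSD's own code) that walks a constructed region map the way a VirtualQueryEx loop does, keeps only the regions that can actually be read out of a process, and sorts by the same five columns. SAMPLE_LAYOUT, the `query` callable, and the user-space limit are assumptions made for the example; the State/Protect/Type constants are the Windows SDK values.

```python
from collections import namedtuple

# MEMORY_BASIC_INFORMATION.State / .Protect / .Type values from the Windows SDK.
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x01, 0x02, 0x04
PAGE_EXECUTE_READ, PAGE_GUARD = 0x20, 0x100

# The five columns the Dump Regions window shows.
Region = namedtuple("Region", "Address Size State Protect Type")


def walk_regions(query, limit):
    """Enumerate virtual sections the way a VirtualQueryEx loop does: start at
    address 0, take the region containing that address, then continue at
    Address + Size until `limit` (top of user-mode space) is reached.
    `query(addr)` stands in for VirtualQueryEx; it returns a Region or None on failure."""
    regions, addr = [], 0
    while addr < limit:
        r = query(addr)
        if r is None:
            break
        if r.Size == 0:
            raise RuntimeError("zero-size region at %#x would loop forever" % addr)
        regions.append(r)
        addr = r.Address + r.Size
    return regions


def is_dumpable(r):
    """Only committed, readable, non-guard memory can be copied out with
    ReadProcessMemory; everything else is listed but cannot be dumped."""
    if r.State != MEM_COMMIT:           # MEM_FREE / MEM_RESERVE have no pages behind them
        return False
    if r.Protect & PAGE_GUARD:          # stack guard pages cannot be read
        return False
    if r.Protect & 0xFF == PAGE_NOACCESS:
        return False
    return True


def dumpable_regions(regions):
    return [r for r in regions if is_dumpable(r)]


def sort_regions(regions, column):
    """Sort by any of Address, Size, State, Protect or Type."""
    if column not in Region._fields:
        raise ValueError("unknown column %r" % column)
    return sorted(regions, key=lambda r: getattr(r, column))


def make_fake_query(layout):
    """Build a stand-in for VirtualQueryEx over a constructed, gap-free region map,
    so the walk can run offline on any platform."""
    def query(addr):
        for r in layout:
            if r.Address <= addr < r.Address + r.Size:
                return r
        return None
    return query


# Constructed region map of an imaginary 32-bit process (not captured from a real one).
SAMPLE_LAYOUT = [
    Region(0x00000000, 0x00010000, MEM_FREE,    PAGE_NOACCESS,               0),
    Region(0x00010000, 0x00001000, MEM_COMMIT,  PAGE_READWRITE,              MEM_PRIVATE),
    Region(0x00011000, 0x003EF000, MEM_FREE,    PAGE_NOACCESS,               0),
    Region(0x00400000, 0x00001000, MEM_COMMIT,  PAGE_READONLY,               MEM_IMAGE),   # PE header
    Region(0x00401000, 0x00002000, MEM_COMMIT,  PAGE_EXECUTE_READ,           MEM_IMAGE),   # .text
    Region(0x00403000, 0x00001000, MEM_COMMIT,  PAGE_READWRITE,              MEM_IMAGE),   # .data
    Region(0x00404000, 0x0007C000, MEM_FREE,    PAGE_NOACCESS,               0),
    Region(0x00480000, 0x000FC000, MEM_RESERVE, 0,                           MEM_PRIVATE), # stack reserve
    Region(0x0057C000, 0x00001000, MEM_COMMIT,  PAGE_READWRITE | PAGE_GUARD, MEM_PRIVATE), # stack guard
    Region(0x0057D000, 0x00003000, MEM_COMMIT,  PAGE_READWRITE,              MEM_PRIVATE), # committed stack
    Region(0x00580000, 0x7FA80000, MEM_FREE,    PAGE_NOACCESS,               0),
]
USER_LIMIT = 0x7FFF0000   # assumed top of 32-bit user-mode space for the example


if __name__ == "__main__":
    regions = walk_regions(make_fake_query(SAMPLE_LAYOUT), USER_LIMIT)
    for r in sort_regions(regions, "Address"):
        print("%08x %08x dumpable=%s" % (r.Address, r.Size, is_dumpable(r)))
```

On Windows the `query` callable would be a thin ctypes wrapper around kernel32.VirtualQueryEx filling a MEMORY_BASIC_INFORMATION structure (that wrapper is not shown here); the walk and the dumpable filter stay the same.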

That's all. I hope you liked this article. If you did, please share...

See ya...
