Author Topic: [C++] RunPEDumper  (Read 2558 times)

0 Members and 2 Guests are viewing this topic.

Offline Zer0Flag

  • Serf
  • *
  • Posts: 20
  • Cookies: 5
    • View Profile
[C++] RunPEDumper
« on: September 03, 2011, 02:46:24 pm »
RunPE is a method used mostly in malware to load a binary file from resources and execute it in the memory. This is used to bypass heuristics and make it harder to analyse the file. The most RunPEs in the wild work the same way.

- Create a new Process
- Unmap loaded file form memory to create space for the new one
- Write new file into memory
- GetThreadConext
- Set new entrypoint
- SetThreadContext
- ResumeThread


The easiest way to dump this is to hook the "WriteProcessMemory" API and rederict the buffer to a new file. I used a ExceptionHooklib from OpCodeZ to do this job. Improvments could be hooking "ResumeThread" to prevent the malware thread from beeing executed. Or hook Native APIs wich could be used instead of the "normal" one.

How to use this: Choose your Injector ( in my case the one wich I included from -Alex- ) and select "Load+Inject". Than choose your Target and select the "AntiMalwareHook.dll". The dumped file appears in the same dir as the Targetfile and is called "dump.exe"

Included in Download:
-Source
-Kompiled DLL
-DLL Injector by -Alex-

OriginalSite: Homepage


~Zer0Flag
« Last Edit: January 27, 2012, 07:02:08 pm by ande »

Offline simon-benyo

  • NULL
  • Posts: 1
  • Cookies: 0
    • View Profile
Re: [C++] RunPEDumper
« Reply #1 on: January 27, 2012, 04:38:53 pm »
Thx But i will take look at the SRC and maybe i can modify it because some people are using NtWriteVirtual Memory instead of WriteProcessMemory