Dumper is small utility used to make dump of process and convert the dumps into exe or dll.
It can do some other processes and threads operations, or change memory of processes

It allows kernel operations like dump, raw dump and kernel memory access. See kernel mode for more information

Processes operations

Refresh processes list
Do a dump of the selected process.
Raw dump allow you to make partial dump of modules by asking you start address and size of the dump

Use the internal dumping function of WinAPIOverride to dump a hooked process

Convert a dump file to exe or dll
  - By removing nonraw parts (default) : remove virtual memory space not present in raw mapping
  - By modifying PE : let all the virtual memory space present, and modify the raw mapping of the exe or dll file
Kill selected process
Suspend selected process
Resume selected process
Change selected process priority
Inject a dll into the selected process (=LoadLibrary)
Eject selected dll of the selected process (=FreeLibrary)
Get process and thread information from any window/dialog
Search which processes are using a dll
Check module or process integrity.
Allow memory operations on processes See Memory Dialog
Display modules sections of the selected process
Allow to do raw disassembly from memory of the selected process
Go into Kernel mode
Go into User mode

Threads operations


Threads Dialog
Allow operations on each thread of an hooked process
Call stack : retreive the callstack of the selected thread
All call stacks : retreive the callstack of all the threads of the selected process
Get the selected thread stack layout and usage information
Context : Retreive the selected thread context.
Kill selected thread
Suspend selected thread
Resume selected thread
Retreives the number of time the selected thread is suspended
Change selected thread priority

Modules and Process integrity

Integrity is checked by making a difference between module (dll, exe,...) on hard drive, and module in memory.
Some changes can be normal like global and static variables.
The report needs your interpretation before restoring some parts of section.
This tool can be usefull as some malwares change original API first bytes (like CreateRemoteThread) to avoid to be spied and reversed.
Once integrity checking is done you get a report like

The restore button allow you to restore a full section or only a change, and get the original code back

In the previous example we can see two break point installed.
To remove them, just hit the associated restore button.

Kernel Mode

Kernel mode provides same dumping, raw dumping and memory access as user mode, with the same interfaces, so just refer upper for details information.

You have to take care playing with kernel memory, you can get blue screen, even damage hardware if you don't know what you are doing.

YOU are the only responsible. The author can't be held responsible for any damage.