Dumper

Dumper is a small utility used to dump a process and convert the dump into an exe or dll.
It can also perform other process and thread operations, and change the memory of processes.

It also allows kernel operations (dump, raw dump and kernel memory access). See Kernel Mode for more information.


Process operations

Refresh the processes list
Dump the selected process.
Raw dump lets you make a partial dump of a module: you are asked for the start address and the size of the dump.

Use the internal dumping function of WinAPIOverride to dump a hooked process

Convert a dump file to an exe or dll
  - By removing nonraw parts (default): removes the virtual memory space that is not present in the raw mapping, so the file keeps only the bytes that the original exe or dll file backed
  - By modifying the PE: keeps the whole virtual memory space and modifies the raw mapping of the exe or dll file (its section headers) so that the file layout matches the memory layout
Kill the selected process
Suspend the selected process
Resume the selected process
Change the selected process priority
Inject a dll into the selected process (=LoadLibrary)
Eject the selected dll from the selected process (=FreeLibrary)
Get process and thread information from any window/dialog
Search which processes are using a dll
Check module or process integrity (see Modules and Process integrity)
Memory operations on processes (see Memory Dialog)
Display the module sections of the selected process
Raw disassembly from the memory of the selected process
Go into Kernel mode
Go into User mode
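The two dump conversion methods listed above, as an added example that is not WinAPIOverride's own code: a memory-layout dump is turned back into a file-layout PE either by keeping only the bytes the file mapping backs (remove nonraw parts) or by rewriting the section headers so that the raw mapping equals the memory layout (modify PE). The PE image, the loader simulation (map_image) and all function names are the example's own assumptions.

```python
"""Convert a process dump (memory layout) back into a PE file (file layout),
the two ways the Dumper page describes. Added example, not WinAPIOverride's
code; the PE image it works on is constructed below."""
import struct

# Optional-header field offsets shared by PE32 and PE32+ (PE/COFF spec).
OPT_SECTION_ALIGN, OPT_FILE_ALIGN = 32, 36
OPT_SIZE_OF_IMAGE, OPT_SIZE_OF_HEADERS = 56, 60
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def _align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def _headers(image):
    """Offset of the optional header and of each section header. Works on a
    file layout and on a memory layout alike, the headers being mapped at 0."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    return opt_off, [opt_off + opt_size + i * SECTION_HDR.size for i in range(nsections)]


def map_image(pe_file):
    """Simulate the loader: lay a file-layout PE out as it is in memory."""
    opt_off, hdrs = _headers(pe_file)
    size_of_image, size_of_headers = struct.unpack_from("<II", pe_file, opt_off + OPT_SIZE_OF_IMAGE)
    mem = bytearray(size_of_image)
    mem[:size_of_headers] = pe_file[:size_of_headers]
    for off in hdrs:
        _, _, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(pe_file, off)
        chunk = pe_file[rawptr:rawptr + rawsize][:size_of_image - va]
        mem[va:va + len(chunk)] = chunk
    return bytes(mem)


def dump_to_pe(dump, strategy="remove_nonraw"):
    """remove_nonraw: keep only the bytes the file mapping backs (SizeOfRawData at
    PointerToRawData), i.e. rebuild the original file layout; memory-only space
    such as uninitialised data is dropped.
    modify_pe: keep the whole virtual space and rewrite the section headers so
    that the raw mapping equals the memory layout."""
    opt_off, hdrs = _headers(dump)
    section_align = struct.unpack_from("<I", dump, opt_off + OPT_SECTION_ALIGN)[0]
    size_of_headers = struct.unpack_from("<I", dump, opt_off + OPT_SIZE_OF_HEADERS)[0]
    sections = [list(SECTION_HDR.unpack_from(dump, off)) for off in hdrs]
    if strategy == "modify_pe":
        out = bytearray(dump)
        struct.pack_into("<I", out, opt_off + OPT_FILE_ALIGN, section_align)
        for off, s in zip(hdrs, sections):
            s[3] = _align_up(s[1], section_align)  # SizeOfRawData    <- VirtualSize
            s[4] = s[2]                              # PointerToRawData <- VirtualAddress
            SECTION_HDR.pack_into(out, off, *s)
        return bytes(out)
    if strategy == "remove_nonraw":
        out = bytearray(max([size_of_headers] + [s[4] + s[3] for s in sections]))
        out[:size_of_headers] = dump[:size_of_headers]
        for _, _, va, rawsize, rawptr, *_ in sections:
            chunk = dump[va:va + rawsize]
            out[rawptr:rawptr + len(chunk)] = chunk
        return bytes(out)
    raise ValueError(f"unknown strategy {strategy!r}")


def build_sample_file():
    """Constructed minimal PE32 (not from any real binary): 0x200 bytes of
    headers, .text fully backed by the file, .data with 0x1000 virtual bytes
    of which only 0x200 are in the file."""
    sections = [  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text\0\0\0", 0x600, 0x1000, 0x600, 0x200, 0x60000020),
        (b".data\0\0\0", 0x1000, 0x2000, 0x200, 0x800, 0xC0000040),
    ]
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                               # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, len(sections))              # Machine i386, NumberOfSections
    struct.pack_into("<HH", hdr, 0x54, 0xE0, 0x0102)                      # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", hdr, 0x58, 0x10B)                              # PE32 magic
    struct.pack_into("<III", hdr, 0x58 + 28, 0x400000, 0x1000, 0x200)     # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, 0x58 + OPT_SIZE_OF_IMAGE, 0x3000, 0x200)  # SizeOfImage, SizeOfHeaders
    for i, s in enumerate(sections):
        SECTION_HDR.pack_into(hdr, 0x58 + 0xE0 + i * SECTION_HDR.size, *s[:5], 0, 0, 0, 0, s[5])
    return bytes(hdr) + b"\xC3" * 0x600 + b"D" * 0x200


def build_sample_dump():
    """Map the sample file, then simulate a runtime write into the part of
    .data that the file does not back (a global being initialised)."""
    dump = bytearray(map_image(build_sample_file()))
    dump[0x2200:0x2208] = b"RUNTIME!"
    return bytes(dump)
```

Running dump_to_pe(build_sample_dump(), "remove_nonraw") gives back exactly the original file, and the runtime write at 0x2200 is gone; the "modify_pe" strategy keeps it, at the cost of a file as large as the image in memory. This is why the page tells you to interpret the result: the nonraw method gives the cleanest file, the modify-PE method is the one to use when data that only existed in memory matters.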



Thread operations


Threads Dialog

Allows operations on each thread of a hooked process:
Call stack: retrieve the call stack of the selected thread
All call stacks: retrieve the call stacks of all the threads of the selected process
Get the selected thread stack layout and usage information
Context: retrieve the selected thread context
Kill the selected thread
Suspend the selected thread
Resume the selected thread
Retrieve the suspend count of the selected thread (how many times it has been suspended)
Change the selected thread priority

Modules and Process integrity

Integrity is checked by comparing a module (dll, exe, ...) as stored on the hard drive with the same module as loaded in memory.
Some changes are normal, for example global and static variables.
The report needs your interpretation before you restore parts of a section.
This tool can be useful because some malware changes the first bytes of original APIs (like CreateRemoteThread) to avoid being monitored and reversed.
Once the integrity check is done, you get a report like this:

The restore button allows you to restore a full section or only a single change, and get the original code back.

In the previous example we can see two breakpoints installed.
To remove them, just hit the associated restore button.
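How the disk-versus-memory comparison and the selective restore described above can work, as an added example that is not the tool's own code. The section bytes are constructed: two hot-patchable API prologues, one overwritten by a jmp rel32 hook and one by an int3 breakpoint, plus a global counter that legitimately changed at runtime. The function names and the classification heuristics are the example's own assumptions.

```python
"""Module integrity check of the kind the Dumper page describes: diff a
section as read from the file on disk against the same section as read from
process memory, report each change, restore only the ones you choose.
Added example, not WinAPIOverride's code; all sample bytes are constructed."""
from dataclasses import dataclass
import struct


@dataclass
class Change:
    offset: int     # offset of the change inside the section
    disk: bytes     # original bytes from the file
    memory: bytes   # bytes currently in the process
    kind: str       # heuristic description of the patch


def _classify(memory, offset):
    """Recognise the inline patches API hooks and debuggers leave behind;
    anything else is reported as a plain byte change for the user to judge."""
    if len(memory) >= 5 and memory[0] == 0xE9:
        rel = struct.unpack_from("<i", memory, 1)[0]
        return f"jmp rel32 -> section+{offset + 5 + rel:#x} (inline hook)"
    if len(memory) >= 6 and memory[:2] == b"\xFF\x25":
        return "jmp [abs32] (inline hook)"
    if memory == b"\xCC" * len(memory):
        return "int3 (software breakpoint)"
    return "byte change (possibly data)"


def check_integrity(disk, memory):
    """Return one Change per run of consecutive differing bytes."""
    if len(disk) != len(memory):
        raise ValueError("disk and memory section sizes differ")
    changes, i = [], 0
    while i < len(disk):
        if disk[i] == memory[i]:
            i += 1
            continue
        j = i
        while j < len(disk) and disk[j] != memory[j]:
            j += 1
        changes.append(Change(i, disk[i:j], memory[i:j], _classify(memory[i:j], i)))
        i = j
    return changes


def restore(memory, changes):
    """Put the on-disk bytes back for the selected changes only."""
    out = bytearray(memory)
    for c in changes:
        out[c.offset:c.offset + len(c.disk)] = c.disk
    return bytes(out)


# Constructed .text slice: two "API" entries with the hot-patchable prologue
# (mov edi,edi / push ebp / mov ebp,esp) padded with nops, then a 4-byte
# global counter that the program legitimately increments at runtime.
PROLOGUE = b"\x8B\xFF\x55\x8B\xEC" + b"\x90" * 11
DISK_TEXT = PROLOGUE + PROLOGUE + b"\x00\x00\x00\x00" + b"\x90" * 12
_mem = bytearray(DISK_TEXT)
_mem[0x00:0x05] = b"\xE9" + struct.pack("<i", 0x100 - 5)  # API A: jmp to section+0x100 (hook)
_mem[0x10] = 0xCC                                           # API B: int3 breakpoint
_mem[0x20:0x24] = struct.pack("<I", 7)                      # counter changed at runtime
MEMORY_TEXT = bytes(_mem)


def demo():
    changes = check_integrity(DISK_TEXT, MEMORY_TEXT)
    for c in changes:
        print(f"+{c.offset:#06x} {c.disk.hex():<12} -> {c.memory.hex():<12} {c.kind}")
    # Restore the code patches only; the counter is a normal runtime change.
    return restore(MEMORY_TEXT, [c for c in changes if "data" not in c.kind])


if __name__ == "__main__":
    demo()
```

The report lists three differences; restoring the first two puts the original prologues back while the counter keeps its runtime value, which is the kind of judgement the page asks the user to make before hitting restore. A real implementation reads the section from the file at PointerToRawData and from the process at its virtual address, and must ignore relocated pointers and import thunks the loader itself rewrites.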

Kernel Mode

Kernel mode provides the same dumping, raw dumping and memory access as user mode, with the same interfaces, so refer to the sections above for details.

Take care when playing with kernel memory: you can get a blue screen, or even damage hardware, if you don't know what you are doing.

YOU alone are responsible. The author can't be held responsible for any damage.