{"id":77,"date":"2018-01-13T16:27:45","date_gmt":"2018-01-13T16:27:45","guid":{"rendered":"http:\/\/malwrforensics.com\/en\/?p=77"},"modified":"2024-01-09T21:27:27","modified_gmt":"2024-01-09T21:27:27","slug":"ida-script-to-create-a-memory-dump","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2018\/01\/13\/ida-script-to-create-a-memory-dump\/","title":{"rendered":"IDA script to create a memory dump"},
"content":{"rendered":"<p align=\"left\">This is an <a href=\"https:\/\/www.hex-rays.com\/products\/ida\/\" target=\"_blank\" rel=\"noopener\">IDA<\/a> script, written in IDC, that writes a fixed address range of the loaded program&#8217;s memory to a file. It is useful once you have stepped past the obfuscation layer(s) and reached the decrypted code\/data\/strings.<\/p>\n<pre><code>\/\/ Dump the address range [start, end) to dump.bin, four bytes at a time.\n\/\/ Set start and end to the module you actually want to capture: bytes that are\n\/\/ not loaded read back as 0xFF, so they pad the dump rather than fail it.\n\/\/ Paste into File &gt; Script command (Shift-F2), or wrap the statements in\n\/\/ static main() { ... } to run it as a .idc script file.\nauto eax;\nauto start;\nauto end;\nauto f;\n\nf = fopen(\"dump.bin\", \"wb\");   \/\/ binary mode: no newline translation on Windows\nstart = 0x400000;\nend   = 0x500000;\neax   = start;\nwhile ( eax &lt; end ) {\n    writelong(f, Dword(eax), 0);  \/\/ third argument 0 = write least significant byte first\n    eax = eax + 4;\n}\nfclose(f);\n<\/code><\/pre>\n<p align=\"left\">The script is also available <a href=\"https:\/\/github.com\/asaygo\/malwrforensics\/blob\/master\/scripts\/ida_dump_mem.idc\">on GitHub<\/a>.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>This is an\u00a0IDA\u00a0script that can do a memory dump. It&#8217;s useful to run it after you&#8217;ve gone past the obfuscation layer(s) and reached the decrypted code\/data\/strings. auto eax; auto start; auto end; auto f; f = fopen(&#8220;dump.bin&#8221;, &#8220;w&#8221;); start = 0x400000; end = 0x500000; eax = start; while ( eax &lt; end ) { \u00a0 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[13,19,18,20,6],"class_list":["post-77","post","type-post","status-publish","format-standard","hentry","category-security","tag-forensics","tag-ida","tag-malware","tag-memory-dump","tag-tool"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[]}},"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},
"post_excerpt_stackable_v2":"<p>This is an\u00a0IDA\u00a0script that can do a memory dump. It&#8217;s useful to run it after you&#8217;ve gone past the obfuscation layer(s) and reached the decrypted code\/data\/strings. 
auto eax; auto start; auto end; auto f; f = fopen(&#8220;dump.bin&#8221;, &#8220;w&#8221;); start = 0x400000; end = 0x500000; eax = start; while ( eax &lt; end ) { \u00a0 \u00a0 writelong(f, Dword(eax) ,0); \u00a0 \u00a0 eax = eax + 4; } fclose(f); Here\u00a0you can find the code on github.<\/p>\n","category_list_v2":"<a href=\"https:\/\/malwrforensics.com\/en\/category\/security\/\" rel=\"category tag\">Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/77","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=77"}],"version-history":[{"count":2,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/77\/revisions"}],"predecessor-version":[{"id":824,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/77\/revisions\/824"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=77"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=77"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=77"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}