View Full Version : Plugin: Memory Dump


aeon
July 8th, 2007, 10:11
Hi

I often need to copy just a number of bytes from the debugged process to a file. There are few plugins, but all of them work on the principle of entering start and end addresses manually. I've been searching for something simple which would allow me to easily copy a number of bytes from the dump window but could not find anything, so I decided to write it myself.

Simply select the desired bytes in the dump window, open the right-click menu and pick 'Memory Dump' to save them.

that's all

I know it's lame, it's my first plugin... I hope somebody finds it useful

http://rapidshare.com/files/41739240/MemoryDump.zip.html

BeatriX
July 8th, 2007, 11:34
Yes, it is a good tool. Thanks. Usually, we must dump the entire section and cut it with a hex editor. Now, it is very simple. Just a question, what are the other plugins which allow us to dump bytes?

I just know "Data Ripper" to dump data usable in source code. "Export table" is doing the same thing with fewer options.

aeon
July 8th, 2007, 12:17
Quote:
[Originally Posted by BeatriX;67011]Usually, we must dump the entire section and cut it with an hex editor. Now, it is very simple.


I was tired of this



Quote:

I just know "Data Ripper" to dump data usable in source code. "Export table" is doing the same thing with fewer options.


yep, but those you mention are different, I know of 2 which do binary dump
one is Memory Backup and second is IsDebuggerPresent, it contains a dumper

BeatriX
July 9th, 2007, 06:09
Just a small comment. I don't think it is a good idea to pack your plugin, aeon. Not very handy if we want to debug or disassemble it. Are you afraid of the size of your DLL? And more, if I want to debug Olly with Olly itself, by default, we get the famous message about BaseOfCode.
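
Added example, not part of the thread and not OllyDbg's code: the "BaseOfCode" message mentioned above is an entry-point warning, which packed modules tend to trigger because the unpacking stub starts outside the code range declared in the PE header. The sketch checks that condition from the header fields; the exact comparison (entry point outside BaseOfCode..BaseOfCode+SizeOfCode) is an assumption about what the debugger tests, and `build_header` produces a constructed header prefix, not a real DLL.

```python
import struct

def entry_point_outside_code(pe: bytes) -> bool:
    """True when AddressOfEntryPoint is outside [BaseOfCode, BaseOfCode + SizeOfCode)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20              # skip signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (size_of_code,) = struct.unpack_from("<I", pe, opt + 4)
    entry, base_of_code = struct.unpack_from("<II", pe, opt + 16)
    return not (base_of_code <= entry < base_of_code + size_of_code)

def build_header(entry: int, base_of_code: int, size_of_code: int) -> bytes:
    """Constructed minimal PE32 header prefix for the demo (headers only)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<HBBIIIII", 0x10B, 6, 0,
                      size_of_code, 0, 0, entry, base_of_code)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    # Constructed values: a plain layout, then an entry point in a later section.
    for name, hdr in [("plain", build_header(0x1000, 0x1000, 0x2000)),
                      ("stub elsewhere", build_header(0x9000, 0x1000, 0x2000))]:
        print(name, "-> entry outside declared code:", entry_point_outside_code(hdr))
```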

aeon
July 9th, 2007, 13:04
well, I do not like having my plugin debugged or disassembled, just because my coding is terrible. I've seen packed plugins, although it was only UPX. Yep, size is another reason, I do not like 22KB, 11KB is much better

LLXX
July 14th, 2007, 07:37
Quote:
[Originally Posted by BeatriX;67019]Just a small comment. I don't think it is a good idea to pack your plugin, aeon. Not very handy if we want to debug or disassemble it. Are you afraid of the size of your DLL? And more, if I want to debug Olly with Olly itself, by default, we get the famous message about BaseOfCode.
Packed? So what? No problem! Nothing a little reversing can't fix

If you don't want your code disassembled, this is the wrong forum for you. Consider that many of the users here are quite skilled reversers and for them unpacking is trivial.

...but really, OllyDbg already has this functionality. Select bytes, Rightclick -> Binary -> Binary Copy. Then paste in whatever editor of choice.

blabberer
July 14th, 2007, 09:22
Quote:
[Originally Posted by LLXX;67159]...but really, OllyDbg already has this functionality. Select bytes, Rightclick -> Binary -> Binary Copy. Then paste in whatever editor of choice.


well that copies ascii representation of binary
not as .bin

though you can copy bin
with right click-> createbackup-> save backup to file

this plugin copies specific selection while save backup will save the entire page so it has some added functionality that may be of use to some

aeon
July 14th, 2007, 17:22
Quote:
If you don't want your code disassembled, this is the wrong forum for you. Consider that many of the users here are quite skilled reversers and for them unpacking is trivial.


I still do not want my code disassembled, but that's not important. I know somebody does it and that's fine, that's the point of this forum, to learn.

Probably none of the serious programmers want their applications to be disassembled, and still there is a high chance somebody will do it.


Binary Copy copies hex representation of selected bytes, not bytes themselves

aeon
September 16th, 2007, 11:16
I have made a small update:

- copy to clipboard: this comes in handy when the user wants to access a string from the dump fast and use it immediately somewhere else (does not work very well with control characters)

- version for immunity debugger

http://www.zippyshare.com/v/55465328/MemoryDump.zip.html

aeon
October 10th, 2007, 04:09
I've added exporting tables for c, asm and delphi

http://www1.zippyshare.com/v/11314507/file.html

aeon
December 10th, 2007, 10:46
I did last update

Description:
Code:


In the dump window right click and select 'Memory Dump' in the popup menu
pick your choice.

Possible choices are:

- File
Copies selected bytes from dump into a file.

- Clipboard
Copies selected bytes from dump into a clipboard (text only).

- Delphi/Pascal Table
Generates table of selected bytes which can be easily used in Delphi/Pascal

- C/C++ Table
Generates table of selected bytes which can be easily used in C/C++

- ASM Table
Generates table of selected bytes which can be easily used in Assembler
(MASM Tested)

- Visual Basic Table
Generates table of selected bytes which can be easily used in Visual Basic

- Range Dump
Dumps Range of defined bytes by:

- Lenght : Tick End Address/Lenght
- End Address : Untick End Address/Lenght

Xor Dump With: Self-explanatory

Button with [<] symbol enters address of last byte clicked(not selected) in the dump,
it's more convenient than entering addresses manually.


- Xor Selection
Xors Selection and shows dumped data in Olly's window. This window cannot be used
for another byte manipulation with plugin because dump is created in your Win's
temporary folder and not in memory.





http://www.zippyshare.com/v/4380600/file.html

JMI
December 10th, 2007, 11:39
Thanks again for keeping us updated!

Regards,

TQN
December 12th, 2007, 10:18
Simple but very good plugin, aeon. Can you post or PM me the source code?
Thank you very much !

Nacho_dj
December 12th, 2007, 11:33
Quote:
[Originally Posted by aeon;70853]
Code:

- Delphi/Pascal Table
Generates table of selected bytes which can be easily used in Delphi/Pascal


I wish this had been developed before, I have managed very big blocks of bytes to be converted to Delphi tables.

Well, from now on this will get easier and more comfortable.

Many thanks for your good work

Nacho_dj

aeon
December 12th, 2007, 11:54
Quote:
[Originally Posted by TQN;70894]Simple but very good plugin, aeon. Can you post or PM me the source code ?
Thank you very much !


huh, you are the guy who made SDK for delphi

did I not mention that my coding is ..... ehm...... terrible? If there is something wrong (bug) or you're interested in something particular, just tell me

Quote:
[Originally Posted by Nacho_dj;70896]I wish this had been developed before, I have managed very big block of bytes to be converted to Delphi tables.

Well, from now on this will get easier and more comfortable.

Many thanks for your good work

Nacho_dj


actually there is such plugin



thank you guys, you're welcome

TQN
December 12th, 2007, 18:52
Hi aeon !
I am modifying the plugin.pas to support plugins for OllyDbg and ImmDbg. With this plugin.pas, we can build the DLL only once and it will be usable in OllyDbg and ImmDbg as well, no need to build two DLLs, one each for OllyDbg and ImmDbg.
I need some plugin source code to test, and I see your plugin is very interesting.

dELTA
December 13th, 2007, 07:48
Sounds great TQN, please let us know when the update is complete, and where we can find it.

Aeon, now you have an opportunity to contribute to the actual Olly Delphi SDK, so hurry up sending your source code over to TQN now.

JMI
December 13th, 2007, 10:49
And don't worry too much about whether or not your "code" is "pretty." If it "works," TQN will "figure it out."

Regards,

aeon
August 8th, 2009, 05:40
after two years of inactivity I decided for small update

Code:



Plugin is intended to save/load bytes from memory dump window of the process in
various forms. In the dump window right click and select 'Memory Dump' in the popup menu
pick your choice.

Possible choices are:

- Load Dump
Allows to fill process' memory with data from a file. (Be sure what you are
doing, overwriting the process memory may cause you a lot of trouble.)

- Save Dump
Copies selected bytes from dump into a file.

- Clipboard(Text)
Copies selected bytes from dump into a clipboard (text only).

- Delphi/Pascal Table
Generates table of selected bytes which can be easily used in Delphi/Pascal

- C/C++ Table
Generates table of selected bytes which can be easily used in C/C++

- ASM Table
Generates table of selected bytes which can be easily used in Assembler
(MASM Tested)

- Visual Basic Table
Generates table of selected bytes which can be easily used in Visual Basic

- Range Dump (ALT+R)
Dumps Range of defined bytes by:

- Lenght : Tick End Address/Lenght
- End Address : Untick End Address/Lenght

Xor Dump With: Self-explanatory

Button with [<] symbol enters address of last byte clicked(not selected) in the dump,
it's more convenient than entering addresses manually.


- Xor Selection
Xors Selection and shows dumped data in Olly's window. This window cannot be used
for another byte manipulation with plugin because dump is created in your Win's
temporary folder and not in memory.


- Quick Dump (ALT+Q)
Allows quickly select and dump data, mark the start(SHIFT+1) and the end(SHIFT+2) of
the block in dump window, then just press (ALT+Q).








http://rapidshare.com/files/265054369/MemoryDumpv0.9a.zip.html
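
Added example, not the plugin's source (which was never posted in this thread): a Python sketch of three operations the description lists, namely a range given by length or by end address, XOR with a key, and a C/C++ table, starting from the hex text that Binary Copy produces rather than raw bytes. Treating the end address as inclusive, the table layout, and all function names and sample bytes are assumptions made for the illustration.

```python
import re

def hex_text_to_bytes(text: str) -> bytes:
    """Turn a hex representation such as '55 8B EC' into the raw bytes it denotes."""
    digits = re.sub(r"\s+", "", text)
    if len(digits) % 2 or re.search(r"[^0-9A-Fa-f]", digits):
        raise ValueError("expected an even number of hex digits")
    return bytes.fromhex(digits)

def select_range(memory: bytes, base: int, start: int,
                 value: int, value_is_length: bool) -> bytes:
    """Slice by start+length or start+end address (end inclusive: an assumption)."""
    length = value if value_is_length else value - start + 1
    off = start - base
    if length <= 0 or off < 0 or off + length > len(memory):
        raise ValueError("range lies outside the captured memory")
    return memory[off:off + length]

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def c_table(data: bytes, name: str = "dump", per_line: int = 8) -> str:
    """Render bytes as a C array definition."""
    rows = [", ".join(f"0x{b:02X}" for b in data[i:i + per_line])
            for i in range(0, len(data), per_line)]
    body = ",\n    ".join(rows)
    return f"unsigned char {name}[{len(data)}] = {{\n    {body}\n}};"

# Constructed sample: ten bytes as they would appear in a hex text copy,
# imagined to start at address 0x401000.
SAMPLE_HEX = "55 8B EC 83 EC 10 53 56 57 90"
SAMPLE_BASE = 0x401000

if __name__ == "__main__":
    mem = hex_text_to_bytes(SAMPLE_HEX)
    by_length = select_range(mem, SAMPLE_BASE, 0x401003, 4, True)
    by_end = select_range(mem, SAMPLE_BASE, 0x401003, 0x401006, False)
    assert by_length == by_end               # same four bytes either way
    print(c_table(xor_bytes(by_length, b"\x55")))
    with open("dump.bin", "wb") as fh:       # raw bytes, not their hex text
        fh.write(by_length)
```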

winndy
August 9th, 2009, 20:44
Quote:
[Originally Posted by aeon;82309]





http://rapidshare.com/files/265054369/MemoryDumpv0.9a.zip.html


This file is neither allocated to a Premium Account, or a Collector's Account, and can therefore only be downloaded 10 times.

This limit is reached.

Kayaker
August 10th, 2009, 02:49
Hi aeon

Why don't you just update the already existing entry for your plugin that's been here all along?

http://www.woodmann.com/collaborative/tools/MemoryDump

aeon
August 10th, 2009, 07:00
ok, updated

ulpius
October 10th, 2009, 15:12
2009 version:
Auto-Protect blocked security risk
d83fafa4ad118a1ea9e5456e24ff7863 *MemoryDump.dll
Spyware.ActualSpy
Severity: High

I checked the 2007 version:
5ab1135913ea32c418a0bad254e597b9 *MemDump.dll
Adware.AllSum

Where is the source code?

aeon
October 12th, 2009, 10:48
There is no spyware/malware/adware in my plugin (unless you somehow got a modified version from somewhere else).
AFAIK there has not been any similar complaint from any other user. Auto-Protect (of whose existence I was not aware to this day) probably considers upack a threat or they have an FP.

You don't have to believe me, so don't use it.