最近看到有些恶意程序,从网络上下载PE文件后,直接放在内存里重定位和初始化,为了能将其dump出来,所以写了这个Windbg脚本。

.foreach( place  { !address /f:VAR,MEM_PRIVATE,MEM_COMMIT /c:"s -[1]a %1 %2 \"MZ\"" } ) 
{
    ad *
    .catch {
        r @$t2 = place;
        r @$t0 = place;
        r @$t1 = @@C++(((ntdll!_IMAGE_DOS_HEADER *)@$t0)->e_lfanew);
        r @$t0 = @$t0 + @$t1;
        r @$t1 = $vvalid(@$t0, 4);

        .if (@@C++(@$t1 && @@C++(((ntdll!_IMAGE_NT_HEADERS *)@$t0)->Signature) == 0x00004550))
        {
            r @$t1 = @@C++(((ntdll!_IMAGE_NT_HEADERS *)@$t0)->OptionalHeader.SizeOfImage);
            .printf "%08x  %08x\n", @$t2, @$t1;
            aS /x start_addr @$t2
            aS /x dump_size @$t1
            .block {
                aS target_file e:\\${start_addr}.dll
            }
            
            .block {
                .printf "${target_file}"
                .writemem "${target_file}" ${start_addr} L?${dump_size}
            }
        }
    }
}