HiDump: Injected Code Extraction Tool

Usage

Usage: HiDump.rb [options]
    -t, --target [TARGET]            Target executable to run
    -v, --verbose                    Enable verbose messages
    -d, --working-directory [DIR]    Working directory for Monitor (default: curr dir)
    -x, --no-remote-thread           Do not allow CreateRemoteThread(..)
        --syelogd                    Start Syelogd for Monitor debugging
    -h

Example Run

HiDump>ruby HiDump.rb -t omg.exe -d C:\tmp
[+] Starting Target with CREATE_SUSPENDED flag (omg.exe)
[+] Process created with pid: 2016
[+] Injecting monitor dll
[+] Preparing monitor dll with config
[+] Waiting
[+] Resuming execution of target
[+] Waiting for target to finish execution
[+] Finished

Monitor Logs

SYELOGD: Ready for clients.  Press Ctrl-C to stop.
20130613063225528 2548 50.50: HiMonitor: Config loaded successfully
20130613063225528 2548 50.50: HiMonitor: Config: CreateRemoteThread: Allowed
20130613063225528 2548 50.50: HiMonitor: Config: WorkingDir: C:\tmp
20130613063225529 2548 50.50: HiMonitor: Hooks Initialized
20130613063225529 2548 50.50: HiMonitor: Detour Attached To: 2548
20130613063228325 2548 50.50: HiMonitor: HookHandler: OpenProcess(pid=0)
20130613063228325 2548 50.50: HiMonitor: HookHandler: OpenProcess(pid=4)
20130613063228329 2548 50.50: HiMonitor: HookHandler: OpenProcess(pid=260)
[...]
20130613063228329 2548 50.50: HiMonitor: HookHandler: VirtualAllocEx(HANDLE=0x000000d0 dwSize=222)
20130613063228329 2548 50.50: HiMonitor: Store: New allocation created at 0x02060000 (pCtx=0x0061bef8 mCtx=0x00620b68)
20130613063228329 2548 50.50: HiMonitor: HookHandler: WriteProcessMemory(HANDLE=0x000000d0 Target=0x02060000 Source=0x0040a000 Size=221
20130613063228329 2548 50.50: HiMonitor: Store: Storing 221 bytes at 0x0061ed58
20130613063228329 2548 50.50: HiMonitor: HookHandler: CreateRemoteThread(HANDLE=0x000000d0 ThreadProc=0x02060000
20130613063228329 2548 50.50: HiMonitor: ** Attempted execution of injected code. Target: C:\Windows\Explorer.EXE ThreadId: 3828 StartAddr: 0x02060000
20130613063228330 2548 50.50: HiMonitor: Dumper: Dumping to file: C:\tmp\CRT_000000d0_02060000_0.mem
[...]
20130613063652622 1268 50.50: HiMonitor: Detour closing
20130613063652626 ---- --.60: Client closed pipe.
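The hook events above, correlated the way an analyst triaging a HiMonitor log would do by hand, as an added Ruby example that is not part of HiDump: it joins VirtualAllocEx, the Store allocation record, WriteProcessMemory and CreateRemoteThread on the (handle, remote address) pair, keeps only chains where written bytes were then executed, and reproduces the Dumper's CRT_<handle>_<addr>_<n>.mem file name. The sample lines are copied from the example run; the function names are assumptions.

```ruby
# Added example (not HiDump's own code): correlate HiMonitor log lines into
# injection chains. The log lines below are copied from the README's example run.
SAMPLE_LOG = <<~LOG
  20130613063228329 2548 50.50: HiMonitor: HookHandler: VirtualAllocEx(HANDLE=0x000000d0 dwSize=222)
  20130613063228329 2548 50.50: HiMonitor: Store: New allocation created at 0x02060000 (pCtx=0x0061bef8 mCtx=0x00620b68)
  20130613063228329 2548 50.50: HiMonitor: HookHandler: WriteProcessMemory(HANDLE=0x000000d0 Target=0x02060000 Source=0x0040a000 Size=221
  20130613063228329 2548 50.50: HiMonitor: HookHandler: CreateRemoteThread(HANDLE=0x000000d0 ThreadProc=0x02060000
LOG
# Each record: 17-digit timestamp, monitored pid, and the message after "HiMonitor: "
LINE_RE = /\A(\d{17}) (\d+) [\d.]+: HiMonitor: (.*)\z/

def parse_line(line)
  m = LINE_RE.match(line.strip) or return nil
  { ts: m[1], pid: m[2].to_i, msg: m[3] }
end

# Walk the log in order and build one entry per (handle, remote address):
# allocation size, bytes written there, and whether a thread was started at it.
def correlate(log)
  chains = {}
  pending_alloc = nil # VirtualAllocEx seen; Store has not yet reported the address
  log.each_line do |raw|
    rec = parse_line(raw) or next
    case rec[:msg]
    when /VirtualAllocEx\(HANDLE=(0x\h+) dwSize=(\d+)/
      pending_alloc = { handle: $1, alloc_size: $2.to_i }
    when /Store: New allocation created at (0x\h+)/
      next unless pending_alloc
      chains[[pending_alloc[:handle], $1]] = pending_alloc.merge(addr: $1, written: 0, executed: false)
      pending_alloc = nil
    when /WriteProcessMemory\(HANDLE=(0x\h+) Target=(0x\h+) Source=0x\h+ Size=(\d+)/
      chain = chains[[$1, $2]] or next # write into memory we did not see allocated
      chain[:written] += $3.to_i
    when /CreateRemoteThread\(HANDLE=(0x\h+) ThreadProc=(0x\h+)/
      chain = chains[[$1, $2]] or next # thread start outside a tracked allocation
      chain[:executed] = true
    end
  end
  chains.values
end

# File name the README shows the Dumper using: CRT_<handle>_<addr>_<n>.mem
def dump_name(chain, index = 0)
  format("CRT_%08x_%08x_%d.mem", chain[:handle].hex, chain[:addr].hex, index)
end

# Injection = remote allocation that was written to and then executed
def injections(log)
  correlate(log).select { |c| c[:executed] && c[:written] > 0 }
end
```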