Extract Windows Defender database from vdm files and unpack it
hfiref0x v 1.0.2
Ability to extract GAPA (Generic Application Level Protocol Analyzer) modules from NIS (Network Inspection System) VDM containers.
Latest commit 10935f9 Apr 23, 2019



  • This program is distributed as-is, without any warranty;
  • No official support; if you like this tool, feel free to contribute.


  • Unpack VDM containers of Windows Defender/Microsoft Security Essentials;
  • Decrypt the VDM container embedded in the Malicious Software Removal Tool (MRT.exe);
  • Extract all PE images from unpacked/decrypted containers on the fly (-e switch):
    • dump VDLLs (Virtual DLLs);
    • dump VFS (Virtual File System) contents;
    • dump signature auxiliary images;
    • dump GAPA (Generic Application Level Protocol Analyzer) images used by NIS (Network Inspection System);
    • the code can be adapted to dump type-specific chunks of the database (not implemented);
  • Faster than any script.

List of MRT extracted images (version 5.71.15840.1)

List of WD extracted images, mpasbase.vdm (version

List of NIS signatures from NisBase.vdm (version


wdextract file [-e]

  • file - filename of the VDM container (*.vdm file or MRT.exe executable);
  • -e - optional parameter; extract all PE image chunks found in the VDM after unpacking/decrypting (this includes VFS components and emulator VDLLs).


  • wdextract c:\wdbase\mpasbase.vdm
  • wdextract c:\wdbase\mpasbase.vdm -e
  • wdextract c:\wdbase\mrt.exe
  • wdextract c:\wdbase\mrt.exe -e

Note: the base will be unpacked/decrypted into the source directory as %originalname%.extracted (e.g. if the original file is c:\wdbase\mpasbase.vdm, the unpacked file will be c:\wdbase\mpasbase.vdm.extracted). Image chunks will be dumped to a "chunks" directory created in the current directory of wdextract (e.g. if wdextract is run from c:\wdbase, it will be c:\wdbase\chunks). Output files always overwrite existing ones.
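What the -e switch does on the unpacked base (locate every embedded PE image and carve it out as a chunk), shown here as an added Python example that is not WDExtract's own code: each MZ hit is validated through e_lfanew, the PE signature and the optional-header magic, and the chunk size is taken from SizeOfHeaders and the section table so that an MZ inside an already carved image is not reported again. The sample container, the minimal PE builder and all offsets used are constructed for this example; it does not implement VDM unpacking, only the PE-carving step.

```python
import struct

def pe_extent(buf: bytes, off: int) -> int:
    """Size on disk of the PE image starting at buf[off:], or 0 if the MZ at off is not a valid image."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return 0
    nt = off + struct.unpack_from("<I", buf, off + 0x3C)[0]          # e_lfanew -> IMAGE_NT_HEADERS
    if nt < off + 0x40 or nt + 24 > len(buf) or buf[nt:nt + 4] != b"PE\0\0":
        return 0
    nsec = struct.unpack_from("<H", buf, nt + 6)[0]                   # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", buf, nt + 20)[0]              # FileHeader.SizeOfOptionalHeader
    opt = nt + 24
    if opt_size < 64 or opt + opt_size > len(buf) or not 0 < nsec <= 96:
        return 0
    if struct.unpack_from("<H", buf, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+ magic
        return 0
    end = struct.unpack_from("<I", buf, opt + 60)[0]                  # SizeOfHeaders (same offset in both)
    for i in range(nsec):
        sec = opt + opt_size + i * 40                                 # IMAGE_SECTION_HEADER is 40 bytes
        if sec + 40 > len(buf):
            return 0
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sec + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return min(end, len(buf) - off)                                   # clamp an image truncated at the end

def carve_pe_images(buf: bytes) -> list:
    """Return [(offset, size)] for each PE image in buf; MZ hits inside a carved image are skipped."""
    found, pos = [], 0
    while (pos := buf.find(b"MZ", pos)) >= 0:
        size = pe_extent(buf, pos)
        if size:
            found.append((pos, size))
        pos += size or 1
    return found

def build_sample_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32 (not a real binary): 0x200 bytes of headers, then one section holding payload."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 60, 0x200)
    sect = struct.pack("<8sIIIIIIHHI", b".data", len(payload), 0x1000, len(payload), 0x200, 0, 0, 0, 0, 0x40000040)
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(0x200, b"\0") + payload

# Constructed container: filler, image A, a stray "MZ" that is not a PE header, image B.
SAMPLE = b"\0" * 16 + build_sample_pe(b"A" * 32) + b"MZ garbage" + build_sample_pe(b"B" * 100)

if __name__ == "__main__":
    for off, size in carve_pe_images(SAMPLE):
        print(f"PE image at offset {off:#x}, {size} bytes")
```

Run it against a real .extracted file by replacing SAMPLE with the file's bytes and writing each (offset, size) slice to the chunks directory; the walrus operator needs Python 3.8 or newer.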


  • Source code written in C;
  • Built with MSVS 2017 with Windows SDK 17763 installed;
  • Can be built with previous versions of MSVS and SDKs.

Related references and tools


No actual dumped/extracted/unpacked binary data included or will be included in this repository.

3rd party code usage

Uses ZLIB Data Compression Library (


(c) 2019 WDEXTRACT Project
