Overview
This plugin is process memory dumper for OllyDbg and Immunity Debugger.
Very simple overview: OllyDumpEx = OllyDump + PE Dumper - obsoleted + useful features
Features
Various debuggers supported
Select to dump debugee exe, loaded dll or non-listed module
Search MZ/PE Signature from memory
Multiple Dump mode. Rebuild for typical PE dump, Binary for PE Carving
PE32+ supported (Search and Binary Dump mode only available on 32bit debugger)
Native 64bit process supported (IDA Pro, WinDbg and x64_dbg)
Dump any address space as section even if not in original section header
Add dummy section to keep PE format consistency
Fix RVA in DataDirectory to follow ImageBase change
Auto calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)
Supported Debugger
OllyDbg version 1.10 (tested 1.10)
OllyDbg version 2.01 (tested 2.01)
Immunity Debugger version 1.7x or lower (tested 1.73)
Immunity Debugger version 1.8x or higher (tested 1.85)
IDA Pro Retail version 5.0 or higher (tested 6.6)
IDA Pro Freeware version 5.0 (tested 5.0)
WinDbg version 6.x (tested 6.2)
x64_dbg version 2.x (tested 2.2alpha)
Download
This archive file contains plugin DLLs for each debuggers. OllyDumpEx.zip
Version: v1.40
MD5 : eb36d3271f6c0f98ad0ff9603011965a
SHA1: 7479afef0211e415d7a3b87e88da941223e7bf9a
Recent Changes
- v1.40 / 2014-12-17
Add: Support x64_dbg plugin interface (both 32bit and 64bit)
Improve: Enable NXCOMPAT and DYNAMICBASE for plugin binaries
- v1.30 / 2013-06-28
Add: Support WinDbg plugin interface (both 32bit and 64bit)
Improve: Add plugin name and version directory to archive file
Bugfix: Data after section headers in PE Header has been ignored
Bugfix: Fix SizeOfHeaders inconsistency
- v1.20 / 2013-05-27
Add: Support IDA Pro plugin interface (both Retail and Freeware version)
Add: Support native 64bit process dump (IDA Pro only)
Improve: Change dialog position to center of parent window
Improve: Add debug toggle menu to dialog system menu
Improve: Section size handling single section belongs to multiple memory segments
Bugfix: Zero virtual size section handling
- v1.12 / 2013-04-02
Improve: Update to OllyDbg 2 latest version PDK (2.01h)
Improve: Tested with latest version of debuggers
Bugfix: Search greater than 0x7FFFFFFF memory address failed
- v1.10 / 2013-03-24
Add: Search type All Memory
Add: Binary dump mode (no rebuild PE header, for before load image)
Add: PE32+ support (Binary dump mode only)
Add: Memory Address/Size parameters editable (dump source address)
Improve: Add info message for Relocation Flag and EXE/DLL type
Improve: Large PE Header handling (larger than 0x1000)
Improve: Check SectionAlignment and FileAlignment consistency
Improve: Reduce search memory usage (not depend on target memory size)
Improve: Detect PE Header across different type pages (parse and search)
Bugfix: Improper owner window handle
Bugfix: Section not listed when belong memory range not exists
Bugfix: Almost features broken when memory window sort order changed
- v1.00 / 2013-03-12
Add: Selectable Base PE Header (Module/Memory/Address)
Add: Search PE Header from memory
Improve: PE Source default change Disk to Memory
Improve: ASLR aware (except PE Source from Disk mode)
Improve: Clear DynamicBase DllCharacteristics flag with Disable Relocation option
Improve: PE Header parse and modify more carefully (corrupt PE handling)
Improve: Inherit selected address from memory window
Bugfix: Fix Virtual Offset feature cause crash (divide by zero)
Bugfix: Parse invalid sections cause crash
- v0.92 / 2012-10-09
Improve: Support OllyDbg version 2 plugin new interface
- v0.90 / 2011-08-24
Add: Support OllyDbg version 2 plugin interface (EXPERIMENTAL)
Improve: Rewrite Wide/Multibyte-Character support code
Improve: Decode CopyOnWrite page attribute
Bugfix: Detect working directory
- v0.80 / 2011-07-15
Add: Support Immunity Debugger version 1.8x or higher
Improve: Data Directory rebuild option (check rewrite range)
Improve: Always round up PE header size to 0x1000 (ImportRec not extend itself)
Bugfix: TLS Data Directory ignored
发表于 2014-12-19 14:18
