memory-dumper is a tool for dumping files from process's memory. The main purpose is to find patterns inside the process's memory, which is done by plugins, and dump segments of memory to files.
Virtually memory-dumper can dump anything, it's up to you find it
any use. That said, I use it to dump Flash files (SWF). There are
many SWF encrypted files that can't be decrypted easily. The only
easy way is make them decrypt themself and them dump them directly
from memory.
New plugins for dumping any other type of data can be created easily.
You'll need meson, python3 and ninja-build. Once you have those, just run:
mkdir build
cd build
meson ..
ninja
Go to the build directory and run:
sudo ./memory-dumper -p PID
to dump the memory of a process (sudo is required because memory-dumper must read the
memory of a process that doesn't own)
or
./memory-dumper -p /path/to/file.ext
to dump the content of a file.
You just need to create a plugin! It's that easy. Just look inside
the plugin folder. Your plugin should have two main functions.
The first one is init which will be used to init the plugin
itself and pass it some useful functions; and the second one is match,
which is used to pass a memory block to the plugin so it can search
and dump it's content.
-
Currently memory-dumper works only on Linux. Maybe I'll port it to Windows at some point in the future, but I don't want to promise anything. Anyways, I'll accept a patch for this :)
-
I'm planning to write some more plugins. If you want a plugin for some specific file type, use the
New issuebutton :) -
Write some documentation about how to write a plugin.
