VMProtect payload extractor with IAT reconstruction, PE repair, and Memory Harvester (v5.0). Monitors section unpacking, captures OEP via thread context + CRT pattern scan, dumps the PE with repaired headers for direct execution, reconstructs imports with slot mapping, and scans process memory for IOCs.
- PE repair -- Dumped binary is directly executable (fixed headers, entry point, alignment)
- OEP capture -- Dual strategy: thread IP at suspend + CRT startup pattern scanning
- Section monitoring -- Detects VMProtect-zeroed sections (FileSize=0 on disk) that get populated at runtime
- IAT reconstruction -- Enumerates all loaded module export tables to build a resolved import list
- IAT slot mapping -- Scans PE sections to find where import pointers live (slot RVAs)
- Full PE dump -- Memory dump with PE header repair (
*_dumped.exe) - Structured metadata --
dump_metadata.jsonwith all PE structure data for post-processing - Individual section dumps -- Each section saved as
{name}_0x{address}.bin - IOC extraction -- Scans all committed process memory for URLs, Bitcoin wallets, onion URLs, Telegram links, email addresses, ransom indicators, file extensions, registry keys, mutex names, WMI queries, system commands, file paths
- Wide string scanning -- Extracts both ASCII and UTF-16LE strings
- Dropped file capture -- Captures ransom notes and suspicious files from target directory
- DLL support -- Load DLLs via
--dll-export=<Name>or--dll-export=#1(ordinal). Supports .dll, .ocx, .cpl - ServiceMain DLLs -- Auto-creates a temporary Windows service for service DLLs (
--dll-export=ServiceMain) - Anti-monitor bypass -- Kills 50+ known analysis tools that VMProtect detects
- VMware/VBox cleanup -- Optional
--kill-vmtoolsto kill virtualization guest tools and stop VM services - Drag & drop -- Drop a protected EXE onto the executable to start
- Auto output folder -- Creates
vmp_dump_{filename}/automatically - Memory Harvester -- Dynamic executable region tracking with rolling 500ms snapshots, fingerprint-based change detection, captures ephemeral unpacked code outside PE image
- PE-sieve integration -- Auto-detects pe-sieve at C:\Tools, runs for advanced unpacking validation
- Behavioral triggers -- Monitors Desktop, TEMP, APPDATA for new file drops; triggers dump on ransomware activity
- Harvest report -- harvest_report.txt with full region timeline, section status, PE-sieve results
- Password-protected output -- Results packaged as
.datarchive (ZipCrypto, password:virus)
| Feature | v2.0 | v3.0 |
|---|---|---|
| PE dump format | _dumped.bin (IDA only) |
_dumped.bin (repaired PE, rename to .exe) |
| Entry point | VMProtect stub (wrong) | Real OEP (thread IP + CRT scan) |
| FileAlignment | Original (mismatched) | Self-mapping (= SectionAlignment) |
| ASLR | Enabled (breaks fixed base) | Disabled for fixed-base execution |
| Relocations | Untouched | RELOCS_STRIPPED if no .reloc |
| IAT mapping | Text catalog only | Slot RVAs in imports + metadata |
| Metadata | None | dump_metadata.json (full PE structure) |
| Checksum | Stale | Zeroed (valid) |
| SizeOfHeaders | Original | Aligned to new FileAlignment |
| Protector | Versions |
|---|---|
| VMProtect | 1.x, 2.x, 3.x |
| Build | Targets |
|---|---|
| x64 | 64-bit targets |
| x86 | 32-bit targets |
Unlike Themida (which encrypts native code and decrypts it at runtime), VMProtect virtualizes native code into custom bytecode. The original sections (.text, .rdata, etc.) are zeroed on disk and may or may not be populated at runtime depending on protection level. This tool specifically detects and handles VMProtect's zeroed-section pattern.
# EXE (drag & drop or command line)
vmprotect_dumper_x64.exe <target.exe>
# EXE with VM tools cleanup
vmprotect_dumper_x64.exe <target.exe> --kill-vmtools
# DLL (named export, required for DLLs)
vmprotect_dumper_x64.exe sample.dll --dll-export=ExportName
# Service DLL
vmprotect_dumper_x64.exe sample.dll --dll-export=ServiceMainDLLs require
--dll-exportand cannot be drag-and-dropped.
Results are saved to vmp_dump_{filename}/ and packaged as a .dat archive:
vmp_dump_malware.exe/
├── _text_0x140001000.bin # Individual section dumps
├── _rdata_0x140010000.bin
├── _vmp0_0x140050000.bin # VMProtect VM section
├── malware.exe_dumped.bin # Repaired PE (rename to .exe to run)
├── resolved_imports.txt # Reconstructed imports with slot RVAs
├── dump_metadata.json # PE structure & IAT metadata
└── extracted_strings.txt # IOC strings (ASCII + wide)
kernel32.dll!CreateFileW = 0x00007FFB1A2C3D40 @ RVA=0x00075000
ntdll.dll!RtlAllocateHeap = 0x00007FFB1B4E5F60 @ RVA=0x00075008
ws2_32.dll!connect = 0x00007FFB19876540
Imports with @ RVA= have their IAT slot location mapped in the PE.
dump_metadata.json contains structured PE data for post-processing tools:
{
"dumper_version": "3.0",
"machine": "0x8664",
"image_base": "0x140000000",
"size_of_image": "0x1A0000",
"oep_rva": "0x00005678",
"oep_captured": true,
"oep_thread_rva": "0x00005690",
"oep_crt_rva": "0x00005678",
"sections": [...],
"data_directories": {...},
"imports_resolved": 2847,
"iat_slots_found": 156,
"iat_slots": [
{"slot_rva": "0x00075000", "module": "KERNEL32.dll", "function": "CreateFileW"}
]
}The v3.0 dumper applies these repairs to make the dump executable:
-
OEP capture -- Reads RIP/EIP from the suspended thread after VMProtect unpacking completes. Also scans unpacked code sections for MSVC CRT startup patterns (
sub rsp,28h+ call for x64, SEH setup orpush ebpfor x86). CRT pattern is preferred when found; thread IP is fallback. -
Self-mapping layout -- Sets FileAlignment = SectionAlignment so the file's section layout matches the memory layout (PointerToRawData = VirtualAddress for each section).
-
ASLR disabled -- Clears IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE so the OS loads the binary at the exact ImageBase captured from the running process.
-
Relocations stripped -- If the
.relocsection was destroyed by VMProtect, sets IMAGE_FILE_RELOCS_STRIPPED and zeroes the relocation data directory. -
IAT slot mapping -- Scans PE sections for pointer-sized values matching resolved import addresses. This identifies where in the binary the import address table entries live, enabling future IAT rebuild tools to patch the correct locations.
Requires MinGW-w64.
# 64-bit build
x86_64-w64-mingw32-gcc -O2 -s -static -o vmprotect_dumper_x64.exe vmprotect_dumper_universal.c
# 32-bit build
i686-w64-mingw32-gcc -O2 -s -static -o vmprotect_dumper_x86.exe vmprotect_dumper_universal.c- Enables SeDebugPrivilege and kills known analysis tools
- Launches target PE as a SUSPENDED process
- Reads PE headers, identifies zeroed sections (VMProtect signature)
- Resumes the process and polls sections every 50ms (up to 300s)
- When zeroed sections gain data, VMProtect has unpacked
- Suspends the process
- Captures OEP via thread context (RIP/EIP) + CRT pattern scan
- Dumps all sections and full PE with header repair
- Enumerates loaded module export tables to reconstruct imports
- Scans IAT slots -- finds import pointers in PE sections
- Scans all committed memory regions for IOC strings
- Captures dropped ransom notes from target directory
- Writes dump_metadata.json with structured PE data
- Packages everything into a password-protected
.datfile - Terminates target and cleans up temp services
- Run in an isolated VM -- this tool executes malware samples
- The dumped
.exemay not run in all cases -- VMProtect's virtualized code sections remain as bytecode, and dynamically resolved imports (custom hash lookups) won't be in the IAT - The OEP capture works best when VMProtect unpacks the original code sections; if sections remain virtualized, the thread IP may still be in VMProtect's VM dispatcher
- IAT slot mapping uses a hash-accelerated scan; it finds standard import table entries but may miss scattered or obfuscated import references
- Output
.datfiles are ZIP archives renamed to.dat(password:virus)
MIT
| Feature | v4.0 | v5.0 |
|---|---|---|
| Region tracking | None | Rolling snapshots every 500ms |
| PE-sieve | None | Auto-detect + run on target PID |
| Behavioral trigger | None | File drop monitoring in watched dirs |
| Harvest report | None | Full timeline + region summary |
| Region dumps | None | region_*.bin for all exec regions |
| CLI options | 8 | 10 (--no-harvest, --pesieve-path, etc.) |