Skip to content

nelj14/vmprotect-dumper

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 

Repository files navigation

VMProtect Dumper

VMProtect payload extractor with IAT reconstruction, PE repair, and Memory Harvester (v5.0). Monitors section unpacking, captures OEP via thread context + CRT pattern scan, dumps the PE with repaired headers for direct execution, reconstructs imports with slot mapping, and scans process memory for IOCs.

Features

  • PE repair -- Dumped binary is directly executable (fixed headers, entry point, alignment)
  • OEP capture -- Dual strategy: thread IP at suspend + CRT startup pattern scanning
  • Section monitoring -- Detects VMProtect-zeroed sections (FileSize=0 on disk) that get populated at runtime
  • IAT reconstruction -- Enumerates all loaded module export tables to build a resolved import list
  • IAT slot mapping -- Scans PE sections to find where import pointers live (slot RVAs)
  • Full PE dump -- Memory dump with PE header repair (*_dumped.exe)
  • Structured metadata -- dump_metadata.json with all PE structure data for post-processing
  • Individual section dumps -- Each section saved as {name}_0x{address}.bin
  • IOC extraction -- Scans all committed process memory for URLs, Bitcoin wallets, onion URLs, Telegram links, email addresses, ransom indicators, file extensions, registry keys, mutex names, WMI queries, system commands, file paths
  • Wide string scanning -- Extracts both ASCII and UTF-16LE strings
  • Dropped file capture -- Captures ransom notes and suspicious files from target directory
  • DLL support -- Load DLLs via --dll-export=<Name> or --dll-export=#1 (ordinal). Supports .dll, .ocx, .cpl
  • ServiceMain DLLs -- Auto-creates a temporary Windows service for service DLLs (--dll-export=ServiceMain)
  • Anti-monitor bypass -- Kills 50+ known analysis tools that VMProtect detects
  • VMware/VBox cleanup -- Optional --kill-vmtools to kill virtualization guest tools and stop VM services
  • Drag & drop -- Drop a protected EXE onto the executable to start
  • Auto output folder -- Creates vmp_dump_{filename}/ automatically
  • Memory Harvester -- Dynamic executable region tracking with rolling 500ms snapshots, fingerprint-based change detection, captures ephemeral unpacked code outside PE image
  • PE-sieve integration -- Auto-detects pe-sieve at C:\Tools, runs for advanced unpacking validation
  • Behavioral triggers -- Monitors Desktop, TEMP, APPDATA for new file drops; triggers dump on ransomware activity
  • Harvest report -- harvest_report.txt with full region timeline, section status, PE-sieve results
  • Password-protected output -- Results packaged as .dat archive (ZipCrypto, password: virus)

What's New in v3.0

Feature v2.0 v3.0
PE dump format _dumped.bin (IDA only) _dumped.bin (repaired PE, rename to .exe)
Entry point VMProtect stub (wrong) Real OEP (thread IP + CRT scan)
FileAlignment Original (mismatched) Self-mapping (= SectionAlignment)
ASLR Enabled (breaks fixed base) Disabled for fixed-base execution
Relocations Untouched RELOCS_STRIPPED if no .reloc
IAT mapping Text catalog only Slot RVAs in imports + metadata
Metadata None dump_metadata.json (full PE structure)
Checksum Stale Zeroed (valid)
SizeOfHeaders Original Aligned to new FileAlignment

Supported Protectors

Protector Versions
VMProtect 1.x, 2.x, 3.x

Architecture Support

Build Targets
x64 64-bit targets
x86 32-bit targets

VMProtect vs Themida

Unlike Themida (which encrypts native code and decrypts it at runtime), VMProtect virtualizes native code into custom bytecode. The original sections (.text, .rdata, etc.) are zeroed on disk and may or may not be populated at runtime depending on protection level. This tool specifically detects and handles VMProtect's zeroed-section pattern.

Usage

# EXE (drag & drop or command line)
vmprotect_dumper_x64.exe <target.exe>

# EXE with VM tools cleanup
vmprotect_dumper_x64.exe <target.exe> --kill-vmtools

# DLL (named export, required for DLLs)
vmprotect_dumper_x64.exe sample.dll --dll-export=ExportName

# Service DLL
vmprotect_dumper_x64.exe sample.dll --dll-export=ServiceMain

DLLs require --dll-export and cannot be drag-and-dropped.

Output

Results are saved to vmp_dump_{filename}/ and packaged as a .dat archive:

vmp_dump_malware.exe/
├── _text_0x140001000.bin         # Individual section dumps
├── _rdata_0x140010000.bin
├── _vmp0_0x140050000.bin         # VMProtect VM section
├── malware.exe_dumped.bin        # Repaired PE (rename to .exe to run)
├── resolved_imports.txt          # Reconstructed imports with slot RVAs
├── dump_metadata.json            # PE structure & IAT metadata
└── extracted_strings.txt         # IOC strings (ASCII + wide)

Import Log Format

kernel32.dll!CreateFileW = 0x00007FFB1A2C3D40  @ RVA=0x00075000
ntdll.dll!RtlAllocateHeap = 0x00007FFB1B4E5F60  @ RVA=0x00075008
ws2_32.dll!connect = 0x00007FFB19876540

Imports with @ RVA= have their IAT slot location mapped in the PE.

Metadata Format

dump_metadata.json contains structured PE data for post-processing tools:

{
  "dumper_version": "3.0",
  "machine": "0x8664",
  "image_base": "0x140000000",
  "size_of_image": "0x1A0000",
  "oep_rva": "0x00005678",
  "oep_captured": true,
  "oep_thread_rva": "0x00005690",
  "oep_crt_rva": "0x00005678",
  "sections": [...],
  "data_directories": {...},
  "imports_resolved": 2847,
  "iat_slots_found": 156,
  "iat_slots": [
    {"slot_rva": "0x00075000", "module": "KERNEL32.dll", "function": "CreateFileW"}
  ]
}

PE Repair Details

The v3.0 dumper applies these repairs to make the dump executable:

  1. OEP capture -- Reads RIP/EIP from the suspended thread after VMProtect unpacking completes. Also scans unpacked code sections for MSVC CRT startup patterns (sub rsp,28h + call for x64, SEH setup or push ebp for x86). CRT pattern is preferred when found; thread IP is fallback.

  2. Self-mapping layout -- Sets FileAlignment = SectionAlignment so the file's section layout matches the memory layout (PointerToRawData = VirtualAddress for each section).

  3. ASLR disabled -- Clears IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE so the OS loads the binary at the exact ImageBase captured from the running process.

  4. Relocations stripped -- If the .reloc section was destroyed by VMProtect, sets IMAGE_FILE_RELOCS_STRIPPED and zeroes the relocation data directory.

  5. IAT slot mapping -- Scans PE sections for pointer-sized values matching resolved import addresses. This identifies where in the binary the import address table entries live, enabling future IAT rebuild tools to patch the correct locations.

Building

Requires MinGW-w64.

# 64-bit build
x86_64-w64-mingw32-gcc -O2 -s -static -o vmprotect_dumper_x64.exe vmprotect_dumper_universal.c

# 32-bit build
i686-w64-mingw32-gcc -O2 -s -static -o vmprotect_dumper_x86.exe vmprotect_dumper_universal.c

How It Works

  1. Enables SeDebugPrivilege and kills known analysis tools
  2. Launches target PE as a SUSPENDED process
  3. Reads PE headers, identifies zeroed sections (VMProtect signature)
  4. Resumes the process and polls sections every 50ms (up to 300s)
  5. When zeroed sections gain data, VMProtect has unpacked
  6. Suspends the process
  7. Captures OEP via thread context (RIP/EIP) + CRT pattern scan
  8. Dumps all sections and full PE with header repair
  9. Enumerates loaded module export tables to reconstruct imports
  10. Scans IAT slots -- finds import pointers in PE sections
  11. Scans all committed memory regions for IOC strings
  12. Captures dropped ransom notes from target directory
  13. Writes dump_metadata.json with structured PE data
  14. Packages everything into a password-protected .dat file
  15. Terminates target and cleans up temp services

Notes

  • Run in an isolated VM -- this tool executes malware samples
  • The dumped .exe may not run in all cases -- VMProtect's virtualized code sections remain as bytecode, and dynamically resolved imports (custom hash lookups) won't be in the IAT
  • The OEP capture works best when VMProtect unpacks the original code sections; if sections remain virtualized, the thread IP may still be in VMProtect's VM dispatcher
  • IAT slot mapping uses a hash-accelerated scan; it finds standard import table entries but may miss scattered or obfuscated import references
  • Output .dat files are ZIP archives renamed to .dat (password: virus)

License

MIT

What's New in v5.0

Feature v4.0 v5.0
Region tracking None Rolling snapshots every 500ms
PE-sieve None Auto-detect + run on target PID
Behavioral trigger None File drop monitoring in watched dirs
Harvest report None Full timeline + region summary
Region dumps None region_*.bin for all exec regions
CLI options 8 10 (--no-harvest, --pesieve-path, etc.)

About

VMProtect payload extractor with IAT reconstruction. Monitors section unpacking, dumps PE with fixed headers, reconstructs imports via module export enumeration, and scans heap for IOCs. Supports EXE and DLL targets (x86/x64).

Topics

Resources

License

Stars

11 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages