trietptm / virtualsectiondumper Goto Github PK

It would be nice to Suspend and Resume processes execution.

It would be nice to see if a binary/dll has NX, ASLR or SAFESEH.

NCR algo un poco más heavy y este me lo apunto yo también para el
SirPE, aunque como ando de liado seguro lo implementas tu antes.


Presupongo que el Dump lo estas haciendo al vuelo, sin parar el programa.

Sería interesante tener un Dump "inteliguente", que pausara todos los
hilos, hicieras el DUMP y luego restableciera la ejecución de los
hilos.

¿Por qué? Pues porque se puede dar el caso (por ejemplo en
protectores), de que el programa esté jugando con las protecciones de
las secciones (o incluso se borre o creen secciones virtuales nuevas)
mientras realizas el dump. O simplemente se van cambiando los valores
en memoria en el momento de la lectura.

Proposed by Guan de Dio.

It would be nice to set the affinity mask for a process, like PE does it.

Allow the user to enter an arbitrary address and give information about it 
(permissions: is redeable? writeable? executable?, etc).

It would be a good idea to have HotKeys in the different windows of the 
application, for example, to "Copy all" and "Copy to Clipboard".

Currenty, loaded modules enumeration is done via EnumProcessModules. This 
function iterates over the linked list 
ntdll!_LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks.

If a module was loaded with a "custom" loader or removed from the list (e.g. by 
malware) it won't be seen.

This idea was proposed by Shaddy. The idea is to detect an UPX packed program 
in memory and extract it aligned to unpack with the UPX command line. 

It would be nice to set a timeout to refresh the list-view that shows the 
processes. Then, the list-view is refreshed automatically every X seconds (like 
Process Explorer does it).

Add a dialog to allow a quick PE comparison. Data to show could be specific PE 
fields or just data.

Some functions in the source code need refactoring (currently, the code is very 
ugly!).

The main idea is to have a way to filter the content of the columns by Address, 
Size, Protect, State or Type. Proposed by Guan de Dio.

VSD must allow the user to set the process priority.

keywords: GetPriorityClass, SetPriorityClass.

As an external tool, it would be nice to have an Imported and Exported function 
editor (PE & PE+) in both VSD x86 and VSD x64.

The editor should allow to add, remove and replace an arbitrary function 
located in both, the import and export table.

It should allow to create a new import or export table or to find a place in 
the binary with enough space to create or rebuild the table.

Develop a Linux version of VSD. 

1.- Usa  New Current para que sea mono espaciada y se alinee bien las
direcciones y no tengas unas mas grandes que otras en espacio.
2.- Pon en el Caption de la ventana de dump el nombre del proceso del
cual estás listando la memoria, por ejemplo entre corchetes [ ].
     Es una ventana modal, pero no se queda el foco en el Listview de
la otra ventana y no se sabe que proceso estás listando.

proposed by Guan de Dio.