Jasi Native Assembly Dumper v1.4
Description
JasiNativeDumper is a command-line tool for capturing native Windows modules as they are loaded at runtime. It works by spawning the target process and polling its loaded module list, so every LoadLibrary call made by the target, including ones made by packers, protectors, or custom loaders, is caught and the raw PE bytes are written to disk.
It also includes a static scanner that inspects any PE file for embedded executables or DLLs hiding inside resources of any type (managed DLLs loaded by a native host are flagged as well), and an anti-debug module that patches common debugger-detection techniques before running the target.
It is useful for reverse engineering packed or protected native applications where the real payload DLL is only extracted and loaded in memory at runtime. Because a dump is a raw SizeOfImage byte copy of the loaded module, a dumped protected binary may still need PE reconstruction: fixing section raw offsets, rebuilding the import table, and so on.
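As an added example (not JasiNativeDumper's own code, and written in standard-library Python rather than whatever the tool itself is built with), here are the two PE operations the description above relies on: a carving scan that finds a PE image embedded anywhere in a file, which is how a DLL stashed in a resource of any type gets spotted without walking the resource directory, and the raw-offset repair a raw SizeOfImage dump needs before a PE parser can read its sections from the file. The sample image is constructed inside the block; import-table rebuilding is not covered.

```python
"""Added example, not the tool's own code: PE carving scan and raw-offset
repair for a memory-layout (SizeOfImage) dump. Standard library only."""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def pe_header_offset(data, base=0):
    """Absolute offset of 'PE\\0\\0' if data[base:] looks like a PE image
    (MZ magic, e_lfanew inside the buffer, PE signature, COFF header present),
    else None."""
    if base + 0x40 > len(data) or data[base:base + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    nt = base + e_lfanew
    if nt + 24 > len(data) or data[nt:nt + 4] != b"PE\0\0":
        return None
    return nt


def find_embedded_pes(data):
    """Offsets of every candidate PE image in data. Offset 0 is the host
    itself; anything else is a payload embedded in the file body (for a
    resource-stored DLL, somewhere inside the .rsrc section)."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pe_header_offset(data, pos) is not None:
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def parse_sections(data):
    """Section table as a list of dicts, including each header's file offset."""
    nt = pe_header_offset(data)
    if nt is None:
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, nt + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]   # SizeOfOptionalHeader
    first = nt + 24 + opt_size
    out = []
    for i in range(nsec):
        off = first + i * SECTION_HDR.size
        name, vsize, va, rsize, rptr, _, _, _, _, _ = SECTION_HDR.unpack_from(data, off)
        out.append({"name": name.rstrip(b"\0").decode(), "VirtualSize": vsize,
                    "VirtualAddress": va, "SizeOfRawData": rsize,
                    "PointerToRawData": rptr, "hdr_offset": off})
    return out


def section_file_bytes(data, section):
    """What a PE parser reads for the section using the header's raw pointer
    and size: garbage on an unfixed dump, the real contents after fixing."""
    start = section["PointerToRawData"]
    return data[start:start + section["SizeOfRawData"]]


def fix_raw_offsets(dump):
    """Rewrite the section table of a memory-layout dump so each section's
    file position equals its virtual address. FileAlignment is set equal to
    SectionAlignment so the page-aligned raw offsets stay legal. Returns a
    new bytes object; imports are left untouched."""
    buf = bytearray(dump)
    opt = pe_header_offset(buf) + 24
    section_align = struct.unpack_from("<I", buf, opt + 32)[0]
    struct.pack_into("<I", buf, opt + 36, section_align)            # FileAlignment
    for s in parse_sections(buf):
        struct.pack_into("<I", buf, s["hdr_offset"] + 16, s["VirtualSize"])     # SizeOfRawData
        struct.pack_into("<I", buf, s["hdr_offset"] + 20, s["VirtualAddress"])  # PointerToRawData
    return bytes(buf)


# --- constructed sample input (hypothetical image, built here for the demo) ---
SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200
TEXT_VA, TEXT_VSIZE = 0x1000, 0x100
DATA_VA, DATA_VSIZE = 0x2000, 0x100
STUB_AT = DATA_VA + 0x10     # where the "hidden" PE sits inside .data


def _embedded_stub():
    """Smallest image the carver accepts: MZ header, e_lfanew -> PE signature
    plus a 20-byte COFF header. Stands in for a payload DLL stored in a resource."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0)


def build_sample_dump():
    """PE32 image laid out as in memory (headers at 0, sections at their
    VirtualAddress, SizeOfImage bytes) while the section table still carries
    on-disk raw pointers 0x400/0x600: the state of a raw SizeOfImage dump."""
    size_of_image, nt, opt_size = 0x3000, 0x80, 0xE0
    img = bytearray(size_of_image)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, nt)                                   # e_lfanew
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = nt + 24
    struct.pack_into("<H", img, opt, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", img, opt + 16, TEXT_VA)                          # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 32, SECTION_ALIGN)
    struct.pack_into("<I", img, opt + 36, FILE_ALIGN)
    struct.pack_into("<I", img, opt + 56, size_of_image)
    struct.pack_into("<I", img, opt + 60, 0x400)                            # SizeOfHeaders
    sec = opt + opt_size
    SECTION_HDR.pack_into(img, sec, b".text\0\0\0", TEXT_VSIZE, TEXT_VA, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    SECTION_HDR.pack_into(img, sec + 40, b".data\0\0\0", DATA_VSIZE, DATA_VA, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    img[TEXT_VA:TEXT_VA + TEXT_VSIZE] = b"\xCC" * TEXT_VSIZE               # "code"
    stub = _embedded_stub()
    img[STUB_AT:STUB_AT + len(stub)] = stub
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("embedded PE candidates at:", [hex(o) for o in find_embedded_pes(dump)])
    for s in parse_sections(fix_raw_offsets(dump)):
        print(s["name"], "raw ptr", hex(s["PointerToRawData"]), "raw size", hex(s["SizeOfRawData"]))
```

Run on a real dump, `find_embedded_pes` over the host file on disk gives the static-scan hits, and `fix_raw_offsets` over the dumped bytes makes section reads line up; the import table still has to be rebuilt separately, as the description notes.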
Usage:
JasiNativeDumper --static <pe-file>      Scan a PE file on disk for embedded executables/DLLs
JasiNativeDumper --target <exe>          Spawn the executable and dump its modules as they load
JasiNativeDumper --attach <pid>          Attach to a running process by PID and dump its modules
JasiNativeDumper --out <dir>             Directory to write dumps to
JasiNativeDumper --dontskipknown         Also dump system/runtime DLLs (known DLLs are skipped by default)
Examples:
JasiNativeDumper --static packed.exe --out C:\dumps
JasiNativeDumper --target game.exe --out C:\dumps
JasiNativeDumper --attach 1234 --out C:\dumps
JasiNativeDumper --target app.exe --dontskipknown --out C:\dumps
Notes:
-> Use the x64 build for targeting 64-bit processes and the x86 build for targeting 32-bit processes.
-> The static scan works regardless of build bitness; one build can scan any PE file.
-> Anti-debug patching only runs in --target and --attach modes, not in --static mode.
-> Runtime dumps are captured from process memory, so packed or protected targets are dumped in their unpacked/loaded state, which is more useful for analysis. The dumped binary may still need PE reconstruction (fixing section raw offsets, rebuilding the import table, etc.) before it will run.
-> .NET assemblies are also dumped when found, whether in resources or in memory.
-> You can also run it via RunCommand.bat directly.
Changelog:
- Added dumping at a given OEP via the --oep-va argument.
- Fixed a WOW64 bitness issue: 32-bit and 64-bit addresses are now recorded correctly in the modules.map file depending on the target.
