Extracts EXEs and DLLs from windows memory dumps
# seax
Carves EXEs and DLLs from Windows memory dumps by scanning for PE headers. Automatically renames any extracted binaries with an AssemblyInfo section.
Use cases:
- deobfuscation - let the binary deobfuscate itself and rip it from memory instead of deobfuscating it manually from disk
- extract embedded DLLs from .NET stand-alone executables for further analysis with other tools like dnSpy
- desktop application pentesting
- other fun reversing stuff
## Instructions
- Obtain a memory dump (for example, by using Task Manager > Processes > Right Click > Create dump file)
- Install the requirements: `pip install -r requirements.txt`
- Run seax on the memory dump
- Any PEs found will be extracted to the output directory.
- If seax can find the AssemblyInfo structure, it will rename the extracted files accordingly. If not, the filenames will reflect the hex offset the file was extracted from.
- Continue analysis in other tools like IDA, dnSpy, x64dbg, or Ghidra

## Usage
Example:

```
$ python3 seax.py -o ~/temp/seax_out mem.dmp
```

```
usage: seax.py [-h] [-o OUTPUT] [-v] filename

Carve PEs (EXEs and DLLs) from a Windows memory dump

positional arguments:
  filename              path to Windows memory dump file

options:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        path to output directory (default is ./seax_out/)
  -v, --verbose         show extra messages
```
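To make the carving step concrete, here is an added example (not seax's own code from `seax.py`) of the PE-header scan the tool performs: it walks a buffer for `MZ`, checks that `e_lfanew` points at a `PE\0\0` signature with a sane optional-header magic, bounds each image by `SizeOfImage` (the image is in its mapped layout inside a dump), and flags DLLs from the `Characteristics` field. The `build_fake_pe` helper, the `FAKE_DUMP` buffer and the hex-offset naming are constructed for this example and are assumptions, not seax's behaviour.

```python
import struct

MZ, PE_SIG = b"MZ", b"PE\0\0"
IMAGE_FILE_DLL = 0x2000          # IMAGE_FILE_HEADER.Characteristics flag

def pe_extent(data: bytes, off: int):
    """Validate a candidate PE at `off`; return (size, is_dll) or None if it is not one."""
    if off + 0x40 > len(data) or data[off:off + 2] != MZ:
        return None
    pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]   # e_lfanew -> "PE\0\0"
    # A huge or out-of-range e_lfanew means a stray "MZ" in data, not a real header.
    if pe - off > 0x1000 or pe + 84 > len(data) or data[pe:pe + 4] != PE_SIG:
        return None
    opt_size, chars = struct.unpack_from("<HH", data, pe + 20)  # SizeOfOptionalHeader, Characteristics
    magic, = struct.unpack_from("<H", data, pe + 24)            # 0x10B = PE32, 0x20B = PE32+
    if magic not in (0x10B, 0x20B) or opt_size < 60:
        return None
    # SizeOfImage sits at optional-header offset 56 for both PE32 and PE32+; clamp it so a
    # dump that ends mid-image still yields the part that is present.
    size_of_image, = struct.unpack_from("<I", data, pe + 24 + 56)
    return min(size_of_image, len(data) - off), bool(chars & IMAGE_FILE_DLL)

def carve_pes(data: bytes):
    """Return [(offset, is_dll, image_bytes)] for every PE header found in `data`."""
    found, pos = [], data.find(MZ)
    while pos != -1:
        ext = pe_extent(data, pos)
        if ext is None:
            pos = data.find(MZ, pos + 1)
            continue
        size, is_dll = ext
        found.append((pos, is_dll, data[pos:pos + size]))   # name as f"{pos:08x}.exe/.dll"
        pos = data.find(MZ, pos + size)                      # resume after the carved image
    return found

def build_fake_pe(is_dll: bool, size_of_image: int) -> bytes:
    """Constructed minimal PE32 header (not a real binary) used only to exercise the carver."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # PE header right after DOS header
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)         # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = PE_SIG + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 56, size_of_image)
    hdr = bytes(dos) + coff + bytes(opt)
    return hdr + b"\0" * (size_of_image - len(hdr))

# Constructed "dump": noise, a stray "MZ" with no PE signature, an EXE image, noise, a DLL image.
FAKE_DUMP = (b"\x00" * 17 + b"MZjunk!" + build_fake_pe(False, 0x400)
             + b"\xff" * 33 + build_fake_pe(True, 0x600) + b"trail")
```

Running `carve_pes(FAKE_DUMP)` skips the stray `MZ` and returns the EXE at offset 0x18 and the DLL at offset 0x439; feeding it a buffer cut off mid-DLL returns the truncated tail rather than nothing.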