Overview
This plugin is process memory dumper for debuggers.Very simple overview:
OllyDumpEx = OllyDump + PE Dumper - obsoleted + useful features
Features
- Various debuggers supported
- Select to dump debugee exe, loaded dll or non-listed module
- Search PE File from memory
- Multiple Dump mode. Rebuild for typical PE dump, Binary for PE Carving
- PE32+ supported (Search and Binary Dump mode only available on 32bit debugger)
- Native 64bit process supported (IDA Pro, WinDbg and x64dbg)
- ELF supported (both of 32bit and 64bit)
- Standalone version available
- Dump any address space as section even if not in original section header
- Auto calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)
Screenshot
Supported Debugger
- OllyDbg version 1.10 (tested 1.10)
- OllyDbg version 2.01 (tested 2.01)
- Immunity Debugger version 1.8x or higher (tested 1.85)
- IDA Pro 32bit build version 5.0 to 6.9 (tested 6.9)
- IDA Pro 64bit build version 7.0 or 8.4 (tested 8.4)
- IDA Pro 64bit build version 9.0 or higher (tested 9.0)
- IDA Free 64bit build version 9.0 or higher (tested 9.0)
- WinDbg version 6.x or higher (tested 10.0)
- x64dbg (tested 20220903 snapshot)
Download
This archive file contains plugin DLLs for each debuggers.
Latest OllyDumpEx.zip
Version: v1.86
MD5 : 58dba5cd7a70f405143d9ad42bf542d9
SHA1 : 939992ea7a663c3543136837959df6ba01e51fbe
SHA256: 3b39e7d8d0b8d1c1407ec93531f2a35fd57ee7d26d4ce71cdc1dc3d9d766f758
Latest OllyDumpEx.zip
Version: v1.86
MD5 : 58dba5cd7a70f405143d9ad42bf542d9
SHA1 : 939992ea7a663c3543136837959df6ba01e51fbe
SHA256: 3b39e7d8d0b8d1c1407ec93531f2a35fd57ee7d26d4ce71cdc1dc3d9d766f758
Recent Changes & Archives
- v1.86 / 2024-10-04- Add: Support IDA version 9.0
- Improve: Change plugin filename for IDA family
- Bugfix: Fix path handling on non-windows remote debugging (IDA)
- Bugfix: Fix multibytes filename handling (IDA,x64dbg)
- Bugfix: Fix buffer boundary problem
- Improve: Change build environment and fix compatibility problem
- Improve: Enable HIGHENTROPYVA for 64bit plugin binaries
- Del: Drop old version of IDA Freeware support (5.0/7.0-7.5)
- Bugfix: Fix race condition when reading large amount of memory (IDA)
- Bugfix: DYNAMICBASE not working (Standalone)
- Bugfix: Fix UI stall race condition issue when press Back to Menu button
- Improve: Adjust UI layout for high DPI setting
- Improve: Add DebugPriv button for runas administrator (Standalone)
- Improve: Add OpenFile button for carving from localfile (Standalone)
- Improve: Resolve mapped filename if possible (Standalone,x64dbg)
- Improve: Add ReScan marker for rescan required setting changes
- Improve: Use segment name as module name when segment not belong to module (IDA)
- Improve: Address range autofill use mapped address instead of image base address
- Add: File image source use specified file when memory and address base mode selected
- Add: Dummy image header mode for image which not have valid image header
- Improve: Support IDA Freeware with debugger version 7.0.190307
- Bugfix: Dump feature not working when non-executable file loaded (IDA)
- Bugfix: Readmemory sign extended issue (WinDbg)
- Bugfix: Fix Virtual Offset not working on PE32
- Bugfix: Fix duplicated entry in section list
- Improve: Get EIP as OEP button disabled when debugger not active
- Improve: Add EFI and windows driver type detection
- Improve: Better fix for corrupted PE IMAGE_DIRECTORY_ENTRY
- Improve: Add Cancel feature to search and dump
- Add: Search All Occurrences option and Search Result list
- Improve: Follow IDA 7.1 changes which break callui backward compatibility layer
- Improve: Dump feature available even if debuggee not running (IDA)
- Add: Support IDA Freeware version 7.0 (EXPERIMENTAL)
- Bugfix: Rebuild dumpfile corrupted when ELF PT_PHDR entry not exist
- Bugfix: Failed to load ELF header when sparse segment layout
- Improve: Corrupted ELF structure handling
- Improve: ELF Loader segment always aligned same as mmap behavior
- Add: ELF support
- Add: Standalone version
- Add: Support IDA Pro 64bit build plugin interface (7.0)
- Improve: Image Size editable in binary dump mode for overlay data
- Del: Drop old version of Immunity Debugger support (1.7x)
- Add: Fuzzy Search mode (for corrupted MZ/PE Signature)
- Add: Fix Corrupted PE Header option (Fill Hole option is merged)
- Add: Dump result dialog for copy and paste
- Improve: Search method optimization
- Improve: Corrupted PE Header handling
- Improve: Binary dump mode support some options
- Bugfix: Rebased PE handling (rebuild dump mode)
- Bugfix: Debuggee filename error on attached process (IDA)
- Bugfix: Get EIP does not work in recent version (x64dbg)
- Add: Support x64dbg plugin interface (both 32bit and 64bit)
- Improve: Enable NXCOMPAT and DYNAMICBASE for plugin binaries
- Add: Support WinDbg plugin interface (both 32bit and 64bit)
- Improve: Add plugin name and version directory to archive file
- Bugfix: Data after section headers in PE Header has been ignored
- Bugfix: Fix SizeOfHeaders inconsistency
- Add: Support IDA Pro plugin interface (both Retail and Freeware version)
- Add: Support native 64bit process dump (IDA Pro only)
- Improve: Change dialog position to center of parent window
- Improve: Add debug toggle menu to dialog system menu
- Improve: Section size handling single section belongs to multiple memory segments
- Bugfix: Zero virtual size section handling
- Improve: Update to OllyDbg 2 latest version PDK (2.01h)
- Improve: Tested with latest version of debuggers
- Bugfix: Search greater than 0x7FFFFFFF memory address failed
- Add: Search type All Memory
- Add: Binary dump mode (no rebuild PE header, for before load image)
- Add: PE32+ support (Binary dump mode only)
- Add: Memory Address/Size parameters editable (dump source address)
- Improve: Add info message for Relocation Flag and EXE/DLL type
- Improve: Large PE Header handling (larger than 0x1000)
- Improve: Check SectionAlignment and FileAlignment consistency
- Improve: Reduce search memory usage (not depend on target memory size)
- Improve: Detect PE Header across different type pages (parse and search)
- Bugfix: Improper owner window handle
- Bugfix: Section not listed when belong memory range not exists
- Bugfix: Almost features broken when memory window sort order changed
- Add: Selectable Base PE Header (Module/Memory/Address)
- Add: Search PE Header from memory
- Improve: PE Source default change Disk to Memory
- Improve: ASLR aware (except PE Source from Disk mode)
- Improve: Clear DynamicBase DllCharacteristics flag with Disable Relocation option
- Improve: PE Header parse and modify more carefully (corrupt PE handling)
- Improve: Inherit selected address from memory window
- Bugfix: Fix Virtual Offset feature cause crash (divide by zero)
- Bugfix: Parse invalid sections cause crash
- Improve: Support OllyDbg version 2 plugin new interface
- Add: Support OllyDbg version 2 plugin interface (EXPERIMENTAL)
- Improve: Rewrite Wide/Multibyte-Character support code
- Improve: Decode CopyOnWrite page attribute
- Bugfix: Detect working directory
- Add: Support Immunity Debugger version 1.8x or higher
- Improve: Data Directory rebuild option (check rewrite range)
- Improve: Always round up PE header size to 0x1000 (ImportRec not extend itself)
- Bugfix: TLS Data Directory ignored