Overview

This plugin is a process memory dumper for debuggers.
Very simple overview:
OllyDumpEx = OllyDump + PE Dumper - obsoleted + useful features

Features
  • Various debuggers supported
  • Select to dump debuggee exe, loaded dll or non-listed module
  • Search PE File from memory
  • Multiple dump modes: Rebuild for typical PE dump, Binary for PE carving
  • PE32+ supported (on a 32bit debugger, only Search and Binary Dump mode are available)
  • Native 64bit process supported (IDA Pro, WinDbg and x64dbg)
  • ELF supported (both 32bit and 64bit)
  • Standalone version available
  • Dump any address space as section even if not in original section header
  • Auto calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)

Screenshot
[Screenshots: OllyDumpEx_32bit, OllyDumpEx_64bit, OllyDumpEx_ELF]

Supported Debuggers

  • OllyDbg version 1.10 (tested 1.10)
  • OllyDbg version 2.01 (tested 2.01)
  • Immunity Debugger version 1.8x or higher (tested 1.85)
  • IDA Pro 32bit build version 5.0 to 6.9 (tested 6.9)
  • IDA Pro 64bit build version 7.0 or 8.4 (tested 8.4)
  • IDA Pro 64bit build version 9.0 or higher (tested 9.0)
  • IDA Free 64bit build version 9.0 or higher (tested 9.0)
  • WinDbg version 6.x or higher (tested 10.0)
  • x64dbg (tested 20220903 snapshot)

Download

This archive file contains plugin DLLs for each debugger.
Latest OllyDumpEx.zip
Version: v1.86
MD5 : 58dba5cd7a70f405143d9ad42bf542d9
SHA1 : 939992ea7a663c3543136837959df6ba01e51fbe
SHA256: 3b39e7d8d0b8d1c1407ec93531f2a35fd57ee7d26d4ce71cdc1dc3d9d766f758

Recent Changes & Archives

- v1.86 / 2024-10-04
  • Add: Support IDA version 9.0
  • Improve: Change plugin filename for IDA family
- v1.84 / 2023-09-23
  • Bugfix: Fix path handling on non-windows remote debugging (IDA)
  • Bugfix: Fix multibyte filename handling (IDA,x64dbg)
- v1.82 / 2022-09-07
  • Bugfix: Fix buffer boundary problem
  • Improve: Change build environment and fix compatibility problem
  • Improve: Enable HIGHENTROPYVA for 64bit plugin binaries
  • Del: Drop old version of IDA Freeware support (5.0/7.0-7.5)
- v1.80 / 2020-01-06
  • Bugfix: Fix race condition when reading large amount of memory (IDA)
  • Bugfix: DYNAMICBASE not working (Standalone)
  • Bugfix: Fix UI stall race condition issue when pressing the Back to Menu button
  • Improve: Adjust UI layout for high DPI setting
  • Improve: Add DebugPriv button for runas administrator (Standalone)
  • Improve: Add OpenFile button for carving from localfile (Standalone)
  • Improve: Resolve mapped filename if possible (Standalone,x64dbg)
  • Improve: Add ReScan marker for rescan required setting changes
  • Improve: Use segment name as module name when segment does not belong to a module (IDA)
  • Improve: Address range autofill use mapped address instead of image base address
  • Add: File image source use specified file when memory and address base mode selected
  • Add: Dummy image header mode for images which do not have a valid image header
- v1.72 / 2019-03-14
  • Improve: Support IDA Freeware with debugger version 7.0.190307
- v1.70 / 2018-08-14
  • Bugfix: Dump feature not working when non-executable file loaded (IDA)
  • Bugfix: Readmemory sign extended issue (WinDbg)
  • Bugfix: Fix Virtual Offset not working on PE32
  • Bugfix: Fix duplicated entry in section list
  • Improve: Get EIP as OEP button disabled when debugger not active
  • Improve: Add EFI and windows driver type detection
  • Improve: Better fix for corrupted PE IMAGE_DIRECTORY_ENTRY
  • Improve: Add Cancel feature to search and dump
  • Add: Search All Occurrences option and Search Result list
- v1.64 / 2018-05-10
  • Improve: Follow IDA 7.1 changes which break callui backward compatibility layer
  • Improve: Dump feature available even if debuggee not running (IDA)
  • Add: Support IDA Freeware version 7.0 (EXPERIMENTAL)
- v1.62 / 2017-11-05
  • Bugfix: Rebuild dumpfile corrupted when ELF PT_PHDR entry does not exist
  • Bugfix: Failed to load ELF header with sparse segment layout
  • Improve: Corrupted ELF structure handling
  • Improve: ELF Loader segments always aligned the same as mmap behavior
- v1.60 / 2017-09-19
  • Add: ELF support
  • Add: Standalone version
  • Add: Support IDA Pro 64bit build plugin interface (7.0)
  • Improve: Image Size editable in binary dump mode for overlay data
  • Del: Drop old version of Immunity Debugger support (1.7x)
- v1.50 / 2015-07-03
  • Add: Fuzzy Search mode (for corrupted MZ/PE Signature)
  • Add: Fix Corrupted PE Header option (Fill Hole option is merged)
  • Add: Dump result dialog for copy and paste
  • Improve: Search method optimization
  • Improve: Corrupted PE Header handling
  • Improve: Binary dump mode support some options
  • Bugfix: Rebased PE handling (rebuild dump mode)
  • Bugfix: Debuggee filename error on attached process (IDA)
  • Bugfix: Get EIP does not work in recent version (x64dbg)
- v1.40 / 2014-12-17
  • Add: Support x64dbg plugin interface (both 32bit and 64bit)
  • Improve: Enable NXCOMPAT and DYNAMICBASE for plugin binaries
- v1.30 / 2013-06-28
  • Add: Support WinDbg plugin interface (both 32bit and 64bit)
  • Improve: Add plugin name and version directory to archive file
  • Bugfix: Data after section headers in PE Header has been ignored
  • Bugfix: Fix SizeOfHeaders inconsistency
- v1.20 / 2013-05-27
  • Add: Support IDA Pro plugin interface (both Retail and Freeware version)
  • Add: Support native 64bit process dump (IDA Pro only)
  • Improve: Change dialog position to center of parent window
  • Improve: Add debug toggle menu to dialog system menu
  • Improve: Section size handling when a single section belongs to multiple memory segments
  • Bugfix: Zero virtual size section handling
- v1.12 / 2013-04-02
  • Improve: Update to OllyDbg 2 latest version PDK (2.01h)
  • Improve: Tested with latest version of debuggers
  • Bugfix: Search greater than 0x7FFFFFFF memory address failed
- v1.10 / 2013-03-24
  • Add: Search type All Memory
  • Add: Binary dump mode (no rebuild PE header, for before load image)
  • Add: PE32+ support (Binary dump mode only)
  • Add: Memory Address/Size parameters editable (dump source address)
  • Improve: Add info message for Relocation Flag and EXE/DLL type
  • Improve: Large PE Header handling (larger than 0x1000)
  • Improve: Check SectionAlignment and FileAlignment consistency
  • Improve: Reduce search memory usage (not depend on target memory size)
  • Improve: Detect PE Header across different type pages (parse and search)
  • Bugfix: Improper owner window handle
  • Bugfix: Section not listed when the memory range it belongs to does not exist
  • Bugfix: Almost all features broken when memory window sort order changed
- v1.00 / 2013-03-12
  • Add: Selectable Base PE Header (Module/Memory/Address)
  • Add: Search PE Header from memory
  • Improve: PE Source default changed from Disk to Memory
  • Improve: ASLR aware (except PE Source from Disk mode)
  • Improve: Clear DynamicBase DllCharacteristics flag with Disable Relocation option
  • Improve: PE Header parse and modify more carefully (corrupt PE handling)
  • Improve: Inherit selected address from memory window
  • Bugfix: Fix Virtual Offset feature causing crash (divide by zero)
  • Bugfix: Parsing invalid sections causes crash
- v0.92 / 2012-10-09
  • Improve: Support OllyDbg version 2 plugin new interface
- v0.90 / 2011-08-24
  • Add: Support OllyDbg version 2 plugin interface (EXPERIMENTAL)
  • Improve: Rewrite Wide/Multibyte-Character support code
  • Improve: Decode CopyOnWrite page attribute
  • Bugfix: Detect working directory
- v0.80 / 2011-07-15
  • Add: Support Immunity Debugger version 1.8x or higher
  • Improve: Data Directory rebuild option (check rewrite range)
  • Improve: Always round up PE header size to 0x1000 (ImportRec not extend itself)
  • Bugfix: TLS Data Directory ignored