Overview

This plugin is process memory dumper for OllyDbg and Immunity Debugger.
Very simple overview:
OllyDumpEx = OllyDump + PE Dumper - obsoleted + useful features

Features
  • OllyDbg version 2 plugin interface supported
  • IDA Pro Retail and Freeware version plugin interface supported
  • WinDbg plugin interface supported
  • Select to dump debugee exe, loaded dll or non-listed module
  • Search MZ/PE Signature from memory
  • Multiple Dump mode. Rebuild for typical PE dump, Binary for PE Carving
  • PE32+ supported (Search and Binary Dump mode only available on 32bit debugger)
  • Native 64bit process supported (IDA Pro and WinDbg only)
  • Dump any address space as section even if not in original section header
  • Add dummy section to keep PE format consistency
  • Fix RVA in DataDirectory to follow ImageBase change
  • Auto calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)

Screenshot
OllyDumpEx_32bit OllyDumpEx_64bit

Supported Debugger

  • OllyDbg version 1.10 (tested 1.10)
  • OllyDbg version 2.01 (tested 2.01h)
  • Immunity Debugger version 1.7x or lower (tested 1.73)
  • Immunity Debugger version 1.8x or higher (tested 1.85)
  • IDA Pro Retail version 5.0 or higher (tested 6.4)
  • IDA Pro Freeware version 5.0 (tested 5.0)
  • WinDbg version 6.x (tested 6.2)

Download

This archive file contains plugin DLLs for each debuggers.
OllyDumpEx.zip
Version: v1.30
MD5 : 39fc836a40a50994cda18ed422c3df4b
SHA1: 8986327341cacab739573f3d93c2614ce78eda44

Recent Changes

- v1.30 / 2013-06-28
  • Add: Support WinDbg plugin interface (both 32bit and 64bit)
  • Improve: Add plugin name and version directory to archive file
  • Bugfix: Data after section headers in PE Header has been ignored
  • Bugfix: Fix SizeOfHeaders inconsistency
- v1.20 / 2013-05-27
  • Add: Support IDA Pro plugin interface (both Retail and Freeware version)
  • Add: Support native 64bit process dump (IDA Pro only)
  • Improve: Change dialog position to center of parent window
  • Improve: Add debug toggle menu to dialog system menu
  • Improve: Section size handling single section belongs to multiple memory segments
  • Bugfix: Zero virtual size section handling
- v1.12 / 2013-04-02
  • Improve: Update to OllyDbg 2 latest version PDK (2.01h)
  • Improve: Tested with latest version of debuggers
  • Bugfix: Search greater than 0x7FFFFFFF memory address failed
- v1.10 / 2013-03-24
  • Add: Search type All Memory
  • Add: Binary dump mode (no rebuild PE header, for before load image)
  • Add: PE32+ support (Binary dump mode only)
  • Add: Memory Address/Size parameters editable (dump source address)
  • Improve: Add info message for Relocation Flag and EXE/DLL type
  • Improve: Large PE Header handling (larger than 0x1000)
  • Improve: Check SectionAlignment and FileAlignment consistency
  • Improve: Reduce search memory usage (not depend on target memory size)
  • Improve: Detect PE Header across different type pages (parse and search)
  • Bugfix: Improper owner window handle
  • Bugfix: Section not listed when belong memory range not exists
  • Bugfix: Almost features broken when memory window sort order changed
- v1.00 / 2013-03-12
  • Add: Selectable Base PE Header (Module/Memory/Address)
  • Add: Search PE Header from memory
  • Improve: PE Source default change Disk to Memory
  • Improve: ASLR aware (except PE Source from Disk mode)
  • Improve: Clear DynamicBase DllCharacteristics flag with Disable Relocation option
  • Improve: PE Header parse and modify more carefully (corrupt PE handling)
  • Improve: Inherit selected address from memory window
  • Bugfix: Fix Virtual Offset feature cause crash (divide by zero)
  • Bugfix: Parse invalid sections cause crash
- v0.92 / 2012-10-09
  • Improve: Support OllyDbg version 2 plugin new interface
- v0.90 / 2011-08-24
  • Add: Support OllyDbg version 2 plugin interface (EXPERIMENTAL)
  • Improve: Rewrite Wide/Multibyte-Character support code
  • Improve: Decode CopyOnWrite page attribute
  • Bugfix: Detect working directory
- v0.80 / 2011-07-15
  • Add: Support Immunity Debugger version 1.8x or higher
  • Improve: Data Directory rebuild option (check rewrite range)
  • Improve: Always round up PE header size to 0x1000 (ImportRec not extend itself)
  • Bugfix: TLS Data Directory ignored