X64dbg脚本实现自动DUMP运行中解密出的PE文件
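// x64dbg script: dump a PE image that a packer decrypts into memory at runtime.
// Trigger model: remember the most recent VirtualAlloc region, then on each
// VirtualProtect check whether that region now starts with "MZ" and, if so,
// write it to the database's memdump folder.
// State: mem_addr = base of the last VirtualAlloc region (0 until the first hit)
//        mem_size = dwSize passed to that VirtualAlloc (0 until the first hit)
var mem_addr
var mem_size

// Break on the allocation and protection APIs; each hit re-enters this script
// at the matching label via scriptcmd.
bp VirtualAlloc
SetBreakpointCommand VirtualAlloc, "scriptcmd call cb_virtual_alloc"
bp VirtualProtect
SetBreakpointCommand VirtualProtect, "scriptcmd call cb_virtual_protect"
goto main

// VirtualAlloc hit: cip is at the function entry, so the arguments are still
// intact. Capture dwSize (argument index 1) HERE, before rtr: on x64 the first
// four arguments are read from rcx/rdx/r8/r9, which VirtualAlloc does not
// preserve, so reading arg.get(1) after the return would pick up whatever is
// left in rdx rather than the requested size.
cb_virtual_alloc:
set mem_size, arg.get(1)
// Run to VirtualAlloc's ret; cax (eax/rax) now holds the returned base address
// (0 if the allocation failed - the VirtualProtect path guards against that).
rtr
set mem_addr, cax
log "Allocated memory address: {x:mem_addr}"
log "Allocated memory size: {x:mem_size}"
goto main

// VirtualProtect hit: log the new protection (argument index 2, flNewProtect)
// and test whether the tracked region now holds a PE header.
cb_virtual_protect:
log "New protection: {x:arg.get(2)}"
// Nothing tracked yet (VirtualProtect before any VirtualAlloc, or a failed
// allocation): skip the read, since word(0) would fail and abort the script.
cmp mem_addr, 0
je main
// A zero-length region has nothing to dump.
cmp mem_size, 0
je main
// Compare the first two bytes with "MZ" (little-endian 0x5a4d; x64dbg numbers are hex).
// NOTE(review): this assumes the region is committed and readable; a
// MEM_RESERVE-only allocation would make word() fail here - confirm if needed.
cmp word(mem_addr), 5a4d
jne main
// Write the region to the database's memdump folder. The bytes are dumped as
// laid out in memory, so the file may need its section headers adjusted before
// it loads from disk - verify with a PE tool. The script keeps running after
// the dump, so later stages that pass through VirtualProtect are dumped too.
savedata :memdump:, mem_addr, mem_size

// Resume the debuggee; breakpoint callbacks re-enter the labels above.
main:
run
ret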