
Support dumping executable files from memory after unpacking

Open xusheng6 opened this issue 2 years ago • 2 comments

A common task in malware analysis is to unpack and dump the executable file for further analysis. It would be nice if this operation could be automated within the BN debugger. However, this is non-trivial work since it requires in-depth knowledge of the executable format and has many pitfalls. Tools like x64dbg rely on an external tool (https://github.com/NtQuery/Scylla) to handle stuff like import reconstruction. Ideally we can somehow incorporate the tool as a debugger plugin.

Related to #420

xusheng6 avatar May 08 '23 07:05 xusheng6

You can use Ninja_Dumper for this. Run the program and perform a memory dump of the process. After that, you can load the dump into Binary Ninja using the plugin. With the dump loaded in Binary Ninja, use the option to load the main module into the BV. After this, you can change the file type from raw to PE to start loading the executable.

https://github.com/Invodex/Ninja_Dumper

Xienim avatar Apr 15 '24 14:04 Xienim

After this, you will be able to analyze information such as stack traces, runtime registers, a list of memory areas allocated by the process, and modules. If necessary, you can extract or load any information into the BV analysis or onto the disk. If you extract any information to the disk, the plugin will perform the unmapping of the module from virtual memory to the disk.

Xienim avatar Apr 15 '24 14:04 Xienim
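The virtual-to-file "unmapping" step Xienim describes (and the section-layout part of the dump problem the issue raises), as an added example that is not Ninja_Dumper's, Scylla's or Binary Ninja's code: a standalone routine that rebuilds a PE's file layout from a mapped dump, run against a constructed two-section image. Import reconstruction is deliberately not attempted.

```python
import struct

def align(value: int, boundary: int) -> int:
    return (value + boundary - 1) // boundary * boundary

def unmap_pe_image(image: bytes) -> bytes:
    """Rebuild file layout from a PE image dumped in mapped (virtual) layout.

    In a dump each section starts at its VirtualAddress; on disk it starts at
    PointerToRawData. An unpacker may have filled sections whose original
    SizeOfRawData was zero, so raw sizes are recomputed from VirtualSize and
    the section table is rewritten to match. Imports are NOT rebuilt here.
    """
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt_hdr = e_lfanew + 24
    # FileAlignment (+36) and SizeOfHeaders (+60) share offsets in PE32 and PE32+
    file_align = struct.unpack_from("<I", image, opt_hdr + 36)[0] or 0x200
    size_of_headers = struct.unpack_from("<I", image, opt_hdr + 60)[0]
    sect_table = opt_hdr + opt_size
    out = bytearray(image[:size_of_headers])
    out.extend(b"\0" * (align(size_of_headers, file_align) - len(out)))
    for i in range(num_sections):
        hdr = sect_table + i * 40
        vsize, va = struct.unpack_from("<II", image, hdr + 8)  # VirtualSize, VirtualAddress
        raw_size, raw_ptr = align(vsize, file_align), len(out)
        # move the in-memory bytes to their new file offset, zero-padded to alignment
        out.extend(image[va:va + vsize].ljust(raw_size, b"\0"))
        # rewrite SizeOfRawData (+16) and PointerToRawData (+20) in the section header
        struct.pack_into("<II", out, hdr + 16, raw_size, raw_ptr)
    return bytes(out)

def build_mapped_sample() -> bytes:
    """Constructed test input: a tiny two-section PE32 image in mapped layout."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)           # SizeOfHeaders
    def sect(name, va, vsize):  # raw size/pointer left 0, as a packer stub might
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, 0, 0, 0, 0, 0, 0, 0x60000020)
    hdrs = bytes(dos) + coff + bytes(opt) + sect(b".text", 0x1000, 0x10) + sect(b".data", 0x2000, 0x10)
    image = bytearray(0x3000); image[:len(hdrs)] = hdrs
    image[0x1000:0x1010] = b"T" * 16; image[0x2000:0x2010] = b"D" * 16
    return bytes(image)
```

The result can be written to disk and opened in Binary Ninja as a PE view; the section table is consistent, but the import directory still needs reconstruction from the running process.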