Generic Themida/WinLicense payload extractor. Launches protected PE as suspended process, detects section decryption, dumps unpacked binary with fixed headers, and scans process memory for IOCs. Supports EXE and DLL targets (x86/x64).
Themida Dumper (Multi-Mode)
Generic PE payload extractor with Memory Harvester (v6.1). One source, three modes: themida, vmprotect, runtime. Launches a sample as a suspended process, detects section decryption or executes freely for generic memory capture, dumps the unpacked binary with fixed PE headers, and scans all process memory for IOCs.
Modes
| Mode | Binary | When to use | |------|--------|-------------| | themida | themidadumper{x64,x86}.exe | Themida/WinLicense-packed samples (packer check gates execution) | | vmprotect | vmprotectdumper{x64,x86}.exe | VMProtect-packed samples (packer check gates execution) | | runtime | runtimedumper{x64,x86}.exe | Generic memory capture for any sample (no packer required) |
Mode is baked into the binary via -DDEFAULTMODE=MODE* at build time, or overridden at runtime with --mode=<name>.
Features
- Universal binary -- x64 build handles both 32-bit (WOW64) and 64-bit targets
- Section monitoring -- Fingerprints encrypted sections, polls every 50ms (up to 300s) for decryption
- Immediate suspend -- Suspends target the moment decryption is detected (prevents ransomware damage)
- Full PE dump -- Memory dump with PE header fixup (
*_unpacked.exe) - Individual section dumps -- Each section saved as
{name}_0x{address}.bin - IOC extraction -- Scans all committed process memory for URLs, Bitcoin wallets, onion URLs, Telegram links, email addresses, ransom indicators, file extensions, registry keys, mutex names, WMI queries, system commands, file paths
- Wide string scanning -- Extracts both ASCII and UTF-16LE strings
- Dropped file capture -- Captures ransom notes and suspicious files (README, DECRYPT, .hta, .html, .txt) from the target directory
- DLL support -- Load DLLs via
--dll-export=<Name>or--dll-export=#1(ordinal). Supports .dll, .ocx, .cpl - ServiceMain DLLs -- Auto-creates a temporary Windows service for service DLLs
- Anti-monitor bypass -- Kills 50+ known analysis tools that Themida detects
- VMware/VBox cleanup -- Optional
--kill-vmtoolsto kill virtualization guest tools and stop VM services - Memory Harvester -- Dynamic executable region tracking with rolling 500ms snapshots, fingerprint-based change detection, captures ephemeral unpacked code outside PE image
- PE-sieve integration -- Auto-detects pe-sieve at C:\Tools\, runs for advanced unpacking validation
- Behavioral triggers -- Monitors Desktop, TEMP, APPDATA for new file drops; triggers dump on ransomware activity
- Harvest report -- harvest_report.txt with full region timeline, section status, PE-sieve results
- Smart dropper mode -- Filesystem + process monitoring discovers packed payloads dropped by the sample
- Password-protected output -- Results packaged as
.datarchive (ZipCrypto, password:virus)
Supported Protectors
| Protector | Versions | |-----------|----------| | Themida | 1.x, 2.x, 3.x | | WinLicense | 1.x, 2.x, 3.x |
Architecture Support
| Build | Targets | |-------|---------| | x64 | 32-bit (WOW64) + 64-bit | | x86 | 32-bit only |
Usage
# EXE (drag & drop or command line)
themidadumperx64.exe <target.exe>
EXE with VM tools cleanup
themidadumperx64.exe <target.exe> --kill-vmtools
DLL (named export, required for DLLs)
themidadumperx64.exe sample.dll --dll-export=DllRegisterServer
DLL (ordinal export)
themidadumperx64.exe sample.dll --dll-export=#1
DLLs require --dll-export and cannot be drag-and-dropped.
Output
Results are saved to themidadump{filename}/ and packaged as a .dat archive:
themidadumpmalware.exe/
โโโ text0x401000.bin # Individual section dumps
โโโ rdata0x410000.bin
โโโ malware.exe_unpacked.exe # Full PE dump with fixed headers
โโโ extracted_strings.txt # IOC strings (ASCII + wide)
โโโ README.txt # Captured ransom notes (if any)
โโโ DECRYPT_FILES.hta
Building
Requires MinGW-w64. The same source compiles into three binary variants by setting -DDEFAULTMODE:
# Themida mode (original behavior, packer check gates execution)
x8664-w64-mingw32-gcc -O2 -s -static -DDEFAULTMODE=MODETHEMIDA -o themidadumperx64.exe themidadumper_universal.c
i686-w64-mingw32-gcc -O2 -s -static -DDEFAULTMODE=MODETHEMIDA -o themidadumperx86.exe themidadumperuniversal.c
VMProtect mode
x8664-w64-mingw32-gcc -O2 -s -static -DDEFAULTMODE=MODEVMPROTECT -o vmprotectdumperx64.exe themidadumper_universal.c
i686-w64-mingw32-gcc -O2 -s -static -DDEFAULTMODE=MODEVMPROTECT -o vmprotectdumperx86.exe themidadumperuniversal.c
Runtime mode (generic, no packer check)
x8664-w64-mingw32-gcc -O2 -s -static -DDEFAULTMODE=MODERUNTIME -o runtimedumperx64.exe themidadumper_universal.c
i686-w64-mingw32-gcc -O2 -s -static -DDEFAULTMODE=MODERUNTIME -o runtimedumperx86.exe themidadumperuniversal.c
If -DDEFAULTMODE is omitted, the binary defaults to MODETHEMIDA. Pass --mode=themida|vmprotect|runtime at runtime to override the compiled default.
How It Works
- Enables SeDebugPrivilege and kills known analysis tools
- Launches target PE as a SUSPENDED process
- Detects target architecture (WOW64 or native x64)
- Fingerprints each PE section (64 bytes)
- Resumes the process and polls sections every 50ms
- When fingerprints change (decryption detected), immediately suspends
- Dumps all sections and full PE with header fixup
- Scans all committed memory regions for IOC strings
- Captures dropped ransom notes from target directory
- Packages everything into a password-protected
.datfile - Terminates target and cleans up temp services
Notes
- Run in an isolated VM -- this tool executes malware samples
- The x64 build is recommended as it handles both architectures
- The tool kills common analysis tools before launching the target to avoid Themida's anti-analysis detection
- Output
.datfiles are ZIP archives renamed to.dat(password:virus)
License
MIT
What's New in v6.1
- Multi-mode โ
--mode=themida|vmprotect|runtimeflag; same source compiles into three binaries via-DDEFAULT_MODE. - Runtime mode โ generic memory harvester for any sample. Skips packer detection entirely, launches the target in direct mode, and lets the Memory Harvester capture executable regions on a rolling 500 ms interval. Intended for samples where static analysis hits encrypted strings, API hashing, or crypto routines that only resolve at runtime โ dump output can be fed back to IDA/Ghidra for a second pass.
- Output naming โ
themidadump/vmpdump/runtimedump*prefix selected by mode. - Harvest report title โ includes the mode name:
=== Clarity {Themida|VMProtect|Runtime} Memory Harvester v6.1 Report ===.
What's New in v6.0
| Feature | v4.0 | v6.0 | |---------|------|------| | Region tracking | None | Rolling snapshots every 500ms | | PE-sieve | None | Auto-detect + run on target PID | | Behavioral trigger | None | File drop monitoring in watched dirs | | Harvest report | None | Full timeline + region summary | | Dropper mode | Basic | Smart filesystem + process scanning | | Region dumps | None | region_*.bin for all exec regions | | CLI options | 6 | 10 (--no-harvest, --pesieve-path, etc.) |