WDExtract - Extract Windows Defender database from VDM files and unpack it


Extract Windows Defender database from vdm files and unpack it
  • This program is distributed as-is, without any warranty;
  • No official support; if you like this tool, feel free to contribute.

Features
  • Unpack VDM containers of Windows Defender/Microsoft Security Essentials;
  • Decrypt VDM container embedded in Malicious Software Removal Tool (MRT.exe);
  • Extract all PE images from unpacked/decrypted containers on the fly (-e switch):
    • dump VDLLs (Virtual DLLs);
    • dump VFS (Virtual File System) contents;
    • dump signatures auxiliary images;
    • dump GAPA (Generic Application Level Protocol Analyzer) images used by NIS (Network Inspection System);
    • code can be adapted to dump type-specific chunks of the database (not implemented);
  • Faster than any script.
List of MRT extracted images, (version 5.71.15840.1) https://gist.githubusercontent.com/hfiref0x/e4b97fb7135c9a6f9f0787c07da0a99d/raw/d91e77f71aa96bdb98d121b1d915dc697ce85e2a/gistfile1.txt
List of WD extracted images, mpasbase.vdm (version 1.291.0.0) https://gist.githubusercontent.com/hfiref0x/38e7845304d10c284220461c86491bdf/raw/39c999e59ff2a924932fe6db811555161596b4a7/gistfile1.txt
List of NIS signatures from NisBase.vdm (version 119.0.0.0) https://gist.githubusercontent.com/hfiref0x/e9b3f185032fcd2afb31afe7bc9a05bd/raw/9bd9f9cc7c408acaff7b56b810c8597756d55d14/nis_sig.txt

Usage
wdextract file [-e]
  • file - filename of VDM container (*.vdm file or MRT.exe executable);
  • -e optional parameter, extract all found PE image chunks found in the VDM after unpacking/decrypting (this includes VFS components and emulator VDLLs).
Example:
  • wdextract c:\wdbase\mpasbase.vdm
  • wdextract c:\wdbase\mpasbase.vdm -e
  • wdextract c:\wdbase\mrt.exe
  • wdextract c:\wdbase\mrt.exe -e
Note: the base will be unpacked/decrypted to the source directory as %originalname%.extracted (e.g. if the original file is c:\wdbase\mpasbase.vdm, the unpacked file will be c:\wdbase\mpasbase.vdm.extracted). Image chunks will be dumped to a created "chunks" directory in the wdextract current directory (e.g. if wdextract is run from c:\wdbase it will be the c:\wdbase\chunks directory). Output files always overwrite existing ones.
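The -e switch works by locating PE images inside the unpacked container. As an added example that is not part of the wdextract project, the Python script below performs the same kind of scan over an already-unpacked blob (the .extracted output described above): it walks MZ/PE headers and section tables to size each embedded image, and it assumes images are stored contiguously in plain file layout inside the blob. The sample input is a constructed minimal PE32 shell, not data from any real database.

```python
import struct


def pe_image_size(blob: bytes, off: int):
    """Size in bytes of the PE image whose DOS header starts at blob[off], or None."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    pe = off + struct.unpack_from("<I", blob, off + 0x3C)[0]       # e_lfanew
    if pe - off > 0x1000 or pe + 88 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    nsec, opt_size = struct.unpack_from("<H12xH", blob, pe + 6)   # NumberOfSections, SizeOfOptionalHeader
    size = struct.unpack_from("<I", blob, pe + 24 + 60)[0]         # OptionalHeader.SizeOfHeaders
    sec = pe + 24 + opt_size                                       # first IMAGE_SECTION_HEADER
    for _ in range(nsec):
        if sec + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec + 16)  # SizeOfRawData, PointerToRawData
        size = max(size, raw_ptr + raw_size)
        sec += 40
    return min(size, len(blob) - off) or None


def carve_pe_images(blob: bytes):
    """Scan an unpacked container blob and return [(offset, image_bytes), ...]."""
    found, pos = [], 0
    while (pos := blob.find(b"MZ", pos)) != -1:
        size = pe_image_size(blob, pos)
        if size:
            found.append((pos, blob[pos:pos + size]))
            pos += size          # skip past the image; nested images are not expected
        else:
            pos += 1             # stray "MZ" bytes, keep scanning
    return found


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed test input only: a minimal PE32 shell with one section."""
    hdr_size = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 60, hdr_size)                        # SizeOfHeaders
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                       len(payload), hdr_size, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + bytes(opt) + sec).ljust(hdr_size, b"\0") + payload


if __name__ == "__main__":
    # Constructed stand-in for a *.vdm.extracted blob: filler, two images, filler between them.
    blob = b"\0" * 100 + build_sample_pe(b"A" * 64) + b"junk" * 10 + build_sample_pe(b"B" * 32)
    for off, img in carve_pe_images(blob):
        print(f"PE image at offset {off:#x}, {len(img)} bytes")
```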

Build
  • Source code written in C;
  • Built with MSVS 2017 with Windows SDK 17763 installed;
  • Can be built with previous versions of MSVS and SDKs.

Related references and tools

N.B.
No actual dumped/extracted/unpacked binary data is included or will be included in this repository.

3rd party code usage
Uses ZLIB Data Compression Library (https://github.com/madler/zlib)

Authors
(c) 2019 WDEXTRACT Project