VMPDump - A dynamic VMP dumper and import fixer, powered by VTIL.

September 25, 2020

A dynamic VMP dumper and import fixer, powered by VTIL. Works for VMProtect 3.X x64.

Before vs After


VMPDump.exe <Target PID> "<Target Module>" [-ep=<Entry Point RVA>] [-disable-reloc]


  • <Target PID>: The ID of the target process, in decimal or hex form.
  • <Target Module>: The name of the module which should be dumped and fixed. This can be an empty string ("") if the process image module is desired.
  • [-ep=<Entry Point RVA>]: An optionally-provided entry-point RVA, in hex form. VMPDump simply overwrites the Entry Point in the optional header with this value.
  • [-disable-reloc]: An optional setting to instruct VMPDump to mark that relocs have been stripped in the output image, forcing the image to load at the dumped ImageBase. This is useful if runnable dumps are desired.

VMProtect initialization and unpacking must be complete in the target process before running VMPDump. This means it must be at or past the OEP (Original Entry Point). The dumped and fixed image will appear in the process image module directory, under the name <Target Module Name>.VMPDump.<Target Module Extension>.

Read the rest of this story with a free account.

Already have an account? Sign in

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.

What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4


We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.