Extract Windows Defender database from vdm files and unpack it
Features
Usage
wdextract file [-e]
file - filename of VDM container (*.vdm file or MRT.exe executable);
-e - optional parameter: extract all PE image chunks found in the VDM after unpacking/decrypting (this includes VFS components and emulator VDLLs).
Example:
wdextract c:\wdbase\mpasbase.vdm
wdextract c:\wdbase\mpasbase.vdm -e
wdextract c:\wdbase\mrt.exe
wdextract c:\wdbase\mrt.exe -e
Note: the base will be unpacked/decrypted to the source directory as %originalname%.extracted (e.g. if the original file is c:\wdbase\mpasbase.vdm, the unpacked one will be c:\wdbase\mpasbase.vdm.extracted). Image chunks will be dumped to a "chunks" directory created in the wdextract current directory (e.g. if wdextract is run from c:\wdbase it will be c:\wdbase\chunks). Output files always overwrite existing ones.
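As an added illustration of what the -e step does conceptually (this is not wdextract's own code and does not know the VDM container format): locate PE images inside an already unpacked blob by validating the MZ header, e_lfanew and the PE\0\0 signature, then carve each image out. The sample blob is constructed inline; a real run would read the *.extracted file produced by wdextract.

```python
import struct

def find_pe_images(blob: bytes):
    """Return (offset, machine, num_sections) for every plausible PE header in blob.
    A bare "MZ" is not enough: e_lfanew must be sane and must point at "PE\0\0"."""
    results = []
    pos = 0
    while True:
        pos = blob.find(b"MZ", pos)
        if pos < 0:
            break
        if pos + 0x40 <= len(blob):  # room for the whole DOS header
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if (0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(blob)
                    and blob[pe:pe + 4] == b"PE\0\0"):
                machine, num_sections = struct.unpack_from("<HH", blob, pe + 4)
                results.append((pos, machine, num_sections))
        pos += 2
    return results

def carve_chunks(blob: bytes):
    """Simplistic carve: each image runs from its MZ to the next image (or end of blob)."""
    offsets = [off for off, _, _ in find_pe_images(blob)]
    bounds = offsets + [len(blob)]
    return [blob[bounds[i]:bounds[i + 1]] for i in range(len(offsets))]

def make_fake_pe(e_lfanew=0x80, machine=0x8664, nsect=3) -> bytes:
    """Constructed minimal DOS stub + PE signature + start of COFF header (test data)."""
    hdr = bytearray(e_lfanew + 24)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, machine, nsect)
    return bytes(hdr)

# Constructed sample: padding, an x64 image, a stray "MZ" that is NOT a PE, an x86 image.
SAMPLE_BLOB = (b"\x00" * 16 + make_fake_pe() + b"MZ" + b"\x00" * 30
               + make_fake_pe(0x40, 0x14C, 5) + b"\x00" * 8)

if __name__ == "__main__":
    for off, machine, nsect in find_pe_images(SAMPLE_BLOB):
        print(f"PE image at 0x{off:x}: machine=0x{machine:x} sections={nsect}")
    for i, chunk in enumerate(carve_chunks(SAMPLE_BLOB)):
        print(f"chunk{i}: {len(chunk)} bytes")
```

To inspect a real unpacked base, replace SAMPLE_BLOB with the bytes of the *.extracted file; the stray-"MZ" case shows why the e_lfanew and signature checks matter when carving from a large blob.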
Build
Related references and tools
gist.github.com/mattifestation/3af5a472e11b7e135273e71cb5fed866
gist.githubusercontent.com/hfiref0x/38e7845304d10c284220461c86491bdf/raw/39c999e59ff2a924932fe6db811555161596b4a7/gistfile1.txt
gist.githubusercontent.com/hfiref0x/e4b97fb7135c9a6f9f0787c07da0a99d/raw/d91e77f71aa96bdb98d121b1d915dc697ce85e2a/gistfile1.txt
gist.githubusercontent.com/hfiref0x/e9b3f185032fcd2afb31afe7bc9a05bd/raw/9bd9f9cc7c408acaff7b56b810c8597756d55d14/nis_sig.txt
github.com/0xAlexei/WindowsDefenderTools
github.com/hfiref0x/MpEnum
github.com/hfiref0x/WDExtract
github.com/madler/zlib
github.com/taviso/loadlibrary
github.com/UldisRinkevichs/libmpclient
N.B.
No dumped/extracted/unpacked binary data is included, or will be included, in this repository.
3rd party code usage
Uses ZLIB Data Compression Library (<https://github.com/madler/zlib>)
Authors
© 2019 WDEXTRACT Project