Windows Memory Dump File Carving

Downloads: seax.py

This script extracts EXEs and DLLs from a Windows memory dump by locating PE headers, and automatically determines their filenames from VSINFO/AssemblyInfo structures where present. It may be useful for working around .NET obfuscation, for standalone .NET EXEs with embedded DLLs, or for other RE or analysis purposes: instead of trying to reverse the binary, run the binary, let it unpack itself, then grab what you need from memory.

1. Obtain a memory dump (i.e. from Task Manager)
2. Run seax or another tool to extract EXEs and DLLs from the dump
   - `python3 seax.py memdump.dmp`
   - by default, extracted files will be dumped in `./seax_out/`
3. Use dnSpy or whichever further tools you need to use on the output

If this doesn't do what you need, you can do the same process manually using binwalk + ImHex.
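
The PE-header location step described above, as an added example that is not seax.py's code: it scans a buffer for `MZ`, follows `e_lfanew` to the `PE\0\0` signature, and reports each validated header's offset, EXE/DLL type, format, section count and `SizeOfImage`. The function names, the `max_lfanew` bound, the section-count range and the sample dump bytes are assumptions made for the example.

```python
import struct

IMAGE_FILE_DLL = 0x2000                      # COFF Characteristics bit: image is a DLL
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}  # optional-header magic values

def parse_pe_at(data, base, max_lfanew=0x1000):
    """Validate a PE header starting at an 'MZ' candidate; return a dict or None."""
    if base + 0x40 > len(data):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3C)
    if not 0x40 <= e_lfanew <= max_lfanew:   # heuristic bound (assumption) to reject stray 'MZ'
        return None
    nt = base + e_lfanew
    if nt + 24 + 60 > len(data) or data[nt:nt + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, nt + 4)
    (magic,) = struct.unpack_from("<H", data, nt + 24)
    if magic not in OPT_MAGIC or opt_size < 60 or not 1 <= nsect <= 96:
        return None
    (size_of_image,) = struct.unpack_from("<I", data, nt + 24 + 56)  # same offset in PE32 and PE32+
    return {"offset": base, "kind": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
            "format": OPT_MAGIC[magic], "machine": machine,
            "sections": nsect, "size_of_image": size_of_image}

def find_pe_headers(data):
    """Scan a dump for every 'MZ' and keep only those with a consistent PE header."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        hit = parse_pe_at(data, pos)
        if hit:
            hits.append(hit)
        pos = data.find(b"MZ", pos + 1)
    return hits

def build_sample_dump():
    """Constructed input: filler, a stray 'MZ' at 0x200, one minimal x64 DLL header at 0x400."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 54 + struct.pack("<I", 0x6000) + b"\0" * (0xF0 - 60)
    return b"\xCC" * 0x200 + b"MZ" + b"\xCC" * 0x1FE + dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    for h in find_pe_headers(build_sample_dump()):
        print(f"{h['offset']:#x} {h['kind']} {h['format']} sections={h['sections']} "
              f"SizeOfImage={h['size_of_image']:#x}")
```

To try it on a real dump, pass the file's bytes to `find_pe_headers`; for large dumps, read through `mmap` rather than loading the whole file.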