Useful for vectored handler debugging and other shenanigans

- Enumerate all VEH/VCH in running processes and view where they are located (image/memory)
- Display memory permissions etc. when a handler is pointing towards unbacked memory or a modified KnownDll
- Dump all VEH/VCH in a specific process, specifying the amount of bytes to dump
- Overwrite a specific VEH/VCH in a specific process with a pointer to shellcode or another arbitrary pointer, useful when dealing with VEH(s) related to anti-debug

  ```
  .\VectoredUtil.exe -proc 12345 -overwrite veh 1 0x00007fffd255e1c4
  .\VectoredUtil.exe -debug -proc 12333 -overwrite vch 1 C:\payload.bin
  ```

- Inject a VEH/VCH into a process if there isn't one registered
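The "handler points at unbacked memory" check behind the permissions display above, written out as an added PowerShell example (not VectoredUtil's own code): it queries a region in a target process and reports whether it is image-backed, which file backs it, and its protection. The PID and address are the placeholders from the usage line above; `Get-AddressBacking` is a name chosen here.

```powershell
# Added example, not part of VectoredUtil. Classifies one address in a remote process.
Add-Type -Namespace Win32 -Name Mem -MemberDefinition @'
[System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION {
    public System.IntPtr BaseAddress; public System.IntPtr AllocationBase;
    public uint AllocationProtect; public System.IntPtr RegionSize;
    public uint State; public uint Protect; public uint Type;
}
[System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
public static extern System.IntPtr OpenProcess(uint access, bool inherit, uint pid);
[System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
public static extern System.UIntPtr VirtualQueryEx(System.IntPtr hProcess, System.IntPtr addr,
    out MEMORY_BASIC_INFORMATION mbi, System.UIntPtr len);
[System.Runtime.InteropServices.DllImport("psapi.dll", CharSet = System.Runtime.InteropServices.CharSet.Unicode)]
public static extern uint GetMappedFileNameW(System.IntPtr hProcess, System.IntPtr addr,
    System.Text.StringBuilder name, uint size);
[System.Runtime.InteropServices.DllImport("kernel32.dll")]
public static extern bool CloseHandle(System.IntPtr h);
'@

function Get-AddressBacking {
    param([int]$ProcessId, [uint64]$Address)
    # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ is enough to query and name the mapping
    $h = [Win32.Mem]::OpenProcess(0x0400 -bor 0x0010, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try {
        $mbi  = New-Object Win32.Mem+MEMORY_BASIC_INFORMATION
        $len  = [UIntPtr][uint64][Runtime.InteropServices.Marshal]::SizeOf([type][Win32.Mem+MEMORY_BASIC_INFORMATION])
        $ret  = [Win32.Mem]::VirtualQueryEx($h, [IntPtr][int64]$Address, [ref]$mbi, $len)
        if ($ret -eq [UIntPtr]::Zero) { throw "VirtualQueryEx failed for 0x$('{0:X}' -f $Address)" }
        # MEM_IMAGE = a mapped PE; MEM_PRIVATE = heap/VirtualAlloc memory with no file behind it
        $type = switch ($mbi.Type) { 0x1000000 {'MEM_IMAGE'} 0x40000 {'MEM_MAPPED'} 0x20000 {'MEM_PRIVATE'} default {'UNKNOWN'} }
        $sb = New-Object System.Text.StringBuilder 1024
        $n  = [Win32.Mem]::GetMappedFileNameW($h, [IntPtr][int64]$Address, $sb, 1024)
        $backing = if ($n -gt 0) { $sb.ToString(0, [int]$n) } else { '<unbacked>' }
        [pscustomobject]@{
            Address    = ('0x{0:X16}' -f $Address)
            Type       = $type
            Protect    = ('0x{0:X}' -f $mbi.Protect)   # e.g. 0x20 PAGE_EXECUTE_READ, 0x40 PAGE_EXECUTE_READWRITE
            Backing    = $backing
            Suspicious = ($type -ne 'MEM_IMAGE')       # a handler outside any image warrants a closer look
        }
    } finally { [void][Win32.Mem]::CloseHandle($h) }
}

# Placeholder PID and handler address taken from the usage line above.
Get-AddressBacking -ProcessId 12345 -Address 0x00007fffd255e1c4
```

A MEM_IMAGE result only says a file is mapped there; the modified-KnownDll case the feature list mentions still needs the mapped bytes compared against the file on disk.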