WDExtract - Extract Windows Defender Database From Vdm Files And Unpack It

Extract Windows Defender database from vdm files and unpack it

  • This program is distributed as-is, without any warranty;
  • No official support; if you like this tool, feel free to contribute.


  • Unpack VDM containers of Windows Defender/Microsoft Security Essentials;
  • Decrypt VDM container embedded in Malicious Software Removal Tool (MRT.exe);
  • Extract all PE images from unpacked/decrypted containers on the fly (-e switch):
      • dump VDLLs (Virtual DLLs);
      • dump VFS (Virtual File System) contents;
      • dump signatures auxiliary images;
      • dump GAPA (Generic Application Level Protocol Analyzer) images used by NIS (Network Inspection System);
      • code can be adapted to dump type specific chunks of database (not implemented);
  • Faster than any script.

List of MRT extracted images (version 5.71.15840.1)



  • wdextract file [-e]
  • file - filename of VDM container (*.vdm file or MRT.exe executable);
  • -e - optional parameter; extract all PE image chunks found in the VDM after unpacking/decrypting (this includes VFS components and emulator VDLLs).


  • wdextract c:\wdbase\mpasbase.vdm
  • wdextract c:\wdbase\mpasbase.vdm -e
  • wdextract c:\wdbase\mrt.exe
  • wdextract c:\wdbase\mrt.exe -e

Note: the base will be unpacked/decrypted to the source directory as %originalname%.extracted (e.g. if the original file is c:\wdbase\mpasbase.vdm, the unpacked file will be c:\wdbase\mpasbase.vdm.extracted). Image chunks will be dumped to a "chunks" directory created in wdextract's current directory (e.g. if wdextract is run from c:\wdbase, it will be c:\wdbase\chunks). Output files always overwrite existing ones.
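
Because each run overwrites the previous output, it helps to record what a run produced before repeating it. The following is an added example, not part of WDExtract: a Python inventory of the "chunks" directory that hashes each dumped file and checks that it really is a PE image. The names `parse_pe` and `inventory` are hypothetical, and the directory layout is assumed to be as the note above describes.

```python
import hashlib
import struct
from pathlib import Path

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def parse_pe(data):
    """Return basic header facts for a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # "PE\0\0" signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) must fit.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp, _symtab, _nsyms, _optsize, flags = (
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4))
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,  # TimeDateStamp, seconds since the Unix epoch
        "is_dll": bool(flags & IMAGE_FILE_DLL),
    }


def inventory(chunks_dir):
    """Hash every file under chunks_dir and attach PE header facts (or None)."""
    root = Path(chunks_dir)
    rows = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rows.append({"name": path.relative_to(root).as_posix(),
                     "size": len(data),
                     "sha256": hashlib.sha256(data).hexdigest(),
                     "pe": parse_pe(data)})
    return rows


if __name__ == "__main__":
    import sys
    # Default to ./chunks, i.e. the directory wdextract creates in its cwd.
    for row in inventory(sys.argv[1] if len(sys.argv) > 1 else "chunks"):
        pe = row["pe"] or {"machine": "not-a-PE"}
        print(row["sha256"], row["size"], pe["machine"], row["name"])
```

Saving the printed inventory next to the .extracted file gives a baseline to diff against when a later database version is unpacked into the same directory.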


  • Source code written in C;
  • Built with MSVS 2017 with Windows SDK 17763 installed;
  • Can be built with previous versions of MSVS and SDKs.

Related references and tools

No actual dumped/extracted/unpacked binary data included or will be included in this repository.

3rd party code usage
Uses ZLIB Data Compression Library (https://github.com/madler/zlib)

(c) 2019 WDEXTRACT Project


