Here is the XprotStripper core code by kernelkiller
Code:
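/* Start address of the memory range that KeyboardProc writes to disk.
 * NOTE(review): 0x00400000 is the usual default image base of a 32-bit
 * Windows EXE; presumably this is the target's main module. Confirm that
 * the module is actually loaded there (relocation/ASLR can move it). */
#define BASE 0x00400000
/* Number of bytes written starting at BASE.
 * NOTE(review): presumably the image size of one specific build of the
 * target; a different build needs a different value. */
#define SIZE 0x259000
/* Executable name passed to GetProcessNamePid() to find the target PID.
 * The original line lacked "#define" and did not compile. */
#define ProcessName "Themida.exe"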
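/*
 * Keyboard hook procedure.
 *
 * When it runs inside the process whose name matches ProcessName and sees
 * F10, it appends SIZE bytes starting at address BASE of the current
 * process to c:\Dump.exe. Every event is then forwarded to the next hook.
 *
 * nCode   hook code; only HC_ACTION events are examined.
 * wParam  virtual-key code of the key.
 * lParam  key-state flags; bits 30 (previous key state) and 31 (transition
 *         state) are tested, so the initial key-down is ignored and only
 *         auto-repeat or key-release events match.
 *
 * Returns the result of CallNextHookEx().
 *
 * NOTE(review): the code that installs this hook is not shown here.
 */
LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    if ((nCode == HC_ACTION) && ((lParam & 0xC0000000) != 0)) {
        /* The original wrote `a = b != (c = d)`, which stored the boolean
         * result of the comparison in g_dwThreadID because != binds tighter
         * than =. Store the real IDs first, then compare.
         * NOTE(review): despite its name, g_dwThreadID receives a process
         * ID; confirm no other code expects a thread ID in it. */
        g_dwProcessId = GetProcessNamePid(ProcessName);
        g_dwThreadID = ::GetCurrentProcessId();

        if (g_dwThreadID == g_dwProcessId && wParam == VK_F10) {
            /* "a+b" appends: pressing F10 twice leaves two images back to
             * back in the file. Kept as in the original; delete the file
             * between runs. */
            FILE *fp = fopen("c:\\Dump.exe", "a+b");

            /* fopen() fails when the drive root is not writable for this
             * process; the original then passed NULL to fwrite()/fclose()
             * and crashed the hooked process. */
            if (fp != NULL) {
                /* The source is raw memory of the current process. If any
                 * page in [BASE, BASE + SIZE) is not readable, this read
                 * faults; nothing here guards against that. */
                const size_t itemsWritten = fwrite((const void *)BASE, SIZE, 1, fp);
                const int closeResult = fclose(fp);

                /* Report success only after the data has really been
                 * written; the original showed the box before fopen(). */
                if (itemsWritten == 1 && closeResult == 0) {
                    MessageBox(NULL, "SUCCESS", "OK", MB_OK);
                }
            }
        }
    }

    /* Always pass the event on so other hooks and the application still
     * receive the keystroke. */
    return CallNextHookEx(g_hKeyHook, nCode, wParam, lParam);
}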
And another good tool for dumping xpr/Themida, source code included