04-21-2005, 14:27
pll823
 
10 lines code dumped themida

Here is the XprotStripper core code by kernelkiller:
Code:
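#include <windows.h>
#include <stdio.h>

#define BASE 0x00400000   // start address of the region written to disk
#define SIZE 0x259000     // number of bytes written from BASE

#define ProcessName "Themida.exe"

// g_hKeyHook, g_dwThreadID, g_dwProcessId and GetProcessNamePid() are not
// shown in this excerpt.
LRESULT CALLBACK KeyboardProc(int nCode,WPARAM wParam,LPARAM lParam)
{
  FILE *fp;
  // lParam bit 30 = previous key state, bit 31 = transition state
  if((nCode==HC_ACTION)&&((lParam & 0xC0000000)!=0)){
    // Parenthesized so g_dwThreadID receives the process ID itself;
    // without the parentheses it received the result of the != comparison.
    if((g_dwThreadID=::GetCurrentProcessId()) != (g_dwProcessId=GetProcessNamePid(ProcessName))){
      // The hook is running in some other process: pass the event on
      return CallNextHookEx(g_hKeyHook, nCode, wParam, lParam );
    }else{
      switch(wParam){
      case VK_F10:
        MessageBox(NULL,"SUCCESS","OK",MB_OK);
        // "a+b" appends: a second F10 press adds another copy to the file
        fp=fopen("c:\\Dump.exe","a+b");
        if(fp!=NULL){   // skip the write if the file could not be opened
          fwrite((const void *)BASE,SIZE,1,fp);
          fclose(fp);
        }
        break;
      default:
        break;
      }
    }
  }
  return CallNextHookEx(g_hKeyHook, nCode, wParam, lParam );
}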
And another good tool for dumping xpr/themida, source code included.
Attached Images
File Type: jpg inject.jpg (81.6 KB, 69 views)
Attached Files
File Type: rar Adump.rar (338.7 KB, 51 views)
File Type: rar dllinject.rar (33.7 KB, 45 views)

Last edited by pll823; 04-21-2005 at 14:36.