#1
|
|||
|
|||
Info on creating process dumper
Can anybody direct me to some info on how to code my own process dumper?
What i need is the procedure(s) involved in dumping a process, much like LordPE does, but without using someone elses tool to do it. (I want to code my own dumper for a project i am working on.) Also, if anybody could direct me to some info on writing my own Import Reconstructor.... Once again, it is easily achieved using ImpREC, but i want to understand the mechanics so i can include my own reconstruction in the same project. Thanks, Ghandi2006 |
#2
|
|||
|
|||
This is working a fine line between a "Discussion", which is permitted in this particular Forum, and a "Request", which is not to be posted in this Forum and which are generally deleted if not posted in the "Requests Forum." I'm letting you pass on this one, but next time you are just "asking" for something, including "information" without actually "discussing" anything, other than "what you are about to do and what you want," post it in the Requests Forum.
Regards,
__________________
JMI |
#3
|
|||
|
|||
unfsg
Quote:
|
#4
|
|||
|
|||
Code:
DumpFileToDisk proc FileBuffer:DWORD, FilePath:DWORD, NewHeaderValues:DWORD, Native:BYTE local written: DWORD local PE: DWORD local hFile: DWORD local sections: WORD pushad ;---fix OEP+ImageSize--------------------------------- mov ebx, NewHeaderValues assume ebx:ptr NEW_IMAGE_NT_HEADER_VALUES mov ecx, [ebx].OEP mov edx, [ebx].ImageSize mov eax, FileBuffer assume eax:ptr IMAGE_DOS_HEADER add eax, [eax].e_lfanew ; eax ptr to PE == IMAGE_NT_HEADERS struct assume eax:ptr IMAGE_NT_HEADERS mov [eax].OptionalHeader.AddressOfEntryPoint, ecx .if edx != 00h ;optional mov [eax].OptionalHeader.SizeOfImage, edx .endif ;---fix OEP+ImageSize--------------------------------- ;---IT+IAT-------------------------------------------- mov ecx, [ebx].IT mov [eax].OptionalHeader.DataDirectory.VirtualAddress+sizeof IMAGE_DATA_DIRECTORY, ecx mov ecx, [ebx].ITSize mov [eax].OptionalHeader.DataDirectory.isize+sizeof IMAGE_DATA_DIRECTORY, ecx mov ecx, [ebx].IAT mov [eax].OptionalHeader.DataDirectory.VirtualAddress+sizeof IMAGE_DATA_DIRECTORY*12, ecx mov ecx, [ebx].IATSize mov [eax].OptionalHeader.DataDirectory.isize+sizeof IMAGE_DATA_DIRECTORY*12, ecx ;---IT+IAT-------------------------------------------- mov PE, eax .if Native == TRUE invoke CreateFile, FilePath, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0 mov hFile, eax mov eax, PE mov ebx, [eax].OptionalHeader.SizeOfHeaders invoke WriteFile, hFile, FileBuffer, ebx, addr written, 0 mov eax, PE mov bx, [eax].FileHeader.NumberOfSections mov sections, bx add PE, sizeof IMAGE_NT_HEADERS .while sections > 0 mov eax, PE assume eax:ptr IMAGE_SECTION_HEADER mov ebx, [eax].VirtualAddress add ebx, FileBuffer mov ecx, [eax].SizeOfRawData invoke WriteFile, hFile, ebx, ecx, addr written, 0 add PE, sizeof IMAGE_SECTION_HEADER dec sections .endw .else assume eax:ptr IMAGE_NT_HEADERS mov bx, [eax].FileHeader.NumberOfSections add eax, sizeof IMAGE_NT_HEADERS assume eax:ptr IMAGE_SECTION_HEADER .while bx > 0 mov ecx, [eax].Misc.VirtualSize mov [eax].SizeOfRawData, ecx mov ecx, [eax].VirtualAddress mov [eax].PointerToRawData, ecx add eax, sizeof IMAGE_SECTION_HEADER dec bx .endw invoke CreateFile, FilePath, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0 mov hFile, eax mov eax, PE assume eax:ptr IMAGE_NT_HEADERS mov ebx, [eax].OptionalHeader.SizeOfImage invoke WriteFile, hFile, FileBuffer, ebx, addr written, 0 .endif invoke CloseHandle, hFile popad assume eax:nothing ret DumpFileToDisk endp Code:
NEW_IMAGE_NT_HEADER_VALUES struct OEP DWORD ? ImageSize DWORD ? ;optional IT DWORD ? ITSize DWORD ? IAT DWORD ? IATSize DWORD ? NEW_IMAGE_NT_HEADER_VALUES ends Code:
DumpFileToDisk PROTO : DWORD, : DWORD, : DWORD, : BYTE DumpFileToDisk proc FileBuffer: DWORD, FilePath: DWORD, NewHeaderValues: DWORD, Native: BYTE FileBuffer: Pointer to a valid PE that is going to be dumped to disk. FilePath: Pointer to a null terminated buffer that contains the path whereto you want to dump the file. NewHeaderValues: The pointer to a NEW_IMAGE_NT_HEADER_VALUES structure Native: If set to TRUE ROffset & RSize will remain the same -> size stays the same Return Value: NONE Last edited by sHice; 07-08-2006 at 19:49. |
#5
|
|||
|
|||
Size_of_Image dump is different than OllyDumped exe
I had tried to use the SIZE_OF_IMAGE to get dump size, but when i used OllyDump to create a dump file, its size differed from my RAW dump by 1kb. Obviously OllyDump has found/added data that i was unaware of, must be necessary though....
I had managed to run the process to OEP, halt it and do a 'predump', but it seems that there is uninitialised data (packed sections) that i could not grab, only the empty section. I know it is correct OEP, because if i dump using Olly (or LordPE), ImpREC the IAT & fix the header, it runs smoothly, so im going to have an interesting time ahead. I will read through the material provided & post my progress. Thanks for the input Jay, but i cant d/l the source until my d/l privileges are enabled... (it will help though, any material is a lot more than i could find on the subject!) I have source for ASPackDie! & a few other unpackers, but they are mostly using decrypting routines or are in C/C++ (which i am ignorant about) so i cant port their ideas properly sHice, thanks heaps for the ASM source It is the language im coding in, so it IS relevant for me. What specific parts of the PE tuts do you think i should concentrate on? I have a few different tutorials on the subject & i am (slowly) getting a feel for the PE format, theres just a lot of info to keep track of. Maybe if i wasn't trying to look at the header struct as a whole, concentrated more on the different sections. I hadn't considered the header fixup that will be necessary after performing such a dump, what an oversight on my behalf! I can see that this is getting a lot deeper than i thought it would be, but thats good! I wanted a challenge (maybe a bit ambitious for a starting project, but hey, gotta start this stuff somewhere) instead of coding a patcher, trainer or loader. I can code those easily enough, ive even applied the principle of a trainer's code injection crossed with an inline patch to create a serial-sniffer, so this should keep me busy for a bit. Once again, thanks & im sorry to step on your toes JMI.... It WAS a half & half post, but the request thread was (is?) locked.... Ghandi2006 |
#6
|
|||
|
|||
Process dumping
Here's a link to dumping another process in memory.
http://www.codeproject.com/threads/MDumpAll.asp You can also find many other interesting topics when searching within the above link. I have also included some sources on manipulating the PE, IAT, SEH, etc in a bundle which may also help you. good luck. |
#7
|
|||
|
|||
Quote:
|
#8
|
|||
|
|||
Hi Ghandi2006! I'm working on a project too and I'm using imprec lite source code to reconstruct imports. The link below is a nice generic unpacker coded in ASM + imprec source. You can use to understand how the dump is done and how to use imprec.dll.
http://rapidshare.de/files/25793515/imprecgenericunpackersources.rar.html scherzo |
#9
|
|||
|
|||
Now i have the dumper
Hi scherzo!
I have a working dumper, but now im faced with a different obstacle... Im using a 'full' version of the ImpREC.dll file, not the lite & it works great on MOST targets. There are still a few targets that are unrunnable after dumping. They throw an error stating "XXXXXXXXh refers to a location that was unaccessible or could not be read", leaving me to think that it is an unresolved import problem or License Manager Layer pointers that are not in their correct place. I will keep playing with it until this is fixed. I was wondering scherzo, would you be able to offer any advice regarding the usage of ImpREC.dll or even ImpREC_Lite.dll? On a positive note, the utility also includes a loader generator & an inline patch generator that seem to be working fine. I am adding another 2 types of inline patches to choose from as the first is not applicable to ALL targets. Im sure that between all the options i am including in this, it will be a pretty handy tool. It has so far: 1. 3 types of dumpers: RAW - Dumped, Process halted @ License Manager EP & IAT unfixed, Overlay Data NOT appended. Unpatched - Dumped, IAT repaired & Overlay Data appended. Patched - Dumped, IAT repaired, Overlay Data appended & selected patches applied. 2. Loader generator 3. Inline patch generator - One type @ present, more to come. 4. Searches for & returns: SetKey & LoadStatePool Addresses, License Manager Layer EP, Size & Address, CondZero's LML 'browser' type patches, ActiveMARK version, TO DO: 1. Add the 2 different types of inline patch generators. 2. Add an Overlay Data handler for targets that have been dumped 'raw'. 3. Inbuilt IAT repair, standalone rather than using ImpREC. Then it will also have IAT size & RVA. 4. Possible a commandline argument scanner for the targets it finds needing one. I have only encountered 2 such targets so far, but if this feature is present in 2, i figure that there are no doubt more..... Thanks for all your help guys & thank you Aaron (for hosting this site) & JMI (for allowing this thread to stay here to begin with). Ghandi |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Creating boot WinPE ISO from USB drive with min. disk space+factory reset prtn. info | chants | General Discussion | 2 | 02-29-2020 21:49 |
looking for adware info and homepage hijacker info | chad1111 | General Discussion | 7 | 01-10-2005 21:02 |