Exetools  

  #1  
Old 07-08-2006, 10:32
Ghandi2006 (VIP)
Info on creating process dumper

Can anybody direct me to some info on how to code my own process dumper?

What I need is the procedure(s) involved in dumping a process, much like LordPE does, but without using someone else's tool to do it. (I want to code my own dumper for a project I am working on.)

Also, if anybody could direct me to some info on writing my own Import Reconstructor.... Once again, it is easily achieved using ImpREC, but I want to understand the mechanics so I can include my own reconstruction in the same project.

Thanks, Ghandi2006
  #2  
Old 07-08-2006, 13:54
JMI (Leader)
This is working a fine line between a "Discussion", which is permitted in this particular Forum, and a "Request", which is not to be posted in this Forum and which are generally deleted if not posted in the "Requests Forum." I'm letting you pass on this one, but next time you are just "asking" for something, including "information" without actually "discussing" anything, other than "what you are about to do and what you want," post it in the Requests Forum.

Regards,
JMI
  #3  
Old 07-08-2006, 19:23
Jay (VIP)
unfsg

Quote:
Originally Posted by Ghandi2006
Can anybody direct me to some info on how to code my own process dumper?
Thanks, Ghandi2006
I found very little info when I toyed with the idea of doing the same thing. The attached FSG dumper contains (French-commented) assembly source; it may give you some ideas.
  #4  
Old 07-08-2006, 19:43
sHice
Code:
; DumpFileToDisk - write the PE image at FileBuffer to FilePath after
; patching the header fields passed in NewHeaderValues.
; FileBuffer is expected to be laid out as a memory image (every section
; at its VirtualAddress) in both modes:
;   Native = TRUE  -> headers, then each section's raw data, are written
;                     back to back, so the original raw layout is kept
;   Native = FALSE -> the section table is rewritten so raw offsets and
;                     sizes equal the virtual ones, and the image is
;                     written as-is (the usual "dump" layout)
DumpFileToDisk proc FileBuffer:DWORD, FilePath:DWORD, NewHeaderValues:DWORD, Native:BYTE
local written: DWORD
local PE: DWORD
local hFile: DWORD
local sections: WORD

    pushad
;---fix OEP+ImageSize---------------------------------
    mov ebx, NewHeaderValues
    assume ebx:ptr NEW_IMAGE_NT_HEADER_VALUES
    mov ecx, [ebx].OEP
    mov edx, [ebx].ImageSize
    mov eax, FileBuffer
    assume eax:ptr IMAGE_DOS_HEADER
    add eax, [eax].e_lfanew ; eax ptr to PE == IMAGE_NT_HEADERS struct
    assume eax:ptr IMAGE_NT_HEADERS
    mov [eax].OptionalHeader.AddressOfEntryPoint, ecx
    .if edx != 00h ; optional: ImageSize == 0 leaves SizeOfImage untouched
      mov [eax].OptionalHeader.SizeOfImage, edx
    .endif
;---fix OEP+ImageSize---------------------------------

;---IT+IAT--------------------------------------------
; DataDirectory[1]  = IMAGE_DIRECTORY_ENTRY_IMPORT (import descriptors)
; DataDirectory[12] = IMAGE_DIRECTORY_ENTRY_IAT    (the IAT itself)
; each IMAGE_DATA_DIRECTORY entry is 8 bytes, hence the offsets below
    mov ecx, [ebx].IT
    mov [eax].OptionalHeader.DataDirectory.VirtualAddress+sizeof IMAGE_DATA_DIRECTORY, ecx
    mov ecx, [ebx].ITSize
    mov [eax].OptionalHeader.DataDirectory.isize+sizeof IMAGE_DATA_DIRECTORY, ecx
    mov ecx, [ebx].IAT
    mov [eax].OptionalHeader.DataDirectory.VirtualAddress+sizeof IMAGE_DATA_DIRECTORY*12, ecx
    mov ecx, [ebx].IATSize
    mov [eax].OptionalHeader.DataDirectory.isize+sizeof IMAGE_DATA_DIRECTORY*12, ecx
    assume ebx:nothing
;---IT+IAT--------------------------------------------

    mov PE, eax
    invoke CreateFile, FilePath, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
    mov hFile, eax
    .if eax != INVALID_HANDLE_VALUE ; added check: the original wrote to a bad handle on failure
      .if Native == TRUE
        ; headers first (SizeOfHeaders bytes), then the sections in table
        ; order; this reproduces the original file only if its raw offsets
        ; were contiguous and in section order
        mov eax, PE
        mov ebx, [eax].OptionalHeader.SizeOfHeaders
        invoke WriteFile, hFile, FileBuffer, ebx, addr written, 0
        mov eax, PE
        mov bx, [eax].FileHeader.NumberOfSections
        mov sections, bx
        ; the section table follows IMAGE_NT_HEADERS; this assumes a PE32
        ; with the standard 0E0h optional header (FileHeader.SizeOfOptionalHeader)
        add PE, sizeof IMAGE_NT_HEADERS
        .while sections > 0
          mov eax, PE
          assume eax:ptr IMAGE_SECTION_HEADER
          mov ebx, [eax].VirtualAddress ; FileBuffer is a memory image, so the
          add ebx, FileBuffer           ; section data sits at its RVA
          mov ecx, [eax].SizeOfRawData
          invoke WriteFile, hFile, ebx, ecx, addr written, 0
          add PE, sizeof IMAGE_SECTION_HEADER
          dec sections
        .endw
      .else
        ; make the section table describe the memory layout:
        ; raw offset := RVA, raw size := virtual size
        mov eax, PE
        assume eax:ptr IMAGE_NT_HEADERS
        mov bx, [eax].FileHeader.NumberOfSections
        add eax, sizeof IMAGE_NT_HEADERS ; same PE32 assumption as above
        assume eax:ptr IMAGE_SECTION_HEADER
        .while bx > 0
          mov ecx, [eax].Misc.VirtualSize
          mov [eax].SizeOfRawData, ecx
          mov ecx, [eax].VirtualAddress
          mov [eax].PointerToRawData, ecx
          add eax, sizeof IMAGE_SECTION_HEADER
          dec bx
        .endw
        ; the whole image, headers included, is then written in one go
        ; (many dumpers also set FileAlignment = SectionAlignment here so the
        ; RVA-based raw offsets stay aligned; left as in the original)
        mov eax, PE
        assume eax:ptr IMAGE_NT_HEADERS
        mov ebx, [eax].OptionalHeader.SizeOfImage
        invoke WriteFile, hFile, FileBuffer, ebx, addr written, 0
      .endif
      invoke CloseHandle, hFile
    .endif
    popad
    assume eax:nothing
    ret
DumpFileToDisk endp
Code:
NEW_IMAGE_NT_HEADER_VALUES struct
  OEP       DWORD ?
  ImageSize DWORD ? ;optional
  IT        DWORD ?
  ITSize    DWORD ?
  IAT       DWORD ?
  IATSize   DWORD ?
NEW_IMAGE_NT_HEADER_VALUES ends
Code:
DumpFileToDisk PROTO : DWORD, : DWORD, : DWORD, : BYTE
DumpFileToDisk proc FileBuffer: DWORD, FilePath: DWORD, NewHeaderValues: DWORD, Native: BYTE

FileBuffer:
Pointer to a valid PE that is going to be dumped to disk.
FilePath:
Pointer to a null-terminated buffer that contains the path to which you want to dump the file.
NewHeaderValues:
Pointer to a NEW_IMAGE_NT_HEADER_VALUES structure.
Native:
If set to TRUE, ROffset & RSize will remain the same -> the file size stays the same.
Return Value:
NONE

The above proc dumps a PE file to disk and can fix some things in the PE header before dumping. I advise you to read Iczelion's tutorials about the PE file format. After having read them you should be able to imagine how to code your own process dumper/import rebuilder. Here are the tuts: http://win32asm.cjb.net/

Last edited by sHice; 07-08-2006 at 19:49.
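As an added example that is not part of sHice's post or of the thread: the same header fix-up that DumpFileToDisk performs with Native = FALSE, written in Python over a PE32 memory image held as bytes so it can be run offline. The image builder constructs a two-section sample with assumed values (not a real binary); fix_dump_headers sets the OEP, the import and IAT data directories and every section's raw offset/size, and additionally sets FileAlignment to SectionAlignment, a step the posted code does not take.

```python
# Added example, not code from the thread: the Native = FALSE fix-up of
# DumpFileToDisk done in Python on a PE32 memory image held as bytes.
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D
IMAGE_NT_SIGNATURE = 0x00004550
DIR_IMPORT, DIR_IAT = 1, 12          # DataDirectory indices
SECTION_HDR = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER, 40 bytes


def nt_header_offset(image):
    """Return e_lfanew after checking the MZ and PE signatures."""
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<I", image, pe)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    return pe


def section_table(image):
    """List of (header offset, name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    pe = nt_header_offset(image)
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    first = pe + 24 + opt_size       # IMAGE_FIRST_SECTION: after signature, file header, optional header
    rows = []
    for i in range(nsec):
        off = first + 40 * i
        f = struct.unpack_from(SECTION_HDR, image, off)
        rows.append((off, f[0].rstrip(b"\0"), f[1], f[2], f[3], f[4]))
    return rows


def entry_point(image):
    return struct.unpack_from("<I", image, nt_header_offset(image) + 24 + 16)[0]


def alignments(image):
    """(SectionAlignment, FileAlignment)."""
    return struct.unpack_from("<II", image, nt_header_offset(image) + 24 + 32)


def data_directory(image, index):
    """(VirtualAddress, Size) of DataDirectory[index]."""
    return struct.unpack_from("<II", image, nt_header_offset(image) + 24 + 96 + 8 * index)


def fix_dump_headers(image, oep, it=(0, 0), iat=(0, 0), image_size=0):
    """Return a copy of a memory-layout image whose headers describe that layout as a file.

    Same steps as DumpFileToDisk(Native = FALSE): OEP, optional SizeOfImage, import and
    IAT directories, then raw offset := RVA and raw size := VirtualSize for every section.
    FileAlignment is additionally set to SectionAlignment so the RVA-based raw offsets
    remain FileAlignment-aligned (not done by the posted code).
    """
    buf = bytearray(image)
    opt = nt_header_offset(buf) + 24
    struct.pack_into("<I", buf, opt + 16, oep)                 # AddressOfEntryPoint
    if image_size:
        struct.pack_into("<I", buf, opt + 56, image_size)      # SizeOfImage
    struct.pack_into("<II", buf, opt + 96 + 8 * DIR_IMPORT, *it)
    struct.pack_into("<II", buf, opt + 96 + 8 * DIR_IAT, *iat)
    sect_align = struct.unpack_from("<I", buf, opt + 32)[0]
    struct.pack_into("<I", buf, opt + 36, sect_align)          # FileAlignment
    for off, _name, vsize, va, _raw, _ptr in section_table(buf):
        struct.pack_into("<II", buf, off + 16, vsize, va)      # SizeOfRawData, PointerToRawData
    return bytes(buf)


def build_sample_image():
    """Constructed PE32 memory image (assumed values): .text at RVA 0x1000, .data at 0x2000."""
    pe, img = 0x80, bytearray(0x3000)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, pe)
    struct.pack_into("<I", img, pe, IMAGE_NT_SIGNATURE)
    # IMAGE_FILE_HEADER: i386, 2 sections, 0xE0-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)            # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x400)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)                  # NumberOfRvaAndSizes
    # section table as the packed file on disk had it: raw data at 0x400 and 0x800
    first = opt + 0xE0
    struct.pack_into(SECTION_HDR, img, first, b".text", 0x200, 0x1000, 0x400, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HDR, img, first + 40, b".data", 0x100, 0x2000, 0x200, 0x800, 0, 0, 0, 0, 0xC0000040)
    img[0x1000:0x1003] = b"\x33\xC0\xC3"                       # xor eax, eax / ret at the OEP
    return bytes(img)


if __name__ == "__main__":
    dumped = fix_dump_headers(build_sample_image(), oep=0x1000, it=(0x2000, 0x28), iat=(0x2100, 0x10))
    for _off, name, vsize, va, raw, ptr in section_table(dumped):
        print(name, hex(va), hex(vsize), hex(ptr), hex(raw))
```

After the call, both sections report PointerToRawData equal to their RVA and SizeOfRawData equal to VirtualSize, which is exactly what makes a memory image loadable when it is written to disk unchanged; the 1 KB size difference Ghandi2006 noticed against OllyDump comes from data appended beyond this image, not from the fix-up itself.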
  #5  
Old 07-08-2006, 22:41
Ghandi2006 (VIP)
Size_of_Image dump is different than OllyDumped exe

I had tried to use the SIZE_OF_IMAGE to get the dump size, but when I used OllyDump to create a dump file, its size differed from my RAW dump by 1kb. Obviously OllyDump has found/added data that I was unaware of; it must be necessary though....

I had managed to run the process to OEP, halt it and do a 'predump', but it seems that there is uninitialised data (packed sections) that I could not grab, only the empty section. I know it is the correct OEP, because if I dump using Olly (or LordPE), ImpREC the IAT & fix the header, it runs smoothly, so I'm going to have an interesting time ahead.

I will read through the material provided & post my progress.

Thanks for the input Jay, but I can't download the source until my download privileges are enabled... (it will help though; any material is a lot more than I could find on the subject!) I have source for ASPackDie! & a few other unpackers, but they are mostly using decrypting routines or are in C/C++ (which I am ignorant about) so I can't port their ideas properly.

sHice, thanks heaps for the ASM source. It is the language I'm coding in, so it IS relevant for me. What specific parts of the PE tuts do you think I should concentrate on? I have a few different tutorials on the subject & I am (slowly) getting a feel for the PE format; there's just a lot of info to keep track of. Maybe if I wasn't trying to look at the header struct as a whole, and concentrated more on the different sections.

I hadn't considered the header fixup that will be necessary after performing such a dump; what an oversight on my behalf!

I can see that this is getting a lot deeper than I thought it would be, but that's good! I wanted a challenge (maybe a bit ambitious for a starting project, but hey, gotta start this stuff somewhere) instead of coding a patcher, trainer or loader. I can code those easily enough; I've even applied the principle of a trainer's code injection crossed with an inline patch to create a serial-sniffer, so this should keep me busy for a bit.

Once again, thanks & I'm sorry to step on your toes JMI.... It WAS a half & half post, but the request thread was (is?) locked....

Ghandi2006
  #6  
Old 07-08-2006, 23:19
condzero
Process dumping

Here's a link to dumping another process in memory.

http://www.codeproject.com/threads/MDumpAll.asp

You can also find many other interesting topics when searching within the above link.

I have also included some sources on manipulating the PE, IAT, SEH, etc. in a bundle which may also help you.

good luck.
Attached: PE Stuff.rar (805.0 KB)
  #7  
Old 07-13-2006, 14:07
JuneMouse
Quote:
but when i used OllyDump to create a dump file, its size differed from my RAW dump by 1kb. Obviously OllyDump has found/added data that i was unaware of, must be necessary though....
OllyDump adds a section at the end, where it holds the correct import table after successfully resolving the IAT.
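To show what such an appended section has to contain, here is an added example (not code from the thread, from OllyDump or from ImpREC) that lays out a rebuilt import table in Python: an IMAGE_IMPORT_DESCRIPTOR array, a fresh import name table (INT) and the hint/name strings, with each descriptor's FirstThunk left pointing at the IAT slots the dumped code already calls through, so the loader overwrites those slots with real addresses at load time. The DLL and function names and all RVAs are constructed sample input; the blob is meant to be placed at section_rva in a new, writable section, with DataDirectory[1] pointed at its start. This also covers the Import Reconstructor mechanics Ghandi2006 asked about in the first post.

```python
# Added example, not code from the thread, OllyDump or ImpREC: lay out a
# rebuilt import table for a dump in the format the Windows loader expects.
import struct

DESC = "<IIIII"   # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
ORDINAL_FLAG = 0x80000000


def build_import_section(section_rva, imports):
    """Serialize imports for a section that will be mapped at section_rva.

    imports: [(dll_name, iat_rva, [function_name, ...]), ...] where iat_rva is the
    RVA of the first slot of that DLL's run in the dumped IAT (the slots the code's
    call [xxx] instructions already use). Returns (blob, import_dir_rva, import_dir_size).
    Each descriptor keeps FirstThunk = iat_rva and gets a new OriginalFirstThunk (INT)
    and Name inside the blob, so the loader rewrites the old IAT slots at load time.
    """
    desc_area = 20 * (len(imports) + 1)          # descriptors plus the null terminator
    body = bytearray()                           # INTs, IMAGE_IMPORT_BY_NAME entries, DLL names
    descriptors = []
    for dll, iat_rva, funcs in imports:
        while len(body) % 4:                     # keep each INT DWORD-aligned
            body += b"\0"
        int_off = len(body)
        body += b"\0" * 4 * (len(funcs) + 1)     # reserve the INT, filled once names are placed
        thunks = []
        for name in funcs:
            if len(body) % 2:                    # IMAGE_IMPORT_BY_NAME is WORD-aligned
                body += b"\0"
            thunks.append(section_rva + desc_area + len(body))
            body += struct.pack("<H", 0) + name.encode("ascii") + b"\0"   # Hint = 0, then Name
        name_rva = section_rva + desc_area + len(body)
        body += dll.encode("ascii") + b"\0"
        struct.pack_into("<%dI" % (len(funcs) + 1), body, int_off, *thunks, 0)
        descriptors.append((section_rva + desc_area + int_off, 0, 0, name_rva, iat_rva))
    blob = b"".join(struct.pack(DESC, *d) for d in descriptors) + b"\0" * 20 + bytes(body)
    return blob, section_rva, desc_area


def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def parse_import_section(blob, section_rva):
    """Walk the descriptors back the way the loader does; returns the imports list form."""
    out, off = [], 0
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from(DESC, blob, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                # null terminator
        names, toff = [], oft - section_rva
        while True:
            thunk = struct.unpack_from("<I", blob, toff)[0]
            if thunk == 0:
                break
            if thunk & ORDINAL_FLAG:
                names.append(thunk & 0xFFFF)     # import by ordinal
            else:
                names.append(_cstr(blob, thunk - section_rva + 2))   # skip the Hint WORD
            toff += 4
        out.append((_cstr(blob, name_rva - section_rva), ft, names))
        off += 20
    return out


SAMPLE_IMPORTS = [  # constructed: what an IAT scan of a dump might have recovered
    ("kernel32.dll", 0x2100, ["GetModuleHandleA", "ExitProcess"]),
    ("user32.dll", 0x2110, ["MessageBoxA"]),
]

if __name__ == "__main__":
    blob, rva, size = build_import_section(0x4000, SAMPLE_IMPORTS)
    print(hex(rva), size, parse_import_section(blob, 0x4000))
```

The order of the function lists must match the order of the slots in the dumped IAT, and a DLL's run of slots must end with a zero DWORD, since the loader fills FirstThunk slots sequentially until the INT terminator; that is the same constraint an IAT scan has to respect when it decides where one DLL's block ends and the next begins.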
  #8  
Old 07-14-2006, 12:03
scherzo
Hi Ghandi2006! I'm working on a project too and I'm using ImpREC Lite source code to reconstruct imports. The link below is a nice generic unpacker coded in ASM + ImpREC source. You can use it to understand how the dump is done and how to use imprec.dll.

http://rapidshare.de/files/25793515/imprecgenericunpackersources.rar.html

scherzo
  #9  
Old 08-02-2006, 18:27
Ghandi2006 (VIP)
Now I have the dumper

Hi scherzo!

I have a working dumper, but now im faced with a different obstacle...

I'm using a 'full' version of the ImpREC.dll file, not the lite, & it works great on MOST targets. There are still a few targets that are unrunnable after dumping. They throw an error stating "XXXXXXXXh refers to a location that was unaccessible or could not be read", leaving me to think that it is an unresolved import problem or License Manager Layer pointers that are not in their correct place. I will keep playing with it until this is fixed.

I was wondering scherzo, would you be able to offer any advice regarding the usage of ImpREC.dll or even ImpREC_Lite.dll?

On a positive note, the utility also includes a loader generator & an inline patch generator that seem to be working fine. I am adding another 2 types of inline patches to choose from as the first is not applicable to ALL targets. I'm sure that between all the options I am including in this, it will be a pretty handy tool.

It has so far:
1. 3 types of dumpers:
   RAW - Dumped, process halted @ License Manager EP & IAT unfixed, overlay data NOT appended.
   Unpatched - Dumped, IAT repaired & overlay data appended.
   Patched - Dumped, IAT repaired, overlay data appended & selected patches applied.

2. Loader generator
3. Inline patch generator - one type @ present, more to come.
4. Searches for & returns:
   SetKey & LoadStatePool addresses,
   License Manager Layer EP, size & address,
   CondZero's LML 'browser' type patches,
   ActiveMARK version.


TO DO:

1. Add the 2 different types of inline patch generators.
2. Add an Overlay Data handler for targets that have been dumped 'raw'.
3. Inbuilt IAT repair, standalone rather than using ImpREC. Then it will also have IAT size & RVA.
4. Possibly a command-line argument scanner for the targets it finds needing one. I have only encountered 2 such targets so far, but if this feature is present in 2, I figure that there are no doubt more.....


Thanks for all your help guys & thank you Aaron (for hosting this site) & JMI (for allowing this thread to stay here to begin with).

Ghandi