Exetools  

#1  volodya, 08-30-2003 09:16
What is "anti-dump"?

Many new idiotic and non-idiotic protectors are announcing themselves as "anti-dumping" ones. It may include:
1) Detecting a given process dumper (e.g. ProcDump) in memory and deleting it, using, e.g., TerminateProcess
2) Possibly hiding from the process dumper by hooking several API functions (for example, the ones that belong to PSAPI or even native ones like NtQuery*)
3) Simply erasing or filling with garbage the PE header in memory (not always possible, but...) - teLock does this, increasing NumberOfSections to 2xx, which causes the dumped process to fail during the next launch.
4) ???

Who can continue and make this list wider... I would highly appreciate any examples with assembly code. Maybe anyone knows anything about VirtualProtect or something like this...
#2  Lunar_Dust, 08-30-2003 10:08
Also it would be when the protector replaces code in the protected file with CALLS or JMPS into its own code. This way, if you dump the program, the protector isn't there anymore and the program will crash.

-Lunar
#3  sope2001, 08-30-2003 15:04
Hello volodya

If you already know about it, please skip this post. ^daemon^'s website has an example of it; please check it, just in case you are interested: http://daemon.anticrack.de/antidump.txt & http://daemon.anticrack.de/procdump.txt

Regards, Sope.
#4  pLayAr, 08-30-2003 21:09
    push    fs:[30h]                    ; on NT, TEB+30h holds the PEB (a user-mode address)
    pop     eax
    test    eax, eax
    js      _win9x                      ; on Win9x fs:[30h] is a high (kernel-range) address, so it tests negative
_iswinnt:
    mov     eax, [eax+0Ch]              ; PEB.Ldr -> PEB_LDR_DATA
    mov     eax, [eax+0Ch]              ; Ldr.InLoadOrderModuleList.Flink -> first LDR_DATA_TABLE_ENTRY (the exe itself)
    mov     dword ptr [eax+20h], 1000h  ; entry.SizeOfImage = 1000h; a dumper that trusts it copies only one page
    jmp     _over
_win9x:
    push    0
    call    GetModuleHandle             ; GetModuleHandle(NULL); on 9x edx is left pointing at an internal (undocumented) module record
    test    edx, edx
    jns     _over                       ; not a kernel-range pointer: give up quietly
    cmp     dword ptr [edx+8], -1
    jne     _over
    mov     edx, [edx+4]
    mov     dword ptr [edx+50h], 1000h  ; module size field in that record = 1000h, same effect as on NT
_over:

Sorry for my poor English.
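An added example, not code from this thread, covering point 3 of the first post (teLock's bogus NumberOfSections) and the SizeOfImage patch in the post above from the dumper's side: a C routine that ignores both fields as stored in a dump and recomputes them from the section table, which these tricks leave intact. It reads the header through the documented PE32 offsets rather than <windows.h>, so it builds and runs on any platform; the header it repairs is constructed inline and is not a real dump.

```c
/* Added example, not code from this thread: repair the PE32 header of a raw
 * process dump against a bogus NumberOfSections (teLock writes 0x2xx) and a
 * bogus SizeOfImage (the loader-entry patch above writes 0x1000).  Documented
 * PE offsets are used instead of <windows.h>; the sample header is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECT_HDR_SIZE 40u
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Count the section entries that really exist, ignoring NumberOfSections: each
 * must fit below SizeOfHeaders and have a non-zero, ascending, aligned VirtualAddress. */
static uint16_t count_real_sections(const uint8_t *img, size_t tab, size_t limit, uint32_t align)
{
    uint32_t prev_va = 0;
    uint16_t n = 0;
    while (tab + (size_t)(n + 1) * SECT_HDR_SIZE <= limit) {
        uint32_t va = rd32(img + tab + n * SECT_HDR_SIZE + 12);
        if (va == 0 || va <= prev_va || va % align) break;             /* zero fill or junk entry */
        prev_va = va, n++;
    }
    return n;
}

/* Highest VirtualAddress + VirtualSize over the real sections, rounded up to
 * SectionAlignment; a dumper trusting the patched loader SizeOfImage (0x1000)
 * would have stopped after the first page. */
static uint32_t size_from_sections(const uint8_t *img, size_t tab, uint16_t nsec, uint32_t hdrs, uint32_t align)
{
    uint32_t end = hdrs;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = img + tab + i * SECT_HDR_SIZE;
        uint32_t vsize = rd32(s + 8), e = rd32(s + 12) + (vsize ? vsize : rd32(s + 16)); /* VirtualSize may be zeroed */
        if (e > end) end = e;
    }
    return (end + align - 1) & ~(align - 1);
}

/* Rewrite NumberOfSections and SizeOfImage in place from the section table.
 * Returns how many fields were changed, or -1 if the header is unusable. */
int pe_repair_dump_header(uint8_t *img, size_t len, uint16_t *nsec_out, uint32_t *size_out)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                          /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                                             /* e_lfanew */
    if (pe > len || len - pe < 120 || rd32(img + pe) != 0x00004550) return -1;  /* "PE\0\0" */
    uint8_t *fh = img + pe + 4, *oh = fh + 20;                                  /* IMAGE_FILE_HEADER, optional header */
    if (rd16(oh) != 0x10B) return -1;                                           /* PE32 magic */
    size_t tab = (size_t)(oh - img) + rd16(fh + 16);                            /* + SizeOfOptionalHeader */
    uint32_t align = rd32(oh + 32) ? rd32(oh + 32) : 0x1000, hdrs = rd32(oh + 60);
    uint16_t real = count_real_sections(img, tab, hdrs < len ? hdrs : len, align);
    if (real == 0) return -1;
    uint32_t size = size_from_sections(img, tab, real, hdrs, align);
    int fixed = 0;
    if (real != rd16(fh + 2)) { wr16(fh + 2, real); fixed++; }                 /* NumberOfSections */
    if (size != rd32(oh + 56)) { wr32(oh + 56, size); fixed++; }               /* SizeOfImage */
    if (nsec_out) *nsec_out = real;
    if (size_out) *size_out = size;
    return fixed;
}

/* Constructed sample (assumed values, not a real dump): a minimal PE32 header
 * with .text and .data, then the two corruptions applied to it. */
static void build_sample(uint8_t *buf, size_t len, uint16_t bogus_nsec, uint32_t bogus_size)
{
    memset(buf, 0, len);
    wr16(buf, 0x5A4D); wr32(buf + 0x3C, 0x40); wr32(buf + 0x40, 0x00004550);      /* MZ, e_lfanew, PE\0\0 */
    wr16(buf + 0x44, 0x14C); wr16(buf + 0x46, bogus_nsec); wr16(buf + 0x54, 0xE0); /* Machine, NumberOfSections, SizeOfOptionalHeader */
    uint8_t *oh = buf + 0x58;
    wr16(oh, 0x10B); wr32(oh + 32, 0x1000); wr32(oh + 36, 0x200);                 /* magic, SectionAlignment, FileAlignment */
    wr32(oh + 56, bogus_size); wr32(oh + 60, 0x400);                              /* SizeOfImage, SizeOfHeaders */
    uint8_t *st = oh + 0xE0;                                                      /* section table at 0x138 */
    memcpy(st, ".text", 5);      wr32(st + 8, 0x800); wr32(st + 12, 0x1000);      /* VirtualSize, VirtualAddress */
    memcpy(st + 40, ".data", 5); wr32(st + 48, 0x300); wr32(st + 52, 0x2000);
}

typedef struct { int fixed, fixed_again; uint16_t nsec; uint32_t size; } demo_result;

/* Run the repair on the constructed sample; a second pass must change nothing. */
demo_result demo_repair(void)
{
    static uint8_t img[0x400];
    demo_result r;
    build_sample(img, sizeof img, 0x210, 0x1000);
    r.fixed = pe_repair_dump_header(img, sizeof img, &r.nsec, &r.size);
    r.fixed_again = pe_repair_dump_header(img, sizeof img, NULL, NULL);
    return r;
}

int main(void)
{
    demo_result r = demo_repair();
    printf("fixed %d field(s): NumberOfSections=%u SizeOfImage=0x%X (second pass: %d)\n",
           r.fixed, (unsigned)r.nsec, (unsigned)r.size, r.fixed_again);
    return 0;
}
```

Both repaired fields come from the section table rather than from anything the loader reports, which is the point: the same recomputation should decide how much of the process a dumper reads in the first place, instead of the SizeOfImage found in the PEB's loader entry.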
#5  dynio, 08-30-2003 21:41
Well, I'm too lazy to write assembly code here (if you really need it I can do it next week) but there are a lot of examples. Let's show the latest: Xtreme Protector maps the memory at the device driver level so traditional dumpers won't even touch the target. Also it erases the first few bytes at the OEP and makes a hell using multiple threads' communication to decrypt and prevent debugging. Although an automatic skipper/decrypter/unpacker/rebuilder sounds like a mistake, it's not so hard to dump the executable and finish it manually (if you have free time). If someone would pay me (I'm assuming the situation only) for writing an XProtector unpacker I would say: not less than 1.500$.
In their papers they claim: "it's virtually impossible to trace the program under any kind of debugger" - as usual, THAT'S A LIE.
Ooops... I'm probably missing the point. Anyway, if someone is interested I recommend: "Inside Windows 2000 - 3rd Edition" (Redmond (WA), Microsoft Press) - a great book from SysInternals.

Regards.
#6  Lunar_Dust, 08-30-2003 22:13
Damnit, that's the book I'm trying to buy right now to fight this, and the bookstore is all out...

That was my theory as well in that they moved some process code into driver mem.

Anyway I can still dump most program memory using another conventional technique, but as you say if some is in driver mem I need ring0 code. Not too much trouble, just have to have a good reference, hence the book.

-Lunar
#7  dynio, 08-30-2003 22:34
Lunar!
Wait a minute! If I'm describing any book/program/problem then you should know I'm using it or own it. I will send you this book in chm format - let's take it as a kind of thanks for writing the Armadillo dumper. Contact me via PM.

Regards.
#8  Satyric0n, 08-30-2003 23:48
dynio, maybe you would be so kind as to upload it to the FTP? Just a thought...
#9  dynio, 08-31-2003 00:14
Damn right.
Actually I'm encountering some problems logging in to the FTP as uploader (max users limit or what?). I'll keep trying and let you all know when I finish.

Regards.
#10  volodya, 08-31-2003 00:37
Thank you all!

Guys, thanks for the informative answers. Of course, I have read the "Inside Windows 2000" book. Anyone who claims to be a good cracker should be a good system programmer. Or at least know something about it...
Secondly. Needless to say, I would also like to have the book you've mentioned! In my turn I can share the book called "Crackproof Your Software: The Best Ways to Protect Your Software Against Crackers". It is pretty nice and contains some info. The format is "pdf".
Thirdly. I myself am one of the people who pretend to be co-authors of PE Tools by NEOx. It is a new generation process dumper, import rebuilder, resource rebuilder, relocation rebuilder, PE Sniffer and so on, so on... (BTW, available on wasm...) So I'm interested in making this software better, therefore I'm asking professionals.

sope2001
Your link is nice - thank you. But all it does is hook the API ReadProcessMemory and that's all - weak protection.

dynio
Your horrible tales about Xtreme-Protector scared me.
So, maybe it makes sense to create a driver which will dump any given page in memory.

So, guys. I've heard something about the tricks (though the information is not really complete), but what will your suggestions be?
#11  volodya, 08-31-2003 00:39
pLayAr

Your English MIGHT be poor, but the code is pretty interesting!
#12  volodya, 08-31-2003 01:01
VirtualProtect

Guys, has any of you ever met an anti-dumping routine based on the given API?
#13  dynio, 08-31-2003 01:19
First: the book has been successfully uploaded under the "E.Book.Inside.Win.2000.3rd.Edition-dyn!o" directory. Look out, because it's 19MB.
Second: Volodya: I was thinking a few times about a low-level dumper for PeTools but... I haven't enough time for it... (I'm assuming a whole 5-7 days.) Hope I could help in the future somehow...
Third: Good idea with the device-dumper. I can't see myself any other method to dump an XProtected executable...
Fourth: VirtualAlloc is such an often-used API that I can't remember at the moment if it was used in any antidump code. From now on I'll be hunting for this one.

Regards.
#14  volodya, 08-31-2003 01:26
dynio

Thanks!

But not VirtualAlloc. VirtualProtect.

Thanks again! Waiting...

while(1)
{
if(dynio found it)
break;
}