#1
What is "anti-dump"?
Many new idiotic and non-idiotic protectors are announcing themselves as "anti-dumping" ones. It may include:
1) Detecting a given process dumper (e.g. ProcDump) in memory and deleting it, using, e.g., TerminateProcess
2) Possibly hiding from a process dumper by hooking several API functions (for example, the ones that belong to PSAPI or even native ones like NtQuery*)
3) Simply erasing or filling with garbage the PE header in memory (not always possible, but...) - teLock does this, increasing NumberOfSections to 2xx, which causes the dumped process to fail during the next launch.
4) ??? Who can continue and make this list wider...
I would highly appreciate any examples with assembly code. Maybe anyone knows anything about VirtualProtect or sth like this...
#2
Also it would be when the protector replaces code in the protected file with CALLS or JMPS into its own code. This way, if you dump the program, the protector isn't there anymore and the program will crash.
-Lunar
#3
Hello volodya
If you already know about it please skip this post. ^daemon^'s website has an example of it; please check this just in case you are interested: http://daemon.anticrack.de/antidump.txt & http://daemon.anticrack.de/procdump.txt Regards, Sope.
#4
    push fs:[30h]                   ; TEB+30h -> PEB (user-space address on NT, kernel-space on 9x)
    pop eax
    TEST EAX, EAX
    JS _win9x                       ; sign bit set -> Win9x
_iswinnt:
    MOV EAX, [EAX+0Ch]              ; PEB.Ldr
    MOV EAX, [EAX+0Ch]              ; first InLoadOrderModuleList entry = the main module
    MOV DWORD PTR [EAX+20h], 1000h  ; change proc size=1000h (LDR_DATA_TABLE_ENTRY.SizeOfImage)
    JMP _over
_win9x:
    PUSH 0
    CALL GetModuleHandle
    TEST EDX, EDX
    JNS _over
    CMP DWORD PTR [EDX+8], -1
    JNE _over
    MOV EDX, [EDX+4]
    MOV DWORD PTR [EDX+50h], 1000h  ; change proc size=1000h
_over:

Sorry for my poor English.
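Posts #1 and #4 above describe two header fields a protector can corrupt so that a dump no longer loads: NumberOfSections inflated to 2xx (the teLock trick) and SizeOfImage shrunk to 1000h in the loader's module entry. A dumper does not have to trust either field, because both can be recomputed from the section table. The Python below is an added example written for this thread; it is not code from PE Tools or from any poster. It builds a constructed PE32 image in memory, applies the two header changes the thread describes to produce test input, then audits and repairs the headers. The plausible_sections heuristic (an entry counts as real only if it fits inside SizeOfHeaders and has a nonzero, strictly increasing RVA) is this example's own assumption, not a rule from the PE specification.

```python
import struct

# Fixed offsets from the PE/COFF format (documented values).
E_LFANEW_OFF = 0x3C          # DOS header: offset of the PE signature pointer
COFF_SIZE = 20               # IMAGE_FILE_HEADER
OPT_SECTION_ALIGNMENT = 32   # offsets inside IMAGE_OPTIONAL_HEADER32
OPT_SIZE_OF_IMAGE = 56
OPT_SIZE_OF_HEADERS = 60
SECTION_HEADER_SIZE = 40     # IMAGE_SECTION_HEADER


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def parse_headers(image: bytes) -> dict:
    """Parse the PE32 fields that anti-dump tricks tamper with (memory layout)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFF)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + COFF_SIZE
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    sec_table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = sec_table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(image):
            break  # header claims more entries than the image holds
        name, vsize, rva = struct.unpack_from("<8sII", image, off)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "rva": rva})
    return {
        "e_lfanew": e_lfanew, "opt": opt, "section_table": sec_table,
        "number_of_sections": nsections, "sections": sections,
        "section_alignment": struct.unpack_from("<I", image, opt + OPT_SECTION_ALIGNMENT)[0],
        "size_of_image": struct.unpack_from("<I", image, opt + OPT_SIZE_OF_IMAGE)[0],
        "size_of_headers": struct.unpack_from("<I", image, opt + OPT_SIZE_OF_HEADERS)[0],
    }


def plausible_sections(h: dict) -> list:
    """Heuristic (this example's assumption): walk the table while entries fit in
    SizeOfHeaders and have a nonzero, strictly increasing RVA."""
    out, prev = [], 0
    for i, s in enumerate(h["sections"]):
        off = h["section_table"] + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > h["size_of_headers"] or s["rva"] == 0 or s["rva"] <= prev:
            break
        out.append(s)
        prev = s["rva"]
    return out


def expected_size_of_image(h: dict) -> int:
    """SizeOfImage recomputed from the sections instead of trusted from the header."""
    end = max((s["rva"] + s["vsize"] for s in plausible_sections(h)), default=0)
    return align_up(end, h["section_alignment"])


def audit_headers(image: bytes) -> list:
    """Return findings; an empty list means both fields are consistent."""
    h = parse_headers(image)
    findings = []
    real = len(plausible_sections(h))
    if h["number_of_sections"] != real:
        findings.append(f"NumberOfSections={h['number_of_sections']} but only {real} plausible entries")
    want = expected_size_of_image(h)
    if h["size_of_image"] != want:
        findings.append(f"SizeOfImage=0x{h['size_of_image']:x} but section table implies 0x{want:x}")
    return findings


def repair_headers(image: bytes) -> bytes:
    """Write the recomputed NumberOfSections and SizeOfImage into a copy of the image."""
    h = parse_headers(image)
    out = bytearray(image)
    struct.pack_into("<H", out, h["e_lfanew"] + 4 + 2, len(plausible_sections(h)))
    struct.pack_into("<I", out, h["opt"] + OPT_SIZE_OF_IMAGE, expected_size_of_image(h))
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed PE32 image with two sections (synthetic values, no real code)."""
    secs = [(b".text", 0x1000, 0x1000), (b".data", 0x2000, 0x800)]  # name, RVA, VirtualSize
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<I", opt, OPT_SECTION_ALIGNMENT, 0x1000)
    struct.pack_into("<I", opt, 36, 0x200)                       # FileAlignment
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, 0x3000)
    struct.pack_into("<I", opt, OPT_SIZE_OF_HEADERS, 0x200)
    dos = b"MZ".ljust(E_LFANEW_OFF, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, rva, vs, rva, 0, 0, 0, 0, 0x60000020)
                     for n, rva, vs in secs)
    image = bytearray(0x3000)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + table
    image[:len(hdr)] = hdr
    return bytes(image)


def corrupt_like_the_thread(image: bytes) -> bytes:
    """Constructed test input: NumberOfSections := 0x200 and SizeOfImage := 0x1000,
    the two changes described in posts #1 and #4."""
    out = bytearray(image)
    e_lfanew = struct.unpack_from("<I", out, E_LFANEW_OFF)[0]
    struct.pack_into("<H", out, e_lfanew + 4 + 2, 0x200)
    struct.pack_into("<I", out, e_lfanew + 4 + COFF_SIZE + OPT_SIZE_OF_IMAGE, 0x1000)
    return bytes(out)


if __name__ == "__main__":
    dumped = corrupt_like_the_thread(build_sample_image())
    for line in audit_headers(dumped):
        print("finding:", line)
    print("after repair:", audit_headers(repair_headers(dumped)))
```

Run directly, it reports the two findings and an empty list after repair. The same cross-check applies when a dumper reads a live process: post #4's code only rewrites SizeOfImage in the loader's list entry, so a dumper that derives the image extent from the section headers (and then verifies each page is actually committed) is not fooled by it.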
#5
Well, I'm too lazy to write assembly code here (if You really need it I can do it next week) but there are a lot of examples. Let's show the latest: Xtreme Protector maps the memory at the device driver level so traditional dumpers won't even touch the target. Also it erases the first few bytes of the OEP and makes a hell using multi-thread communication to decrypt and prevent debugging. Although an automatic skipper/decrypter/unpacker/rebuilder sounds like a mistake, it's not so hard to dump the executable and finish it manually (if You have free time). If someone would pay me (I'm assuming the situation only) for writing an XProtector unpacker I would say: not less than 1.500$.
In their papers they claim: "it's virtually impossible to trace the program under any kind of debugger" - as usual, THAT'S A LIE. Ooops... I'm probably missing the point. Anyway, if someone is interested I recommend: "Inside Windows 2000 - 3rd Edition" (Redmond (WA) Microsoft Press) - a great book from SysInternals. Regards.
#6
Damnit, that's the book I'm trying to buy right now to fight this, and the bookstore is all out...
That was my theory as well, in that they moved some process code into driver memory. Anyway, I can still dump most program memory using another conventional technique, but as you say, if some is in driver memory I need ring0 code. Not too much trouble, just have to have a good reference, hence the book. -Lunar
#7
Lunar!
Wait a minute! If I'm describing any book/program/problem then You should know I'm using it or own it. I will send You this book in chm format - let's take it as a kind of thanks for writing the Armadillo dumper. Contact me via PM. Regards.
#8
dynio, maybe you would be so kind as to upload it to the FTP? Just a thought...
#9
Damn right.
Actually I'm encountering some problems logging in as uploader to the FTP (max users limit or what?). I'll still be trying and let You all know when I finish. Regards.
#10
Thank you all!
Guys, thanks for the informative answers. Of course, I read the "Inside Windows 2000" book. Anyone who claims to be a good cracker should be a good system programmer. Or at least know sth about it...
Secondly. Needless to say I would also like to have the book you've mentioned! In my turn I can share the book called "Crackproof Your Software - The Best Ways to Protect Your Software Against Crackers". It is pretty nice and contains some info. The format is "pdf".
Thirdly. I myself am one of the people who pretend to be co-authors of PE Tools by NEOx. It is a new generation process dumper, import rebuilder, resource rebuilder, relocation rebuilder, PE Sniffer and so on, so on... (BTW, available on wasm...) So I'm interested in making this software better, therefore I'm asking professionals.
sope2001: Your link is nice - thank you. But all it does is hook the API ReadProcessMemory and that's all - weak protection.
dynio: Your horrible tales about Xtreme-Protector scared me. So, maybe it makes sense to create a driver which will dump any given page in memory.
So, guys. I've heard sth about the tricks (though the information is not really complete), but what will your suggestions be?
#11
pLayAr
Your English MIGHT be poor, but the code is pretty interesting!
#12
VirtualProtect
Guys, has any of you ever met an anti-dumping routine based on the given API?
#13
First: the book has been successfully uploaded under "E.Book.Inside.Win.2000.3rd.Edition-dyn!o" directory. Look out, because it's 19MB.
Second: Volodya: I was thinking a few times about a low-level dumper for PeTools but... I haven't enough time for it... (I'm assuming a whole 5-7 days) Hope I could help in the future somehow...
Third: Good idea with the device-dumper. I can't see myself any other method to dump an XProtected executable...
Fourth: VirtualAlloc is such an often used API that I can't remember at the moment if it was used in any antidump code. From now on I'll be hunting for this one. Regards.
#14
dynio
Thanks!
But not VirtualAlloc. VirtualProtect. Thanks again! Waiting... while(1) { if(dynio found it) break; }