#5, 07-08-2006, 22:41
Ghandi2006 (VIP, Join Date: Jan 2006, Posts: 110)
Size_of_Image dump is different from OllyDumped exe

I had tried to use the SIZE_OF_IMAGE to get the dump size, but when I used OllyDump to create a dump file, its size differed from my RAW dump by 1 KB. Obviously OllyDump has found/added data that I was unaware of; it must be necessary though...

I had managed to run the process to the OEP, halt it and do a 'predump', but it seems that there is uninitialised data (packed sections) that I could not grab, only the empty section. I know it is the correct OEP, because if I dump using Olly (or LordPE), ImpREC the IAT & fix the header, it runs smoothly, so I'm going to have an interesting time ahead.

I will read through the material provided & post my progress.

Thanks for the input Jay, but I can't d/l the source until my d/l privileges are enabled... (it will help though, any material is a lot more than I could find on the subject!) I have source for ASPackDie! & a few other unpackers, but they are mostly using decrypting routines or are in C/C++ (which I am ignorant about) so I can't port their ideas properly.

sHice, thanks heaps for the ASM source. It is the language I'm coding in, so it IS relevant for me. What specific parts of the PE tuts do you think I should concentrate on? I have a few different tutorials on the subject & I am (slowly) getting a feel for the PE format, there's just a lot of info to keep track of. Maybe if I wasn't trying to look at the header struct as a whole, and concentrated more on the different sections.

I hadn't considered the header fixup that will be necessary after performing such a dump; what an oversight on my behalf!

I can see that this is getting a lot deeper than I thought it would be, but that's good! I wanted a challenge (maybe a bit ambitious for a starting project, but hey, gotta start this stuff somewhere) instead of coding a patcher, trainer or loader. I can code those easily enough; I've even applied the principle of a trainer's code injection crossed with an inline patch to create a serial-sniffer, so this should keep me busy for a bit.

Once again, thanks & I'm sorry to step on your toes JMI.... It WAS a half & half post, but the request thread was (is?) locked....

Ghandi2006
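The header fixup the post refers to, as an added example that is not part of the original post and not the code of OllyDump or LordPE: a raw dump of SizeOfImage bytes taken from ImageBase at the OEP still carries the packed file's section table, so each section's PointerToRawData/SizeOfRawData point at where the data was in the packed file, not at where it now sits in the dumped image. The usual fix is to make file offsets equal RVAs (PointerToRawData = VirtualAddress, SizeOfRawData = VirtualSize rounded up to SectionAlignment, FileAlignment = SectionAlignment) and to set AddressOfEntryPoint to the OEP. The script below does that in Python for a PE32 image. The sample image it works on is constructed here (it is not a real packed program), the function names are my own, and the OEP is passed as a virtual address the way OllyDbg shows it.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_SIZE = 40


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def pe_layout(image):
    """Locate the NT headers; returns (optional header offset, section table offset, count)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]    # FileHeader.NumberOfSections
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]    # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:            # only PE32 offsets are handled
        raise ValueError("not a PE32 image")
    return opt, opt + size_opt, nsections


def header_fields(image):
    """The optional-header fields a dump fixer touches (PE32 offsets)."""
    opt, _, _ = pe_layout(image)
    names = ("entry_point", "image_base", "section_align", "file_align", "size_of_image", "size_of_headers")
    offsets = (16, 28, 32, 36, 56, 60)
    return {n: struct.unpack_from("<I", image, opt + o)[0] for n, o in zip(names, offsets)}


def read_sections(image):
    """List of (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    _, sec_off, n = pe_layout(image)
    out = []
    for i in range(n):
        f = struct.unpack_from(SECTION_HDR, image, sec_off + SECTION_HDR_SIZE * i)
        out.append((f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4]))
    return out


def raw_matches_virtual(image):
    """True if the bytes a loader would read from PointerToRawData are the bytes at VirtualAddress."""
    for _, vsize, va, rawsize, rawptr in read_sections(image):
        n = min(vsize, rawsize)
        if rawptr + n > len(image) or image[rawptr:rawptr + n] != image[va:va + n]:
            return False
    return True


def fix_dump(image, oep_va):
    """Rewrite the headers of a raw memory dump (ImageBase .. ImageBase+SizeOfImage) so the
    file loads: raw offset = RVA, raw size = VirtualSize rounded to SectionAlignment,
    FileAlignment = SectionAlignment, entry point = OEP. Does not touch the IAT."""
    img = bytearray(image)
    opt, sec_off, n = pe_layout(img)
    fields = header_fields(img)
    sa = fields["section_align"]
    struct.pack_into("<I", img, opt + 16, oep_va - fields["image_base"])   # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", img, opt + 36, sa)                               # FileAlignment
    struct.pack_into("<I", img, opt + 56, align_up(len(img), sa))           # SizeOfImage
    first_va = None
    for i in range(n):
        base = sec_off + SECTION_HDR_SIZE * i
        f = list(struct.unpack_from(SECTION_HDR, img, base))
        vsize, va = f[1], f[2]
        f[3] = max(0, min(align_up(vsize, sa), len(img) - va))   # SizeOfRawData
        f[4] = va                                                 # PointerToRawData
        struct.pack_into(SECTION_HDR, img, base, *f)
        first_va = va if first_va is None else min(first_va, va)
    if first_va is not None:
        struct.pack_into("<I", img, opt + 60, first_va)          # SizeOfHeaders ends at first section
    return bytes(img)


def build_sample_dump():
    """Constructed sample, not a real program: a PE32 image as it sits in memory after
    unpacking, whose section table still carries the packed file's raw offsets/sizes."""
    image_base, sa, size_of_image = 0x400000, 0x1000, 0x4000
    secs = [(b".text", 0x400, 0x1000, 0x400, 0x400, 0x60000020),
            (b".data", 0x1800, 0x2000, 0x200, 0x800, 0xC0000040)]
    img = bytearray(size_of_image)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x2800)                           # packer stub entry, not the OEP
    struct.pack_into("<I", img, opt + 28, image_base)
    struct.pack_into("<I", img, opt + 32, sa)
    struct.pack_into("<I", img, opt + 36, 0x200)
    struct.pack_into("<I", img, opt + 56, size_of_image)
    struct.pack_into("<I", img, opt + 60, 0x400)
    struct.pack_into("<H", img, opt + 68, 2)                                # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", img, opt + 92, 16)                               # NumberOfRvaAndSizes
    for i, s in enumerate(secs):
        struct.pack_into(SECTION_HDR, img, opt + 0xE0 + SECTION_HDR_SIZE * i,
                         s[0].ljust(8, b"\0"), s[1], s[2], s[3], s[4], 0, 0, 0, 0, s[5])
    img[0x1000:0x1004] = b"\x55\x8b\xec\xc3"   # unpacked code at the OEP: push ebp; mov ebp,esp; ret
    img[0x2000:0x2200] = b"A" * 0x200           # initialised data; rest of .data is zero, like a BSS
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("raw dump sections match file layout:", raw_matches_virtual(dump))
    fixed = fix_dump(dump, 0x401000)
    print("after fixup:", raw_matches_virtual(fixed), read_sections(fixed))
```

Before the fixup `raw_matches_virtual` is false because `.text`'s PointerToRawData (0x400) points into the header page of the dump rather than at the unpacked code at RVA 0x1000; after it every section reads from its own RVA. What the script does not do is rebuild the import table, which is the ImpREC step the post mentions, and it assumes the dump really is SizeOfImage bytes starting at ImageBase (a shorter dump would get the last section's SizeOfRawData clipped to the file end).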