08-02-2006, 18:27
Ghandi2006
Now I have the dumper

Hi scherzo!

I have a working dumper, but now I'm faced with a different obstacle...

I'm using a 'full' version of the ImpREC.dll file, not the lite & it works great on MOST targets. There are still a few targets that are unrunnable after dumping. They throw an error stating "XXXXXXXXh refers to a location that was unaccessible or could not be read", leaving me to think that it is an unresolved import problem or License Manager Layer pointers that are not in their correct place. I will keep playing with it until this is fixed.

I was wondering scherzo, would you be able to offer any advice regarding the usage of ImpREC.dll or even ImpREC_Lite.dll?

On a positive note, the utility also includes a loader generator & an inline patch generator that seem to be working fine. I am adding another 2 types of inline patches to choose from as the first is not applicable to ALL targets. I'm sure that between all the options I am including in this, it will be a pretty handy tool.

It has so far:
1. 3 types of dumpers:
   RAW - Dumped, Process halted @ License Manager EP & IAT unfixed, Overlay Data NOT appended.
   Unpatched - Dumped, IAT repaired & Overlay Data appended.
   Patched - Dumped, IAT repaired, Overlay Data appended & selected patches applied.

2. Loader generator
3. Inline patch generator - One type @ present, more to come.
4. Searches for & returns:
   SetKey & LoadStatePool Addresses,
   License Manager Layer EP, Size & Address,
   CondZero's LML 'browser' type patches,
   ActiveMARK version


TO DO:

1. Add the 2 different types of inline patch generators.
2. Add an Overlay Data handler for targets that have been dumped 'raw'.
3. Inbuilt IAT repair, standalone rather than using ImpREC. Then it will also have IAT size & RVA.
4. Possibly a command-line argument scanner for the targets it finds needing one. I have only encountered 2 such targets so far, but if this feature is present in 2, I figure that there are no doubt more...


Thanks for all your help guys & thank you Aaron (for hosting this site) & JMI (for allowing this thread to stay here to begin with).

Ghandi