#1
Code:
; DumpFileToDisk - write a memory image (sections laid out at their RVAs) back to disk.
;
; Native == TRUE : keep the section table as it is, write SizeOfHeaders bytes of
;                  headers, then every section's SizeOfRawData bytes at its own
;                  PointerToRawData. Anything a packer unpacked beyond SizeOfRawData
;                  is NOT captured in this mode.
; Native == FALSE: rewrite the section table so that raw offset == RVA and
;                  raw size == VirtualSize, then write SizeOfImage bytes in one go
;                  (the "full dump" layout LordPE/OllyDump produce).
;
; FileBuffer must hold at least SizeOfImage bytes. The API calls clobber eax, ecx, edx
; and preserve ebx, esi, edi, which is why the section pointer lives in esi below.
DumpFileToDisk proc FileBuffer:DWORD, FilePath:DWORD, NewHeaderValues:DWORD, Native:BYTE
local written: DWORD
local PE: DWORD            ; -> IMAGE_NT_HEADERS inside FileBuffer
local SecHdr: DWORD        ; -> first IMAGE_SECTION_HEADER inside FileBuffer
local hFile: DWORD
local sections: WORD
    pushad
    ;---fix OEP+ImageSize---------------------------------
    mov ebx, NewHeaderValues
    assume ebx:ptr NEW_IMAGE_NT_HEADER_VALUES
    mov ecx, [ebx].OEP
    mov edx, [ebx].ImageSize
    mov eax, FileBuffer
    assume eax:ptr IMAGE_DOS_HEADER
    add eax, [eax].e_lfanew                 ; eax -> IMAGE_NT_HEADERS
    assume eax:ptr IMAGE_NT_HEADERS
    mov [eax].OptionalHeader.AddressOfEntryPoint, ecx
    .if edx != 00h                          ; optional: 0 keeps the SizeOfImage already in the header
        mov [eax].OptionalHeader.SizeOfImage, edx
    .endif
    ;---fix OEP+ImageSize---------------------------------
    ;---IT+IAT--------------------------------------------
    ; DataDirectory[1]  = IMAGE_DIRECTORY_ENTRY_IMPORT
    ; DataDirectory[12] = IMAGE_DIRECTORY_ENTRY_IAT
    mov ecx, [ebx].IT
    mov [eax].OptionalHeader.DataDirectory.VirtualAddress+sizeof IMAGE_DATA_DIRECTORY*1, ecx
    mov ecx, [ebx].ITSize
    mov [eax].OptionalHeader.DataDirectory.isize+sizeof IMAGE_DATA_DIRECTORY*1, ecx
    mov ecx, [ebx].IAT
    mov [eax].OptionalHeader.DataDirectory.VirtualAddress+sizeof IMAGE_DATA_DIRECTORY*12, ecx
    mov ecx, [ebx].IATSize
    mov [eax].OptionalHeader.DataDirectory.isize+sizeof IMAGE_DATA_DIRECTORY*12, ecx
    assume ebx:nothing
    ;---IT+IAT--------------------------------------------
    mov PE, eax
    mov bx, [eax].FileHeader.NumberOfSections
    mov sections, bx
    ; the section table follows the optional header; use SizeOfOptionalHeader instead
    ; of sizeof IMAGE_NT_HEADERS so a non-standard optional header size is handled too
    movzx ecx, [eax].FileHeader.SizeOfOptionalHeader
    lea edx, [eax].OptionalHeader
    add edx, ecx                            ; edx -> first IMAGE_SECTION_HEADER
    mov SecHdr, edx
    invoke CreateFile, FilePath, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
    .if eax == INVALID_HANDLE_VALUE         ; could not create the output file: bail out
        jmp dump_done
    .endif
    mov hFile, eax
    .if Native == TRUE
        ; keep the section table: write the headers, then each section's raw data at
        ; its own PointerToRawData. Seeking (instead of writing back-to-back) keeps
        ; gaps and an out-of-order section table faithful to the original file.
        mov eax, PE
        mov ebx, [eax].OptionalHeader.SizeOfHeaders
        invoke WriteFile, hFile, FileBuffer, ebx, addr written, 0
        .while sections > 0
            mov esi, SecHdr
            assume esi:ptr IMAGE_SECTION_HEADER
            mov edi, [esi].SizeOfRawData
            .if edi != 0                    ; .bss-style section: nothing on disk
                mov ebx, [esi].VirtualAddress
                add ebx, FileBuffer         ; section data lives at its RVA in the image
                invoke SetFilePointer, hFile, [esi].PointerToRawData, 0, FILE_BEGIN
                invoke WriteFile, hFile, ebx, edi, addr written, 0
            .endif
            add SecHdr, sizeof IMAGE_SECTION_HEADER
            dec sections
        .endw
        assume esi:nothing
    .else
        ; raw dump: make the file layout equal to the memory layout, so the loader
        ; can map the dumped file as it was mapped in the process
        mov esi, SecHdr
        assume esi:ptr IMAGE_SECTION_HEADER
        .while sections > 0
            mov ecx, [esi].Misc.VirtualSize
            mov [esi].SizeOfRawData, ecx    ; raw size   = virtual size
            mov ecx, [esi].VirtualAddress
            mov [esi].PointerToRawData, ecx ; raw offset = RVA
            add esi, sizeof IMAGE_SECTION_HEADER
            dec sections
        .endw
        assume esi:nothing
        mov eax, PE
        mov ebx, [eax].OptionalHeader.SizeOfImage
        invoke WriteFile, hFile, FileBuffer, ebx, addr written, 0
    .endif
    invoke CloseHandle, hFile
dump_done:
    assume eax:nothing
    popad
    ret
DumpFileToDisk endp
Code:
NEW_IMAGE_NT_HEADER_VALUES struct
    OEP       DWORD ?
    ImageSize DWORD ?    ; optional, 0 = keep the value already in the header
    IT        DWORD ?
    ITSize    DWORD ?
    IAT       DWORD ?
    IATSize   DWORD ?
NEW_IMAGE_NT_HEADER_VALUES ends

Code:
DumpFileToDisk PROTO :DWORD, :DWORD, :DWORD, :BYTE

DumpFileToDisk proc FileBuffer:DWORD, FilePath:DWORD, NewHeaderValues:DWORD, Native:BYTE

FileBuffer: Pointer to a valid PE that is going to be dumped to disk.
FilePath: Pointer to a null-terminated buffer that contains the path to which you want to dump the file.
NewHeaderValues: Pointer to a NEW_IMAGE_NT_HEADER_VALUES structure.
Native: If set to TRUE, ROffset & RSize will remain the same -> size stays the same.
Return Value: NONE

Last edited by sHice; 07-08-2006 at 19:49.
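The same two dump paths in Python, added here as an example and not part of sHice's post or code: it applies the header fix-ups DumpFileToDisk makes (OEP, SizeOfImage, import and IAT directories, raw offset/size set to RVA/VirtualSize) to a PE32 memory image, and separately rebuilds the native on-disk layout from the untouched section table. The names fix_headers, dump_native, read_headers and build_test_image are this example's own; the sample image is constructed inline, with a .text section whose VirtualSize (0x400) is larger than its SizeOfRawData (0x200), the shape a section has after a packer has unpacked it in memory. One step goes beyond the MASM: FileAlignment is set to SectionAlignment so the RVA-based raw offsets are valid file offsets.

```python
import struct

# Field offsets inside IMAGE_OPTIONAL_HEADER32 (PE32, Magic 0x10B) and the section header.
OPT_ENTRY_POINT, OPT_SECTION_ALIGN, OPT_FILE_ALIGN = 16, 32, 36
OPT_SIZE_OF_IMAGE, OPT_SIZE_OF_HEADERS, OPT_DATA_DIR = 56, 60, 96
DIR_IMPORT, DIR_IAT = 1, 12              # IMAGE_DIRECTORY_ENTRY_IMPORT / _IAT
SECTION_HEADER_SIZE = 40


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _put32(buf, off, val):
    struct.pack_into("<I", buf, off, val)


def _locate(buf):
    """Validate MZ/PE signatures; return (optional header offset, section table offset, count)."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = _u32(buf, 0x3C)                 # e_lfanew
    if buf[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = _u16(buf, nt + 6)       # FileHeader.NumberOfSections
    size_of_opt = _u16(buf, nt + 20)     # FileHeader.SizeOfOptionalHeader (do not assume 0xE0)
    opt = nt + 24
    if _u16(buf, opt) != 0x10B:
        raise ValueError("only PE32 images are handled here")
    return opt, opt + size_of_opt, n_sections


def fix_headers(image, oep, image_size, it, it_size, iat, iat_size):
    """Raw-dump path: patch OEP/SizeOfImage/IT/IAT, make raw == virtual, return SizeOfImage bytes."""
    buf = bytearray(image)
    opt, sec, n = _locate(buf)
    _put32(buf, opt + OPT_ENTRY_POINT, oep)
    if image_size:                       # optional, as in the MASM: 0 keeps the header value
        _put32(buf, opt + OPT_SIZE_OF_IMAGE, image_size)
    _put32(buf, opt + OPT_DATA_DIR + 8 * DIR_IMPORT, it)
    _put32(buf, opt + OPT_DATA_DIR + 8 * DIR_IMPORT + 4, it_size)
    _put32(buf, opt + OPT_DATA_DIR + 8 * DIR_IAT, iat)
    _put32(buf, opt + OPT_DATA_DIR + 8 * DIR_IAT + 4, iat_size)
    # Extra step (not in the MASM): FileAlignment = SectionAlignment, so that raw offsets
    # equal to RVAs are properly aligned file offsets.
    _put32(buf, opt + OPT_FILE_ALIGN, _u32(buf, opt + OPT_SECTION_ALIGN))
    for i in range(n):
        s = sec + i * SECTION_HEADER_SIZE
        _put32(buf, s + 16, _u32(buf, s + 8))    # SizeOfRawData    = VirtualSize
        _put32(buf, s + 20, _u32(buf, s + 12))   # PointerToRawData = VirtualAddress
    size = _u32(buf, opt + OPT_SIZE_OF_IMAGE)
    return bytes(buf[:size].ljust(size, b"\0"))


def dump_native(image):
    """Native path: headers, then each section's SizeOfRawData bytes placed at PointerToRawData."""
    buf = bytes(image)
    opt, sec, n = _locate(buf)
    out = bytearray(buf[:_u32(buf, opt + OPT_SIZE_OF_HEADERS)])
    for i in range(n):
        s = sec + i * SECTION_HEADER_SIZE
        va, raw_size, raw_ptr = _u32(buf, s + 12), _u32(buf, s + 16), _u32(buf, s + 20)
        if raw_size == 0:
            continue                     # .bss-style section: nothing on disk
        end = raw_ptr + raw_size
        if end > len(out):
            out.extend(b"\0" * (end - len(out)))
        out[raw_ptr:end] = buf[va:va + raw_size]   # seek to the section's own raw offset
    return bytes(out)


def read_headers(buf):
    """Reader used to check results: entry point, SizeOfImage, directories, section geometry."""
    opt, sec, n = _locate(buf)
    dirs = [(_u32(buf, opt + OPT_DATA_DIR + 8 * i), _u32(buf, opt + OPT_DATA_DIR + 8 * i + 4))
            for i in range(16)]
    sections = [tuple(_u32(buf, sec + i * SECTION_HEADER_SIZE + o) for o in (8, 12, 16, 20))
                for i in range(n)]       # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    return {"entry": _u32(buf, opt + OPT_ENTRY_POINT),
            "size_of_image": _u32(buf, opt + OPT_SIZE_OF_IMAGE),
            "import": dirs[DIR_IMPORT], "iat": dirs[DIR_IAT], "sections": sections}


def build_test_image():
    """Constructed sample (not a real binary): a PE32 memory image, SectionAlignment 0x1000,
    whose .text is 0x400 bytes in memory but only 0x200 bytes on disk."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    _put32(opt, 28, 0x400000)            # ImageBase
    _put32(opt, OPT_SECTION_ALIGN, 0x1000)
    _put32(opt, OPT_FILE_ALIGN, 0x200)
    _put32(opt, OPT_SIZE_OF_IMAGE, 0x3000)
    _put32(opt, OPT_SIZE_OF_HEADERS, 0x200)
    _put32(opt, 92, 16)                  # NumberOfRvaAndSizes
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    secs = (struct.pack("<8sIIIIIIHHI", b".text", 0x400, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020) +
            struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040))
    hdr = b"PE\0\0" + file_hdr + bytes(opt) + secs
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    _put32(img, 0x3C, 0x40)              # e_lfanew
    img[0x40:0x40 + len(hdr)] = hdr
    img[0x1000:0x1400] = bytes(range(256)) * 4   # "unpacked" code filling the whole VirtualSize
    img[0x2000:0x2004] = b"DATA"
    return bytes(img)
```

On the constructed image the raw path yields a 0x3000-byte file carrying all 0x400 bytes of .text, while the native path yields 0x600 bytes holding only the first 0x200 bytes of it: whatever a packer wrote beyond SizeOfRawData is lost in native mode, which is why a full dump and a native-layout dump of the same process differ in size.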
#2
I had tried to use the SIZE_OF_IMAGE to get the dump size, but when I used OllyDump to create a dump file, its size differed from my RAW dump by 1 KB.

Obviously OllyDump has found/added data that I was unaware of; it must be necessary though. I had managed to run the process to OEP, halt it and do a 'predump', but it seems that there is uninitialised data (packed sections) that I could not grab, only the empty section. I know it is the correct OEP, because if I dump using Olly (or LordPE), ImpREC the IAT & fix the header, it runs smoothly, so I'm going to have an interesting time ahead. I will read through the material provided & post my progress.

Thanks for the input Jay, but I can't d/l the source until my d/l privileges are enabled... (it will help though, any material is a lot more than I could find on the subject!) I have source for ASPackDie! & a few other unpackers, but they are mostly using decrypting routines or are in C/C++ (which I am ignorant about), so I can't port their ideas properly.

sHice, thanks heaps for the ASM source. It is the language I'm coding in, so it IS relevant for me. What specific parts of the PE tuts do you think I should concentrate on? I have a few different tutorials on the subject & I am (slowly) getting a feel for the PE format; there's just a lot of info to keep track of. Maybe if I wasn't trying to look at the header struct as a whole, concentrated more on the different sections. I hadn't considered the header fixup that will be necessary after performing such a dump, what an oversight on my behalf!

I can see that this is getting a lot deeper than I thought it would be, but that's good! I wanted a challenge (maybe a bit ambitious for a starting project, but hey, gotta start this stuff somewhere) instead of coding a patcher, trainer or loader. I can code those easily enough; I've even applied the principle of a trainer's code injection crossed with an inline patch to create a serial-sniffer, so this should keep me busy for a bit.

Once again, thanks & I'm sorry to step on your toes JMI.... It WAS a half & half post, but the request thread was (is?) locked....

Ghandi2006
#3
Process dumping
Here's a link to dumping another process in memory.
http://www.codeproject.com/threads/MDumpAll.asp

You can also find many other interesting topics when searching within the above link. I have also included some sources on manipulating the PE, IAT, SEH, etc. in a bundle which may also help you. Good luck.