LCF-AT Posted October 16, 2011 @ Aguila Hhmm, maybe just a PC memory problem or something. Ok, your new version seems to work better now. Hint: So can you try to add an automatic path reader for each file which you choose in Scylla? So far I always have to enter the target path if I wanna dump a file, and this *_* you know. Just let it read the target path, and if the user wants to dump then show the new open window of the used target. I don't wanna get the window where the Scylla tool is stored. Icons are also ok now. PS: Good luck with your tree problem, so I hope that you can fix and add this feature soon to make it also readable for ImpRec too. greetz
JeRRy Posted February 8, 2012 I will send the problematic file via PM. B.R JeRRy
Aguila Posted February 8, 2012 Thanks for the bug report jerry. The problem is that the app directly imports APIs from ntdll. Microsoft officially doesn't support direct imports from NTDLL, but some apps use custom libraries to bypass the limitation.
LCF-AT Posted January 31, 2014 @ Aguila Short info: I found a small problem during fixing an original IAT from any file. Scylla does fix it so.......

---------------------------------------------
$ ==> 00620004 7C911000 ntdll.RtlEnterCriticalSection = kernel32.EnterCriticalSection
$+4 00620008 7C9110E0 ntdll.RtlLeaveCriticalSection = kernel32.LeaveCriticalSection
$+8 0062000C 7C921655 ntdll.RtlInitializeCriticalSection = kernel32.RtlInitializeCriticalSection
$+C 00620010 7C9213B1 ntdll.RtlDeleteCriticalSection = kernel32.DeleteCriticalSection
$+10 00620014 7C9200C4 ntdll.RtlAllocateHeap = kernel32.HeapAlloc
$+14 00620018 7C928833 ntdll.RtlReAllocateHeap = kernel32.HeapReAlloc
$+18 0062001C 7C920537 ntdll.RtlSizeHeap = kernel32.HeapSize
$+1C 00620020 7C91D92E ntdll.ZwQuerySystemInformation = kernel32.NtQuerySystemInformation
$+20 00620024 00000000
$+24 00620028 7C80A055 kernel32.LoadResource

2 APIs get fixed to kernel32.dll and not ntdll. Problem = "Process entry not found" etc... message
--------------------------------------
ntdll.RtlInitializeCriticalSection
ntdll.NtQuerySystemInformation
--------------------------------------
So as I said, it was an original IAT from any target, and ntdll.RtlInitializeCriticalSection & ntdll.ZwQuerySystemInformation do belong to the same module block in that case. All APIs of these can be fixed to FW kernel APIs, but not these 2 APIs. So maybe you could add another check for this problem: if a user just fixes the IAT normally, your tool could check this and give any warning info etc. (fixing not possible if API xy stored in same module block etc. or any other thing, some intelli check / info / fix etc.). Just check this out if you have time. Maybe you could also add an alternative fix method 2 for such cases, and then you just fix as far as you can in normal blocks if possible, and in this case you just fix the first block via single fixing = dll & API for each entry of this one block etc., you know what I mean.

PS: Tested with your Scylla 0.9.1 greetz
Aguila Posted February 2, 2014 @LCF-AT Try enabling "use OriginalFirstThunk" in the options. This should work without problems.
LCF-AT Posted February 2, 2014 Hi Aguila, coolio and thanks, it's working now. Maybe you could add a check about that in one of your next versions to show info about that etc., or just show the APIs marked in any other xy color if possible to make it easier for the user later. Just an idea. greetz
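The "intelli check" LCF-AT asks for above, written as an added example (not Scylla's code): it parses a debugger-style IAT listing, splits it into import blocks at the zero thunk, rewrites ntdll targets to the kernel32 export that forwards to them, and reports entries that cannot live under the block's DLL. The kernel32 export subset, the forwarder table and the DUMP text are constructed for this example from the listing in the thread, not read from a real kernel32.dll.

```python
import re

# Constructed subset of kernel32's export table (32-bit XP-era layout assumed).
# A value names the ntdll export the entry forwards to; None means kernel32
# holds real code there, so the Rtl*/Nt* name is not available under kernel32.
KERNEL32_EXPORTS = {
    "EnterCriticalSection": "RtlEnterCriticalSection",
    "LeaveCriticalSection": "RtlLeaveCriticalSection",
    "DeleteCriticalSection": "RtlDeleteCriticalSection",
    "HeapAlloc": "RtlAllocateHeap",
    "HeapReAlloc": "RtlReAllocateHeap",
    "HeapSize": "RtlSizeHeap",
    "InitializeCriticalSection": None,
    "LoadResource": None,
}
FORWARDED_FROM_NTDLL = {v: k for k, v in KERNEL32_EXPORTS.items() if v}

# Constructed sample mirroring the thread's listing: "IAT VA, target VA, module.name".
DUMP = """\
00620004 7C911000 ntdll.RtlEnterCriticalSection
00620008 7C9110E0 ntdll.RtlLeaveCriticalSection
0062000C 7C921655 ntdll.RtlInitializeCriticalSection
00620010 7C9213B1 ntdll.RtlDeleteCriticalSection
00620014 7C9200C4 ntdll.RtlAllocateHeap
00620018 7C928833 ntdll.RtlReAllocateHeap
0062001C 7C920537 ntdll.RtlSizeHeap
00620020 7C91D92E ntdll.ZwQuerySystemInformation
00620024 00000000
00620028 7C80A055 kernel32.LoadResource
"""
LINE = re.compile(r"^([0-9A-F]{8}) ([0-9A-F]{8})(?: (\w+)\.(\w+))?$")

def parse_blocks(dump):
    """Split the listing into import blocks; a zero thunk terminates a block."""
    blocks, cur = [], []
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        iat_va, target, module, name = m.groups()
        if int(target, 16) == 0:
            if cur:
                blocks.append(cur)
            cur = []
        else:
            cur.append((iat_va, module, name))
    if cur:
        blocks.append(cur)
    return blocks

def fixer_name(module, name):
    """Rename an ntdll target to the kernel32 export that forwards to it, if any."""
    if module == "ntdll" and name in FORWARDED_FROM_NTDLL:
        return ("kernel32", FORWARDED_FROM_NTDLL[name])
    return (module, name)

def check_block(block):
    """One import descriptor names one DLL: return (chosen DLL, entries that
    resolve to a different module and so cannot be written into this block)."""
    resolved = [fixer_name(mod, nm) for _, mod, nm in block]
    mods = [m for m, _ in resolved]
    chosen = max(set(mods), key=mods.count)
    stuck = [f"{m}.{n}" for m, n in resolved if m != chosen]
    return chosen, stuck

def check_dump(dump):
    """Run the check over every block; a non-empty 'stuck' list is the warning case."""
    return [check_block(b) for b in parse_blocks(dump)]
```

On the thread's listing the first block reports ntdll.RtlInitializeCriticalSection and ntdll.ZwQuerySystemInformation as stuck, which is exactly the pair Scylla mislabelled under kernel32, while the LoadResource block is clean.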