Version 0.6 Beta

[Aguila]

Here is a new beta version of Scylla. Please test it.

Changelog:

- Dump memory feature

- Bugfixes

- Many core and source code improvements

Beta 3:
/>http://forum.tuts4you.com/topic/28627-version-06-beta/page__view__findpost__p__135322

Edited March 18, 2012 by Aguila

[Ufo-Pu55y]

Thx for the tool. Played with it right now and it seems I found a bug:

Win7x64 & Scylla_x64.exe -> Pick DLL -> Dump -> Ok.

Win7x64 & Scylla_x86.exe -> Pick DLL -> Dump -> "Cannot dump image."

\EDIT

XPx86 & Scylla_x86.exe -> Pick DLL -> Dump -> Ok.

XPx64 & Scylla_x64.exe -> Pick DLL -> Dump -> Ok.

XPx64 & Scylla_x86.exe -> Pick DLL -> Dump -> "Cannot dump image."

Edited March 15, 2012 by Ufo-Pu55y

[Aguila]

Are you trying to dump a windows DLL? Open the dump memory dialog and look for your DLL. If there are any "NOACCESS" pages between the sections (like in the kernel32.dll) you can't dump it. I don't know why, but it is some WOW64 stuff. Maybe somebody knows a solution.

Edited March 15, 2012 by Aguila

[Ufo-Pu55y]

Yup, right there.. libs without noaccess sections are dumpable!

[Ufo-Pu55y]

  On 3/15/2012 at 8:49 PM, Aguila said:

Maybe somebody knows a solution.

While other tools can't do it as well (ImpRec, LordPE, etc..), funny that PE Tools still can do it.

Ofc little too late to ask that guy which way he went.. I guess.

[kao]

  On 3/15/2012 at 9:09 PM, Ufo-Pu55y said:

Ofc little too late to ask that guy which way he went.. I guess.

Pseudocode:

foreach (memory_page in region_to_dump)
{
   if (page.protection == NOACCESS)
	  DumpAllZeroes()
   else
	  DumpMemoryPage(memory_page)
}

[Aguila]

I was a little bit confused because I didn't read MSDN properly, the information provided by the "dump memory" window was wrong Everything should be fine now. The "no accessable" pages are filled with zeros like kao pointed out. I added a "force dump" switch to provide this function to the "dump memory" window.

MSDN snippet I missed:

MEM_FREE:Indicates free pages not accessible to the calling process and available to be allocated. For free pages, the information in the AllocationBase, AllocationProtect, Protect, and Type members is undefined.

MEM_RESERVE: Indicates reserved pages where a range of the process's virtual address space is reserved without any physical storage being allocated. For reserved pages, the information in the Protect member is undefined.

Thanks for the bug report Ufo-Pu55y!

Edited March 16, 2012 by Aguila

[NikolayD]

Report bug from eXeL@B:

When restore the import, library names are written the wrong. Example:

ADVAPI32.dllдRegOpenKeyExW

COMCTL32.dllk

COMDLG32.dll

GDI32.dllЉGetLayout

[Aguila]

Ah damn, the api resolving function is totally broken. The "source code improvements" created a problem somehow. Don't know yet. The 0.6 beta versions should not be used to rebuild an IAT...

[LCF-AT]

@ Aguila

Short infos: SetHandleCount = LockResource like ImpRec but why?

0041FEBC >7C80CD27  kernel32.SetHandleCount <----- = LockResource by ScyllaLockResource  <--- Used by Scylla 
LockResource  <--- Not to find in kernel32.dll ??? Only in Scylla Kernel32.dll ????LockResource  <--- Shown as suspect in Scylla 0.5
LockResource  <--- Shown as valid   in Scylla 0.6 Beta2Scylla
DoubleClick on API = No Infos | Dll Empty API EmptyImpRec
DoubleClick on API = Infos | Points to Dll & API Wrong fixing of dumps!Ok I see you have post this problem already.ImportTable:Dll Name = kernel32.dll[XY]GetSystemTimeAsFileTime  <--- ??? strange signs + API Name ???See my pic

greetz

[Aguila]

Thanks NikolayD and LCF-AT for the bug report.

Here you have a fixed version. This version should work fine again. Sorry for the broken app

I am just working on a pe section dump function. This will be awesome. You can easily defeat protectors with the "big virtual size" anti dump protection (like asprotect). Big virtual sizes will be highlighted and you can correct the virtual size, so you can dump a small exe without any problems

[Aguila]

http://waleedassar.b...ing-part-2.html

  Quote

In this post i am shedding some light on something i have recently found which turns out to be an effective anti-dumping trick.

@waliedassar

Probably you found the reason why this can happen, but at least you could give some credits to Ufo-Pu55y for reporting it. Or didn't you read this thread...

[waliedassar]

First, i found this thread while checking the statistics of my blog.

The idea came to my mind while fixing a bug in OllyDbg v1.10 (the thing i always do). In OllyDbg v1.10, Windows 7,Wow64, pressing Ctrl+R (to find all references) in ntdll.dll, gives an error message. I nailed that down till i found the bug.

Besides, none of your comments blamed that behavior on the "SectionAllignment" field of PE header.

Waliedassar

[Aguila]

Here is a new beta with some bug fixes.

Dump pe section still doesn't work, because I need to do some code refactoring first. Removing crap code

[quosego]

Removing crap code is usually the biggest part of my projects as well.

Will give a test run one of these days.

[Aguila]

Here is the final v0.6

http://forum.tuts4yo...reconstruction/

http://forum.tuts4yo...ruction-source/

Version 0.6
- added dump memory regions
- added dump pe sections -> you can edit some values in the dialog
- improved dump engine with intelligent dumping
- improved pe rebuild engine -> removed yoda's code
- fixed various bugs

I hope all bugs are fixed

Edited May 1, 2012 by Aguila

[SReg]

  On 5/1/2012 at 5:37 PM, Aguila said:

I hope all bugs are fixed

Report bug from eXeL@B:

dump memory in ida 5.1 process failed

[Aguila]

Thanks for the bug report. Buffer was to small for the pe section names.

Fixed it.

http://forum.tuts4yo...reconstruction/