Posted March 15, 2012
Here is a new beta version of Scylla. Please test it.
Changelog:
- Dump memory feature
- Bugfixes
- Many core and source code improvements
Beta 3: http://forum.tuts4you.com/topic/28627-version-06-beta/page__view__findpost__p__135322
Edited March 18, 2012 by Aguila
March 15, 2012
Thx for the tool. Played with it right now and it seems I found a bug:
Win7x64 & Scylla_x64.exe -> Pick DLL -> Dump -> Ok.
Win7x64 & Scylla_x86.exe -> Pick DLL -> Dump -> "Cannot dump image."
XPx86 & Scylla_x86.exe -> Pick DLL -> Dump -> Ok.
XPx64 & Scylla_x64.exe -> Pick DLL -> Dump -> Ok.
XPx64 & Scylla_x86.exe -> Pick DLL -> Dump -> "Cannot dump image."
Edited March 15, 2012 by Ufo-Pu55y
March 15, 2012 Author
Are you trying to dump a Windows DLL? Open the dump memory dialog and look for your DLL. If there are any "NOACCESS" pages between the sections (like in kernel32.dll) you can't dump it. I don't know why, but it is some WOW64 stuff. Maybe somebody knows a solution.
Edited March 15, 2012 by Aguila
March 15, 2012
Maybe somebody knows a solution.
While other tools can't do it as well (ImpRec, LordPE, etc.), funny that PE Tools still can do it. Ofc little too late to ask that guy which way he went.. I guess.
March 15, 2012
Ofc little too late to ask that guy which way he went.. I guess.
Pseudocode:
foreach (memory_page in region_to_dump)
{
    if (memory_page.protection == NOACCESS)
        DumpAllZeroes()
    else
        DumpMemoryPage(memory_page)
}
March 16, 2012 Author
I was a little bit confused because I didn't read MSDN properly; the information provided by the "dump memory" window was wrong. Everything should be fine now. The non-accessible pages are filled with zeros, like kao pointed out. I added a "force dump" switch to provide this function in the "dump memory" window.
MSDN snippet I missed:
MEM_FREE: Indicates free pages not accessible to the calling process and available to be allocated. For free pages, the information in the AllocationBase, AllocationProtect, Protect, and Type members is undefined.
MEM_RESERVE: Indicates reserved pages where a range of the process's virtual address space is reserved without any physical storage being allocated. For reserved pages, the information in the Protect member is undefined.
Thanks for the bug report Ufo-Pu55y!
Edited March 16, 2012 by Aguila
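The zero-fill rule the post above settles on, as an added worked example (my code, not Scylla's source): the constants are the winnt.h values for VirtualQueryEx's MEMORY_BASIC_INFORMATION, and the VirtualQueryEx/ReadProcessMemory calls are replaced by a constructed region table and a reader callback, so the decision logic compiles and runs without Windows. With `force` off, a committed PAGE_NOACCESS page aborts the dump (the "Cannot dump image." case from the bug report); with it on, that page and the reserved page come out as zeros, and the reserved region's garbage Protect value is never looked at.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* winnt.h values for VirtualQueryEx's MEMORY_BASIC_INFORMATION; defined here so the
 * logic compiles without <windows.h>. */
#define MEM_COMMIT     0x1000u
#define MEM_RESERVE    0x2000u
#define MEM_FREE       0x10000u
#define PAGE_NOACCESS  0x01u
#define PAGE_READWRITE 0x04u
#define PAGE_GUARD     0x100u

typedef struct {              /* MEMORY_BASIC_INFORMATION, reduced to what the decision needs */
    uint64_t base, size;      /* BaseAddress, RegionSize */
    uint32_t state;           /* MEM_COMMIT, MEM_RESERVE or MEM_FREE */
    uint32_t protect;         /* PAGE_*; UNDEFINED when state is MEM_FREE or MEM_RESERVE */
} region_t;

typedef enum { DUMP_READ, DUMP_ZERO, DUMP_FAIL } dump_action_t;

/* Free/reserved regions have no backing store: Protect is never consulted (MSDN says it
 * is undefined) and they dump as zeros. A committed PAGE_NOACCESS or PAGE_GUARD region
 * cannot be read: without "force" that aborts the dump, with "force" it is zero-filled. */
dump_action_t classify_region(const region_t *r, int force)
{
    if (r->state == MEM_FREE || r->state == MEM_RESERVE)
        return DUMP_ZERO;
    if (r->state != MEM_COMMIT)
        return DUMP_FAIL;
    if (r->protect & (PAGE_NOACCESS | PAGE_GUARD))
        return force ? DUMP_ZERO : DUMP_FAIL;
    return DUMP_READ;
}

/* Stands in for ReadProcessMemory; returns 0 on success. */
typedef int (*read_mem_fn)(uint64_t addr, uint8_t *out, size_t len, void *ctx);

/* Dump [start, start+len) into out, region by region, as a dumper walks successive
 * VirtualQueryEx results. Returns bytes written, or -1 if a region cannot be dumped. */
long dump_range(const region_t *regions, size_t nregions, uint64_t start, size_t len,
                int force, read_mem_fn read_mem, void *ctx, uint8_t *out)
{
    uint64_t cur = start, end = start + len;
    size_t written = 0;
    while (cur < end) {
        const region_t *r = NULL;
        for (size_t i = 0; i < nregions && !r; i++)
            if (cur >= regions[i].base && cur < regions[i].base + regions[i].size)
                r = &regions[i];
        if (!r)
            return -1;                       /* address not described by any region */
        uint64_t chunk_end = r->base + r->size < end ? r->base + r->size : end;
        size_t chunk = (size_t)(chunk_end - cur);
        switch (classify_region(r, force)) {
        case DUMP_READ:
            if (read_mem(cur, out + written, chunk, ctx) != 0)
                return -1;
            break;
        case DUMP_ZERO:
            memset(out + written, 0, chunk);
            break;
        default:
            return -1;
        }
        written += chunk;
        cur = chunk_end;
    }
    return (long)written;
}

/* Constructed sample, not real process data: a readable page, then a committed
 * PAGE_NOACCESS page, then a reserved page whose Protect field holds garbage. */
static const region_t sample_regions[] = {
    { 0x10000, 0x1000, MEM_COMMIT,  PAGE_READWRITE },
    { 0x11000, 0x1000, MEM_COMMIT,  PAGE_NOACCESS  },
    { 0x12000, 0x1000, MEM_RESERVE, 0xDEADBEEFu    },
};

/* Fake ReadProcessMemory: only the first page is readable, and it is all 0xAA. */
static int fake_read(uint64_t addr, uint8_t *out, size_t len, void *ctx)
{
    (void)ctx;
    if (addr < 0x10000 || addr + len > 0x11000)
        return -1;
    memset(out, 0xAA, len);
    return 0;
}

static uint8_t sample_out[0x3000];

/* Dump all three sample pages; returns bytes written, or -1 when not forced. */
long dump_sample(int force)
{
    memset(sample_out, 0xFF, sizeof sample_out);   /* poison so zero-fill is visible */
    return dump_range(sample_regions, 3, 0x10000, sizeof sample_out, force,
                      fake_read, NULL, sample_out);
}

uint8_t sample_byte(size_t off) { return sample_out[off]; }   /* byte of the last dump */

int main(void) { return dump_sample(1) == (long)sizeof sample_out ? 0 : 1; }
```

On a real Windows target the region table comes from looping VirtualQueryEx over the module's address range and `fake_read` becomes ReadProcessMemory; the classification is what matters, and the point of checking `state` before `protect` is exactly the MSDN note quoted above.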
March 18, 2012
Report bug from eXeL@B: When restoring the import, library names are written wrong. Example:
ADVAPI32.dllдRegOpenKeyExWCOMCTL32.dllkCOMDLG32.dllGDI32.dllЉGetLayout
March 18, 2012 Author
Ah damn, the API resolving function is totally broken. The "source code improvements" created a problem somehow. Don't know yet. The 0.6 beta versions should not be used to rebuild an IAT...
March 18, 2012
@ Aguila
Short infos: SetHandleCount = LockResource like ImpRec, but why?
0041FEBC >7C80CD27 kernel32.SetHandleCount <----- = LockResource by Scylla
LockResource <--- Used by Scylla
LockResource <--- Not to find in kernel32.dll ??? Only in Scylla Kernel32.dll ????
LockResource <--- Shown as suspect in Scylla 0.5
LockResource <--- Shown as valid in Scylla 0.6 Beta2
Scylla DoubleClick on API = No Infos | Dll Empty, API Empty
ImpRec DoubleClick on API = Infos | Points to Dll & API
Wrong fixing of dumps!
Ok, I see you have posted this problem already.
ImportTable:
Dll Name = kernel32.dll
[XY]GetSystemTimeAsFileTime <--- ??? strange signs + API Name ???
See my pic
greetz
March 18, 2012 Author
Thanks NikolayD and LCF-AT for the bug report. Here you have a fixed version. This version should work fine again. Sorry for the broken app. I am just working on a PE section dump function. This will be awesome. You can easily defeat protectors with the "big virtual size" anti-dump protection (like ASProtect). Big virtual sizes will be highlighted and you can correct the virtual size, so you can dump a small exe without any problems.
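An added example of the "big virtual size" check described in the post above (my code, not Scylla's): the section header layout is IMAGE_SECTION_HEADER from winnt.h, the sample section and its in-memory bytes are constructed here, and both the flagging threshold (`slack`) and the way a corrected size is derived (last non-zero byte, rounded up to SectionAlignment) are this example's assumptions, not the tool's rule. It also copies the 8-byte section name into a NUL-terminated buffer, because that field has no terminator when all eight characters are used.

```c
#include <stdint.h>
#include <string.h>

#define IMAGE_SIZEOF_SHORT_NAME 8

/* IMAGE_SECTION_HEADER as laid out in winnt.h: 40 bytes, naturally packed. The Misc
 * union is written out as VirtualSize, the member a dumper reads and rewrites. */
typedef struct {
    uint8_t  Name[IMAGE_SIZEOF_SHORT_NAME];   /* NOT NUL-terminated when all 8 bytes are used */
    uint32_t VirtualSize;
    uint32_t VirtualAddress;
    uint32_t SizeOfRawData;
    uint32_t PointerToRawData;
    uint32_t PointerToRelocations;
    uint32_t PointerToLinenumbers;
    uint16_t NumberOfRelocations;
    uint16_t NumberOfLinenumbers;
    uint32_t Characteristics;
} section_header_t;

/* Copy the 8-byte name into a 9-byte, NUL-terminated buffer. strcpy/printf straight
 * from Name runs off the end of the field for an 8-character name. */
void section_name(const section_header_t *s, char out[IMAGE_SIZEOF_SHORT_NAME + 1])
{
    memcpy(out, s->Name, IMAGE_SIZEOF_SHORT_NAME);
    out[IMAGE_SIZEOF_SHORT_NAME] = '\0';
}

static uint32_t align_up(uint32_t v, uint32_t a) { return (v + a - 1) / a * a; }

/* Flag a section whose VirtualSize exceeds its raw size by more than `slack` bytes.
 * The threshold is an assumption of this example, not Scylla's rule; a packer that
 * inflates VirtualSize to hundreds of megabytes trips it regardless. */
int has_big_virtual_size(const section_header_t *s, uint32_t slack)
{
    return s->VirtualSize > s->SizeOfRawData && s->VirtualSize - s->SizeOfRawData > slack;
}

/* Given the section bytes as read from the process (`avail` of them), return the
 * smallest VirtualSize, rounded up to SectionAlignment, that still holds every
 * non-zero byte. This is the value to put in the header before dumping. */
uint32_t trimmed_virtual_size(const uint8_t *mem, size_t avail, uint32_t section_alignment)
{
    size_t last = 0;
    for (size_t i = avail; i > 0 && !last; i--)
        if (mem[i - 1] != 0)
            last = i;
    if (last == 0)
        return section_alignment;       /* keep one alignment unit so the section stays valid */
    return align_up((uint32_t)last, section_alignment);
}

/* Make the header consistent for a dump written from memory: virtual and raw size
 * agree, with the raw size padded to FileAlignment. */
void fix_section_for_dump(section_header_t *s, uint32_t new_vsize, uint32_t file_alignment)
{
    s->VirtualSize   = new_vsize;
    s->SizeOfRawData = align_up(new_vsize, file_alignment);
}

/* Constructed sample, not a real binary: a section claiming 256 MiB of virtual size
 * with 4 KiB of raw data, whose last non-zero byte in memory is at offset 0x1234. */
static uint8_t sample_mem[0x3000];

static section_header_t sample_section(void)
{
    section_header_t s;
    memset(&s, 0, sizeof s);
    memcpy(s.Name, ".textabc", 8);            /* 8 characters, so no terminator fits */
    s.VirtualSize      = 0x10000000;
    s.VirtualAddress   = 0x1000;
    s.SizeOfRawData    = 0x1000;
    s.PointerToRawData = 0x400;
    return s;
}

/* Run the check on the sample; returns the corrected VirtualSize, 0 if not flagged. */
uint32_t corrected_sample_size(void)
{
    section_header_t s = sample_section();
    if (!has_big_virtual_size(&s, 0x100000))  /* 1 MiB slack: assumed threshold */
        return 0;
    memset(sample_mem, 0, sizeof sample_mem);
    memset(sample_mem, 0x90, 0x1235);          /* data ends at offset 0x1234 */
    uint32_t vsize = trimmed_virtual_size(sample_mem, sizeof sample_mem, 0x1000);
    fix_section_for_dump(&s, vsize, 0x200);
    return s.VirtualSize;
}

/* Name of the sample section as a C string (the 8-byte edge case). */
const char *sample_section_name(void)
{
    static char name[IMAGE_SIZEOF_SHORT_NAME + 1];
    section_header_t s = sample_section();
    section_name(&s, name);
    return name;
}

int main(void) { return corrected_sample_size() == 0x2000 ? 0 : 1; }
```

In a real dump the bytes handed to `trimmed_virtual_size` are whatever could be read from the mapped section (unreadable tails zero-filled or cut off), and the corrected value is what you would type into the section dialog; the 0x2000 result here is the 0x1235 bytes of real data rounded up to one 0x1000 page boundary.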
March 24, 2012 Author
http://waleedassar.b...ing-part-2.html
"In this post i am shedding some light on something i have recently found which turns out to be an effective anti-dumping trick."
@waliedassar Probably you found the reason why this can happen, but at least you could give some credits to Ufo-Pu55y for reporting it. Or didn't you read this thread...
March 24, 2012
First, I found this thread while checking the statistics of my blog. The idea came to my mind while fixing a bug in OllyDbg v1.10 (the thing I always do). In OllyDbg v1.10, Windows 7, Wow64, pressing Ctrl+R (to find all references) in ntdll.dll gives an error message. I nailed that down till I found the bug. Besides, none of your comments blamed that behavior on the "SectionAlignment" field of the PE header.
Waliedassar
April 14, 2012 Author
Here is a new beta with some bug fixes. Dump PE section still doesn't work, because I need to do some code refactoring first. Removing crap code.
April 14, 2012
Removing crap code is usually the biggest part of my projects as well. Will give a test run one of these days.
May 1, 2012 Author
Here is the final v0.6
http://forum.tuts4yo...reconstruction/
http://forum.tuts4yo...ruction-source/
Version 0.6
- added dump memory regions
- added dump pe sections -> you can edit some values in the dialog
- improved dump engine with intelligent dumping
- improved pe rebuild engine -> removed yoda's code
- fixed various bugs
I hope all bugs are fixed
Edited May 1, 2012 by Aguila
May 2, 2012
I hope all bugs are fixed
Report bug from eXeL@B: dump memory in IDA 5.1 process failed
May 3, 2012 Author
Thanks for the bug report. Buffer was too small for the PE section names. Fixed it.
http://forum.tuts4yo...reconstruction/