Tuts 4 You

Version 0.6 Beta


Aguila


Here is a new beta version of Scylla. Please test it.

Changelog:

- Dump memory feature

- Bugfixes

- Many core and source code improvements

Beta 3:
http://forum.tuts4you.com/topic/28627-version-06-beta/page__view__findpost__p__135322


Edited by Aguila

Thx for the tool. Played with it right now and it seems I found a bug:

Win7x64 & Scylla_x64.exe -> Pick DLL -> Dump -> Ok.

Win7x64 & Scylla_x86.exe -> Pick DLL -> Dump -> "Cannot dump image."

\EDIT

XPx86 & Scylla_x86.exe -> Pick DLL -> Dump -> Ok.

XPx64 & Scylla_x64.exe -> Pick DLL -> Dump -> Ok.

XPx64 & Scylla_x86.exe -> Pick DLL -> Dump -> "Cannot dump image."

Edited by Ufo-Pu55y

Are you trying to dump a Windows DLL? Open the dump memory dialog and look for your DLL. If there are any "NOACCESS" pages between the sections (like in kernel32.dll) you can't dump it. I don't know why, but it is some WOW64 stuff. Maybe somebody knows a solution.

Edited by Aguila
Maybe somebody knows a solution.
While other tools can't do it either (ImpRec, LordPE, etc.), it's funny that PE Tools still can do it.

Ofc a little too late to ask that guy which way he went... I guess.


Ofc little too late to ask that guy which way he went.. I guess.

Pseudocode:

foreach (memory_page in region_to_dump)
{
    if (memory_page.protection == NOACCESS)
        DumpAllZeroes()
    else
        DumpMemoryPage(memory_page)
}

I was a little bit confused because I didn't read MSDN properly; the information provided by the "dump memory" window was wrong. Everything should be fine now. The "not accessible" pages are filled with zeros, like kao pointed out. I added a "force dump" switch to provide this function in the "dump memory" window.

MSDN snippet I missed:

MEM_FREE: Indicates free pages not accessible to the calling process and available to be allocated. For free pages, the information in the AllocationBase, AllocationProtect, Protect, and Type members is undefined.

MEM_RESERVE: Indicates reserved pages where a range of the process's virtual address space is reserved without any physical storage being allocated. For reserved pages, the information in the Protect member is undefined.

Thanks for the bug report Ufo-Pu55y!

Edited by Aguila
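As an added illustration of the two posts above (kao's zero-fill pseudocode and the MSDN note that Protect is undefined for MEM_FREE and MEM_RESERVE regions), here is a small C model of the dump loop. It is not Scylla's code: the region table is constructed by hand to stand in for what VirtualQueryEx would return for a DLL with a reserved gap and a NOACCESS page, and the Win32 constants are redefined locally so it builds without windows.h. On a real Windows target the table would come from VirtualQueryEx and the copy from ReadProcessMemory; the decision logic is the part that matters.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Win32 memory constants, redefined here so the model builds without
 * windows.h (values are the documented SDK values). */
#define MEM_COMMIT    0x1000u
#define MEM_RESERVE   0x2000u
#define MEM_FREE      0x10000u
#define PAGE_NOACCESS 0x01u
#define PAGE_GUARD    0x100u
#define PG            0x1000u   /* page size assumed by the model */

/* The subset of MEMORY_BASIC_INFORMATION the dump loop needs. */
typedef struct {
    uint64_t       base;     /* BaseAddress */
    uint64_t       size;     /* RegionSize */
    uint32_t       state;    /* MEM_COMMIT, MEM_RESERVE or MEM_FREE */
    uint32_t       protect;  /* only defined when state == MEM_COMMIT */
    const uint8_t *bytes;    /* model stand-in for the target's memory */
} region_t;

/* Decide readability from State first. For MEM_FREE and MEM_RESERVE the
 * Protect member is undefined (the MSDN note quoted above), so a check that
 * starts with Protect can misreport a reserved gap as readable or a
 * readable page as NOACCESS. PAGE_GUARD pages raise an exception on access,
 * so they are treated as unreadable too. */
int region_is_readable(const region_t *r)
{
    if (r->state != MEM_COMMIT)
        return 0;
    if (r->protect & PAGE_GUARD)
        return 0;
    return (r->protect & 0xffu) != PAGE_NOACCESS;
}

/* "Force dump" of [start, start+len): readable bytes are copied, everything
 * else is left as zeroes so the image keeps its layout (kao's suggestion).
 * Returns how many bytes came from real memory. */
size_t dump_range(const region_t *regions, size_t n,
                  uint64_t start, uint64_t len, uint8_t *out)
{
    size_t copied = 0;
    memset(out, 0, (size_t)len);
    for (size_t i = 0; i < n; i++) {
        const region_t *r = &regions[i];
        uint64_t lo = r->base > start ? r->base : start;
        uint64_t end = r->base + r->size;
        uint64_t hi = end < start + len ? end : start + len;
        if (lo >= hi || !region_is_readable(r))
            continue;                  /* no overlap, or stays zero */
        memcpy(out + (lo - start), r->bytes + (lo - r->base), (size_t)(hi - lo));
        copied += (size_t)(hi - lo);
    }
    return copied;
}

/* Constructed sample: a four-page DLL image at 0x10000000 with a reserved
 * gap (stale-looking Protect) and a committed NOACCESS page between its
 * code and data, the kernel32-under-WOW64 shape described in the thread. */
static uint8_t text_bytes[PG], noaccess_bytes[PG], data_bytes[PG];
static uint8_t sample_out[4 * PG];

size_t sample_dump(void)
{
    memset(text_bytes, 0xCC, PG);
    memset(noaccess_bytes, 0xEE, PG);   /* would fault if really read */
    memset(data_bytes, 0x41, PG);
    const region_t image[] = {
        { 0x10000000u, PG, MEM_COMMIT,  0x20u /* PAGE_EXECUTE_READ */,  text_bytes },
        { 0x10001000u, PG, MEM_RESERVE, 0x04u /* undefined: looks RW */, NULL },
        { 0x10002000u, PG, MEM_COMMIT,  PAGE_NOACCESS,                   noaccess_bytes },
        { 0x10003000u, PG, MEM_COMMIT,  0x04u /* PAGE_READWRITE */,      data_bytes },
    };
    return dump_range(image, 4, 0x10000000u, 4 * PG, sample_out);
}

/* Byte at a given offset of the last sample dump, for inspection. */
uint8_t sample_byte(size_t off) { return sample_out[off]; }

int main(void)
{
    size_t copied = sample_dump();
    printf("copied %zu of %u bytes, rest zero-filled\n", copied, 4 * PG);
    for (size_t p = 0; p < 4; p++)
        printf("page %zu: first byte 0x%02x\n", p, sample_byte(p * PG));
    return 0;
}
```

Note that the reserved region carries a Protect value that looks like PAGE_READWRITE; a loop that trusted Protect alone would attempt to read it (and, in the real API, get a failed ReadProcessMemory), whereas checking State first skips it and leaves its page as zeroes.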

Report bug from eXeL@B:

When restoring the import, library names are written wrong. Example:

ADVAPI32.dllдRegOpenKeyExW

COMCTL32.dllk

COMDLG32.dll

GDI32.dllЉGetLayout


Ah damn, the API resolving function is totally broken. The "source code improvements" created a problem somehow. Don't know yet. The 0.6 beta versions should not be used to rebuild an IAT...


@ Aguila

Short info: SetHandleCount = LockResource like ImpRec, but why?

0041FEBC >7C80CD27 kernel32.SetHandleCount <----- = LockResource by Scylla

LockResource <--- Used by Scylla
LockResource <--- Not to be found in kernel32.dll??? Only in Scylla's Kernel32.dll????
LockResource <--- Shown as suspect in Scylla 0.5
LockResource <--- Shown as valid in Scylla 0.6 Beta2

Scylla: DoubleClick on API = No infos | Dll empty, API empty
ImpRec: DoubleClick on API = Infos | Points to Dll & API

Wrong fixing of dumps! Ok, I see you have posted this problem already.

ImportTable:
Dll Name = kernel32.dll
[XY]GetSystemTimeAsFileTime <--- ??? strange signs + API name ???

See my pic.

greetz


Thanks NikolayD and LCF-AT for the bug report.

Here you have a fixed version. This version should work fine again. Sorry for the broken app.

I am just working on a PE section dump function. This will be awesome. You can easily defeat protectors with the "big virtual size" anti-dump protection (like ASProtect). Big virtual sizes will be highlighted and you can correct the virtual size, so you can dump a small exe without any problems.


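The "big virtual size" trick described in the post above can be checked for mechanically. The following C is an added example, not Scylla's section-dump code: it parses a section table from raw bytes (the 40-byte IMAGE_SECTION_HEADER layout, declared locally because windows.h is not assumed), flags sections whose VirtualSize cannot be backed by the image, and proposes the size a dumper should use instead. The sample section table is constructed inside the code, and the 8x allowance for uninitialized data in the last section is an assumption of this example, not a PE rule.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IMAGE_SECTION_HEADER, 40 bytes, declared locally (no windows.h). */
#pragma pack(push, 1)
typedef struct {
    char     Name[8];
    uint32_t VirtualSize;
    uint32_t VirtualAddress;
    uint32_t SizeOfRawData;
    uint32_t PointerToRawData;
    uint32_t PointerToRelocations;
    uint32_t PointerToLinenumbers;
    uint16_t NumberOfRelocations;
    uint16_t NumberOfLinenumbers;
    uint32_t Characteristics;
} section_header_t;
#pragma pack(pop)

#define SECTION_HEADER_SIZE 40
#define MAX_SECTIONS 16
#define BSS_FACTOR 8u  /* assumption: last section may claim up to 8x its raw size as .bss */

static uint32_t align_up(uint32_t v, uint32_t a) { return (v + a - 1) & ~(a - 1); }

/* Parse n headers from a raw table (file bytes or target memory). memcpy
 * keeps this safe for unaligned buffers. Returns n, or -1 on bad input. */
int parse_sections(const uint8_t *table, size_t table_len, int n, section_header_t *out)
{
    if (n < 0 || n > MAX_SECTIONS || table_len < (size_t)n * SECTION_HEADER_SIZE)
        return -1;
    for (int i = 0; i < n; i++)
        memcpy(&out[i], table + (size_t)i * SECTION_HEADER_SIZE, SECTION_HEADER_SIZE);
    return n;
}

/* Bytes the file really backs for a section, rounded to SectionAlignment
 * and never less than one alignment unit (a raw size of 0 is legal). */
static uint32_t backed_size(const section_header_t *s, uint32_t align)
{
    uint32_t backed = align_up(s->SizeOfRawData, align);
    return backed < align ? align : backed;
}

/* Flag sections whose VirtualSize is implausible and write the size a
 * dumper should use into fixed[i] (unchanged for sections that are fine).
 * Not-last sections: VirtualSize past the next VirtualAddress would overlap
 * the next section, so the gap is a hard bound and also the fix.
 * Last section: the headers give no bound, so the BSS_FACTOR heuristic is
 * applied and the fix is what the file backs. Returns the number flagged. */
int check_section_sizes(const section_header_t *s, int n, uint32_t align, uint32_t *fixed)
{
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        fixed[i] = s[i].VirtualSize;
        if (i + 1 < n) {
            uint32_t gap = s[i + 1].VirtualAddress - s[i].VirtualAddress;
            if (s[i].VirtualSize > gap) { fixed[i] = gap; flagged++; }
        } else {
            uint32_t backed = backed_size(&s[i], align);
            if (s[i].VirtualSize > backed * BSS_FACTOR) { fixed[i] = backed; flagged++; }
        }
    }
    return flagged;
}

/* Constructed sample: a normal .text, a .data whose VirtualSize runs far
 * past the next section, and a trailing packer section claiming 1 GiB. */
static section_header_t sample_sections[3];
static uint32_t sample_fixed[3];

static void put_section(uint8_t *dst, const char *name, uint32_t vs, uint32_t va, uint32_t raw)
{
    section_header_t h;
    size_t len = strlen(name);
    memset(&h, 0, sizeof h);
    memcpy(h.Name, name, len > 8 ? 8 : len);
    h.VirtualSize = vs; h.VirtualAddress = va; h.SizeOfRawData = raw;
    memcpy(dst, &h, SECTION_HEADER_SIZE);
}

int sample_check(void)
{
    uint8_t table[3 * SECTION_HEADER_SIZE];
    put_section(table + 0 * SECTION_HEADER_SIZE, ".text",  0x2F80,     0x1000, 0x3000);
    put_section(table + 1 * SECTION_HEADER_SIZE, ".data",  0x10000000, 0x4000, 0x1000);
    put_section(table + 2 * SECTION_HEADER_SIZE, ".pack0", 0x40000000, 0x5000, 0x2000);
    if (parse_sections(table, sizeof table, 3, sample_sections) != 3)
        return -1;
    return check_section_sizes(sample_sections, 3, 0x1000, sample_fixed);
}

uint32_t sample_fixed_size(int i) { return sample_fixed[i]; }

int main(void)
{
    int n = sample_check();
    printf("%d suspicious section(s)\n", n);
    for (int i = 0; i < 3; i++)
        printf("%-8.8s VirtualSize 0x%08x -> use 0x%08x\n", sample_sections[i].Name,
               sample_sections[i].VirtualSize, sample_fixed_size(i));
    return 0;
}
```

Dumping with the corrected sizes yields a file a few pages long instead of one sized by the bogus VirtualSize; the replacement values are what a "correct the virtual size" dialog would pre-fill, and the last-section allowance is the knob to tune if a legitimate large .bss gets flagged.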

http://waleedassar.b...ing-part-2.html

In this post i am shedding some light on something i have recently found which turns out to be an effective anti-dumping trick.

@waliedassar

Probably you found the reason why this can happen, but at least you could give some credit to Ufo-Pu55y for reporting it. Or didn't you read this thread...

waliedassar

First, I found this thread while checking the statistics of my blog.

The idea came to my mind while fixing a bug in OllyDbg v1.10 (the thing I always do). In OllyDbg v1.10 on Windows 7 / WOW64, pressing Ctrl+R (to find all references) in ntdll.dll gives an error message. I nailed that down till I found the bug.


Besides, none of your comments blamed that behavior on the "SectionAlignment" field of the PE header.

Waliedassar


Here is a new beta with some bug fixes.

Dump PE section still doesn't work, because I need to do some code refactoring first. Removing crap code.


Here is the final v0.6

http://forum.tuts4yo...reconstruction/

http://forum.tuts4yo...ruction-source/


Version 0.6
- added dump memory regions
- added dump PE sections -> you can edit some values in the dialog
- improved dump engine with intelligent dumping
- improved pe rebuild engine -> removed yoda's code
- fixed various bugs

I hope all bugs are fixed.

Edited by Aguila
  • Like 2