Aguila Posted March 15, 2012 Share Posted March 15, 2012 (edited) Here is a new beta version of Scylla. Please test it. Changelog: - Dump memory feature - Bugfixes - Many core and source code improvements Beta 3:/>http://forum.tuts4you.com/topic/28627-version-06-beta/page__view__findpost__p__135322 Edited March 18, 2012 by Aguila 2 Link to comment
Ufo-Pu55y Posted March 15, 2012 Share Posted March 15, 2012 (edited) Thx for the tool. Played with it right now and it seems I found a bug:Win7x64 & Scylla_x64.exe -> Pick DLL -> Dump -> Ok.Win7x64 & Scylla_x86.exe -> Pick DLL -> Dump -> "Cannot dump image."\EDITXPx86 & Scylla_x86.exe -> Pick DLL -> Dump -> Ok.XPx64 & Scylla_x64.exe -> Pick DLL -> Dump -> Ok.XPx64 & Scylla_x86.exe -> Pick DLL -> Dump -> "Cannot dump image." Edited March 15, 2012 by Ufo-Pu55y Link to comment
Aguila Posted March 15, 2012 Author Share Posted March 15, 2012 (edited) Are you trying to dump a windows DLL? Open the dump memory dialog and look for your DLL. If there are any "NOACCESS" pages between the sections (like in the kernel32.dll) you can't dump it. I don't know why, but it is some WOW64 stuff. Maybe somebody knows a solution. Edited March 15, 2012 by Aguila Link to comment
Ufo-Pu55y Posted March 15, 2012 Share Posted March 15, 2012 Yup, right there.. libs without noaccess sections are dumpable! Link to comment
Ufo-Pu55y Posted March 15, 2012 Share Posted March 15, 2012 Maybe somebody knows a solution.While other tools can't do it as well (ImpRec, LordPE, etc..), funny that PE Tools still can do it.Ofc little too late to ask that guy which way he went.. I guess. Link to comment
kao Posted March 15, 2012 Share Posted March 15, 2012 Ofc little too late to ask that guy which way he went.. I guess.Pseudocode:foreach (memory_page in region_to_dump){ if (page.protection == NOACCESS) DumpAllZeroes() else DumpMemoryPage(memory_page)} Link to comment
Aguila Posted March 16, 2012 Author Share Posted March 16, 2012 (edited) I was a little bit confused because I didn't read MSDN properly, the information provided by the "dump memory" window was wrong Everything should be fine now. The "no accessable" pages are filled with zeros like kao pointed out. I added a "force dump" switch to provide this function to the "dump memory" window. MSDN snippet I missed: MEM_FREE:Indicates free pages not accessible to the calling process and available to be allocated. For free pages, the information in the AllocationBase, AllocationProtect, Protect, and Type members is undefined. MEM_RESERVE: Indicates reserved pages where a range of the process's virtual address space is reserved without any physical storage being allocated. For reserved pages, the information in the Protect member is undefined. Thanks for the bug report Ufo-Pu55y! Edited March 16, 2012 by Aguila 1 Link to comment
NikolayD Posted March 18, 2012 Share Posted March 18, 2012 Report bug from eXeL@B:When restore the import, library names are written the wrong. Example:ADVAPI32.dllдRegOpenKeyExWCOMCTL32.dllkCOMDLG32.dllGDI32.dllЉGetLayout Link to comment
Aguila Posted March 18, 2012 Author Share Posted March 18, 2012 Ah damn, the api resolving function is totally broken. The "source code improvements" created a problem somehow. Don't know yet. The 0.6 beta versions should not be used to rebuild an IAT... Link to comment
LCF-AT Posted March 18, 2012 Share Posted March 18, 2012 @ Aguila Short infos: SetHandleCount = LockResource like ImpRec but why? 0041FEBC >7C80CD27 kernel32.SetHandleCount <----- = LockResource by ScyllaLockResource <--- Used by Scylla LockResource <--- Not to find in kernel32.dll ??? Only in Scylla Kernel32.dll ????LockResource <--- Shown as suspect in Scylla 0.5LockResource <--- Shown as valid in Scylla 0.6 Beta2ScyllaDoubleClick on API = No Infos | Dll Empty API EmptyImpRecDoubleClick on API = Infos | Points to Dll & API Wrong fixing of dumps!Ok I see you have post this problem already.ImportTable:Dll Name = kernel32.dll[XY]GetSystemTimeAsFileTime <--- ??? strange signs + API Name ???See my pic greetz Link to comment
Aguila Posted March 18, 2012 Author Share Posted March 18, 2012 Thanks NikolayD and LCF-AT for the bug report. Here you have a fixed version. This version should work fine again. Sorry for the broken app I am just working on a pe section dump function. This will be awesome. You can easily defeat protectors with the "big virtual size" anti dump protection (like asprotect). Big virtual sizes will be highlighted and you can correct the virtual size, so you can dump a small exe without any problems 2 Link to comment
Aguila Posted March 24, 2012 Author Share Posted March 24, 2012 http://waleedassar.b...ing-part-2.htmlIn this post i am shedding some light on something i have recently found which turns out to be an effective anti-dumping trick.@waliedassarProbably you found the reason why this can happen, but at least you could give some credits to Ufo-Pu55y for reporting it. Or didn't you read this thread... Link to comment
waliedassar Posted March 24, 2012 Share Posted March 24, 2012 First, i found this thread while checking the statistics of my blog. The idea came to my mind while fixing a bug in OllyDbg v1.10 (the thing i always do). In OllyDbg v1.10, Windows 7,Wow64, pressing Ctrl+R (to find all references) in ntdll.dll, gives an error message. I nailed that down till i found the bug. Besides, none of your comments blamed that behavior on the "SectionAllignment" field of PE header. Waliedassar Link to comment
Aguila Posted April 14, 2012 Author Share Posted April 14, 2012 Here is a new beta with some bug fixes. Dump pe section still doesn't work, because I need to do some code refactoring first. Removing crap code 1 Link to comment
quosego Posted April 14, 2012 Share Posted April 14, 2012 Removing crap code is usually the biggest part of my projects as well. Will give a test run one of these days. Link to comment
Aguila Posted May 1, 2012 Author Share Posted May 1, 2012 (edited) Here is the final v0.6 http://forum.tuts4yo...reconstruction/ http://forum.tuts4yo...ruction-source/ Version 0.6- added dump memory regions- added dump pe sections -> you can edit some values in the dialog- improved dump engine with intelligent dumping- improved pe rebuild engine -> removed yoda's code- fixed various bugs I hope all bugs are fixed Edited May 1, 2012 by Aguila 2 Link to comment
SReg Posted May 2, 2012 Share Posted May 2, 2012 I hope all bugs are fixed Report bug from eXeL@B: dump memory in ida 5.1 process failed Link to comment
Aguila Posted May 3, 2012 Author Share Posted May 3, 2012 Thanks for the bug report. Buffer was to small for the pe section names.Fixed it.http://forum.tuts4yo...reconstruction/ Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now