waliedassar, posted September 8, 2012:
Here you can find it: http://waleedassar.blogspot.com/2012/09/anti-dumping-part-3.html
Comments and ideas are very welcome.
quosego, posted September 8, 2012:
First thing that came to mind was: bleh, those things are annoying. So, good tut.
deepzero, posted September 8, 2012:
It indeed makes sense that the memory manager doesn't map huge zero-regions... now I know why protectors always write some junk data to these high-mem regions.
waliedassar (author), posted September 8, 2012 (edited September 8, 2012 by waliedassar):
Regarding the PAGE_GUARD trick, I am still thinking that the following code (not well tested, though) may be used as both anti-dumping and anti-debugging: http://pastebin.com/c7tKLuCq
Any ideas?
mudlord, posted September 9, 2012:
Hahahah, watcher threads, excellent. I suppose you could expand on that by watching for any modification, too?
Aguila, posted September 9, 2012:
I don't think Scylla is vulnerable to these 2 anti-dump tricks.
About the watch-threads: I don't think this is a good option, because e.g. in olly you can easily see and suspend threads.
deepzero, posted September 9, 2012:
> I don't think this is a good option, because e.g. in olly you can easily see and suspend threads.
That's what you say now. It can be really annoying, and multi-thread debugging in olly (but also in general) isn't really a lot of fun, imo. Not to mention when the protection threads are being protected by other protection threads, etc.
Aguila, posted September 9, 2012:
ok so I will add this to scylla:

    typedef NTSTATUS (WINAPI *def_NtSuspendProcess)(HANDLE ProcessHandle);
    HMODULE hModuleNtdll = GetModuleHandleW(L"ntdll.dll");  // ntdll.dll is mapped in every process, no LoadLibrary needed
    def_NtSuspendProcess NtSuspendProcess = (def_NtSuspendProcess)GetProcAddress(hModuleNtdll, "NtSuspendProcess");

and the problem is gone. I will make this an option...
waliedassar (author), posted September 9, 2012:
Actually, Scylla and VSD were the ones I used while testing these two tricks. Scylla is a good dumper, but:
For the first trick, it gets fooled by the huge size and starts reading it, causing the OS to suffer a lot for a while. I know it is not Scylla's fault. But I guess smarter ways to dump it do really exist.
For the second trick, just try Scylla on a multi-processor system. Don't try it inside VirtualBox (SP).
waliedassar (author), posted September 9, 2012 (edited September 9, 2012 by waliedassar):
Regarding the "ZwSuspendProcess" function, you are right, it works against the second trick.
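As an added example (not code from this thread, from Scylla or from the blog post), here is a small dump planner in Python that applies the two answers the thread converges on: for the huge-region trick it reads only committed pages that are actually resident, which assumes per-page residency taken from the Valid bit of QueryWorkingSetEx (my assumption about the "smarter way", not waliedassar's), and for the PAGE_GUARD trick it sets guard regions aside so they are read only while the target is held with NtSuspendProcess and the guard is restored before resuming. The Region records are constructed; on Windows they would be filled from VirtualQueryEx plus QueryWorkingSetEx, and the returned ranges would be passed to ReadProcessMemory.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Real Win32 constant values; every Region fed in below is constructed.
MEM_COMMIT, PAGE_NOACCESS, PAGE_GUARD, PAGE_SIZE = 0x1000, 0x01, 0x100, 0x1000

@dataclass
class Region:
    """A VirtualQueryEx record plus one residency flag per page (assumed to
    come from the Valid bit that QueryWorkingSetEx reports for each page)."""
    base: int
    size: int
    state: int
    protect: int
    resident: List[bool]

def merge(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Coalesce adjacent (base, size) pages into one read request each."""
    out: List[Tuple[int, int]] = []
    for base, size in sorted(ranges):
        if out and out[-1][0] + out[-1][1] == base:
            out[-1] = (out[-1][0], out[-1][1] + size)
        else:
            out.append((base, size))
    return out

def plan_dump(regions: List[Region]) -> Tuple[List[Tuple[int, int]], List[int]]:
    """Return (read_ranges, guard_bases); pages left out of read_ranges are
    written as zeros by the caller, which is what an untouched page holds."""
    reads, guards = [], []
    for r in regions:
        if r.state != MEM_COMMIT or r.protect & PAGE_NOACCESS:
            continue  # reserved or inaccessible: nothing to read
        if r.protect & PAGE_GUARD:
            # Trick 2: any access clears PAGE_GUARD, which is what the watcher
            # thread polls for. Read these only after NtSuspendProcess, with the
            # guard lifted via VirtualProtectEx, and restore it before resuming.
            guards.append(r.base)
        for i, valid in enumerate(r.resident):
            # Trick 1: a committed page nobody touched is demand-zero; reading it
            # only makes the OS fault in zero pages, so skip it (a paged-out page
            # is the one case this heuristic misreads as zero).
            if valid:
                reads.append((r.base + i * PAGE_SIZE, PAGE_SIZE))
    return merge(reads), guards
```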