Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Anti-Dumping - Part 3

waliedassar
waliedassar
in Reverse Engineering Articles

Featured Replies

first thing that came to mind was, bleh those things are annoying..

So good tut. ;)

It indeed makes sense that the memory manager doesnt mapp huge zero-regions...now we i know why protectors always write some junk data to these high-mem regions. :)

  • Author

Regarding the PAGE_GUARD trick, i am still thinking that the following code (not well tested, though) may be used as both anti-dumping + anti-debugging.

http://pastebin.com/c7tKLuCq

Any ideas?

Edited by waliedassar

Hahahah, watcher threads, excellent :D

I suppose you could expand on that by watching on any modification, too?

I don't think Scylla is vulnerable to these 2 anti-dump tricks.

About the watch-threads: I don't think this is a good option, because e.g. in olly you can easily see and suspend threads.

I don't think this is a good option, because e.g. in olly you can easily see and suspend threads.

that`s what you say now. :teehee:

can be really annoying, and mulit-thread debugging in olly (but also in general) isnt really a lot of fun, imo.

not to mention when the protection threads are being protected by other protection threads, etc.

ok so I will add this to scylla:

typedef NTSTATUS (WINAPI *def_NtSuspendProcess)(HANDLE ProcessHandle);

NtSuspendProcess = (def_NtSuspendProcess)GetProcAddress(hModuleNtdll, "NtSuspendProcess");

and the problem is gone :cupidarrow: I will make this an option...

  • Author

Actually, Scylla and VSD were the ones i used while testing these two tricks.

Scylla is a good dumper but :

For the first trick, it gets fooled by the huge size and start reading it causing the OS to suffer alot for a while. I know it is not Scylla's fault. But i guess smarter ways to dump it do really exist.

For the second trick, Just try scylla on a Multi-processor system. Don't try it inside Virtualbox (SP).

  • Author

Regarding the "ZwSuspendProcess" function, you are right it works against the second trick.

Edited by waliedassar

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.