Tuts 4 You

Anti-Dumping - Part 3


waliedassar


It indeed makes sense that the memory manager doesn't map huge zero-regions... now I know why protectors always write some junk data to these high-mem regions. :)


I don't think Scylla is vulnerable to these 2 anti-dump tricks.

About the watch-threads: I don't think this is a good option, because e.g. in olly you can easily see and suspend threads.


I don't think this is a good option, because e.g. in olly you can easily see and suspend threads.

that's what you say now. :teehee:

can be really annoying, and multi-thread debugging in olly (but also in general) isn't really a lot of fun, imo.

not to mention when the protection threads are being protected by other protection threads, etc.


ok so I will add this to Scylla:

// Function pointer type for the undocumented ntdll export NtSuspendProcess(HANDLE ProcessHandle).
typedef NTSTATUS (WINAPI *def_NtSuspendProcess)(HANDLE ProcessHandle);

// Resolve it at runtime from the already-loaded ntdll (hModuleNtdll is the module handle of ntdll.dll).
NtSuspendProcess = (def_NtSuspendProcess)GetProcAddress(hModuleNtdll, "NtSuspendProcess");

and the problem is gone :cupidarrow: I will make this an option...


Actually, Scylla and VSD were the ones I used while testing these two tricks.

Scylla is a good dumper but :

For the first trick, it gets fooled by the huge size and starts reading it, causing the OS to suffer a lot for a while. I know it is not Scylla's fault. But I guess smarter ways to dump it do really exist.

For the second trick, just try Scylla on a multi-processor system. Don't try it inside VirtualBox (SP).


Regarding the "ZwSuspendProcess" function, you are right it works against the second trick.

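The suspend-before-dump approach agreed on above, as an added analyst-side example that is not from the thread and not Scylla's code: it resolves ntdll's NtSuspendProcess (and its counterpart NtResumeProcess, assumed here, not mentioned on the page) through P/Invoke, freezes every thread of the target so watchdog threads cannot react while a dumper reads memory, checks that the threads really report the Suspended wait reason, and resumes the process afterwards. It assumes Windows, a target PID you are allowed to open with PROCESS_SUSPEND_RESUME, and that you run your dumper (e.g. Scylla) in the pause.

```powershell
# Added example (not from the thread, not Scylla's code). Windows only.
param([Parameter(Mandatory = $true)][int]$TargetPid)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NtProc
{
    // Undocumented but long-standing ntdll exports; both take a process handle.
    [DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
    [DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr hProcess);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@

$PROCESS_SUSPEND_RESUME    = 0x0800   # access right NtSuspendProcess/NtResumeProcess need
$PROCESS_QUERY_INFORMATION = 0x0400

function Test-AllThreadsSuspended([int]$ProcessId) {
    # A suspended thread is reported as ThreadState Wait with WaitReason Suspended.
    # WaitReason is only readable while ThreadState is Wait, hence the short-circuit -or.
    $threads = (Get-Process -Id $ProcessId).Threads
    $notSuspended = $threads | Where-Object {
        $_.ThreadState -ne 'Wait' -or $_.WaitReason -ne 'Suspended'
    }
    return (@($notSuspended).Count -eq 0)
}

$h = [NtProc]::OpenProcess($PROCESS_SUSPEND_RESUME -bor $PROCESS_QUERY_INFORMATION, $false, $TargetPid)
if ($h -eq [IntPtr]::Zero) {
    throw "OpenProcess failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
try {
    $status = [NtProc]::NtSuspendProcess($h)
    if ($status -ne 0) { throw ("NtSuspendProcess failed, NTSTATUS 0x{0:X8}" -f $status) }
    if (-not (Test-AllThreadsSuspended $TargetPid)) {
        Write-Warning "Some threads of PID $TargetPid do not report the Suspended wait reason"
    }
    # All threads, watchdog threads included, are frozen here; run the dumper now.
    Read-Host "PID $TargetPid is suspended. Run your dumper, then press Enter to resume"
}
finally {
    [void][NtProc]::NtResumeProcess($h)   # always resume, even if the checks above threw
    [void][NtProc]::CloseHandle($h)
}
```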
