Jump to content
Tuts 4 You

Dump process with wrong iat

Scotch

By Scotch
in Scylla Imports Reconstruction

Recommended Posts

Scotch

Scotch

Posted
Posted

Hi, there~

I just got a problem when using Scylla_x86.dll to dump a running process via C code.

And here's the code. 

	// read PEB address;
	PPEB peb = (PPEB)calloc(sizeof(PEB), 1);
	if (!ReadProcessMemory(hProcess, ProcessBasic->PebBaseAddress, peb, sizeof(PEB), &m_dwTemp)) {
		peb = (PPEB)calloc(m_dwTemp, 1);
		ReadProcessMemory(hProcess, ProcessBasic->PebBaseAddress, peb, sizeof(PEB), &m_dwTemp);
	}

	HMODULE	m_hModule_Remote = peb->ImageBaseAddress;
	free(ProcessBasic); ProcessBasic = 0;
	free(peb); peb = 0;

	// read pe header
	LPVOID	m_pMemory_Remote = VirtualAlloc(0, 0x1000, MEM_COMMIT, PAGE_READWRITE);
	if (!ReadProcessMemory(hProcess, m_hModule_Remote, m_pMemory_Remote, 0x1000, 0)) {
		return m_nRet;
	}
	// calc entrypoint
	auto m_pHeader_Dos = (PIMAGE_DOS_HEADER)(ULONG_PTR)m_pMemory_Remote;
	auto m_pHeader_Nt = (PIMAGE_NT_HEADERS)((ULONG_PTR)m_pMemory_Remote + m_pHeader_Dos->e_lfanew);
	DWORD_PTR	m_dwEntryPoint =(DWORD_PTR) (m_pHeader_Nt->OptionalHeader.AddressOfEntryPoint + m_pHeader_Nt->OptionalHeader.ImageBase);

	printf("\n[+].PID: 0x%0X, dumping process memory\t", dwProcessId);
	m_nRet = pfnScyllaDumpProcess(dwProcessId, 0, (DWORD_PTR)m_hModule_Remote, m_dwEntryPoint, g_szDumpFile);
	if (!m_nRet) {
		printf("[!].process dumping failed!\n");
	}
	printf("\n[+].PID: 0x%0X, searching iat strut\t", dwProcessId);
	m_nRet = pfnScyllaIatSearch(dwProcessId, &iatStart, &iatSize, (DWORD_PTR)m_hModule_Remote, 1);
	if (m_nRet != 0) {
		printf("[!].iat searching failed!\n");
	}
	printf("\n[+].PID: 0x%0X, auto-fixing\t", dwProcessId);
	m_nRet = pfnScyllaIatFixAutoW(iatStart, iatSize, dwProcessId, g_szDumpFile, fileResult);
	if (m_nRet != 0) {
		printf("[!].auto-fixing dump file failed!\n");
	}
	printf("\n[+].PID: 0x%0X, rebuilding dump file\t", dwProcessId);
	m_nRet = pfnScyllaRebuildFile(fileResult, FALSE, FALSE, FALSE);
	if (!m_nRet) {
		printf("[!].rebuilding dump file failed!\n");
	}
	printf("\r\n");

And after the dumping is done, I check its iat table by Lordpe, just got lots of "?". How can I solve this problem ?

Scylla_bad.png.1107a1960686a42f23bebd48771c91c5.png

 

Scotch

Scotch

Posted
  • Author
Posted

Solved, turns to "scylla_wrapper_dll".

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...