──────────────────────────────────────────────────────────────────────────────
██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ███╗ ███╗ ██████╗
██╔══██╗ ██╔══██╗ ██╔═══██╗ ██╔════╝ ██╔══██╗ ██║ ██║ ████╗ ████║ ██╔══██╗
██████╔╝ ██████╔╝ ██║ ██║ ██║ ██║ ██║ ██║ ██║ ██╔████╔██║ ██████╔╝
██╔═══╝ ██╔══██╗ ██║ ██║ ██║ ██║ ██║ ██║ ██║ ██║╚██╔╝██║ ██╔═══╝
██║ ██║ ██║ ╚██████╔╝ ╚██████╗ ██████╔╝ ╚██████╔╝ ██║ ╚═╝ ██║ ██║
╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝
──────────────────────────────────────────────────────────────────────────────
ProcDump version 1.0 alpha 9 (C) G-RoM & Stone in 1998
──────────────────────────────────────────────────────────────────────────────
Purpose :
─────────
ProcDump is a brand new type of tool that allows u to dump and unpack
some protected PE files without any need of a debugger.
What ProcDump can do :
■ Dump any 32 bits running process.
■ Dump any 32 bits module.
■ Restore the import table (98% reliability in one pass / 99% after reload).
■ Restore the PE header.
■ Load an external dump & restore the previous features.
■ Start & Unpack a given PE file (at least we try !!).
Disclaimer :
────────────
We, the authors, are *NOT* responsible for any damage caused by the use of
ProcDump. It was tested with success under Windows 95, 98 and NT 5.0.
Requirements :
──────────────
This program works fine under :
■ Windows 95
■ Windows 98
■ Windows NT 5.0
BUT IT WILL NEVER WORK UNDER NT < 5.0 ! I may work on an NT update... one day ;)
Maybe some little knowledge of the PE format is needed if u expect to use this
tool on some special code. Sometimes, you *may* need to do some fixups by
hand. I said *sometimes* ;).
Limitations :
──────────────
* What ProcDump can't do (yet ?):
■ Restore a working DATA section in dump mode.
■ Restore the REAL EIP in dump mode.
■ Restore Packed Relocs (several converters have to be coded).
■ Unpack a DLL (it's possible but... I need time ;)).
■ Dump a 16-bit process (DOS or Win16 applications => size 0 in the array).
-> for DOS apps, use Softice, cup386 or GTR.
-> Win16 apps.... who cares about those ? ;)
* Imports special case :
Some dumps will still have some mangled function names in the import section.
You can fix this problem by reloading the dump with the LOAD EXTERNAL function.
It will apply an exhaustive fixup that may destroy some imports by name &
replace them by ordinals instead. This code is still in development and I may
implement a function name guesser soon.
How to Dump a process :
───────────────────────
That's kinda easy :
1) Just select it in the array
2) Click right
3) Select dump process.
4) Select the name of the dump.
And it is done ;)
How to Dump a module attached to a process :
────────────────────────────────────────────
As easy as dumping a process ;) :
1) Select the process
2) Click Right
3) Click on Module List
4) Select the module
5) Click Right
6) Click on dump.
7) Select the name of the dump.
And it is done ;)
How to unpack a PE file :
─────────────────────────
a) Trace mode.
1) Launch the target EXE.
2) Do a memory dump (select it from the array and right-click).
3) Trace the target (Trace button).
4) Wait until EIP is caught.
5) Select a name for the unpacked PE file.
6) Select the memory dump file u did in step 2).
7) File is unpacked .... u should try & pray ;)
I apologize for the way it works.... BUT Windows is unfair on one particular
point and there is NO WAY to automate steps 1) through 2). If I do it in your
place the import section is fucked up and I dunno HOW to fix this. The target
process must not be a child of the dumper/unpacker when u dump it.
┌───────────────────────────────────────────────────┐
│TRACING A CODE IS KINDA SLOW SOMETIMES - BE PATIENT│
│                                                   │
│BTW : if 'traced xxxxxx lines' is frozen => Crash  │
└───────────────────────────────────────────────────┘
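The "restore the PE header" feature and the "real EIP" limitation above, as an added Python example that is not part of ProcDump: a memory dump keeps the section table of the packed on-disk file, so its raw offsets must be rewritten to match the in-memory layout before the file loads or disassembles correctly, and the entry point caught by tracing is patched in. The sample image bytes, field values and function names are constructed here for illustration only.

```python
import struct
SECTION_FMT = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40 bytes

def build_sample_dump() -> bytes:
    """Constructed sample, not a real binary: the section table still describes
    the packed file on disk (.text raw at 0x200) but the bytes are the loaded image,
    so the unpacked code really sits at RVA 0x1000 (marked 'UNPACKED')."""
    e_lfanew, opt_size, size_of_image = 0x40, 0xE0, 0x3000
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0x200, 0, 0, 0x1000,  # AEP
                      0x1000, 0x2000, 0x400000, 0x1000, 0x200)  # SectAlign, FileAlign
    opt = opt.ljust(0x38, b"\x00") + struct.pack("<II", size_of_image, 0x200)
    sect = struct.pack(SECTION_FMT, b".text\x00\x00\x00", 0x1500, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\x00\x00" + file_hdr + opt.ljust(opt_size, b"\x00") + sect
    img = bytearray(hdr.ljust(size_of_image, b"\x00"))
    img[0x1000:0x1008] = b"UNPACKED"
    return bytes(img)

def _headers(buf):  # -> (NumberOfSections, optional header offset, section table offset)
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if bytes(buf[e_lfanew:e_lfanew + 4]) != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsect, opt_size = (struct.unpack_from("<H", buf, e_lfanew + o)[0] for o in (6, 20))
    return nsect, e_lfanew + 24, e_lfanew + 24 + opt_size

def section_raw(img: bytes, idx: int) -> bytes:
    _, _, sect_off = _headers(img)       # what a file-based loader/disassembler reads
    f = struct.unpack_from(SECTION_FMT, img, sect_off + idx * SECTION_SIZE)
    return img[f[4]:f[4] + f[3]]         # PointerToRawData, SizeOfRawData

def entry_point(img: bytes) -> int:
    return struct.unpack_from("<I", img, _headers(img)[1] + 0x10)[0]  # AddressOfEntryPoint

def fix_dump_headers(img: bytes, oep_rva=None) -> bytes:
    """Make raw offset/size equal RVA/VirtualSize and optionally patch in the OEP."""
    buf = bytearray(img)
    nsect, opt_off, sect_off = _headers(buf)
    align = struct.unpack_from("<I", buf, opt_off + 0x20)[0]   # SectionAlignment
    for i in range(nsect):
        off = sect_off + i * SECTION_SIZE
        f = list(struct.unpack_from(SECTION_FMT, buf, off))
        f[3] = (f[1] + align - 1) & ~(align - 1)   # SizeOfRawData <- VirtualSize (aligned)
        f[4] = f[2]                                # PointerToRawData <- VirtualAddress
        struct.pack_into(SECTION_FMT, buf, off, *f)
    struct.pack_into("<I", buf, opt_off + 0x24, align)        # FileAlignment = SectionAlignment
    if oep_rva is not None:
        struct.pack_into("<I", buf, opt_off + 0x10, oep_rva)  # real entry point from tracing
    return bytes(buf)
```

Before the fix, `section_raw` returns header padding; after it, the same call returns the unpacked code, which is the difference between a dump that loads and one that does not.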
b) Fast Unpacking mode.
1) Launch the target EXE.
2) Do a memory dump.
3) Click on the Fast unpacking button.
4) Choose the appropriate packer/protector.
5) Select a name for the unpacked PE file.
6) Select the memory dump file u did in step 2).
7) File is unpacked .... u should try & pray ;)
Warning :
─────────
I do not recommend that u dump :
■ ProcDump process itself (import trashed anyway).
■ Kernel32.dll process (Access Violation, System Kill).
■ And other system process (Access Violation).
It may result in some obvious crash... U were warned.
Credits :
─────────
Project Coordinator : G-RoM
Tracer engine : Stone
Memory Dumper : G-RoM
PE rebuilder : G-RoM
Interface design : G-RoM
Artworks : ZeCreator
This lame dox : G-RoM
To Contact me : G-RoM@innocent.com
Stone : stone@one.se
Greetings (quick):
──────────────────
Random : I really hated ur Import table destroyer... but I finally fixed the
little thing I forgot in the import rebuilder. Pecrypt really rules !!
The most secure, the best packer, etc... Hopefully, it is not used
(yet??) by too many persons ;). Final release of version 1.02 will
kick ass !!! ;) As an example that I trust in it, ProcDump is packed
with it ;).
Acpizer: Continue ur work on the Win console and start to work on Ring 0
hardware breakpoints ;). It will kick ass when it is done. Are
you interested in coding the interface in ASM ? Or even better,
a visual ASM programming environment ? Check Random's greeting about
ur common work.
Marquis: Thanks for ur interest in my lame work. The shrinker unpacker was
possible as I used to say ;).
Jammer : U were the precursor... Join our team ;) hehehe. I still need more
information about PDB under Windows... Waiting for news from you on
this subject.
J0B : Thanx for the information about Shrinker. BTW: Shrinker 3.2 can't
be handled with software breakpoints nor traced due to faults;
check the version.txt file for details. So your work on it was fucking
essential ;).
Hendrix: Code me a fully featured tracer for WIN32.... When u have time ;).
Good luck with GTR95.
Iceman : How is ur TUI ? Keyboard Layout is weird ? :)
hiho to: #cracking, #bs2000, #PC98-Chat, #ucf2000,
Groups I am in, Groups I was in,
guys & girls I may know somewhere in the world ;).