I have written a driver for XP SP2 that dumps the memory of an unpacking process at a particular system call. For dumping memory, I invoke the ZwReadVirtualMemory system call. But zeros are read at the memory location where the unpacked code resides, when in fact code in that very section is being executed. Amazingly, when the process is run inside OllyDbg, it does dump the code section of the unpacking code. Can anyone explain this behavior and suggest a possible solution to this problem?
Thanks...