Hello,
I would like to hear your opinion on my anti-ProcDump trick (I haven't found this trick anywhere, but I don't think I've just discovered it). It's based on rewriting the ImageBase and SizeOfImage of the process which has to be protected against ProcDump.
Code:
push fs:[30h]                  ; TEB->ProcessEnvironmentBlock (32-bit layout; offsets below are x86 only)
pop eax                        ; eax = PEB
mov eax, [eax+0Ch]             ; eax = PEB->Ldr (PEB_LDR_DATA)
mov eax, [eax+0Ch]             ; eax = Ldr->InLoadOrderModuleList.Flink = first LDR_DATA_TABLE_ENTRY, i.e. the exe itself
mov dword ptr [eax+18h], 0     ; DllBase (ImageBase) = 0
mov dword ptr [eax+20h], 0     ; SizeOfImage = 0
After execution of this code the process is invisible in ProcDump's process list; otherwise there is a blank item with the details of the loaded modules (there isn't a referenced exe).
My main question is: does rewriting ImageBase influence the running of the program, e.g. will it no longer be possible to use some APIs, or something else? If yes, is there any way to prevent it? Is it safe?
Thanks for the reply
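Added example (my code, not the poster's): a host-independent C model of the walk the assembly above performs. It lays out the x86 PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY fields the trick touches with 32-bit widths, checks with static asserts that they sit at the offsets the asm hard-codes (0Ch, 0Ch, 18h, 20h), then builds a constructed two-module loader list in a local arena (the 0x7FFD0000 arena base, the module names, bases and sizes are all made up), applies the same two stores, and shows what a base/size lookup over the list sees before and after. Nothing here reads a real PEB; on 32-bit Windows the PEB pointer would come from `__readfsdword(0x30)` instead of the arena.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t PTR32;                        /* a pointer as stored in the x86 PEB */
typedef struct { PTR32 Flink, Blink; } LIST_ENTRY32;

/* Only the fields the walk uses are named; everything else is padding. */
typedef struct {
    LIST_ENTRY32 InLoadOrderLinks;             /* 0x00 (entry address == link address) */
    LIST_ENTRY32 InMemoryOrderLinks;           /* 0x08 */
    LIST_ENTRY32 InInitializationOrderLinks;   /* 0x10 */
    PTR32        DllBase;                      /* 0x18  <- asm stores 0 here */
    PTR32        EntryPoint;                   /* 0x1C */
    uint32_t     SizeOfImage;                  /* 0x20  <- asm stores 0 here */
    char         name[16];                     /* stand-in for BaseDllName (constructed) */
} LDR_ENTRY32;

typedef struct {
    uint32_t     Length;                       /* 0x00 */
    uint8_t      Initialized, pad[3];          /* 0x04 */
    PTR32        SsHandle;                     /* 0x08 */
    LIST_ENTRY32 InLoadOrderModuleList;        /* 0x0C  <- second [eax+0Ch] */
} PEB_LDR32;

typedef struct {
    uint8_t      reserved[12];                 /* 0x00..0x0B */
    PTR32        Ldr;                          /* 0x0C  <- first [eax+0Ch] */
} PEB32;

/* These are the offsets the posted assembly hard-codes. */
_Static_assert(offsetof(PEB32, Ldr) == 0x0C, "PEB->Ldr");
_Static_assert(offsetof(PEB_LDR32, InLoadOrderModuleList) == 0x0C, "Ldr->InLoadOrderModuleList");
_Static_assert(offsetof(LDR_ENTRY32, DllBase) == 0x18, "entry->DllBase");
_Static_assert(offsetof(LDR_ENTRY32, SizeOfImage) == 0x20, "entry->SizeOfImage");

/* Constructed 32-bit "address space": PTR32 values index into this arena. */
#define ARENA_BASE   0x7FFD0000u
#define PEB_ADDR     (ARENA_BASE + 0x000)
#define LDR_ADDR     (ARENA_BASE + 0x100)
#define EXE_ENTRY    (ARENA_BASE + 0x200)
#define NTDLL_ENTRY  (ARENA_BASE + 0x300)
#define LIST_HEAD    (LDR_ADDR + offsetof(PEB_LDR32, InLoadOrderModuleList))
static uint8_t arena[0x1000];

static void *at(PTR32 p) {
    assert(p - ARENA_BASE < sizeof arena);
    return arena + (p - ARENA_BASE);
}

/* Build PEB -> Ldr -> [exe, ntdll] with the exe first in load order (as on Windows). */
static PTR32 build_sample_peb(void) {
    memset(arena, 0, sizeof arena);
    PEB32 *peb = at(PEB_ADDR);
    PEB_LDR32 *ldr = at(LDR_ADDR);
    LDR_ENTRY32 *exe = at(EXE_ENTRY), *ntdll = at(NTDLL_ENTRY);
    peb->Ldr = LDR_ADDR;
    ldr->Length = sizeof *ldr;
    ldr->Initialized = 1;
    ldr->InLoadOrderModuleList.Flink = EXE_ENTRY;   ldr->InLoadOrderModuleList.Blink = NTDLL_ENTRY;
    exe->InLoadOrderLinks.Flink = NTDLL_ENTRY;      exe->InLoadOrderLinks.Blink = LIST_HEAD;
    ntdll->InLoadOrderLinks.Flink = LIST_HEAD;      ntdll->InLoadOrderLinks.Blink = EXE_ENTRY;
    exe->DllBase = 0x00400000u;   exe->SizeOfImage = 0x00020000u;   strcpy(exe->name, "target.exe");
    ntdll->DllBase = 0x77D00000u; ntdll->SizeOfImage = 0x0013C000u; strcpy(ntdll->name, "ntdll.dll");
    return PEB_ADDR;
}

/* The posted trick, step for step: PEB -> Ldr -> first entry; zero DllBase and SizeOfImage.
 * Returns the entry that was modified. The entry stays linked in the list. */
static PTR32 hide_main_module(PTR32 peb_addr) {
    PEB32 *peb = at(peb_addr);
    PEB_LDR32 *ldr = at(peb->Ldr);
    PTR32 first = ldr->InLoadOrderModuleList.Flink;
    LDR_ENTRY32 *e = at(first);
    e->DllBase = 0;
    e->SizeOfImage = 0;
    return first;
}

/* What a dumper (or RtlPcToFileHeader-style code) does: find the entry whose
 * [DllBase, DllBase + SizeOfImage) contains addr. Returns 0 if no module matches. */
static PTR32 module_for_address(PTR32 peb_addr, uint32_t addr) {
    PEB32 *peb = at(peb_addr);
    PEB_LDR32 *ldr = at(peb->Ldr);
    PTR32 head = peb->Ldr + offsetof(PEB_LDR32, InLoadOrderModuleList);
    for (PTR32 p = ldr->InLoadOrderModuleList.Flink; p != head;
         p = ((LDR_ENTRY32 *)at(p))->InLoadOrderLinks.Flink) {
        LDR_ENTRY32 *e = at(p);
        if (e->SizeOfImage != 0 && addr - e->DllBase < e->SizeOfImage) return p;
    }
    return 0;
}

/* Entries still linked (the blanked exe entry is still counted: this is the "blank item"). */
static unsigned count_modules(PTR32 peb_addr) {
    PEB32 *peb = at(peb_addr);
    PEB_LDR32 *ldr = at(peb->Ldr);
    PTR32 head = peb->Ldr + offsetof(PEB_LDR32, InLoadOrderModuleList);
    unsigned n = 0;
    for (PTR32 p = ldr->InLoadOrderModuleList.Flink; p != head;
         p = ((LDR_ENTRY32 *)at(p))->InLoadOrderLinks.Flink) n++;
    return n;
}

int main(void) {
    PTR32 peb = build_sample_peb();
    printf("before: 0x00401000 -> entry %#x\n", module_for_address(peb, 0x00401000u));
    hide_main_module(peb);
    printf("after:  0x00401000 -> entry %#x, entries still listed: %u\n",
           module_for_address(peb, 0x00401000u), count_modules(peb));
    return 0;
}
```

Two things the model makes visible. The entry is blanked, not unlinked, so list walkers still see a module slot with no base and no size, which matches the blank item ProcDump shows. And any code that maps an address back to its module by comparing against DllBase/SizeOfImage in this list (RtlPcToFileHeader is the usual example) stops finding the executable, so that is the class of API to test when asking whether the program keeps running normally.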