Virtual Section Dumper v1.0 x86
 Nahuel C. Riva (NCR) <nahuelriva gmail com> |
Friday, February 17 2012 17:56.08 CST |
Hi All!,
I just want to share my latest tool: VSD x86.
You can get it here: http://code.google.com/p/virtualsectiondumper/
"""
VSD (Virtual Section Dumper) is intented to be a tool to visualize and dump the memory regions of a running 32 bits process in many ways. For example, you can dump the entire process and fix it PE Header, dump a given range of memory or even list and dump every virtual section present in the process.
"""
BR,
NCR
Comments
 waleedassar |
Posted: Saturday, February 18 2012 06:08.19 CST |
| If we manipulate the values of ImageBase in Process Environment Block (PEB) and PEB_LDR_DATA, the process won't be listed. | |
 NCR |
Posted: Saturday, February 18 2012 12:14.29 CST |
| What do you propose to deal with that situation?. Any idea?. | |
|
waleedassar |
Posted: Saturday, February 18 2012 19:02.50 CST |
|
You can call the "ZwQueryInformationProcess" function with the ProcessInformationClass set to ProcessImageFileName to retrieve the full name of the main executable and then read the ImageBase value from Disk (CreateFileA/ReadFile). N.B. Also, if you use the "CreateFileA" function to read from the file, we can still defeat it by calling the "CreateFileA" function with the "dwShareMode" set to Zero. |
|
|
NCR |
Posted: Tuesday, February 21 2012 19:16.03 CST |
| I just added the x64 version to the web and released a bugfix version v1.1 x86. | |
|
waleedassar |
Posted: Friday, March 2 2012 17:40.53 CST |
|
Opening this tool while the file below is running will cause it to go into an infinite loop. Actually, many other tools are affected. http://ollytlscatch.googlecode.com/files/loop.exe |
|