------------------------------------------------------------------------------
                         [ PROCDUMP banner artwork ]
------------------------------------------------------------------------------
             ProcDump version 1.2 (C) G-RoM, Riz la+ & Stone in 1998
------------------------------------------------------------------------------

If you expect to print this dox, I suggest you use the TERMINAL font with a
height of 9.

Summary
-------
  Purpose
  Disclaimer
  Requirements
  ProcDump Configuration
  ProcDump Integrated Process monitor/dumper
  ProcDump integrated PE editor
  ProcDump PE/RAW external dump autofix
  ProcDump unpacker/decryptor
  Limitations
  Credits
  Greetings

Purpose :
---------
ProcDump is a brand new type of tool that allows you to dump and unpack some
protected PE files without any need of a debugger.

What ProcDump can do :

  * Dump any 32-bit running process/module using the CodeShot engine.
  * The Phoenix engine can restore the Import table & PE header.
  * The Phoenix engine can reoptimize a PE file and a dump made with CodeShot.
  * The Shiva engine can start & unpack a given PE file (at least it tries !!).
    With the help of a script language, you can unpack well-known packers in
    a few seconds and teach ProcDump how to unpack the others.
  * Alter a given file's PE header, kill some objects physically.

Disclaimer :
------------
We, the authors, are *NOT* responsible for any damage caused by the use of
ProcDump. It was tested with success under Windows 95, 98 and NT 4 & 5.0.

  [CAUTION]
  PROCDUMP32 is a tool meant to help people who want to unpack/decrypt PE
  files. PLEASE NOTICE THAT IT IS NOT REALLY INTENDED FOR REAL BEGINNERS. If
  you are such a person, I recommend that you read CAREFULLY the whole
  DOCUMENTATION, and use ONLY the DUMPER & UNPACKER with the default OPTIONS.

Requirements :
--------------
This program works fine under :

  * Windows 95
  * Windows 98
  * Windows NT 5.0
  * Windows NT 4.0, with restrictions.

A good brain and some knowledge of the PE format and PE layer are required if
you expect to exploit ProcDump at its full power.

ProcDump Configuration :
------------------------
Rebuilder options :

  * Recompute object size (DEFAULT ON)
    This option tells ProcDump to use each section's Virtual Size as its
    physical size. This is necessary for a PACKED PE, because the unpacked
    size of a section is bigger than the packed one. You can unselect this
    option if you are planning to work against a cryptor.

  * Optimize PE structure (DEFAULT ON)
    This option optimizes the PE structure according to the object table, in
    order to reduce the size of the written PE file. If you unselect this
    option, the PE file will take more space on disk.

  * Check Header Sections (DEFAULT OFF)
    This option checks whether the PE header contains a non-paged area. If it
    finds one, the problem is corrected.

  * Import rebuilder method :

    - No rebuild
      Doesn't try at all to locate the import section; leaves the related
      import information untouched.
    - Use import informations (DEFAULT)
      Reads the actual import information and uses it to recreate a valid
      import table.

    - Rebuild import table
      Detects the import table using heuristic criteria and fixes up the
      import table if found.

    - Full Import rebuild
      Detects the import table, generates a new import section, and generates
      import function names & ordinals. There is a BIG chance that the
      generated PE runs perfectly ;).

Unpacker options :

  * Predump method :

    - Use external predump
      You will need to supply a PE/DUMP file with a valid import table. The
      import info will be stamped into the generated PE.

    - Predump (DEFAULT, with delay 0)
      ProcDump will do the predump itself to obtain the valid import table.
      There are 2 methods :
        1) After user input (delay 0).
        2) After a given delay (delay > 0, in HEX).

  * EIP confirmation (DEFAULT OFF)
    When ProcDump reaches the original CODE, it can prompt you to confirm
    whether you think it is right or not.

  * Layer confirmation (DEFAULT OFF)
    When you have validated the EntryPoint, you can also say that there was
    more than one protection layer. Generally, you may leave this option
    unchecked.

  * Ignore Faults (DEFAULT OFF)
    When a breakpoint/fault occurs, ProcDump32 normally handles the exception
    (a breakpoint most of the time, because some protectors relocate their
    code). But sometimes this is a source of problems : some applications
    indeed create faults on purpose to do some special work. With this option
    set, ProcDump32 will simply ignore exceptions that were not made by
    itself. Applications that create faults on purpose will run normally this
    way ;).

PE/Raw loader options :

  * Force raw mode (DEFAULT OFF)
    This forces ProcDump to consider the input file of the REBUILD tool as a
    dump file. Use this only if ProcDump crashes when you try to supply a PE
    file.

  * Merge code section (DEFAULT OFF)
    The REBUILT file will have the whole image in a single section. Can be
    useful to analyze some PE loaders.
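The "Recompute object size" option above comes down to a section-table rewrite that can be checked by hand on any memory dump: a dump taken from a running process already has every section sitting at its RVA, so the packed on-disk raw sizes in the headers are stale. The Python script below is an added example written for this page, not ProcDump's own code. It constructs a small PE32 memory image (constructed test data: two sections whose headers still carry 0x200-byte packed raw sizes), rewrites each section's raw size and raw pointer from its virtual size and RVA, recomputes SizeOfImage, and patches AddressOfEntryPoint the way the PE editor does, refusing an RVA that lies in no section. Field offsets follow the PE/COFF specification; all function names and sample values are the example's own.

```python
# Added example for this page (not ProcDump code): fix the section table of a
# PE32 memory-image dump and patch its entry point. Offsets follow the PE/COFF
# specification; the sample image below is constructed test data.
import struct
from dataclasses import dataclass

SECTION_FMT = "<8sIIIIIIHHI"              # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
# PE32 optional-header field offsets, relative to the start of the optional header.
OPT_ENTRY, OPT_SECTALIGN, OPT_SIZEOFIMAGE = 16, 32, 56

@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def nt_header_offset(img):
    """File offset of the 'PE\\0\\0' signature, read from e_lfanew."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return nt

def optional_header_offset(img):
    return nt_header_offset(img) + 24       # 4-byte signature + 20-byte file header

def section_table_offset(img):
    nt = nt_header_offset(img)
    opt_size = struct.unpack_from("<H", img, nt + 20)[0]   # SizeOfOptionalHeader
    return nt + 24 + opt_size

def read_sections(img):
    count = struct.unpack_from("<H", img, nt_header_offset(img) + 6)[0]  # NumberOfSections
    base = section_table_offset(img)
    out = []
    for i in range(count):
        f = struct.unpack_from(SECTION_FMT, img, base + i * SECTION_SIZE)
        out.append(Section(f[0].rstrip(b"\0").decode("ascii", "replace"),
                           f[1], f[2], f[3], f[4], f[9]))
    return out

def write_section(img, index, sec):
    off = section_table_offset(img) + index * SECTION_SIZE
    struct.pack_into(SECTION_FMT, img, off, sec.name.encode("ascii").ljust(8, b"\0"),
                     sec.virtual_size, sec.virtual_address, sec.raw_size,
                     sec.raw_pointer, 0, 0, 0, 0, sec.characteristics)

def recompute_object_sizes(img):
    """'Recompute object size': in a memory-image dump every section already
    sits at its RVA, so its physical extent is its virtual one. Rewrites the
    section table and SizeOfImage in place; returns the new section list."""
    opt = optional_header_offset(img)
    sect_align, file_align = struct.unpack_from("<II", img, opt + OPT_SECTALIGN)
    sections = read_sections(img)
    for i, sec in enumerate(sections):
        sec.raw_size = align_up(sec.virtual_size, file_align)
        sec.raw_pointer = sec.virtual_address
        if sec.raw_pointer + sec.raw_size > len(img):
            raise ValueError(f"section {sec.name} extends past the end of the dump")
        write_section(img, i, sec)
    last = max(sections, key=lambda s: s.virtual_address)
    struct.pack_into("<I", img, opt + OPT_SIZEOFIMAGE,
                     align_up(last.virtual_address + last.virtual_size, sect_align))
    return sections

def get_entry_point(img):
    return struct.unpack_from("<I", img, optional_header_offset(img) + OPT_ENTRY)[0]

def get_size_of_image(img):
    return struct.unpack_from("<I", img, optional_header_offset(img) + OPT_SIZEOFIMAGE)[0]

def set_entry_point(img, rva):
    """PE-editor style edit: refuse an entry point that lies in no section."""
    if not any(s.virtual_address <= rva < s.virtual_address + s.virtual_size
               for s in read_sections(img)):
        raise ValueError(f"RVA {rva:#x} is outside every section")
    struct.pack_into("<I", img, optional_header_offset(img) + OPT_ENTRY, rva)

def build_sample_dump():
    """Constructed PE32 memory image: headers at 0, .text at RVA 0x1000, .stub
    at RVA 0x2000. The section headers still describe the packed file on disk
    (raw sizes of 0x200), which is what a raw process dump looks like."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                             # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = nt + 24
    struct.pack_into("<H", img, opt, 0x10B)                             # PE32 magic
    struct.pack_into("<I", img, opt + OPT_ENTRY, 0x2000)                # entry in the packer stub
    struct.pack_into("<I", img, opt + 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", img, opt + OPT_SECTALIGN, 0x1000, 0x200)    # Section/FileAlignment
    struct.pack_into("<II", img, opt + OPT_SIZEOFIMAGE, 0x3000, 0x400)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)                           # NumberOfRvaAndSizes
    sec = opt + 0xE0
    struct.pack_into(SECTION_FMT, img, sec, b".text", 0x1000, 0x1000, 0x200, 0x400,
                     0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_FMT, img, sec + 40, b".stub", 0x800, 0x2000, 0x200, 0x600,
                     0, 0, 0, 0, 0xE0000040)
    return img

if __name__ == "__main__":
    dump = build_sample_dump()
    for s in recompute_object_sizes(dump):
        print(f"{s.name:<8} VA={s.virtual_address:#07x} raw={s.raw_pointer:#07x}+{s.raw_size:#x}")
    set_entry_point(dump, 0x1000)   # point at the unpacked code once the tracer has found it
    print(f"entry point {get_entry_point(dump):#x}, SizeOfImage {get_size_of_image(dump):#x}")
```

After the rewrite, .text is described as 0x1000 bytes at file offset 0x1000 and .stub as 0x800 bytes at 0x2000, i.e. the dump can be written out as-is and loaded; the length check is the one thing a practitioner should never skip, since a truncated dump with headers claiming more data than the file holds is exactly what the loader rejects. Unselecting this option, as the text advises for a cryptor, corresponds to leaving the raw sizes alone because the section layout on disk already matches the image.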
ProcDump Integrated Process monitor/dumper :
--------------------------------------------
The monitor shows you, in two arrays, the tasks currently running on your
system. When you select a task, the module list attached to this task is
shown in the 2nd array. The arrays have contextual menus.

  * Full Dumper
    The task or module is saved to disk under the given name. The dumped file
    is reorganized and fixed.
      1) Just select a task or a module in the arrays.
      2) Right-click.
      3) Select "Dump (Full)".
      4) Select the name of the dump.

  * Partial dumper
    The task or module is saved to disk in RAW format : NO fixups are applied.
      1) Just select a task or a module in the arrays.
      2) Right-click.
      3) Select "Dump (Partial)".
      4) Choose the range you wish to dump by editing the Start & Length
         fields.
      5) Select the name of the dump.

    Warning !! I do not recommend that you dump :
      * The ProcDump process itself (imports trashed anyway).
      * The Kernel32.dll process (Access Violation, System Kill).
      * Any other system process (Access Violation).
    It may result in some obvious crash... You were warned.

  * Kill task
    Allows you to remove a task from your system.
      1) Just select the task you wish to kill.
      2) Hit OK if you are sure.
    WARNING !! Killing KERNEL32.DLL or another system component is equal to a
    system CRASH !!

  * Refresh list
    This option refreshes the task & module lists.

ProcDump integrated PE editor :
-------------------------------
The PE editor allows you to edit an existing PE file and to modify :

  * Entrypoint.
  * Image size.
  * Image base.
  * PE directory RVA & Size.
  * PE section information.
  * Save a section to disk.
  * Load a section from disk.

You need to supply the file to edit.

  * To change the Entry point, Image Base or Image Size
    Just edit the appropriate field(s) and hit OK. Changes can be applied to
    the PE HEADER only, or can be used to rebuild a new PE file according to
    the PE info (e.g. if you removed a section, it will be wiped from the new
    PE ;).

  * To edit Directory info
      1) Click on the Directory button.
      2) Edit the fields you need.
      3) Hit OK.

  * To alter section information
      1) Click on the Section button.
      2) Select a given section.
      3) Right-click.
      4) Select the appropriate action (EDIT or KILL).
      5) Hit OK.

  Warning !! There is no backup made. All modifications apply as soon as you
  hit OK on the PE header editor dialog box, AND NOT on the sub-dialog !!

ProcDump PE/RAW external dump autofix :
---------------------------------------
This allows you to fix an external dump or to optimize a given PE file.
Changes are made according to the OPTIONS [rebuilder & Loader]. You just need
to browse to your target ;).

ProcDump PE unpacker/decryptor :
--------------------------------
  +-----------------------------------------------------------+
  | Preliminary step : Configure OPTIONS (see section above). |
  +-----------------------------------------------------------+

This module allows you to TRY to unpack/decrypt a PE file.

  [READ THIS FIRST]
  Preliminary thing you need to know : due to a weird reason (thanx to M$),
  rebuilding a valid PE file requires that the file is not launched under the
  control of ProcDump32 itself. As a direct consequence, ProcDump32 can't
  guess whether your target is initialized and running :(. That's why we have
  to predump after user confirmation or after a given delay. The goal of the
  predump is to grab a usable Import section. So, if you wish to use an
  external predump, that means that you fixed the import table yourself, or
  by using an existing import table, or by any other means, BUT it must have
  a valid Import Table.

  I.e. you can give the file you wish to unpack as the external predump if
  you are sure that the import section is the same (generally OK for
  cryptors).

Method to unpack/decrypt (AutoPredump) :
  1) Click the Unpack button.
  2) Choose the unpacker method : if you don't know the protector's name,
     choose *unknown*....
     but please notice that the processing WILL BE SLOW !!
  3) Select the target.
  4) Wait for the ProcDump request & look at the nifty output ;).
  5) Select a name for the unpacked PE file.
  6) The file is unpacked.... you should try it & pray ;)

Please note that you can cancel tracing at any moment.

I do not recommend that you :
  * Enable SoftICE/NTICE i3here. The unpacker would miss all breakpoints !!!!
  * Run SoftICE with a few nifty protectors that may detect it.

I noticed that unpacking under NT is not that easy because of some system
hooks on a few functions. I didn't check whether it was due to NTICE or
whether it's NT itself that hooks those APIs. However, if you run both
systems and unpacking is not working under NT, try under 9x.

ProcDump actual limitations :
-----------------------------
* What ProcDump can't do (yet ?) :
  * Restore a working DATA section in dump mode.
  * Restore the REAL eip in dump mode.
  * Restore packed relocs (several converters have to be coded).
  * Unpack a DLL (it's possible but... I need time ;)).
  * Dump a 16-bit process (DOS or WIN 16-bit applications => size 0 in the
    array).
      -> for DOS apps, use SoftICE, cup386, TR or GTR.
      -> win16 apps.... who cares about those ? ;)

To be done :
------------
  * Hide debugger from host (in progress)
  * Stronger tracer (in progress)
  * Protector/packer detector for auto unpacking (project)
  * Reloc table scanner & rebuilder (project)
  * Module unpacker (project)
  * Implement an API breakpoint system (project)

These points are in development... Any help would be appreciated, especially
if you can code :
  * A reloc detector/rebuilder - I'll even take ideas ;).

Credits :
---------
Project Coordinator : G-RoM

Ideas :
  Tracer engine (orig) : Stone
  Tracer enhancement   : G-RoM
  Tracer Ring 0        : Stone
  Rebuilder            : G-RoM
  Low level fighter    : Stone :)
  Interface design     : Riz La+

Coding :
  Shiva engine         : G-RoM
  Shiva engine ][      : Stone (We hope to achieve it one day ;).
  CodeShot engine      : G-RoM
  Phoenix engine       : G-RoM
  Interface lame code  : G-RoM (Hopefully, Riz La+ is finishing the elite one).

Various :
  Artworks             : ZeCreator & Riz La+
  This lame dox        : G-RoM

How to Contact :
  G-RoM     : G-RoM@innocent.com
  Stone     : Stone@miramax.cbs.dk
  Riz La+   : GOD@WINDOWS.GUI.ASM32.ELITE.CODER.COM
  ZeCreator : GOD@GRAPHICS.DESIGNER.COM

Please note that we don't mail ProcDump32. We can "eventually" answer
unpacking problems. I say eventually because I already got mails from people
who didn't read the dox at all and asked stupid questions.

I (G-RoM) won't explain how I designed the ProcDump32 engine either. Don't ask
for the source code either : even if you saw Stone in the coding team, that
doesn't mean all his advanced work is for the PUBLIC. Moreover, MY CODE is
not !! We spent too much time on it to make it public ;).

Regardless of this, I can answer technical problems you may encounter with PE
format handling, unpacking/protecting. But I suggest you analyze the PE format
DOX fucking well before mailing us about such things. Unless you are ready to
pay for my technical assistance, in which case any stupid question can be
asked ;). [I doubt a company will contact me... but who knows].

  => if (question == TOO_STUPID)  | if (question = TOO_STUPID) | cmp question, TOO_STUPID
     {                            | then begin                 | jnz reply
       NO_ANSWER();               |   NO_ANSWER;               | call NO_ANSWER
       MOVE_TO_RECYCLE_BIN();     |   MOVE_TO_RECYCLE_BIN;     | call MOVE_TO_RECYCLE_BIN
     }                            | end;                       | call exitprocess, 0
                                  |                            | reply :

Greetings from G-RoM (packed version ;) :
-----------------------------------------
Random  : Finally released... hehe. And still ProcDump proof. Less than in the
          past, but I can't unpack it automatically. Maybe in 1 year ? ;)
          Anyhow, I was happy that my debugging helped ya. Good luck under
          Linux.
Acpizer : Continue your work on the Win console and start working on Ring 0
          hardware breakpoints ;). It will kick ass when it's done.
Marquis : PELockNT looks more accurate than BJFnt for sure... But there are
          still some big holes.
          Try to think about the things I told you ;).
Jammer  : You were the precursor... Thanx for your support ;)
J0B     : Your new deshrink rulez !! Major size change hehe. But more
          powerful too ;)
Killa   : Nice GUI.... Never forget that NT has weird things & reactions ;).
          I may ask you one day how to do tooltips... if I can't find out ;).
Hendrix : I would like to know, like you, how to do a VXD tracer ;) I hope I
          will one day ;).
Iceman  : Good luck with your PECRYPTOR.... You will need much ;).
LordByte: I will think about autodetectors soon; someone else suggested this
          too ;). But again, never forget ProcDump32 is not dedicated to
          beginners : it was in fact designed as a tool for ME !!
MrNop   : Okay, I rewrote the docs to explain a few things to beginners. But
          I still think this is useless since ProcDump is not dedicated at all
          to common people. At least your GUI remarks & bug reports were
          cool... thanx !!! BTW : No, I don't code 20h a day.. hehe.
Riz La+ : Interfaces in ASM32 rule like da hell !!! Your skill in this domain
          is fucking awesome... I may think about CatchNewTCB ;).
Ryder   : I hope it helped you quite a lot ;). If you find another cryptor,
          tell me.
Devil   : Humm.. Seems that your PMODE/W skills are still intact, unlike
          mine. I hope ProcDump32 suits your needs too ;).
Bunter  : Thanx for showing me this new cryptor.. Find me more ;). Thanx too
          for showing me that my script building explanation was not explicit
          enough, even if it was indirect.
The Owl : Well, I like your Dumper a lot ! Please contact NuMega so that they
          include it by default ;).
Liu TaoTao : TRW rulez !!! Very good debugger !
Lorian  : Good luck with the NT kernel driver !!
Icepic  : Good luck to you and your team... Kick Sony's ASS ;).
BeoWulf : Welcome to the PE researcher family ;).
Miramax : Your trainers rulezzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz (fuck !! still
          this virus ;).
Protector Coders : I suggest that you really think about something nice &
          compatible. Never forget that we are under an unstable OS ;).
          Never forget too that if your code runs, it can be
          defeated/unpacked/decrypted. So I suggest you really think of the
          other side too... how would you unpack/decrypt it ;).
BetaTeam: Thanx for all the bug reports guys ! Without your tests, ProcDump32
          would not be as efficient as it is.

hiho to : #cracking, #bs2000, #ucf2000, #real, other groups I am in, groups I
          was in, NuMega Technologies (SoftICE owns !!), guys & girls I may
          know somewhere in the world ;).