
Friday, March 23, 2012

Anti-Dumping - Part 2

In this post I am shedding some light on something I recently found that turns out to be an effective anti-dumping trick. It should work against most memory dumpers out there, but it has been tested only against OllyDump, LordPE, and VSD. So, let's go.

If we have an executable with the "SectionAlignment" field set to a value greater than 0x1000, e.g. 0x10000, and the "FileAlignment" field set to a value less than the "SectionAlignment", the OS commits only 0x1000 bytes for the PE header (provided that is compatible with the "SizeOfHeaders" field) and the remaining 0xF000 bytes are left reserved (MEM_RESERVE). The same applies to the sections that follow. Given this, any call to "ReadProcessMemory" with the "nSize" parameter set to the size of the image will definitely fail, and that is exactly what most dumpers do.
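To make the layout above concrete, here is an added example (my own, not the post's demo) that parses the two alignment fields from a constructed PE32 header, models which pages the post says end up committed versus reserved, and contrasts a whole-image read with a page-by-page read against a simulated ReadProcessMemory. The "used bytes = SizeOfHeaders / SizeOfRawData" rule in layout() is my reading of the post, and the 0x1000 granularity is assumed, as the post notes.

```python
import struct

PAGE = 0x1000  # page/commit granularity assumed here; the post says to confirm it with GetSystemInfo

def parse_pe(data):
    """Parse the fields this trick depends on from a PE32 header blob."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[pe:pe + 4] == b"PE\0\0"
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    secs = [struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    return sec_align, file_align, size_of_headers, size_of_image, secs

def is_antidump_layout(sec_align, file_align):
    """The condition the post describes: SectionAlignment above the page size, FileAlignment below it."""
    return sec_align > PAGE and file_align < sec_align

def layout(sec_align, size_of_headers, secs):
    """Model of the post's observation (assumption: used bytes = SizeOfHeaders / SizeOfRawData): only the
    pages a region actually uses are committed; the rest of its SectionAlignment slot is MEM_RESERVE."""
    def ceil(x, m): return -(-x // m) * m
    used = [(0, size_of_headers)] + [(va, raw) for _, _, va, raw in secs]
    return [(rva, ceil(u, PAGE), ceil(u, sec_align) - ceil(u, PAGE)) for rva, u in used]

def simulated_rpm(regions, base, addr, size):
    """Constructed stand-in for ReadProcessMemory: fails if any touched page is not committed."""
    committed = {base + rva + p for rva, c, _ in regions for p in range(0, c, PAGE)}
    return all(p in committed for p in range(addr & ~(PAGE - 1), addr + size, PAGE))

def dump(regions, base, size_of_image):
    """Whole-image read (what the post says most dumpers do) vs. page-by-page read."""
    whole = simulated_rpm(regions, base, base, size_of_image)
    pages = sum(simulated_rpm(regions, base, base + p, PAGE) for p in range(0, size_of_image, PAGE))
    return whole, pages

def build_sample(sec_align=0x10000, file_align=0x200):
    """Constructed minimal PE32 header using the post's alignment values; not a real binary."""
    secs = [(b".text", 0x10000, 0x800), (b".data", 0x20000, 0x400)]  # name, VA, SizeOfRawData
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 32, sec_align, file_align)
    struct.pack_into("<II", opt, 56, 0x30000, 0x400)  # SizeOfImage, SizeOfHeaders
    hdr = bytearray(0x40); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102) + opt
    for name, va, raw in secs:
        hdr += struct.pack("<8sIIIIIIHHI", name, raw, va, raw, 0, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr)
```

With the sample, the whole-image read fails while only 3 of the 48 pages in SizeOfImage are readable, which is why a dumper that walks committed regions (VirtualQueryEx) or reads page by page survives this trick.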

We construct the executable like this.



And this is how it looks in memory.
In the image above, you can see a reserved memory block after each section. Any attempt to read from this block will fail.

Now let's see how memory dumpers handle this executable.


In this post I am assuming that the granularity of page protection and commitment on your system is 0x1000. You can find this value on your system by calling the "GetSystemInfo" function.

Here you can find a demo to play with.

Material in this post has been tested on Windows 7, Wow64 and XP SP3.

Update:
LordPE has the IntelliDump mode to handle such a case. Thanks deroko for pointing this out.

You can follow me on Twitter @waleedassar