A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #5882  by R00tKit
 Sun Apr 10, 2011 8:51 am
Hi,

I will write a dumper to dump process memory, only the process's own memory and its DLLs (not the well-known Windows DLLs), to a file.

Can I write the dumper in kernel mode? Is it better to write it in user mode or kernel mode?
Can a user-mode dumper dump all processes (the "access is denied" problem :) )?

What is the best method for differentiating a process's private DLLs from the well-known Windows DLLs? By name, signature, path, ...?

Some articles and explanation please.

Many thanks.
 #5884  by EP_X0FF
 Sun Apr 10, 2011 10:17 am
Hello.
geek1982 wrote:can write dumper in kernel mode? it's better to write in user mode or kernel mode ?
Yes you can, yes it's better.
user mode dumper can dump all process ( access is denied problem:) ) ?
No, it cannot dump Vista/7 protected processes or any security software that has NtOpenProcess self-protection. I assume a simple dumper here.
what is best method for Differentiation process private dll and windows well known Dll ? with name or signature or path ,.....
There is no 100% way. User-mode information can all be faked.
 #5885  by R00tKit
 Sun Apr 10, 2011 10:28 am
Many thanks.
Yes you can
How? What should I search for on Google? My searches have no results!
No, it can not dump Vista/7 protected processes or any security soft that has NtOpenProcess self-protection
If any security software hooks NtOpenProcess in the kernel, my driver can't dump the process, just like user mode, because my driver uses the SSDT in general! So what is the difference between user mode and kernel mode for this problem?
 #5887  by GamingMasteR
 Sun Apr 10, 2011 12:19 pm
if any security soft hook NtOpenProcess in kernel my driver cant dump process like user mode! because my driver use SSDT in general ! so what differ user mode and kernel mode in this problem?
You should not use ZwXxx/NtXxx at all if you want to avoid SSDT patch/inline hooks ...

I'll quote my post from another forum:
To read memory from another process:

1- ExAcquireRundownProtection on the target process to avoid termination while reading its VM.
2- Attach the current thread to the context of the target process using "KeStackAttachProcess"; now you can access the target process VM from the current thread.
3- Divide the memory to read into pieces of length PAGE_SIZE and check whether each is resident; use "ProbeForRead" wrapped in __try/__except.
4- RtlCopyMemory from the process VM into a system buffer.
5- KeUnstackDetachProcess.
6- RtlCopyMemory from the system buffer to our process buffer and free the system buffer.
7- ExReleaseRundownProtection.
Add your own protection and assertion macros, like checking for valid addresses, parameters, access violations, etc.


This should work on any NT version, but note that some structure members' offsets can change from one version to another, like EPROCESS.RundownProtect, which is used by ExAcquireRundownProtection/ExReleaseRundownProtection.

If you are running on build 6000+ (Vista and later) this can be done in an easier way.

NtReadVirtualMemory/NtWriteVirtualMemory use an undocumented and unexported function called MmCopyVirtualMemory:
NTSTATUS
MmCopyVirtualMemory(
        IN PEPROCESS FromProcess,
        IN PVOID FromAddress,
        IN PEPROCESS ToProcess,
        OUT PVOID ToAddress,
        IN ULONG BufferSize,
        IN KPROCESSOR_MODE PreviousMode,
        OUT PULONG NumberOfBytesCopied
        );
This function is fortunately exported on Vista and later versions.
Some game protection schemes also hook KeStackAttachProcess :D
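The page-by-page copy loop of steps 3 and 4 above, as an added example that is not part of GamingMasteR's post. It is portable C that compiles in user mode, so the residency check is a caller-supplied probe callback standing in for the driver's ProbeForRead inside __try/__except (executed while attached to the target with KeStackAttachProcess), and the destination is the system buffer of step 4; steps 1, 2, 5, 6 and 7 wrap this loop in a real driver. The buffer contents, the "paged-out" hole in page 1 and the helper names (copy_by_page, demo_probe, demo_dump) are constructed for the demonstration and are assumptions, not names from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DUMP_PAGE_SIZE 4096u            /* PAGE_SIZE on x86/x64 Windows */

/*
 * Residency check for one piece that never crosses a page boundary.
 * Stand-in (assumption) for ProbeForRead inside __try/__except in a driver,
 * run while attached to the target with KeStackAttachProcess.
 * Returns nonzero if the piece may be read.
 */
typedef int (*page_probe_fn)(const void *piece, size_t len, void *ctx);

/*
 * Steps 3 and 4: walk [src, src + len) in pieces that end on a page
 * boundary, probe each piece, and copy it into the system buffer dst.
 * A piece whose probe fails is zero-filled in dst instead of aborting the
 * whole dump, so offsets in the dump still equal offsets in memory.
 * Returns the number of bytes really copied; *skipped receives the
 * number of bytes that were zero-filled.
 */
size_t copy_by_page(const uint8_t *src, size_t len, uint8_t *dst,
                    page_probe_fn probe, void *ctx, size_t *skipped)
{
    size_t done = 0, copied = 0, skip = 0;

    while (done < len) {
        uintptr_t addr = (uintptr_t)(src + done);
        /* bytes left in the current page: handles an unaligned start address */
        size_t room = DUMP_PAGE_SIZE - (size_t)(addr & (DUMP_PAGE_SIZE - 1));
        size_t piece = (len - done < room) ? len - done : room;

        if (probe(src + done, piece, ctx)) {
            memcpy(dst + done, src + done, piece);   /* RtlCopyMemory in the driver */
            copied += piece;
        } else {
            memset(dst + done, 0, piece);            /* keep the layout, mark as absent */
            skip += piece;
        }
        done += piece;
    }
    if (skipped)
        *skipped = skip;
    return copied;
}

/* Constructed "non-resident" range [lo, hi) consulted by the demo probe. */
struct hole { const uint8_t *lo, *hi; };

static int demo_probe(const void *piece, size_t len, void *ctx)
{
    const struct hole *h = (const struct hole *)ctx;
    const uint8_t *p = (const uint8_t *)piece;
    /* unreadable if any byte of the piece lies inside the hole */
    return !(p < h->hi && p + len > h->lo);
}

/*
 * Demo: a region starting 100 bytes into page 0 and ending 500 bytes into
 * page 2, with page 1 "paged out". Returns the bytes copied, or 0 if the
 * resulting buffer does not have the expected contents.
 */
size_t demo_dump(void)
{
    enum { PAGES = 4 };
    static uint8_t raw[(PAGES + 1) * DUMP_PAGE_SIZE];
    static uint8_t out[PAGES * DUMP_PAGE_SIZE];

    /* round the static buffer up to a page boundary, like real VM */
    uint8_t *base = (uint8_t *)(((uintptr_t)raw + DUMP_PAGE_SIZE - 1)
                                & ~(uintptr_t)(DUMP_PAGE_SIZE - 1));
    for (size_t i = 0; i < PAGES * DUMP_PAGE_SIZE; i++)
        base[i] = (uint8_t)(i & 0xff);               /* constructed contents */

    const uint8_t *start = base + 100;
    size_t len = 2 * DUMP_PAGE_SIZE + 500;           /* spans pages 0, 1 and 2 */
    struct hole h = { base + DUMP_PAGE_SIZE, base + 2 * DUMP_PAGE_SIZE };
    size_t skipped = 0;

    size_t copied = copy_by_page(start, len, out, demo_probe, &h, &skipped);

    /* verify: pages 0 and 2 copied verbatim, page 1 zero-filled */
    for (size_t i = 0; i < len; i++) {
        const uint8_t *p = start + i;
        uint8_t want = (p >= h.lo && p < h.hi) ? 0 : *p;
        if (out[i] != want)
            return 0;
    }
    if (skipped != DUMP_PAGE_SIZE)
        return 0;
    return copied;                                   /* 3996 + 600 = 4596 */
}

int main(void)
{
    printf("copied %zu bytes\n", demo_dump());
    return 0;
}
```

In a driver the probe and the copy belong inside the same __try block, because the access violation can be raised by RtlCopyMemory itself and not only by the probe; the callback split here is only so the loop can be exercised outside the kernel.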
 #5888  by R00tKit
 Sun Apr 10, 2011 12:26 pm
You should not use ZwXxx/NtXxx at all if you want to avoid SSDT pach/inline hooks ...
So what function should I use? And how? Please.


Thanks, yes, I read it in Sysinternals.
 #5889  by EP_X0FF
 Sun Apr 10, 2011 1:46 pm
What do you want to do?
 #5891  by R00tKit
 Sun Apr 10, 2011 2:53 pm
What do you want to do?
Use NtXxx functions without the hooked SSDT problem.

I think I should use the NtXxx function address directly.
 #5892  by Alex
 Sun Apr 10, 2011 3:31 pm
Here is j00ru's TraceHook v0.0.1, which tries to dump a whole process's user-mode address space.
i think should use NtXxx function address directly
You can't be sure that NtXxx functions are safe before using them; as with any other significant function like KeStackAttachProcess (which is a good example), you should check their code and unhook them if needed.
 #5893  by GamingMasteR
 Sun Apr 10, 2011 3:55 pm
EP_X0FF wrote:What do you want to do?
Good question :)
Because you may spend a lot of time typing hundreds of lines of code while only 10 lines may be perfect for *your situation* ...
 #5894  by R00tKit
 Sun Apr 10, 2011 4:27 pm
Because you may spend alot of time typing hundreds lines of code while only 10 lines may be perfect for *your situation* ...
Sorry, I assumed that if I fully explained our problem we could reach a better solution.

Fortunately, every answer creates some new problem, and I search and learn more.