

	ProcDump version 1.6 (C) G-RoM, Lorian & Stone in 1998, 1999

    If you expect to print this dox, I suggest you use TERMINAL font with a
                                  height of 9.





				   Summary


	License agreement
	Purpose
	Disclaimer
	Requirements
	ProcDump Configuration
	ProcDump Integrated Process monitor/dumper
	ProcDump integrated PE editor
	ProcDump PE/RAW external dump autofix
	ProcDump unpacker/decryptor
	ProcDump Bhrama server
	Limitations
	Credits
	Greetings



License agreement:


ProcDump32 is (C) G-RoM, Lorian & Stone 1998,1999.
Plugins are copyrighted by their authors.

You are allowed to use it freely for personal use. Commercial use REQUIRES
that you first contact us to gain a license. Warez releasing use implies
that YOU MUST state clearly that you used ProcDump32 & its plugins. It is
too easy to use it and then claim that you did it by hand. If you disagree
with this... delete ProcDump32 and design your own code. Please notice that
abusing this license may result in public distribution being LIMITED OR
EVEN STOPPED. We don't think credits are too much to ask.

Contact information :

  G-RoM               : g-rom@innocent.com
  Lorian              : lorian@gmx.net
  Stone               : stone@miramax.cbs.dk


Purpose :


  ProcDump is a brand new type of tool that allows u to dump and unpack
 some protected PE files without any need for a debugger.

 What ProcDump can do :

  Dump any 32-bit running process/module by using the CodeShot engine.
  Phoenix engine can restore the Import table & PE header.
  Phoenix engine can reoptimize a PE file or a dump made with CodeShot.
  Shiva engine can start & unpack a given PE file (at least it tries !!).
   With the help of the script language, u can unpack well-known packers
   in a few secs and teach ProcDump how to unpack the others.
  Alter a given file's PE header, kill some objects physically.
  Bhrama server can wait for a client to send a PID to dump : the client
   tells ProcDump when it is the right moment to dump ;).

Disclaimer :


  We, the authors, are *NOT* responsible for any damage caused by the use of
 ProcDump. It was tested with success under Windows 95, 98 and NT 4 & 5.0.

 CAUTION :

 PROCDUMP32 is a tool meant to help people who want to unpack/decrypt PE
 files. PLEASE NOTICE THAT IT IS NOT REALLY INTENDED FOR REAL BEGINNERS. If
 you are such a person, I recommend that you read CAREFULLY the whole
 DOCUMENTATION, and use ONLY the DUMPER & UNPACKER with default OPTIONS.


Requirements :


 This program works fine under :

  Windows 95
  Windows 98
  Windows NT 5.0 <buggy so far>
  Windows NT 4.0 with restrictions.

 A good brain and some knowledge about the PE format and PE layer are
 required if you expect to exploit ProcDump at its full power.

ProcDump Configuration :


 Rebuilder options :

  Recompute object size (DEFAULT ON)

   This option tells ProcDump to use the Virtual Size of each section as its
   physical size. This is necessary for a PACKED PE, because the unpacked
   size of a section is bigger than the packed one. You can unselect this
   option if you are planning to work against a cryptor.

  Optimize PE structure (DEFAULT ON)

   This option optimizes the PE structure according to the object table, in
   order to reduce the size of the written PE file. If you unselect this
   option, the PE file will take more space on disk.

  Check Header Sections (DEFAULT OFF)

   This option checks if the PE header contains a non paged area. If it finds
   one, the problem is corrected.

  Rebuild header (DEFAULT OFF)

   This option forces PE header section reconstruction. This is useful if the
   protector clears parts of the PE header.

  Import rebuilder method :

   * No rebuild

     Doesn't try at all to locate the import section; leaves the related
     import information untouched.

   * Use import informations (DEFAULT)

     Reads the actual import information and uses it to recreate a valid
     import table.

   * Rebuild import table.

     Detects the import table using heuristic criteria and fixes up the
     import table if found.

   * Full Import rebuild.

     Detects the import table, generates a new import section, generates
     import function names & ordinals. There is a BIG chance that the
     generated PE runs perfectly ;). In order to be 100% perfect, RUN
     PROCDUMP32 FROM THE TARGET DIRECTORY in this specific mode.
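
 As an added illustration of what "Recompute object size" and "Optimize PE
 structure" do to a dump (example code written for this dox, not part of
 ProcDump), here is a small Python rebuilder: it takes a constructed memory
 dump of a packed PE32 whose .text section claims 0x200 raw bytes on disk but
 holds 0x1800 unpacked bytes, makes each section's raw size its VirtualSize,
 packs the sections back to back at FileAlignment and refreshes SizeOfImage
 the way "Rebuild header" would. All offsets, names and the sample image are
 constructed for the example; the helper names are hypothetical.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"                  # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)

def align(value, boundary):
    return (value + boundary - 1) // boundary * boundary

def pe_layout(image):
    """Return (opt_off, sect_off, file_align, sect_align, nsec) of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt_off = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    sect_align, file_align = struct.unpack_from("<II", image, opt_off + 32)
    return opt_off, opt_off + opt_size, file_align, sect_align, nsec

def describe(pe):
    """Return (SizeOfImage, [(Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)])."""
    opt_off, sect_off, _, _, nsec = pe_layout(pe)
    secs = [struct.unpack_from(SECTION_FMT, pe, sect_off + i * SECTION_SIZE)[:5] for i in range(nsec)]
    return struct.unpack_from("<I", pe, opt_off + 56)[0], secs

def rebuild_dump(dump):
    """Apply 'Recompute object size' + 'Optimize PE structure' to a memory-layout dump."""
    opt_off, sect_off, file_align, sect_align, nsec = pe_layout(dump)
    hdr_len = align(sect_off + nsec * SECTION_SIZE, file_align)
    out, raw_ptr, image_end = bytearray(dump[:hdr_len]), hdr_len, 0
    for i in range(nsec):
        off = sect_off + i * SECTION_SIZE
        fields = list(struct.unpack_from(SECTION_FMT, dump, off))
        vsize, va = fields[1], fields[2]
        raw_size = align(vsize, file_align)          # VirtualSize becomes the physical size
        fields[3], fields[4] = raw_size, raw_ptr     # SizeOfRawData, PointerToRawData (packed tight)
        struct.pack_into(SECTION_FMT, out, off, *fields)
        out += dump[va:va + vsize].ljust(raw_size, b"\0")   # section bytes as they sat in memory
        raw_ptr += raw_size
        image_end = max(image_end, align(va + vsize, sect_align))
    struct.pack_into("<II", out, opt_off + 56, image_end, hdr_len)   # SizeOfImage, SizeOfHeaders
    return bytes(out)

def make_sample_dump():
    """Constructed dump of a tiny packed PE32 as mapped in memory (.text: 0x200 raw, 0x1800 unpacked)."""
    sections = [(b".text", 0x1800, 0x1000, 0x200, 0x60000020),   # name, vsize, va, raw, flags
                (b".data", 0x03A0, 0x3000, 0x200, 0xC0000040)]
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic = PE32
    struct.pack_into("<IIII", opt, 16, 0x1000, 0x1000, 0x3000, 0x400000)  # EP, code, data, ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0, 0x200)                   # SizeOfImage zeroed by "protector", SizeOfHeaders
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0")
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x10F) + opt
    for i, (name, vsize, va, raw, flags) in enumerate(sections):
        hdr += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, raw, 0x200 * (i + 1), 0, 0, 0, 0, flags)
    image = bytearray(0x4000)                                    # 0x4000 = real in-memory image size
    image[:len(hdr)] = hdr
    for i, (_, vsize, va, _, _) in enumerate(sections):
        image[va:va + vsize] = bytes([0x90 + i]) * vsize         # constructed section contents
    return bytes(image)
```

 The rebuilt file is 0x1E00 bytes instead of the 0x4000-byte image, and every
 section's SizeOfRawData now covers what was really unpacked into it.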

 Unpacker options :

  Predump method :

   * Use external predump

     You will need to supply a PE/DUMP file with a valid import table. The
     import infos will be stamped into the generated PE.

   * Predump (DEFAULT with delay 0)

     ProcDump will do the predump itself to gain the valid import table.
     There are 2 methods :

      1) After user input (delay 0).
      2) After a given delay (delay >0, in HEX).

  EIP confirmation (DEFAULT OFF)

   When ProcDump has reached the original CODE, it can prompt you to confirm
   whether u think it is good or not.

  Layer confirmation (DEFAULT OFF)

   When u have validated the EntryPoint, u can also say that there was more
   than one protection layer. Generally, u may leave this option unchecked.

  Ignore Faults (DEFAULT OFF)

   When a breakpoint/fault occurs, ProcDump32 normally handles the exception
   (a breakpoint most of the time, because some protectors relocate their
   code). But sometimes this is a source of problems: some applications
   indeed raise faults on purpose to do some special work. With this option
   set, ProcDump32 will simply ignore exceptions that were not raised by
   itself. Applications that raise faults on purpose will run normally this
   way ;).

  Trace API (DEFAULT OFF)

   Activates the trace in Ring 0 mode.

 PE/Raw loader options :

  Force raw mode (DEFAULT OFF)

   This forces ProcDump to consider the input file of the REBUILD tool as a
   dump file. Use this only if ProcDump crashes when u try to supply a PE
   file.

  Merge code section (DEFAULT OFF)

   The REBUILT file will have the whole image in a single section. Can be
   useful to analyze some PE loaders.

ProcDump Integrated Process monitor/dumper :


 The monitor shows you, in two arrays, the tasks currently running on your
 system. When you select a task, the module list attached to this task is
 shown in the 2nd array. The arrays have contextual menus.

  Full Dumper

 The task or module is saved to disk under the name you choose. The dumped
 file is reorganized and fixed.

 1) Just select a task or a module in the arrays.
 2) Click right.
 3) Select "Dump (Full)".
 4) Select the name of the dump.

  Partial dumper

 The task or module is saved to disk in RAW format : NO fixups are applied.

 1) Just select a task or a module in the arrays.
 2) Click right.
 3) Select "Dump (Partial)".
 4) Choose the range you wish to dump by editing Start & Length fields.
 5) Select the name of the dump.

 Warning !! I do not recommend that u dump :

   ProcDump process itself  (import trashed anyway).
   Kernel32.dll process     (Access Violation, System Kill).
   And other system process (Access Violation).

 It may result in some obvious crash... U were warned.

  Kill task

 Allows you to remove a task from your system.

 1) Just select the task you wish to kill.
 2) Hit OK if you are sure.

 WARNING !! Killing KERNEL32.DLL or another system component is equal to
 system CRASH !!

  Process Informations

 Will show you the PE information related to the selected process, such as :

   Entrypoint.
   Image size.
   Image base.
   PE directory RVA & Size.
   PE section information.

 You can save a section to disk too.

  Refresh list

 This option refreshes the task & module lists.

ProcDump integrated PE editor :


 The PE editor allows you to edit an existing PE file and to modify :

  Entrypoint.
  Image size.
  Image base.
  PE directory RVA & Size.
  PE section information.
  Save a section to disk.
  Load a section from disk.

 You need to supply the file to edit.

  To change Entry point, Image Base, Image Size

 Just edit the appropriate field(s) and hit OK.

 Changes can be applied to the PE HEADER only, or can be used to rebuild a
 new PE file according to the PE infos (ex : if you removed a section, it
 will be wiped in the new PE ;).

  To Edit Directory infos

 1) Click on the Directory button.
 2) Edit the fields you need.
 3) Hit OK.

  To alter section informations

 1) Click on the Section button.
 2) Select a given section.
 3) Click right.
 4) Select the appropriate action (EDIT or KILL).
 5) Hit OK.

 Warning !! There is no backup made. All modifications apply as soon as you
 hit OK in the PE header editor dialog box, AND NOT in the sub dialog !!

ProcDump PE/RAW external dump autofix :


 This allows you to fix an external dump or to optimize a given PE file.
 Changes are made according to the OPTIONS [rebuilder & loader].

 You just need to browse to your target ;).

ProcDump PE unpacker/decryptor :


 This module allows you to TRY to unpack/decrypt a PE file.

 READ THIS FIRST :

 Preliminary thing you need to know : due to a weird reason (thanx to M$),
 the rebuild of a valid PE file requires that the file is not launched under
 the control of ProcDump32 itself. As a direct consequence, ProcDump32 can't
 guess if your target is initialized and running :(. That's why we have to
 predump using user confirmation or after a given delay. The goal of the
 predump is to grab a usable Import section. So, if u wish to use an external
 predump, that means that u fixed the import table by yourself or by using an
 existing import table, or any other thing BUT with a valid Import Table.

 IE: You can say the external predump is the file you wish to unpack if you
     are sure that the import section is the same (generally OK for cryptors).


 Method to unpack/decrypt (AutoPredump):

 1) Click the Unpack button.
 2) Choose the unpacker method : if you don't know the protector name, choose
    *unknown*.... but please notice that the processing WILL BE SLOW !!

    Options :

    IF you check the User Conf. box, options will be taken from your current
    settings and no longer auto-adjusted to the specific packer/protector you
    chose.

 3) Select the target.
 4) Wait for the ProcDump request & look at the nifty output ;).
 5) Select a name for the unpacked PE file.
 6) The file is unpacked .... u should try & pray ;)

 Please note that you can cancel tracing at any moment.

 I do not recommend that u :

   Enable SoftICE/NTICE i3here. The unpacker would miss all breakpoints !!!!
   Run SoftICE against a few nifty protectors that may detect it.

 I noticed that unpacking under NT is not that easy coz of some system hooks
 on a few functions. I didn't check if it was due to NTICE or if it's NT
 itself that hooks those APIs. However, if you run both systems and unpacking
 is not working under NT, try under 9x.

Bhrama Server :


 Bhrama is a server that allows clients to instruct it when to dump a given
 task. The allowed possibilities are :

  Dump Service (1) :

   Bhrama will grab the Entrypoint, the PID & the dump options. Then it will
   ask you for a filename to save the dump.

  Partial Dump Service (2) :

   Bhrama will grab the PID & the dump options. Then it will ask you for a
   filename to save the dump.

 On the Bhrama dialog box you will see two check boxes :

  User conf. :

   ProcDump will ignore the uploaded options & will use instead the ones
   already defined in the Options dialog box. Such an option is useful if
   you use IceDump (C) The Owl and u need a non-default option set.

  AutoFix PE :

   If not checked, ProcDump will dump the task in RAW mode. No PE rebuilding
   will be done. This mode was intended for me to debug... but who knows ;).

 For details about plugins/clients code, check the bhrama SDK.

ProcDump actual limitations :


 * What ProcDump can't do (yet ?):

  Restore a working DATA section in dump mode.
  Restore the REAL eip in dump mode.
  Restore packed relocs (several converters have to be coded).
  Unpack a DLL (it's possible but... I need time ;)).
  Dump a 16-bit process (DOS or WIN 16-bit applications => Size 0 in array).
   -> for DOS apps, use SoftICE, cup386, TR or GTR.
   -> win16 apps.... who cares about those ? ;)

To be done :


  Protectors/Packers detector for auto unpacking                (project)
  Reloc Table scanner & rebuilder.                              (project)
  Module unpacker.                                              (project)
  Implement an API breakpoint system.                           (project)

 These points are in development... Any help would be appreciated.

 Especially if u can code :

  A reloc detector/rebuilder - I'll even take ideas ;).

Credits :


 Project Coordinator : G-RoM

 Ideas:

  Tracer engine (orig): Stone
  Tracer enhancement  : G-RoM
  Tracer Ring 0 (W9X) : Stone
  Tracer Enhancement  : G-RoM with help of Hendr!x & The Owl !
  Tracer Ring 0 (WNT) : Lorian
  Bhrama Server       : Stone
  Rebuilder           : G-RoM
  Low level fighter   : Stone :)
  Interface design    : Riz la+

 Coding :

  Shiva engine        : G-RoM
  Shiva engine ][ (9x): Stone with some additions from G-RoM.
  Shiva engine ][ (NT): Lorian
  Bhrama engine       : Stone and G-RoM.
  Bhrama Client (asm) : Stone with clean up & additions by G-RoM.
  Bhrama Client (C)   : CyndiG.
  CodeShot engine     : G-RoM
  Phoenix engine      : G-RoM
  Interface lame code : G-RoM

 Various :

  Artworks            : ZeCreator & Riz la+
  This lame dox       : G-RoM

 How to Contact :

  G-RoM               : G-RoM@innocent.com
  Lorian              : lorian@gmx.net
  Stone               : Stone@miramax.cbs.dk
  Riz la+             : GOD@WINDOWS.GUI.ASM32.ELITE.CODER.COM
  ZeCreator           : GOD@GRAPHICS.DESIGNER.COM

 Please note that we don't mail ProcDump32. We can "eventually" answer
 unpacking problems. I say eventually coz I already got mails from people
 who didn't read the dox at all and asked stupid questions. I (G-RoM) won't
 explain either how I designed the ProcDump32 engine. Don't ask for the
 source code either : even if you saw Stone in the coding team, that doesn't
 mean all his advanced work is for the PUBLIC. Moreover, MY CODE is not !!
 We spent too much time on it to make it public ;).

 MAJOR POINT : don't mail us to ask for TUTORS, we don't have the time to
 write some. In the same idea, don't contact us to ask HOW to write scripts.

 Regardless of this, I can answer technical problems u may encounter with
 PE format handling, unpacking/protecting. But I suggest you analyze the
 fucking PE format DOX WELL before mailing us about such things. Unless you
 are ready to pay for my technical assistance; in that case any stupid
 question can be asked ;). [I doubt a company will contact me... but who
 knows].

 =>

  C :                          Pascal :                   asm :

  If (question==TOO_STUPID)    If (question=TOO_STUPID)   cmp question, TOO_STUPID
     {                         then begin                 jnz reply
      NO_ANSWER();                  NO_ANSWER ;           call NO_ANSWER
      MOVE_TO_RECYLE_BIN();         MOVE_TO_RECYLE_BIN;   call MOVE_TO_RECYLE_BIN
     }                         end;                       call exitprocess, 0
                                                          reply :

Greetings from G-RoM (packed version ;):


 Pedro   : Good works with all your release ;) Keep on finding such holes ;).

NetWalker: Thanx for the dox & for the other infos. Good luck with ur current
	   stuff ;).

 Bunter  : That fucking TimeZone pb suxxx !! Argghh !! Please move closer to
	   Europe ;).

 The Owl : Dumper rulez !! I'll try not to make you update it too often :).

Iceman.ro: Thank you for ur support. I'll check closely the Suspend & Resume
	   thread in IceDump ;).

LiuTaoTao: TRW rulez !!! Very good debugger ! Awesome piece of code !!!!
	   Waiting with impatience for your next improvements ;).

 Lorian  : Hummmm... really sad we haven't enough time to code all our ideas.
	   Bah... We do what we can ;).

 Stone	 : Hummm... We are so busy we don't meet that often on IRC. Bah,
	   each time we talk it's kinda interesting and even innovative ;).
	   Keep on thinking/coding this way ;).

 BeoWulf : Nice work on PE. Keep on working on it... As always major pb is the
	   Time... Damn.

 VTec	 : Thanx for all ur reports... I code so many bugs ;).

 Random  : Humm.. long time not updated this greetings. What should I write ?
	   Ah yes... Good luck with chicks ;)

 Acpizer : Continue ur work on the Win console and start to work on Ring 0
	   hardware breakpoints ;). It will kick ass when it's done. Can
	   u try to idle a bit less ?? ;).

 Marquis : Tssskk... no new PELock until this summer ? Oh you are lazier or
	   busier than I am ;). Anyway, good luck ;)

 Jammer  : U were the precursor... Thanx for ur support ;)

 J0B     : Deshrink rulez !! However try to fix the shrinker34 crap ;) Good luck !

 Killa   : Nice GUI.... Never forget that NT has weird things & reactions ;).
	   I may ask you one day how to do tooltips... if I can't find ;).

 Hendrix : Thank you very much for the help !! I appreciated a lot !!

Iceman.de: Good luck with your PECRYPTOR.... U will need much ;).

LordByte : Hummm.... Was time to update here.. Dunno what to type ;).

 MrNop   : You are in suspend mode those days and u plan to resume in Septem-
	   ber : Are you sure that's good for you ? ;) Enjoy your holidays !!

 Riz la+ : Interface in ASM32 rule like da hell !!! Your skill in this domain
	   is fucking awesome... I may think about CatchNewTCB ;).

 Ryder   : I hope it helped you quite much ;). If you find  again a  cryptor,
	   tell me.

 Devil   : Keep on cracking with such class ;).

 Miramax : Trainers Rulezzzzzz !!! Design too !! Hey seems my virus is kinda
	   under controllllllllllllllllllll................. (shit!!)

Protector
 Coders  : I suggest that you really think about something nice & compatible.
	   Never forget that we are under an unstable OS ;). Never forget too
	   that if your code runs, it can be defeated/unpacked/decrypted. So I
	   suggest you really think of the other side too... how would you go
	   about unpacking/decrypting it ;).

BetaTeam : Thanx for all the bug reports guys ! Without ur tests, ProcDump32
	   would not be as efficient as it is.

 hiho to : #real<censored>, #ukc
	   Other groups I am in, groups I was in,
	   NuMega technologies (SoftICE owns but well... fear TRW :),
	   guys & girls I may know somewhere in the world ;).
