How to dump a DLL

Updated: 07.07.2024

So, gentlemen, let's begin.
A suggestion by Sir Solenij prompted me to write this small manual for the very littlest, that is, beginning localizers.
So that they know the difference between a Dump and a car jack.

Preface:
I won't write here about the many kinds of translations based on resource files with extensions like *INI, *LNG, *DAT and others.

So:
I'll begin by explaining that there are two main kinds of localization patches.
These are, properly speaking, translation of the executable file with the *EXE extension
and of the resource file with the *RU extension.

How an *EXE is translated is, I assume, known to everyone:
- unpacking (if it is packed), and then
- translating with whatever tool you prefer.
The bulk of programs are written in the programming languages "Microsoft Visual C++" and "Borland Delphi".
Resources of programs written in Microsoft Visual C++ consist of "Menu" and "Dialog" resources.
Resources of programs written in Delphi consist of "Forms" and "Strings"; by this feature you can identify them with any resource editor, without analyzers like PEiD and the like.

So let me remind you that *RU files (Dumps) are supported only by programs written in Delphi.
At startup the program loads the data of the *RU file into memory and we see a Russian interface.

Anyone who has used Multilizer may have noticed that there is a choice of which localization file to produce: "Localization files (*EXE)" or "Resource files (*RU)".
Properly speaking, the *RU file is identical to the *EXE except that it contains no program code, only resources.
But here we will look at translating a file with the *RU extension made on the basis of a Dump.
This makes it possible not to unpack a packed program.
This concludes the introductory excursion, and now the real treat begins.

Making the Dump:
To make a Dump we need the program PETools 1.5. You can get it here

Example of creating a Dump of the program "DVD Creator":

Step one:
Launch the packed program and immediately minimize it to the quick launch bar so it doesn't get in the way.

Step two:
Launch PETools and find our program's process in its upper window. Click its icon and it moves to the lower window.

Step three:
Right-click our program's process in the lower window and choose "Dump Full".
In the dialog that appears, choose the folder where you want to save our "Dump" and click "Save".
That's it, our "Dump" is ready!

A dump file is a snapshot that shows the process that was executing and modules that were loaded for an app at a point in time. A dump with heap information also includes a snapshot of the app's memory at that point.

Opening a dump file with a heap in Visual Studio is something like stopping at a breakpoint in a debug session. Although you can't continue execution, you can examine the stacks, threads, and variable values of the app at the time of the dump.

Dumps are mostly used to debug issues from machines that developers don't have access to. You can use a dump file from a customer's machine when you can't reproduce a crash or unresponsive program on your own machine. Testers also create dumps to save crash or unresponsive program data to use for more testing.

The Visual Studio debugger can save dump files for managed or native code. It can debug dump files created by Visual Studio or by other apps that save files in the minidump format.

Requirements and limitations

  • To debug dump files from 64-bit machines, Visual Studio must be running on a 64-bit machine.
  • Visual Studio can debug dump files of managed apps from Linux OS.

Visual Studio can debug dump files of native apps from ARM devices. It can also debug dumps of managed apps from ARM devices, but only in the native debugger.

To debug kernel-mode dump files or use the SOS.dll debugging extension in Visual Studio, download the debugging tools for Windows in the Windows Driver Kit (WDK).

Visual Studio can't debug dump files saved in the older, full user-mode dump format. A full user-mode dump is not the same as a dump with heap.

Debugging dump files of optimized code can be confusing. For example, compiler inlining of functions can result in unexpected call stacks, and other optimizations might change the lifetime of variables.

Dump files with or without heaps

Dump files may or may not have heap information.

Dump files with heaps contain a snapshot of the app's memory, including the values of variables, at the time of the dump. Visual Studio also saves the binaries of loaded native modules in a dump file with a heap, which can make debugging much easier. Visual Studio can load symbols from a dump file with a heap, even if it can't find an app binary.

Dump files without heaps are much smaller than dumps with heaps, but the debugger must load the app binaries to find symbol information. The loaded binaries must exactly match the ones running during dump creation. Dump files without heaps save the values of stack variables only.
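Added example (not from the Visual Studio documentation): a Python parser for the MINIDUMP_HEADER and stream directory of a .dmp file that reports whether the MiniDumpWithFullMemory flag is set (the memory snapshot that makes a dump "with heap") and which streams it carries, rejecting offsets that point outside the file since a dump from a customer's machine is untrusted input. The mapping of "Minidump with Heap" to that flag is an assumption; the sample image is constructed inline.

```python
import struct

# MINIDUMP_HEADER (minidumpapiset.h): Signature, Version, NumberOfStreams,
# StreamDirectoryRva, CheckSum, TimeDateStamp, Flags (ULONG64) -- 32 bytes.
HEADER_FMT = "<IIIIIIQ"
# MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva -- 12 bytes.
DIR_FMT = "<III"
MDMP_SIGNATURE = 0x504D444D        # the bytes b"MDMP" read as a little-endian u32
MINIDUMP_VERSION = 42899           # low 16 bits of Version (0xA793)
MINIDUMP_WITH_FULL_MEMORY = 0x2    # MiniDumpWithFullMemory: assumed to mark a dump "with heap"
STREAM_NAMES = {3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
                6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
                16: "MemoryInfoListStream"}


def parse_minidump(data: bytes) -> dict:
    """Validate the header and directory of a minidump image; report heap flag and streams."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("file too small to be a minidump")
    sig, ver, nstreams, dir_rva, _csum, _ts, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE or (ver & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError("not a minidump: bad signature or version")
    dir_size = struct.calcsize(DIR_FMT)
    if dir_rva + nstreams * dir_size > len(data):
        raise ValueError("stream directory runs past the end of the file")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * dir_size)
        if rva + size > len(data):          # untrusted offsets: never read outside the file
            raise ValueError(f"stream type {stype} points outside the file")
        streams.append(STREAM_NAMES.get(stype, f"Unknown({stype})"))
    return {"with_heap": bool(flags & MINIDUMP_WITH_FULL_MEMORY), "streams": streams}


def build_sample(with_heap: bool) -> bytes:
    """Constructed minidump image for demonstration (not a real dump): header, three
    directory entries at RVA 32, and 4-byte stub stream bodies at RVAs 68/72/76."""
    entries = [(3, 4, 68), (4, 4, 72), (9, 4, 76)]
    flags = MINIDUMP_WITH_FULL_MEMORY if with_heap else 0
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MINIDUMP_VERSION,
                         len(entries), 32, 0, 0, flags)
    directory = b"".join(struct.pack(DIR_FMT, *e) for e in entries)
    return header + directory + b"\0" * 12


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample(with_heap=True)
    print(parse_minidump(image))
```

Run it with the path of a real .dmp as the first argument; without one it parses the constructed sample.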

Create a dump file

While you are debugging a process in Visual Studio, you can save a dump when the debugger has stopped at an exception or breakpoint.

With Just-In-Time Debugging enabled, you can attach the Visual Studio debugger to a crashed process outside of Visual Studio, and then save a dump file from the debugger. See Attach to running processes.

To save a dump file:

While stopped at an error or breakpoint during debugging, select Debug > Save Dump As.

In the Save Dump As dialog box, under Save as type, select Minidump or Minidump with Heap (the default).

Browse to a path and select a name for the dump file, and then select Save.

You can create dump files with any program that supports the Windows minidump format. For example, the Procdump command-line utility from Windows Sysinternals can create process crash dump files based on triggers or on demand. See Requirements and limitations for information about using other tools to create dump files.

Open a dump file

In Visual Studio, select File > Open > File.

In the Open File dialog box, locate and select the dump file. It will usually have a .dmp extension. Select OK.

The Minidump File Summary window shows summary and module information for the dump file, and actions you can take.

Minidump summary page

Under Actions:

  • To set symbol loading locations, select Set symbol paths.
  • To start debugging, select Debug with Managed Only, Debug with Native Only, Debug with Mixed, or Debug with Managed Memory.

Find .exe, .pdb, and source files

To use full debugging features on a dump file, Visual Studio needs:

  • The .exe file the dump was created for, and other binaries (DLLs, etc.) that the dump process used.
  • Symbol (.pdb) files for the .exe and other binaries.
  • The .exe and .pdb files that exactly match the version and build of the files at dump creation.
  • Source files for the relevant modules. You can use the disassembly of the modules if you can't find the source files.

If the dump has heap data, Visual Studio can cope with missing binaries for some modules, but it must have binaries for enough modules to generate valid call stacks.

Search paths for .exe files

Visual Studio automatically searches these locations for .exe files that aren't included in the dump file:

  1. The folder that contains the dump file.
  2. The module path the dump file specifies, which is the module path on the machine that collected the dump.
  3. The symbol paths specified in Tools (or Debug) > Options > Debugging > Symbols. You can also open the Symbols page from the Actions pane of the Dump File Summary window. On this page, you can add more locations to search.

Use the No Binary, No Symbols, or No Source Found pages

If Visual Studio can't find the files it needs to debug a module in the dump, it shows a No Binary Found, No Symbols Found, or No Source Found page. These pages provide detailed information about the cause of the issue, and provide action links that can help you locate the files. See Specify symbol (.pdb) and source files.

I tried to look online for tutorials about people dumping manually mapped DLLs from games, and I can't find anything. Does anyone know how to dump a manually mapped DLL that was injected from a loader? Thanks.

It's open source as well. Automates IAT reconstruction - it doesn't always work; but it often does.

You can also use PE-sieve to "unpack" packed binaries for static analysis purposes.

Okay thank you for this. I am downloading this now and will try it on a free loader to see if it can dump it. I heard that if you break it on WriteProcessMemory, NtWriteVirtualMemory or NtWow64WriteVirtualMemory64 when it's injecting then create a dump with Process Hacker, you can see it. Is this a harder way or an easier way?

I mean, it's easier to open a command prompt and write a command than manually do that.
It won't always work. When it does, you save lots of time.

Hook WPM or whatever the loader uses, scan for unlisted modules and dump it by reading it manually, dump memory outside of game modules and probably scan for modified game memory by comparing with the original file for example (I guess you want to crack a cheat so scanning for modified shit would help)

Remember that you actually don't need to map the whole PE file into memory.
So hooking or breaking WriteProcessMemory isn't too easy for beginners when they only write the required bytes after mapping.

But a common mistake those people make is to write code like this

That way you can just search for the MZ header in the loader process dynamic memory when you break on OpenProcess or WriteProcessMemory.


Hello, please help: unpacker for Remove Logo Now 2.1


Thanks, dumped the DLL but it is still not readable in IDA.
