Beginner's guide to unpacking (2)
-- The DUMP principle
Once the packer (the "shell") has finished executing, it jumps to the entry point of the original program, the Original Entry Point, or OEP. With a packer whose protection is not very strong, the end of the packer stub contains a large cross-section jump to the OEP, which acts as the "demarcation line" between the packer and the program's entry point. When we reach the OEP of the program we dump it. But when exactly should a program be dumped? Here I quote a sentence from fly:
"The ideal dump time for manual unpacking is when the shell has fully decrypted all of the program's code, including resources and other data, and has restored data such as the import table, but has not yet filled in the system function addresses and the DLL has not yet been relocated; in this case you only need to fix the OEP, ImportTableRVA and other information in the dumped file to complete the unpacking."
Not every program has to be dumped exactly at the OEP. As long as all of the compressed code and data have been released into memory and the required items have been initialized, we can choose a suitable dump point.
So what is a DUMP? In Chinese the term is rendered as "capturing a memory image": the image at a specified memory address is read out and then saved as a file.
Commonly used dump tools include LordPE and PETools. These tools basically use Module32Next to obtain information about the process to be dumped. Let's open MSDN and look at the prototype of this function:
BOOL WINAPI Module32Next(HANDLE hSnapshot, LPMODULEENTRY32 lpme);
Let's take a look at its parameters:
Parameters
hSnapshot
Handle to the snapshot returned from a previous call to the CreateToolhelp32Snapshot function. // the snapshot returned by the earlier CreateToolhelp32Snapshot call
lpme
Pointer to a MODULEENTRY32 structure. // pointer to a MODULEENTRY32
Let's look at the MODULEENTRY32 structure on MSDN:
typedef struct tagMODULEENTRY32 {
    DWORD   dwSize;                              // size of this structure, in bytes (must be set before the call)
    DWORD   th32ModuleID;                        // module identifier (no longer used)
    DWORD   th32ProcessID;                       // identifier of the process that owns the module
    DWORD   GlblcntUsage;                        // global usage count of the module
    DWORD   ProccntUsage;                        // usage count of the module within this process
    BYTE   *modBaseAddr;                         // base address of the module image in the owning process
    DWORD   modBaseSize;                         // size of the module image, in bytes
    HMODULE hModule;                             // handle of the module in the owning process
    char    szModule[MAX_MODULE_NAME32 + 1];     // module name
    char    szExePath[MAX_PATH];                 // module path
} MODULEENTRY32;
typedef MODULEENTRY32 *PMODULEENTRY32;
typedef MODULEENTRY32 *LPMODULEENTRY32;
LordPE uses modBaseAddr and modBaseSize from this structure to obtain the base address and image size of the process, and then calls ReadProcessMemory to read the data held in the process. LordPE does not use the file header taken from the process; it reads the file header of the original file on disk, reads the memory data, and then saves the process data into a file on the hard disk.
OllyDump, a plug-in for OllyDbg, also supports dumping. It is easy to use, but it is not convenient for dumping the image of a DLL.
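What the dumped image still needs before it will load from disk, as an added example (this is not LordPE's or OllyDump's own code): because the dump is laid out as in memory rather than as a file, each section's raw file offset and size must be set equal to its RVA and virtual size, and AddressOfEntryPoint must be set to the OEP found in the debugger. PE header offsets are hard-coded so it builds without <windows.h>, and the sample image is constructed inline.

```c
#include <stdint.h>
#include <string.h>
/* Little-endian field helpers so the code runs on any host, without <windows.h>. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Patch a raw memory dump so it loads from disk: AddressOfEntryPoint becomes the OEP,
 * and every section's file offset/size is set to its virtual address/size.
 * Returns the number of sections patched, or -1 if this is not a plausible PE image. */
int fix_dumped_pe(uint8_t *img, size_t len, uint32_t oep_rva) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                                  /* e_lfanew */
    if (nt > len - 24 || rd32(img + nt) != 0x00004550) return -1;    /* "PE\0\0" */
    uint16_t nsec  = rd16(img + nt + 6);                             /* FileHeader.NumberOfSections */
    uint16_t optsz = rd16(img + nt + 20);                            /* FileHeader.SizeOfOptionalHeader */
    uint8_t *opt = img + nt + 24;                                    /* OptionalHeader */
    uint16_t magic = rd16(opt);
    if ((magic != 0x10B && magic != 0x20B) || optsz < 40) return -1; /* PE32 / PE32+ only */
    size_t sect = (size_t)nt + 24 + optsz;                           /* section table */
    if (sect + (size_t)nsec * 40 > len) return -1;
    wr32(opt + 16, oep_rva);                                         /* AddressOfEntryPoint = OEP */
    wr32(opt + 36, rd32(opt + 32));                                  /* FileAlignment = SectionAlignment */
    for (uint16_t i = 0; i < nsec; i++) {
        uint8_t *s = img + sect + (size_t)i * 40;
        wr32(s + 16, rd32(s + 8));                                   /* SizeOfRawData    = VirtualSize */
        wr32(s + 20, rd32(s + 12));                                  /* PointerToRawData = VirtualAddress */
    }
    return nsec;
}

/* Constructed sample: a one-section PE32 image as a packer stub leaves it in memory
 * (entry point still inside the stub, file offsets that differ from the RVAs). */
size_t build_sample_image(uint8_t *buf) {
    memset(buf, 0, 0x2000);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, 0x80);              /* e_lfanew = 0x80 */
    uint8_t *nt = buf + 0x80;
    memcpy(nt, "PE\0\0", 4);
    nt[6] = 1;                                                       /* NumberOfSections */
    nt[20] = 0xE0;                                                   /* SizeOfOptionalHeader (PE32) */
    uint8_t *opt = nt + 24;
    opt[0] = 0x0B; opt[1] = 0x01;                                    /* Magic = 0x10B */
    wr32(opt + 16, 0x1234);                                          /* packer stub entry point */
    wr32(opt + 32, 0x1000); wr32(opt + 36, 0x200);                   /* SectionAlignment, FileAlignment */
    uint8_t *s = nt + 24 + 0xE0;
    memcpy(s, ".text", 5);
    wr32(s + 8, 0x600); wr32(s + 12, 0x1000);                        /* VirtualSize, VirtualAddress */
    wr32(s + 16, 0x200); wr32(s + 20, 0x400);                        /* SizeOfRawData, PointerToRawData */
    return 0x2000;
}
```

The import table still has to be rebuilt separately (ImportREC-style), which this header fix does not do.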
Full documentation:
Http://www.bkjia.com/uploadfile/2012/1202/20121202072507103.zip