Try setting breakpoints on
kernel32.dll
CreateProcessInternalA
CreateProcessInternalW
(in x64dbg: bp kernel32.CreateProcessInternalW), because those are among the lowest-level user-mode APIs for creating a process, and most of the higher-level calls (CreateProcessA/W and the shell wrappers built on them) funnel down to this one eventually. A packer that spawns or hollows a new process for its payload has to go through here, so the unpacked image is usually sitting in memory by the time the breakpoint hits.
Then, once the breakpoint hits, go to the x64dbg Memory Map and look for regions with "Protection=ERW" (executable, read, and write). Legitimate module sections are normally either executable or writable, not both, so look for ERW regions outside the normal spots (the loaded modules, the stacks, and the heaps).
Inside such a region, look for an MZ header and check that its e_lfanew field points at a "PE\0\0" signature; that is how you find a full executable in memory rather than a stray code stub.
Once found, in the Memory Map right-click the region, choose "Dump memory to file", and save this executable.
Load it into PE-bear.
If the .text section is all zeros in PE-bear, the dump still has the in-memory layout: each section sits at its virtual address, but PE-bear (like the Windows loader) reads a file by the raw offsets in the section headers, which now point at empty space. To fix it you must
- copy the Virtual Addr. column values into the Raw Addr. column on the Section Headers tab (raw offset = virtual address for every section)
- under the Optional Header tab, change the image base to the 'Address' field of that region in the x64dbg Memory Map, so the RVAs in the headers match where the code was actually running
- save the executable under a different name (keep the raw dump untouched in case you need to redo the fix)
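As an added example (not from the original post), the same header fix done by script. It parses the dumped image with struct only, reports the PE-bear symptom (section data missing at its raw offset but present at its virtual address), rewrites every section so that raw address equals virtual address, and sets ImageBase to the region's Memory Map address. Everything it operates on is constructed inline: build_sample_dump() fakes a minimal PE32+ region laid out as it would appear in memory, and the image base 0x7FF712340000 stands in for whatever 'Address' x64dbg shows. Setting SizeOfRawData to VirtualSize is an addition beyond the post's steps, so that no section's raw range runs into the next one.

```python
import struct

SECTION_ENTRY_SIZE = 40
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def find_pe_headers(buf):
    """Yield every offset in buf where an 'MZ' header has an e_lfanew that lands on 'PE\\0\\0'."""
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if e_lfanew >= 0x40 and nt + 4 <= len(buf) and buf[nt:nt + 4] == b"PE\0\0":
                yield pos
        pos = buf.find(b"MZ", pos + 1)


def parse_pe(buf):
    """Return the ImageBase location/value and the section table of the PE image starting at buf[0]."""
    if buf[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32PLUS_MAGIC:
        image_base_off, image_base_fmt = opt + 24, "<Q"  # PE32+: 64-bit ImageBase right after BaseOfCode
    elif magic == PE32_MAGIC:
        image_base_off, image_base_fmt = opt + 28, "<I"  # PE32: BaseOfData sits in between
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * SECTION_ENTRY_SIZE
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, off)
        sections.append(dict(offset=off, name=name.rstrip(b"\0").decode(), virtual_size=vsize,
                             virtual_address=va, raw_size=rawsize, raw_pointer=rawptr))
    return dict(image_base_off=image_base_off, image_base_fmt=image_base_fmt,
                image_base=struct.unpack_from(image_base_fmt, buf, image_base_off)[0], sections=sections)


def is_unmapped_dump(buf):
    """PE-bear's 'section is all zeros' symptom: data absent at the raw offset, present at the virtual address."""
    for s in parse_pe(buf)["sections"]:
        if s["raw_size"] == 0 or s["raw_pointer"] == s["virtual_address"]:
            continue
        raw = buf[s["raw_pointer"]:s["raw_pointer"] + s["raw_size"]]
        virt = buf[s["virtual_address"]:s["virtual_address"] + s["virtual_size"]]
        if not any(raw) and any(virt):
            return True
    return False


def fix_unmapped_dump(buf, new_image_base):
    """Return a copy of buf with raw addr = virtual addr for every section and ImageBase rewritten."""
    pe = parse_pe(buf)
    out = bytearray(buf)
    for s in pe["sections"]:
        # PointerToRawData := VirtualAddress is the post's step; SizeOfRawData := VirtualSize is
        # added here so the raw ranges follow the in-memory layout and never overlap.
        struct.pack_into("<II", out, s["offset"] + 16, s["virtual_size"], s["virtual_address"])
    struct.pack_into(pe["image_base_fmt"], out, pe["image_base_off"], new_image_base)
    return bytes(out)


def build_sample_dump():
    """Constructed stand-in for an x64dbg region dump: a minimal PE32+ whose sections sit at their
    virtual addresses while the headers still carry the on-disk raw offsets (which hold only zeros)."""
    e_lfanew, opt_size = 0x40, 240
    sections = [(b".text", 0x1000, 0x100, 0x400, 0x200, 0x60000020),   # name, VA, VSize, RawPtr, RawSize, flags
                (b".data", 0x2000, 0x20, 0x600, 0x200, 0xC0000040)]
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<Q", img, opt + 24, 0x140000000)      # ImageBase as linked, before relocation
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    for i, (name, va, vsize, rawptr, rawsize, chars) in enumerate(sections):
        off = opt + opt_size + i * SECTION_ENTRY_SIZE
        struct.pack_into("<8sIIII", img, off, name, vsize, va, rawsize, rawptr)
        struct.pack_into("<I", img, off + 36, chars)
    img[0x1000:0x1004] = b"\x48\x31\xc0\xc3"                # xor rax,rax ; ret  (code at .text's VA)
    img[0x2000:0x2008] = b"unpacked"
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("MZ/PE headers at:", [hex(o) for o in find_pe_headers(dump)])
    print("unmapped before fix:", is_unmapped_dump(dump))
    fixed = fix_unmapped_dump(dump, 0x7FF712340000)          # the region's 'Address' in the Memory Map (constructed)
    print("unmapped after fix:", is_unmapped_dump(fixed))
    for s in parse_pe(fixed)["sections"]:
        print(s["name"], "VA", hex(s["virtual_address"]), "raw", hex(s["raw_pointer"]))
```

On a real dump, run find_pe_headers() first: an ERW region does not always start at the MZ, so slice the buffer at the offset it returns before calling fix_unmapped_dump(), and pass the region's Memory Map address plus that offset as the new image base.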