Native CLR with Anti Dump/Debug fails to dump
Closed this issue · 5 comments
You can find the executable on Tuts4You. I made it a few years ago. Have fun.
I guess you detect modification in the called function before calling it, like int3, but in my case, because of the hook, it detects it as a debugger. I have not checked it till now, but I think it will be cool! Thanks
I was wrong lol, it detects the parent process (still not sure), but yeah, adding parent spoofing for that.
I think it does not use CLRCreateInstance and all to load the .NET assembly, right? It is not supported.
The app is fully managed, and I would have no doubt it's CLR loaded.
Obviously it's a .NET application, there is no doubt about that, but clrdumper is not a dumper like ExtremeDumper or Scylla dump; it's a tool to dynamically dump .NET, VBScript, JScript which are dynamically loaded, e.g. in a crypter or malware.