Page MenuHomedesp's stash
Files F368736

No OneTemporary
Actions

View Options

diff --git a/README.md b/README.md
index d5ce2a2..71290c6 100644
--- a/README.md
+++ b/README.md
@@ -1,136 +1,141 @@
Scylla - x64/x86 Imports Reconstruction
=======================================
ImpREC, CHimpREC, Imports Fixer... this are all great tools to rebuild an import table,
but they all have some major disadvantages, so I decided to create my own tool for this job.
Scylla's key benefits are:
- x64 and x86 support
- full unicode support
- written in C/C++
- plugin support
- works great with Windows 7
This tool was designed to be used with Windows 7 x64, so it is recommend to use this operating system.
But it may work with XP and Vista, too.
Source code is licensed under GNU GENERAL PUBLIC LICENSE v3.0
Known Bugs
----------
### Only Windows XP x64:
Windows XP x64 has some API bugs. 100% correct imports reconstruction is impossible.
If you still want to use XP x64, here are some hints:
* EncodePointer/DecodePointer exported by kernel32.dll have both the same VA.
Scylla, CHimpREC and other tools cannot know which API is correct. You need to fix this manually.
Your fixed dump will probably run fine on XP but crash on Vista/7.
### ImpREC plugin support:
Some ImpREC Plugins don't work with Windows Vista/7 because they don't "return 1" in the DllMain function.
Keyboard Shortcuts
------------------
- CTRL + D: [D]ump
- CTRL + F: [F]ix Dump
- CTRL + R: PE [R]ebuild
- CTRL + O: L[o]ad Tree
- CTRL + S: [S]ave Tree
- CTRL + T: Auto[t]race
- CTRL + G: [G]et Imports
- CTRL + I: [I]AT Autosearch
Changelog
---------
+Version 0.9.3
+
+- new dll function: iat search
+- new dll function: iat fix auto
+
Version 0.9.2
- Pick DLL -> Set DLL Entrypoint
- Advanced IAT Search Algorithm (Enable/Disable it in Options), thanks to ahmadmansoor
- Fixed bug in Options
- Added donate information, please feel free to donate some BTC to support this project
Version 0.9.1
- Fixed virtual device bug
- Fixed 2 minor bugs
Version 0.9
- updated to distorm v3.3
- added application exception handler
- fixed bug in dump engine
- improved "suspend process" feature, messagebox on exit
Version 0.8
- added OriginalFirstThunk support. Thanks to p0c
- fixed malformed dos header bug
- NtCreateThreadEx added infos from waliedassar, thanks!
Version 0.7 Beta
- fixed bug Overlapped Headers
- fixed bug SizeOfOptionalHeader
- added feature: suspend process for dumping, more information
- improved disassembler
- fixed various bugs
Version 0.6b
- internal code changes
- added option: fix iat and oep
Version 0.6a
- fixed buffer to small bug in dump memory
Version 0.6
- added dump memory regions
- added dump pe sections -> you can edit some values in the dialog
- improved dump engine with intelligent dumping
- improved pe rebuild engine -> removed yoda's code
- fixed various bugs
Version 0.5a:
- fixed memory leak
- improved IAT search
Version 0.5:
- added save/load import tree feature
- multi-select in tree view
- fixed black icons problem in tree view
- added keyboard shortcuts
- dll dump + dll dump fix now working
- added support for scattered IATs
- pre select target path in open file dialogs
- improved import resolving engine with api scoring
- api selection dialog
- minor bug fixes and improvements
Version 0.4:
- GUI code improvements
- bug fixes
- imports by ordinal
Version 0.3a:
- Improved import resolving
- fixed buffer overflow errors
Version 0.3:
- ImpREC plugin support
- minor bug fix
diff --git a/Scylla_Exports.txt b/Scylla_Exports.txt
index fd94992..10bab30 100644
--- a/Scylla_Exports.txt
+++ b/Scylla_Exports.txt
@@ -1,118 +1,138 @@
+Scylla DLL Export List:
+
+BOOL __stdcall ScyllaDumpCurrentProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
+BOOL __stdcall ScyllaDumpCurrentProcessA(const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
+
+BOOL __stdcall ScyllaDumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
+BOOL __stdcall ScyllaDumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
+
+BOOL __stdcall ScyllaRebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
+BOOL __stdcall ScyllaRebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
+
+const WCHAR * __stdcall ScyllaVersionInformationW();
+const char * __stdcall ScyllaVersionInformationA();
+DWORD __stdcall ScyllaVersionInformationDword();
+
+int __stdcall ScyllaStartGui(DWORD dwProcessId, HINSTANCE mod);
+
+int __stdcall ScyllaIatSearch(DWORD dwProcessId, DWORD_PTR * iatStart, DWORD * iatSize, DWORD_PTR searchStart, BOOL advancedSearch);
+int __stdcall ScyllaIatFixAutoW(DWORD_PTR iatAddr, DWORD iatSize, DWORD dwProcessId, const WCHAR * dumpFile, const WCHAR * iatFixFile);
+
Prototyps:
----------------------------------------------------------------------------------------------------------------------------------------------------
C/C++:
------------
BOOL __stdcall ScyllaDumpCurrentProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
BOOL __stdcall ScyllaDumpCurrentProcessA(const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
BOOL __stdcall ScyllaDumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
BOOL __stdcall ScyllaDumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
------------
32-Bit assembly e.g. MASM:
------------
ScyllaDumpCurrentProcessW PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
ScyllaDumpCurrentProcessA PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
ScyllaDumpProcessW PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
ScyllaDumpProcessA PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
------------
64-Bit assembly:
------------
ScyllaDumpCurrentProcessW PROTO :QWORD, :QWORD, :QWORD, :QWORD
ScyllaDumpCurrentProcessA PROTO :QWORD, :QWORD, :QWORD, :QWORD
ScyllaDumpProcessW PROTO :QWORD, :QWORD, :QWORD, :QWORD
ScyllaDumpProcessA PROTO :QWORD, :QWORD, :QWORD, :QWORD
fileToDump -> string pointer, this can be 0
imagebase -> imagebase base of target
entrypoint -> entrypoint
fileResult -> string pointer, resulting file
pid -> target process PID
----------------------------------------------------------------------------------------------------------------------------------------------------
C/C++:
------------
BOOL __stdcall ScyllaRebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
BOOL __stdcall ScyllaRebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
------------
32-Bit assembly e.g. MASM:
------------
ScyllaRebuildFileW PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
ScyllaRebuildFileA PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
------------
64-Bit assembly:
------------
ScyllaRebuildFileW PROTO :QWORD, :DWORD, :DWORD, :DWORD
ScyllaRebuildFileA PROTO :QWORD, :DWORD, :DWORD, :DWORD
fileToRebuild - string pointer
removeDosStub - to remove the dos stub -> 1 (TRUE) or 0 (FALSE)
updatePeHeaderChecksum - to update the pe header checksum field -> 1 (TRUE) or 0 (FALSE)
createBackup - create a backup file -> 1 (TRUE) or 0 (FALSE)
----------------------------------------------------------------------------------------------------------------------------------------------------
C/C++:
------------
-WCHAR * __stdcall ScyllaVersionInformationW();
-char * __stdcall ScyllaVersionInformationA();
+const WCHAR * __stdcall ScyllaVersionInformationW();
+const char * __stdcall ScyllaVersionInformationA();
DWORD __stdcall ScyllaVersionInformationDword();
------------
64-Bit/32-Bit assembly e.g. MASM:
------------
ScyllaVersionInformationW PROTO
ScyllaVersionInformationA PROTO
ScyllaVersionInformationDword PROTO
ScyllaVersionInformation - return value is a pointer to a string e.g. "Scylla x86 v0.7 Beta 6"
ScyllaVersionInformationDword - return value is always a DWORD:
e.g. 0x00007600
0000 -> major version
7600 -> minor version
----------------------------------------------------------------------------------------------------------------------------------------------------
Example:
typedef BOOL (__stdcall * def_ScyllaDumpCurrentProcessW)(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
typedef BOOL (__stdcall * def_RebuildFileA)(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
HMODULE mod = LoadLibraryA("ScyllaDLL.dll");
def_ScyllaDumpCurrentProcessW ScyllaDumpCurrentProcessW = (def_ScyllaDumpCurrentProcessW)GetProcAddress(mod, "ScyllaDumpCurrentProcessW");
def_RebuildFileA RebuildFileA = (def_RebuildFileA)GetProcAddress(mod, "RebuildFileA");
ScyllaDumpCurrentProcessW(0, (DWORD_PTR)GetModuleHandleA((LPCSTR)0), 0x13370000, L"C:\\dump.exe");
RebuildFileA("some.exe", 1, 1, 1);
MASM:
szScyllaDll db "ScyllaDLL.dll",0h
szRebuildFileA db "RebuildFileA",0h
szTargetExe db "some.exe",0h
push offset szScyllaDll
call LoadLibraryA
push offset szRebuildFileA
push eax
call GetProcAddress
xor ecx, ecx
inc ecx
push ecx
push ecx
push ecx
push offset szTargetExe
call eax

File Metadata

Mime Type
text/x-diff
Expires
Sat, Jul 5, 11:03 AM (19 h, 19 m)
Storage Engine
local-disk
Storage Format
Raw Data
Storage Handle
92/24/23e8aebd5a06ac18e5cd9bf5b7c1

Event Timeline

Back to Main Site