ANTIPDD - Anti ProcDump Full Dump
---------------------------------

I got a lot of mail in the last few days concerning PESHIELD.
(Why now? PESHIELD has been out for months...)
Some guys were asking how I defeated the PROCDUMP dump function,
maybe this source will help...
The basic idea behind the anti-procdump code is to make ProcDump think
that the process it wants to dump is larger than it really is.
To do that I get my hands on the internal Windows variable that stores
the size of the process image. Windows 95 and Windows NT keep it in
different places, so two different ways are necessary. (look at the code for it)
Once this variable has been enlarged, PROCDUMP's full dump function tries
to read pages past the end of the image that are not mapped in memory.
That read fails, ProcDump gives up, and you will see the nice MessageBox
"Dumping this process is not possible"
;)
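
The following is an added example, not the ANTIPDD source and not ProcDump's code:
a portable C model of what the text describes. A dumper that trusts the size
reported by the target walks [base, base + size) page by page and aborts on the
first page it cannot read, so inflating that size breaks the dump. The memory map,
the image base 0x00400000 and all sizes are constructed for the example. It goes one
step beyond the text and also shows the counter a dumper author would use: recover
the real image size from the memory map instead of trusting the target.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#define PAGE_SIZE 0x1000u

/* Constructed model of the target's committed memory regions, the kind of
 * information VirtualQuery would give a dumper. Addresses are hypothetical. */
typedef struct { uint32_t start; uint32_t size; } Region;

static const Region g_mapped[] = {
    { 0x00400000u, 0x00006000u },   /* the real image: 6 pages from the image base */
    { 0x00410000u, 0x00002000u },   /* an unrelated mapping further up */
};
#define N_MAPPED (sizeof g_mapped / sizeof g_mapped[0])

/* Stand-in for a cross-process read of one page: succeeds only if the page
 * lies inside a committed region, fails (as ReadProcessMemory would) otherwise. */
static bool read_page(uint32_t addr)
{
    for (size_t i = 0; i < N_MAPPED; i++)
        if (addr >= g_mapped[i].start && addr - g_mapped[i].start < g_mapped[i].size)
            return true;
    return false;
}

/* A dumper that trusts the size the target reports (the behaviour the text
 * describes): walk [base, base + reported_size) page by page and abort on
 * the first unreadable page. Returns the number of pages dumped, or -1 for
 * "Dumping this process is not possible". */
static int dump_trusting(uint32_t base, uint32_t reported_size)
{
    int pages = 0;
    for (uint32_t off = 0; off < reported_size; off += PAGE_SIZE) {
        if (!read_page(base + off))
            return -1;
        pages++;
    }
    return pages;
}

/* Recover the real image size from the memory map instead of from the
 * target: the image is the contiguous committed run that starts at base. */
static uint32_t recover_image_size(uint32_t base)
{
    uint32_t size = 0;
    while (read_page(base + size))
        size += PAGE_SIZE;
    return size;
}

/* A dumper that ignores the reported size and dumps only what is actually
 * mapped from the image base, so the inflated value no longer matters. */
static int dump_resilient(uint32_t base, uint32_t reported_size)
{
    (void)reported_size;   /* deliberately not trusted */
    return dump_trusting(base, recover_image_size(base));
}

int main(void)
{
    const uint32_t base      = 0x00400000u;
    const uint32_t real_size = 0x6000u;
    const uint32_t inflated  = real_size + 0x10000u;  /* what the anti-dump code writes */

    printf("honest size   : %d pages\n", dump_trusting(base, real_size));
    printf("inflated size : %d (trusting dumper gives up)\n", dump_trusting(base, inflated));
    printf("resilient     : %d pages\n", dump_resilient(base, inflated));
    return 0;
}
```

The honest size dumps 6 pages, the inflated size makes the trusting dumper
return -1 (the MessageBox case), and the resilient dumper still gets the 6
real pages because it sizes the image from the memory map. That is why this
trick stops a dumper that takes the size from the target but not one that
asks the memory manager what is really mapped.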
I saw other protections that are based on VirtualProtect... but I wasn't
able to see any effect, neither under Windows 95 nor under Windows NT...
Maybe I have the wrong service pack... ;)


anakin@bigfoot.de
members.xoom.com/MrANAKiN ; <-- will be fired up in the next few days