-2

How can I defeat PE header erasure from memory?

First: the executable I'm working on is a CLR host in C++, so the program behind it is in C#. Second: the C# program erases the PE header with the function VirtualProtect (a very common anti-dumping protection).

In all cases, I dumped the C# program with x64dbg, but then I can't really achieve my goal because of the erased PE header. The only way I found to patch this is, at the startup of the program, to replace the VirtualProtect calls with NOPs so that the program is no longer able to erase the PE header, maybe?

PS: I can't patch the dumped file using the original because there is no original; the only executables I have are the CLR host in C++ and the dumped executable in C#.

I would appreciate any help, sorry for my bad English.

DrayNeur
  • C# is managed and C++ is not managed. So C# adds selectors in the microprocessor so that if exceptions occur the PC doesn't get a blue screen. When an application gets executed from a file, the loader assigns the selectors before the application runs, using the System credentials, which have access to the microprocessor registers. So you have lots of hurdles to overcome to get your code to run. It would be better to write a C++ app that is managed code to be an interface between C# and the executable you want to run. – jdweng Dec 26 '20 at 11:15
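An added example, not code from the question or either poster, for checking what a memory dump actually captured: it builds a constructed minimal PE32+ image, models the header wipe the question describes (zeroing header bytes the way the protected process does after VirtualProtect), and reports which header structures survive so you know whether a dump is worth working with. The image layout, section names and offsets are assumptions made for the sample.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
FILE_HDR_FMT = "<HHIIIHH"     # IMAGE_FILE_HEADER, 20 bytes

def build_minimal_pe(num_sections=2):
    """Constructed sample: a minimal PE32+ image laid out as it would be in memory."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack(FILE_HDR_FMT, 0x8664, num_sections, 0, 0, 0, 0xF0, 0x22)
    opt_hdr = bytearray(0xF0)
    struct.pack_into("<H", opt_hdr, 0, 0x20B)  # PE32+ magic
    sections = b"".join(
        struct.pack(SECTION_FMT, f".s{i}".encode(), 0x1000, 0x1000 * (i + 1),
                    0x1000, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i in range(num_sections))
    hdr = (dos + b"PE\0\0" + file_hdr + opt_hdr + sections).ljust(0x1000, b"\0")
    return bytes(hdr) + b"\0" * (0x1000 * num_sections)

def wipe_header(image, start=0, size=0x1000):
    """Model of the anti-dump step: zero header bytes the way the protected process does."""
    return image[:start] + b"\0" * size + image[start + size:]

def check_pe_header(image):
    """Report which parts of an in-memory PE header survive in a dump."""
    r = {"dos": False, "nt": False, "sections": 0, "problems": []}
    if len(image) < 0x40 or image[:2] != b"MZ":
        r["problems"].append("DOS signature 'MZ' missing: header wiped or not captured")
        return r
    r["dos"] = True
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if not 0 < e_lfanew <= len(image) - 24:
        r["problems"].append(f"e_lfanew 0x{e_lfanew:x} out of range")
        return r
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        r["problems"].append("PE signature missing at e_lfanew: NT headers wiped")
        return r
    r["nt"] = True
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR_FMT, image, e_lfanew + 4)
    first = e_lfanew + 24 + opt_size
    for off in range(first, min(first + 40 * nsec, len(image) - 39), 40):
        name, _vsize, va, *_rest = struct.unpack_from(SECTION_FMT, image, off)
        if name.rstrip(b"\0") and va:  # a zeroed table shows up as empty entries
            r["sections"] += 1
    if r["sections"] != nsec:
        r["problems"].append(f"only {r['sections']} of {nsec} section headers intact")
    return r
```

Running `check_pe_header` over the first page of a dump taken before and after the breakpoint tells you immediately whether the DOS stub, the NT headers or only part of the section table was overwritten.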

1 Answer

0

Edit: I finally understand how to dump it: I just add a breakpoint just before the program really starts and then explore all the PE headers stored in memory.

DrayNeur