search

vijaykumarmit55 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Bypass Active Anti-Debugging and Anti-Dumping Protection #408

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
there is a new freeware tool on the market called:
http://forensic.belkasoft.com/en/ram-capturer

They claim they the only one on the market are able to capture the dump if anti 
dumping protection is enabled.

Could you confirm if it's really so? If true, you could think about a similar 
implementation too.

Original issue reported on code.google.com by blshkv on 15 Apr 2013 at 8:43

GoogleCodeExporter commented 9 years ago 
Their anti-dumping protection is specific to nProtect GameGuard by using 
NtLoadDriver instead of StartService. The anti-debugging is based on calling 
GetTickCount() in a loop and its all done in user-mode, not kernel mode like 
they claim. I'll CC the author of winpmem just so he's aware that you've asked 
this question, but its really not a goal of ours to match such features when 
they really wouldn't protect against anything remotely sophisticated anyway.

Original comment by michael.hale@gmail.com on 16 Apr 2013 at 6:01