Circumvent (Themida/Hackshield/Etc..) Ultimate Memory Dump Tutorial
Backstory & Information
This tutorial was made possible by Nexon’s Counter-Strike Online 2 that nasty piece of shit left me no choice but to resort to this brutal nasty method.
Now to give a little info first in case anyone reading this has no idea what I’m talking about or doesn’t understand the concept of memory. Games & Applications that run on your system all use RAM. Sometimes they store sensitive information or valuable data there that shouldn’t be accessed by the end-user, for example an AES encryption key or maybe game assets like models/textures/scripts. This data isn’t usually protected as you can force a dump of an application’s memory, however some software/game developers like to restrict user access to this data usually to stop cheaters or people exploiting their software (like myself 😈 ). Now I won’t go into detail on what the kernel is nor what userland means but I will say that these developers use methods of protecting memory data which can be circumvented with a simple trick. The example case I will be using in this tutorial is the game Counter-Strike Online 2. Nexon the developers of this game are utilizing a technique to elevate the game process into kernel level. This means trying to access the game process or memory isn’t possible by the user anymore, normally achieved via a driver installed on the system. In CS Online2’s case Hackshields EagleNT.SYS elevates the process CounterStrikeOnline2.exe and access is not possible anymore.
So how do we circumvent this?
Since the user can’t access the process and process memory there are two ways around this. The first won’t be covered in this tutorial but requires you to write a driver of your own which has kernel level access. The Second will be to force the system into a BSOD (Blue Screen Of Death), normally this occurring would be a bad thing (faulty hardware/bad drivers) but we are using it to our advantage as you can force the system to dump all of it’s memory to a single file before rebooting.
Prepare for the BSOD memory dump
The first thing that needs to be done and you can read more about this over at this Microsoft site is to configure the system to capture a “complete dump”. A complete dump as stated by MS is:
A memory dump that records all the contents of the system memory when your computer stops unexpectedly.
A complete memory dump may contain data from processes that were running when the memory dump was collected.
This is what we want, a full capture of the system’s memory. The steps are below:
A word of warning, if you own a Solid State Drive (SSD) I would recommend you set the dump location to another disk drive as this will degrade your SSDs life if it was to dump a whole 16GB file onto the disk. Make sure you have enough disk space!
Registry key method didn’t work?
You can try using the html application I have packed here to do it in case the above method didn’t work
Causing the BSOD
Now there are many ways to trigger a BSOD but the “safest” would be to use a manual interrupt which can be done by pressing a few keyboard shortcuts. Once again you need to enable this feature in the registry. More on that here: http://support.microsoft.com/kb/244139
I have packed up a zip file with the required registry keys to enable this here. Now depending on your keyboard (PS/2 or USB) Run the required key files. Some times you will need to run both the PS/2 one and the USB one
Once you have activated the keyboard shortcut for manual interrupt which is defaulted to:
CTRL+SCROLL LOCK+SCROLL LOCK
Prepare your computer by exiting all other applications that you wish not to capture from, for example your antivirus protection and your Internet browser. Exit as many applications as you can except of course the application you wish to capture from. Once this is done hit those keys and your system should now BSOD, here is a picture from when I did it on my Asus laptop.
The dump process
You will now need to wait a while (depending on the size of your RAM) for the dump to take place. Once this has completed your system should reboot.
Analysis and Gold panning!
Alright now navigate to the folder you had set for the dump file
Have fun digging through it with a hex editor 🙂
Reference & Sources
- Visit the following Microsoft Web site to download the NotMyFault tool: http://download.sysinternals.com/files/NotMyFault.zip
- Click Start, and then click Command Prompt.
- At the command line, type NotMyfault.exe /crash, and then press ENTER.