Skip to content

wisetek/AutoDump

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.gitattributes
.gitattributes
 
 
README.md
README.md
 
 
helper_dll.c
helper_dll.c
 
 
injector.c
injector.c
 
 

Repository files navigation

Reverse Engineering Toolkit

A comprehensive toolkit for process reverse engineering:

  • Stealth DLL Injector - Reflective injection with thread hijacking
  • Helper DLL - Dumps decrypted memory + extracts ALL offsets automatically

Compilation

gcc -O2 -o injector.exe injector.c
gcc -O2 -shared -o helper.dll helper_dll.c

Usage

  1. Place injector.exe and helper.dll in the same directory
  2. Run as Administrator
  3. Execute: 
    .\injector.exe ourprocess.exe
  4. Wait 2 minutes - the helper DLL will:
    • Track TLS callbacks
    • Decrypt and dump all memory
    • Extract ALL offsets (functions + globals)
    • Create output files in our target process directory

Stealth & Anti-Detection Methods

Injector (injector.c)

Reflective DLL Injection:

  • Manual PE loading without LoadLibrary
  • No entry in process module list
  • PE sections written individually
  • Relocations processed manually
  • Imports resolved manually
  • Memory zeroed after injection

Thread Hijacking:

  • No new thread creation (avoids CreateRemoteThread detection)
  • Selects existing worker thread with low CPU time
  • Suspends thread, modifies RIP register, resumes
  • Uses NtAlertThread to ensure execution

Direct Syscalls:

  • NtOpenProcess - Bypasses OpenProcess hooks
  • NtAllocateVirtualMemory - Direct memory allocation
  • NtWriteVirtualMemory / NtReadVirtualMemory - Direct memory access
  • NtProtectVirtualMemory - Memory protection changes
  • NtFreeVirtualMemory - Memory cleanup
  • NtOpenThread / NtSuspendThread / NtResumeThread - Thread manipulation
  • NtGetContextThread / NtSetContextThread - Context manipulation
  • NtDelayExecution - Stealth sleep (no Sleep() API calls)
  • NtAlertThread - Thread wake-up

Timing Obfuscation:

  • RDTSC-based random delays (no GetTickCount)
  • Random timing between operations (50-100ms)
  • Stealth sleep using NtDelayExecution

Memory Security:

  • StealthZeroMemory - Volatile memory zeroing before free
  • Secure cleanup of DLL buffer after injection

Helper DLL (helper_dll.c)

PEB Unlinking:

  • Removes DLL from InLoadOrderModuleList
  • Removes from InMemoryOrderModuleList
  • Removes from InInitializationOrderModuleList
  • Invisible to all module enumeration APIs

Direct Syscalls:

  • NtDelayExecution - Stealth sleep
  • NtAllocateVirtualMemory / NtFreeVirtualMemory - Memory management
  • NtProtectVirtualMemory - Protection changes
  • NtCreateFile / NtWriteFile / NtClose - File operations
  • NtQueryVirtualMemory - Memory queries
  • NtReadVirtualMemory / NtWriteVirtualMemory - Memory access

Spoofed Function Calls:

  • Uses process's own memcpy/RtlMoveMemory from IAT
  • Triggers auto-decryption for some memory regions
  • Avoids detection by using legitimate process functions

Eidolon Bypass:

  • Decrypt gadget at RVA 0x1E7040 (pattern: 48 8B 01 C3)
  • Triggers Eidolon to decrypt PAGE_NOACCESS pages
  • Page-by-page processing with forced decryption
  • Vectored Exception Handler (VEH) for decryption capture

Hidden File Operations:

  • NtCreateFile with HIDDEN + SYSTEM attributes
  • Files invisible in Explorer by default
  • NT path format (\??\C:\...)

Memory Cleanup:

  • SecureZeroBuffer - Volatile writes prevent optimization
  • Memory zeroed before VirtualFree
  • _ReadWriteBarrier() to prevent compiler optimization

Thread Pool Execution:

  • Uses Windows thread pool (TrySubmitThreadpoolCallback)
  • Minimal detection footprint
  • Asynchronous execution

TLS Callback Tracking:

  • Continuous scanning every 10ms for 2 minutes
  • Captures callbacks even if they get overwritten
  • Tracks up to 64 unique callbacks
  • All callbacks preserved in final dump

Import Address Table (IAT) Reconstruction:

  • Reads original import descriptors
  • Walks PEB module list (no LoadLibrary)
  • Resolves function addresses dynamically
  • Rebuilds IAT in dump for analysis tools

PE Header Fixing:

  • PointerToRawData = VirtualAddress
  • SizeOfRawData = VirtualSize
  • FileAlignment = SectionAlignment
  • Clears bound import and security directories
  • Compatible with IDA Pro and Ghidra

Requirements

  • Windows 10/11 x64
  • Administrator privileges
  • GCC compiler (MinGW-w64 recommended)
  • Target process must be running (or will wait for it)

Notes

  • dont run this
  • especially dont run this on an account you want to keep
  • this is my first attempt at this, the methods used may be ultra detected. who knows.
  • Process continues running normally during capture
  • Game remains fully playable
  • Dump happens silently in background
  • Files created with HIDDEN + SYSTEM attributes
  • 2-minute wait ensures complete capture
  • this is a WIP, id like to eventually have it be more "fool proof"
  • further reversal of the loader.dll

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

1 watching

Forks

19 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages