If you are fine with hex editing, the stream is documented in dbghelp.inc, which comes with the WinDbg SDK.
Use dumpchk on the .dmp file and find the RVA of the ModuleList stream.
If it is, say, 0x294, you will see the _MINIDUMP_MODULE_LIST located there.
Ignoring the first dword, which is the number of modules, the _MINIDUMP_MODULE entries follow; use sizeof(_MINIDUMP_MODULE) to navigate to the next module.
One of the fields in each module struct is an RVA to the module name.
The format of the module name is:
ulong32 size of string
wstr name
You can hex edit the name there.
C:\>dumpchk foo.dmp | grep ModuleListStream
Loading dump file foo.dmp
Stream 1: type ModuleListStream (4), size 000004A8, RVA 00000294
C:\>xxd -s 0x294 -l 0x70 -g 4 foo.dmp
0000294: 0b000000 00000001 00000000 00f00100 ................
00002a4: fcd70100 10847d3b 660a0000 bd04effe ......};f.......
00002b4: 00000100 01000500 0000280a 01000500 ..........(.....
00002c4: 0000280a 3f000000 00000000 04000400 ..(.?...........
00002d4: 01000000 00000000 00000000 00000000 ................
00002e4: 19000000 22110000 00000000 00000000 ...."...........
00002f4: 00000000 00000000 00000000 00000000 ................
C:\>xxd -s 0xa66 -l 0x20 -g 1 foo.dmp
0000a66: 10 00 00 00 63 00 61 00 6c 00 63 00 2e 00 65 00 ....c.a.l.c...e.
0000a76: 78 00 65 00 00 00 12 00 00 00 6e 00 74 00 64 00 x.e.......n.t.d.
C:\>echo pathched with hxd
pathched with hxd
C:\>xxd -s 0xa66 -l 0x20 -g 1 foo.dmp
0000a66: 10 00 00 00 64 00 61 00 6c 00 63 00 2e 00 65 00 ....d.a.l.c...e.
0000a76: 78 00 65 00 00 00 12 00 00 00 6e 00 74 00 64 00 x.e.......n.t.d.
C:\>cdb -z foo.dmp
0:000> |
. 0 id: 548 examine name: dalc.exe
0:000>

Here is how to delete the PEB from a dump file created with .dump /marR:
C:\>cdb -c ".dump /marR /u c:\foo.dmp;q" calc
0:000> cdb: Reading initial command '.dump /marR /u c:\foo.dmp;q'
Creating c:\foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp - mini user dump
Dump successfully written
quit:
C:\>ls -lh foo*
-rw-rw-rw- 1 Admin 0 14M 2014-03-22 13:38 foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
C:\>cdb -c "!peb;q" -z foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
0:000> cdb: Reading initial command '!peb;q'
PEB at 7ffde000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 01000000
Ldr 001a1ea0
C:\>dumpchk foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp | grep -i peb
Loading dump file foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
PEB at 7ffde000
C:\>dumpchk foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp | grep -i 7ffde000
Loading dump file foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
62 00DA7ACE 7ffde000 00001000
PEB at 7ffde000
C:\>xxd -s 0xda7ace -l 0x10 -g 1 foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
0da7ace: 00 00 01 00 ff ff ff ff 00 00 00 01 a0 1e 1a 00 ................
C:\> filled 0x1000 bytes with 0 with hxd (select block -> fill)
C:\>xxd -s 0xda7ace -l 0x10 -g 1 foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
0da7ace: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
C:\>cdb -c "!peb;q" -z foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
0:000> cdb: Reading initial command '!peb;q'
PEB at 7ffde000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 00000000
Ldr 00000000
*** unable to read Ldr table at 00000000
SubSystemData: 00000000
ProcessHeap: 00000000
ProcessParameters: 00000000
*** unable to read process parameters
quit:
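
The module-name walk from the first part of this answer (stream directory -> ModuleListStream -> MINIDUMP_MODULE -> name string), as an added Python example that is not part of the original post. The function names are hypothetical, `build_sample` constructs a synthetic two-module dump rather than a real capture, and the 108-byte module size is an assumption consistent with the 0x4A8 stream size shown above for 0x0b modules.

```python
import struct

MODULE_LIST_STREAM = 4  # stream type shown by dumpchk
MODULE_SIZE = 108       # sizeof(MINIDUMP_MODULE)
NAME_RVA_OFF = 20       # ModuleNameRva: after BaseOfImage(8) + 3 dwords

def module_list_rva(dump):
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<4sIII", dump, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump")
    for i in range(nstreams):  # MINIDUMP_DIRECTORY: type, size, rva
        stype, _size, rva = struct.unpack_from("<III", dump, dir_rva + 12 * i)
        if stype == MODULE_LIST_STREAM:
            return rva
    raise ValueError("no ModuleListStream")

def modules(dump):
    """Yield (file offset of the name's first character, name) per module."""
    rva = module_list_rva(dump)
    (count,) = struct.unpack_from("<I", dump, rva)  # first dword: module count
    for i in range(count):
        entry = rva + 4 + i * MODULE_SIZE
        (name_rva,) = struct.unpack_from("<I", dump, entry + NAME_RVA_OFF)
        (nbytes,) = struct.unpack_from("<I", dump, name_rva)  # byte length, no NUL
        raw = bytes(dump[name_rva + 4:name_rva + 4 + nbytes])
        yield name_rva + 4, raw.decode("utf-16-le")

def rename_module(dump, old, new):
    """In-place rename; equal encoded length keeps every RVA valid."""
    enc = new.encode("utf-16-le")
    if len(enc) != len(old.encode("utf-16-le")):
        raise ValueError("replacement must have the same length")
    for off, name in modules(dump):
        if name == old:
            dump[off:off + len(enc)] = enc
            return off
    raise KeyError(old)

def build_sample(names=("calc.exe", "ntdll.dll")):
    """Constructed minimal dump (not a real capture)."""
    list_rva = 32 + 12  # 32-byte header + one directory entry
    str_rva = list_rva + 4 + MODULE_SIZE * len(names)
    body, strings = struct.pack("<I", len(names)), b""
    for n in names:
        # Zeroed MINIDUMP_MODULE with only ModuleNameRva filled in (20+4+84 = 108)
        body += struct.pack("<20xI84x", str_rva + len(strings))
        enc = n.encode("utf-16-le")
        strings += struct.pack("<I", len(enc)) + enc + b"\0\0"
    head = struct.pack("<4sIIIIIQIII", b"MDMP", 0xA793, 1, 32, 0, 0, 0,
                       MODULE_LIST_STREAM, len(body), list_rva)
    return bytearray(head + body + strings)
```

To use it on a real file, read the dump into a `bytearray`, call `rename_module`, and write the buffer back; the returned offset is the spot you would otherwise locate with xxd.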