Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Armadillo feature anti debug


Hi you,

I read and saw a lot of tutorials about the Armadillo protection because my target is protected by Armadillo. A lot of information is here on the net, so I got confused about the debug-blocker of Armadillo.

To understand what's going on with this feature, I wrote a little summary of the debug-blocker. All I need to know is whether what I wrote down is valid information. So here it comes.

Debug Blocker:

The first process (the parent) is creating a second process (the child). The child process attaches its parent to it. From here, other processes can't attach to the parent process, because the parent acts as a user-mode debugger, which can be attached to just 1 process.

I'd word it a bit differently, although you are mostly correct: there is no active action performed by the child toward the parent, since the child is under its (the parent's) control ever since it is created.
Another little correction: "From here, other processes can't attach to the parent process" --> nope, you can't attach to the child process; the parent is still accessible.

Edited by SmilingWolf

Yep.

Something alike.

The father-child process creates a dummy process and the puppeteer controls the puppet in order to confuse the debugger.

Just bypass by Mutex trick.


Edited by GIV

Breakpoint on OpenMutexA; forcing the value of eax many times is enough so that the child process is not created....


  • Author

So with some corrections I got this now; this should be correct now, right?

Debug Blocker:

The first process (the parent) is creating a second process (the child). The child process doesn't perform active actions, just only attaching its parent to it. From here, other processes can't attach to the child process, because the parent process acts like a user-mode debugger, which can be attached to just 1 process at the same time. So it becomes impossible to debug the child process.

Thanks for the corrections and help. I just changed eax after the mutex and no child process is created.

