Tuts 4 You

Armadillo feature anti debug


Yazuki


Hi,

I read and watched a lot of tutorials about the Armadillo protection, because my target is protected by Armadillo. There is a lot of information on the net, so I got confused about Armadillo's debug blocker.

To understand what's going on with this feature, I wrote a little summary of the debug blocker. All I need to know is whether what I wrote down is valid information. So here it comes.

Debug Blocker:

The first process (the parent) creates a second process (the child). The child process attaches its parent to it. From here, other processes can't attach to the parent process, because the parent acts as a user-mode debugger, which can attach to just one process.


 



I'd word it a bit differently, although you are mostly correct: there is no active action performed by the child toward the parent, since the child has been under the parent's control ever since it was created.
Another little correction: "From here, other processes can't attach to the parent process" --> nope, you can't attach to the child process; the parent is still accessible.

Edited by SmilingWolf

Yep. Something like that.

The father-child process creates a dummy process, and the puppeteer controls the puppet in order to confuse the debugger.

Just bypass it with the mutex trick.


Edited by GIV

So with some corrections I now have this; it should be correct now, right?

Debug Blocker:

The first process (the parent) creates a second process (the child). The child process doesn't perform any active actions; it is just attached to its parent. From here, other processes can't attach to the child process, because the parent process acts like a user-mode debugger, which can be attached to just one process at the same time. So it becomes impossible to debug the child process.

Thanks for the corrections and help. I just changed eax after the mutex and no child process is created.


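The two mechanisms the thread describes, the parent acting as the child's only possible debugger and the mutex trick that stops the parent from ever being spawned, as an added example that is not part of the original thread and not Armadillo's code. It is written for Linux and substitutes POSIX stand-ins for the Windows calls: fork() plus PTRACE_TRACEME for a child created with DEBUG_PROCESS, a waitpid()/PTRACE_CONT loop for WaitForDebugEvent()/ContinueDebugEvent(), and a file opened with O_EXCL for the named mutex checked with GetLastError() == ERROR_ALREADY_EXISTS. The marker path, the function names and the role codes are made up for the demo. It also goes one step beyond the thread by attaching to an untraced process as a control, so that the refusal can be blamed on the existing tracer and not on ptrace being disabled.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for Armadillo's named mutex; the path is a made-up constant. */
static const char *MARKER = "/tmp/debug_blocker_demo.marker";
enum { ROLE_CHILD_PAYLOAD = 1, ROLE_PARENT_DEBUGGER = 2 };

/* Analogue of CreateMutex() + GetLastError() == ERROR_ALREADY_EXISTS:
 * 1 if the object already existed, 0 if this call created it, -1 on error. */
int claim_marker(void) {
    int fd = open(MARKER, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0) return errno == EEXIST ? 1 : -1;
    close(fd);
    return 0;
}

/* The protector's start-up decision, run by every instance of the program. The
 * "eax after the mutex" check from the thread is the claim_marker() branch:
 * object already there -> act as the child and run the real program here;
 * object just created  -> act as the parent: spawn the child and debug it.
 * If report_fd >= 0 the child's pid is written there for the demo. */
int protector_start(int report_fd) {
    int status;
    if (claim_marker() != 0) return ROLE_CHILD_PAYLOAD;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        /* Child: submit to the parent's control (stand-in for DEBUG_PROCESS),
         * stop once, then idle where the protected program would run. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(3);
        raise(SIGSTOP);
        pause();
        _exit(0);
    }
    /* Parent = puppeteer: take the initial stop, publish the pid, then keep
     * continuing the child in a minimal debug loop until it is gone. */
    if (waitpid(child, &status, 0) != child || !WIFSTOPPED(status)) return -1;
    if (report_fd >= 0 && write(report_fd, &child, sizeof child) < 0) return -1;
    ptrace(PTRACE_CONT, child, NULL, NULL); /* data 0 swallows the SIGSTOP */
    while (waitpid(child, &status, 0) == child && WIFSTOPPED(status)) {
        long sig = WSTOPSIG(status) == SIGTRAP ? 0 : WSTOPSIG(status);
        ptrace(PTRACE_CONT, child, NULL, (void *)sig);
    }
    return ROLE_PARENT_DEBUGGER;
}

/* second_attach_errno: errno when a second debugger attaches to the child.
 * control_attach_ok: 1 if the same attach on an untraced process worked. */
struct demo_result { int second_attach_errno, control_attach_ok; };

/* Start a protector instance, then play "second debugger" from this process.
 * This process is the child's grandparent, so Yama ptrace_scope=1 permits the
 * attempt; only the tracer that already owns the child can make it fail. */
int run_debug_blocker_demo(struct demo_result *r) {
    int pfd[2], status;
    pid_t child = 0, plain, prot;
    memset(r, 0, sizeof *r);
    unlink(MARKER); /* clear a stale object from an earlier run */
    if (pipe(pfd) < 0 || (prot = fork()) < 0) return -1;
    if (prot == 0) {
        close(pfd[0]);
        _exit(protector_start(pfd[1]) == ROLE_PARENT_DEBUGGER ? 0 : 4);
    }
    close(pfd[1]);
    if (read(pfd[0], &child, sizeof child) != (ssize_t)sizeof child) {
        kill(prot, SIGKILL);
        waitpid(prot, NULL, 0);
        return -1;
    }
    close(pfd[0]);
    /* 1. Attach to the protected child: expected to fail with EPERM. */
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == -1) r->second_attach_errno = errno;
    /* 2. Control: the same attach on a process nobody traces succeeds. */
    if ((plain = fork()) == 0) { pause(); _exit(0); }
    if (ptrace(PTRACE_ATTACH, plain, NULL, NULL) == 0 &&
        waitpid(plain, &status, 0) == plain && WIFSTOPPED(status)) {
        r->control_attach_ok = 1;
        ptrace(PTRACE_DETACH, plain, NULL, NULL);
    }
    kill(plain, SIGKILL);
    waitpid(plain, NULL, 0);
    /* Tear down: kill the puppet; the puppeteer's debug loop sees it die and exits. */
    kill(child, SIGKILL);
    waitpid(prot, NULL, 0);
    unlink(MARKER);
    return 0;
}

/* The mutex trick: create the named object before the protector runs, so its
 * first instance takes the "I am the child" path and never spawns a debugger. */
int mutex_trick(void) {
    unlink(MARKER);
    if (claim_marker() != 0) return -1;
    int role = protector_start(-1); /* returns at once: no fork, no tracer */
    unlink(MARKER);
    return role;
}

int main(void) {
    struct demo_result r;
    if (run_debug_blocker_demo(&r) != 0) { puts("setup failed: is ptrace allowed here?"); return 1; }
    printf("attach to protected child: %s\n", strerror(r.second_attach_errno));
    printf("attach to untraced process: %s\n", r.control_attach_ok ? "ok" : "refused");
    printf("mutex trick: protector role = %d (1 = ran as child)\n", mutex_trick());
    return 0;
}
```

Build with `cc demo.c -o demo` and run it on a Linux box where you are allowed to ptrace your own descendants (kernel.yama.ptrace_scope of 0 or 1). The kernel refuses the second PTRACE_ATTACH with EPERM only because the child already has a tracer, which is the same one-debugger-per-process rule that makes the Windows child unattachable while Armadillo's parent holds it; the control attach shows that ptrace itself is working. Patching the branch after the mutex check in the real target does what mutex_trick() does here: the first instance believes it is the child, runs the program itself, and there is no debugger parent to get in the way.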
