DilloDie: Removing Armadillo Tamper-Protection
PowerPoint presentation, 10 slides
    Presentation Transcript
    1. DilloDie: Removing Armadillo Tamper-Protection Matt Renzelmann, Kevin Roundy

    2. Why tamper protection?

    3. A Solution?

    4. What does it do? Obscures “Original Entry Point”

    5. What does it do? Corrupts “Import Address Table”
       Program code at 0x40101A (a thunk that reaches a Windows API through the IAT):
           0x40101A    JMP DWORD PTR DS:[402008]
       IAT (Address -> Data):
           0x402000    0x7F76DE64
           0x402004    0x7F76AEF0
           0x402008    0x77D804EA  -> Windows API (the real target of the thunk)
                       0x35FE4888  (the value the slide shows in the corrupted slot)
           0x40200C    0x3234AF38
           …
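The check a practitioner would want at this point is to follow the thunk into the table and ask whether the slot it reads still points into a loaded module. The following is an added example, not code from the DilloDie slides: it decodes the `JMP DWORD PTR [disp32]` thunk from the slide (encoded `FF 25` plus the slot address in 32-bit x86), looks up the slot, and counts IAT entries that resolve to no module, which is the test an import rebuilder such as ImpRec applies. The module list, the `other.dll` range and the assignment of 0x77D804EA to user32.dll are constructed sample values; the slide only says "Windows API".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the DilloDie slides. Module ranges below are
 * constructed sample values, not data read from a real process. */
typedef struct {
    const char *name;
    uint32_t    base;   /* load address of the module */
    uint32_t    size;   /* size of the mapped image   */
} module_t;

/* Assumed module list, as a tool would read it from the target process. */
static const module_t sample_modules[] = {
    { "user32.dll", 0x77D40000, 0x00090000 },   /* assumed home of 0x77D804EA */
    { "other.dll",  0x7F760000, 0x00010000 },   /* assumed home of the 0x7F76.... slots */
};
#define N_MODULES (sizeof sample_modules / sizeof sample_modules[0])

/* The slide's IAT after Armadillo has been at it: two entries still point
 * into modules, two point at addresses that belong to no loaded image. */
#define SAMPLE_IAT_BASE 0x402000u
static const uint32_t sample_iat[] = {
    0x7F76DE64,   /* 0x402000 */
    0x7F76AEF0,   /* 0x402004 */
    0x35FE4888,   /* 0x402008: should hold 0x77D804EA, the real Windows API */
    0x3234AF38,   /* 0x40200C */
};
#define N_IAT (sizeof sample_iat / sizeof sample_iat[0])

/* Bytes at 0x40101A from the slide: JMP DWORD PTR DS:[402008].
 * 32-bit x86 encodes it as FF 25 <absolute slot address, little-endian>. */
static const uint8_t sample_thunk[6] = { 0xFF, 0x25, 0x08, 0x20, 0x40, 0x00 };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* IAT slot an "FF 25 disp32" thunk jumps through, or 0 if the six bytes
 * are not that instruction. */
uint32_t thunk_iat_slot(const uint8_t *code) {
    if (code[0] != 0xFF || code[1] != 0x25) return 0;
    return rd32le(code + 2);
}

/* Name of the module whose mapped range contains addr, or NULL. */
const char *module_for(uint32_t addr, const module_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return mods[i].name;
    return NULL;
}

/* Value stored in the IAT slot at address slot, or 0 if slot lies outside
 * the table or is not 4-byte aligned to it. */
uint32_t iat_value(const uint32_t *iat, size_t n, uint32_t base, uint32_t slot) {
    if (slot < base || (slot - base) % 4 != 0 || (slot - base) / 4 >= n) return 0;
    return iat[(slot - base) / 4];
}

/* Number of IAT entries that resolve to no loaded module: the entries an
 * import rebuilder flags as invalid and a repair has to replace. */
int iat_invalid_entries(const uint32_t *iat, size_t n, const module_t *mods, size_t nm) {
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (module_for(iat[i], mods, nm) == NULL) bad++;
    return bad;
}

/* Follow the slide's thunk: which slot does it use, and is that slot sane? */
int thunk_target_is_valid(const uint8_t *code) {
    uint32_t slot = thunk_iat_slot(code);
    if (slot == 0) return 0;
    uint32_t target = iat_value(sample_iat, N_IAT, SAMPLE_IAT_BASE, slot);
    return module_for(target, sample_modules, N_MODULES) != NULL;
}

int main(void) {
    printf("thunk reads slot 0x%06X -> %s\n", thunk_iat_slot(sample_thunk),
           thunk_target_is_valid(sample_thunk) ? "valid" : "INVALID (not in any module)");
    printf("%d of %zu IAT entries invalid\n",
           iat_invalid_entries(sample_iat, N_IAT, sample_modules, N_MODULES), (size_t)N_IAT);
    return 0;
}
```

For the constructed table the thunk resolves to slot 0x402008, that slot's value 0x35FE4888 lies in no module, and two of the four entries are reported invalid. Real protectors also redirect valid-looking entries into their own code, so a range check like this is a first filter, not a full import reconstruction.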

    6. What does it do? Prevents debugging
       • IsDebuggerPresent();
       • Exploit bugs ?
           // BUGS!  deliberate null-pointer write: raises an access violation
           int *p = NULL;
           *p = 5;

    7. Our Tools
       OllyDbg v1.10
       • Binary debugger
       • Pass exceptions to program
       • Hijack API calls made by program
       LordPE
       • Dump address space of executing process
       • Fix executable header, wipe sections
       ImpRec (Trojan horse?)
       • Import Address Table manipulation
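The "fix executable header" step that LordPE performs after a dump deserves a concrete illustration. A dump is a copy of the mapped image, so each section's file offset and size must be rewritten to its virtual address and virtual size, and the entry point must be replaced by the OEP found in the debugger, or the dumped file will not load. The following is an added example, not the DilloDie authors' code or LordPE's: it repairs a PE32 header in memory using the standard IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER32 / IMAGE_SECTION_HEADER field offsets. The image is constructed by `build_sample_image()` and the OEP value passed to `fix_dump()` is an assumed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides or from LordPE. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Locate the optional header and section table of a PE32 image in memory.
 * Returns the first section header, or NULL if the buffer is not PE32. */
static uint8_t *pe_sections(uint8_t *img, size_t len, uint8_t **opt, uint16_t *nsec) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return NULL;
    uint32_t pe = rd32(img + 0x3C);                         /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return NULL;
    uint8_t *fh = img + pe + 4;                              /* IMAGE_FILE_HEADER */
    *nsec = rd16(fh + 2);                                    /* NumberOfSections */
    uint16_t optsz = rd16(fh + 16);                          /* SizeOfOptionalHeader */
    *opt = fh + 20;
    if (optsz < 64 || rd16(*opt) != 0x10B) return NULL;      /* PE32 magic */
    if (len - pe - 24 < (size_t)optsz + (size_t)*nsec * 40) return NULL;
    return *opt + optsz;
}

/* Rewrite a dumped image's headers in place: entry point := OEP, and for
 * every section raw offset/size := virtual address/size. Returns the
 * number of sections fixed, or -1 if the buffer is not a PE32 image. */
int fix_dump(uint8_t *img, size_t len, uint32_t oep_rva) {
    uint8_t *opt; uint16_t n;
    uint8_t *sec = pe_sections(img, len, &opt, &n);
    if (sec == NULL) return -1;
    wr32(opt + 16, oep_rva);                                 /* AddressOfEntryPoint */
    for (uint16_t i = 0; i < n; i++, sec += 40) {
        uint32_t vsize = rd32(sec + 8), va = rd32(sec + 12);
        wr32(sec + 16, vsize);                               /* SizeOfRawData    = VirtualSize    */
        wr32(sec + 20, va);                                  /* PointerToRawData = VirtualAddress */
    }
    return n;
}

uint32_t pe_entry_point(uint8_t *img, size_t len) {
    uint8_t *opt; uint16_t n;
    return pe_sections(img, len, &opt, &n) ? rd32(opt + 16) : 0;
}

/* Raw offset and size of section idx; 0 on success, -1 otherwise. */
int pe_section_raw(uint8_t *img, size_t len, unsigned idx, uint32_t *off, uint32_t *size) {
    uint8_t *opt; uint16_t n;
    uint8_t *sec = pe_sections(img, len, &opt, &n);
    if (sec == NULL || idx >= n) return -1;
    *off  = rd32(sec + idx * 40 + 20);
    *size = rd32(sec + idx * 40 + 16);
    return 0;
}

/* Constructed PE32 header with two sections and an entry point inside the
 * protector's stub, the shape a dump of a protected program has. */
#define SAMPLE_LEN 0x400
void build_sample_image(uint8_t *img) {
    memset(img, 0, SAMPLE_LEN);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);
    memcpy(img + 0x80, "PE\0\0", 4);
    uint8_t *fh = img + 0x84;
    wr16(fh + 0, 0x14C);            /* Machine: i386 */
    wr16(fh + 2, 2);                /* NumberOfSections */
    wr16(fh + 16, 224);             /* SizeOfOptionalHeader */
    uint8_t *opt = fh + 20;
    wr16(opt + 0, 0x10B);           /* PE32 */
    wr32(opt + 16, 0x00012340);     /* entry point in the protector's code (assumed) */
    wr32(opt + 32, 0x1000);         /* SectionAlignment */
    wr32(opt + 36, 0x200);          /* FileAlignment */
    uint8_t *sec = opt + 224;
    memcpy(sec, ".text", 5); wr32(sec + 8, 0x800); wr32(sec + 12, 0x1000);
    wr32(sec + 16, 0x200); wr32(sec + 20, 0x400);   /* file layout, wrong for a dump */
    sec += 40;
    memcpy(sec, ".data", 5); wr32(sec + 8, 0x300); wr32(sec + 12, 0x2000);
    wr32(sec + 16, 0x200); wr32(sec + 20, 0x600);
}

int main(void) {
    uint8_t img[SAMPLE_LEN];
    build_sample_image(img);
    int n = fix_dump(img, SAMPLE_LEN, 0x1234);   /* 0x1234: OEP RVA from the debugger (assumed) */
    printf("fixed %d sections, entry point now 0x%X\n", n, pe_entry_point(img, SAMPLE_LEN));
    return 0;
}
```

After `fix_dump` the `.text` section reads at file offset 0x1000 with size 0x800 and `.data` at 0x2000 with size 0x300, matching where a loader would find them in the dump. The header is then loadable, but the IAT still holds whatever the protector left there; that is the separate rebuild step ImpRec covers.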

    8. Honing the Blade
       • Tutorials for older Armadillo versions
       • Crackmes: Armadillo Standard Protection; Standard + Debug Blocker; Standard + Debug Blocker + Copymem
       • Breaking the latest version, Armadillo 4.66
       • Broke message box and console applications

    9. Packaged Malware: why automate Armadillo removal?
       • Suppose a virus is Armadillo protected
       • Want to strip Armadillo, then check with anti-virus

    10. What is left to do?
       Write OEP finder
       • For Armadillo’s standard protection
       Study Armadillo’s advanced features
       • Debug Blocker
       • Copymem
       Win the Turing award