DilloDie: Removing Armadillo Tamper-Protection. Matt Renzelmann, Kevin Roundy. Why tamper protection?. A Solution?. ?. What does it do?. Obscures “Original Entry Point”. What does it do?. Corrupts “Import Address Table”. Address. Data. IAT. 0x40101A. JMP DWORD PTR DS:. ….
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
DilloDie: Removing Armadillo Tamper-Protection Matt Renzelmann, Kevin Roundy
What does it do? Obscures “Original Entry Point”
What does it do? Corrupts “Import Address Table” Address Data IAT 0x40101A JMP DWORD PTR DS: … 0x402000 0x7F76DE64 0x402004 0x7F76AEF0 0x402008 0x77D804EA 0x35FE4888 0x40200C 0x3234AF38 … 0x77D804EA Windows API …
What does it do? Prevents debugging • IsDebuggerPresent(); • Exploit bugs ? // BUGS! int *p = NULL; *p = 5;
Our Tools OllyDbg v1.10 • Binary debugger • Pass exceptions to program • Hijack API calls made by program LordPE • Dump address space of executing process • Fix executable header, wipe sections ImpRec (Trojan horse?) • Import Address Table Manipulation
Honing the Blade • Tutorials for older Armadillo versions • Crackmes Armadillo Standard Protection Standard + Debug Blocker Standard + Debug Blocker + Copymem • Breaking the latest version – Armadillo 4.66 • Broke message box, console applications
Packaged Malware Why automate Armadillo removal? • Suppose a virus is Armadillo protected • Want to strip Armadillo, check with anti-virus
What is left to do? Write OEP finder • For Armadillo’s standard protection Study Armadillo’s advanced features • Debug Blocker • Copymem Win the Turing award