DilloDie: Removing Armadillo Tamper-Protection
Matt Renzelmann, Kevin Roundy
Why tamper protection?
A Solution?
What does it do?
Obscures “Original Entry Point”
What does it do?
Corrupts “Import Address Table”
[Diagram: the instruction at 0x40101A, JMP DWORD PTR DS:[402008], jumps through an Import Address Table slot. The IAT is drawn as an Address/Data table covering 0x402000, 0x402004, 0x402008 and 0x40200C; slot 0x402008 holds 0x77D804EA, the real Windows API address, while the other slots shown hold the values 0x7F76AEF0, 0x7F76DE64, 0x3234AF38 and 0x35FE4888.]
What does it do?
Prevents debugging
– IsDebuggerPresent();
– Exploit bugs, e.g.:

    // BUGS!
    int *p = NULL;   // deliberate null-pointer write: raises an exception on purpose
    *p = 5;
Our Tools
OllyDbg v1.10
– Binary debugger
– Pass exceptions to program
– Hijack API calls made by program
LordPE
– Dump address space of executing process
– Fix executable header, wipe sections
ImpRec (Trojan horse?)
– Import Address Table manipulation
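An added example, not code from the DilloDie talk or from OllyDbg/LordPE/ImpRec: a small Python script that does in miniature what the IAT-repair step relies on. It scans dumped code bytes for JMP DWORD PTR [mem] thunks (opcode FF 25, the form of the slide's JMP at 0x40101A), reads the referenced IAT slots out of a dumped IAT, and flags slots whose contents fall in no loaded module, which is how a protector-corrupted entry shows up to an analyst rebuilding imports. The module ranges, code bytes and IAT contents are constructed sample data; only the 0x402008 → 0x77D804EA entry follows the slide.

```python
import struct

# Constructed module map (name -> (base, size)), as a debugger's module list
# would show it. The user32.dll base is an assumption chosen to contain the
# slide's 0x77D804EA value, not a range taken from the talk.
MODULES = {
    "user32.dll": (0x77D40000, 0x90000),
    "kernel32.dll": (0x7C800000, 0xF6000),
}

def module_for(address, modules=MODULES):
    """Name of the module whose mapped range contains address, else None."""
    for name, (base, size) in modules.items():
        if base <= address < base + size:
            return name
    return None

def find_iat_thunks(code, code_base):
    """Yield (instr_addr, slot_addr) for each FF 25 disp32 = JMP DWORD PTR [mem].

    This is a plain byte scan, not a disassembler, so it can also match the
    pattern inside data or longer instructions; treat hits as candidates.
    """
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            (slot,) = struct.unpack_from("<I", code, i + 2)
            yield code_base + i, slot
            i += 6
        else:
            i += 1

def resolve_slots(iat_base, iat_raw, slots, modules=MODULES):
    """Map each referenced IAT slot to (value, module); module None = corrupted."""
    out = {}
    for slot in slots:
        off = slot - iat_base
        if not 0 <= off <= len(iat_raw) - 4:
            raise ValueError(f"slot {slot:#x} lies outside the dumped IAT")
        (value,) = struct.unpack_from("<I", iat_raw, off)
        out[slot] = (value, module_for(value, modules))
    return out

# Constructed dump: a NOP, the slide's JMP through 0x402008 (placed so it sits
# at 0x40101A), a NOP, and a second JMP through 0x402004. IAT contents for
# 0x402000..0x40200C reuse the values drawn on the slide.
CODE = bytes.fromhex("90 ff2508204000 90 ff2504204000")
IAT = struct.pack("<4I", 0x7F76AEF0, 0x7F76DE64, 0x77D804EA, 0x3234AF38)

def check_sample():
    slots = [slot for _, slot in find_iat_thunks(CODE, 0x401019)]
    return resolve_slots(0x402000, IAT, slots)

if __name__ == "__main__":
    for slot, (value, mod) in check_sample().items():
        print(f"{slot:#010x}: {value:#010x} -> {mod or 'NOT IN ANY LOADED MODULE'}")
```

Slots reported with no module are the ones an import rebuilder must resolve by other means before the dumped executable can run.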
Honing the Blade
– Tutorials for older Armadillo versions
– Crackmes
– Breaking the latest version, Armadillo 4.66
– Broke message box and console applications
Armadillo Standard Protection
Standard + Debug Blocker
Standard + Debug Blocker + Copymem
Packaged Malware
Why automate Armadillo removal?
– Suppose a virus is Armadillo protected
– Want to strip Armadillo, then check with anti-virus
What is left to do?
Write OEP finder
– For Armadillo’s standard protection
Study Armadillo’s advanced features
– Debug Blocker
– Copymem
Win the Turing award