
DilloDie: Removing Armadillo Tamper-Protection



Presentation Transcript


  1. DilloDie: Removing Armadillo Tamper-Protection
     Matt Renzelmann, Kevin Roundy

  2. Why tamper protection?

  3. A Solution?

  4. What does it do?
     • Obscures “Original Entry Point”

  5. What does it do?
     • Corrupts “Import Address Table”

     Program code:
       0x40101A   JMP DWORD PTR DS:[402008]   (indirect jump through an IAT slot)

     IAT:
       Address    Data
       0x402000   0x7F76DE64
       0x402004   0x7F76AEF0
       0x402008   0x77D804EA   → Windows API   (overwritten with 0x35FE4888)
       0x40200C   0x3234AF38
       …
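As an added example that is not part of the presentation: a small Python audit for the kind of IAT corruption slide 5 shows. A slot that no longer points into any loaded module is the symptom to look for; the module ranges, the call-stub bytes and the IAT contents below are constructed to mirror the slide's table (including the assumption that 0x402008 held 0x77D804EA before being overwritten with 0x35FE4888), and real addresses depend on the process being examined.

```python
# Added example (not from the presentation): audit IAT slots against loaded-module ranges.
# Module ranges, the call stub and the IAT contents are constructed to mirror the slide's
# table; real addresses depend on the process being examined.
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    def contains(self, addr):
        return self.base <= addr < self.base + self.size

# Hypothetical load ranges chosen so the slide's valid API pointers fall inside them.
MODULES = [
    Module("user32.dll", 0x7F760000, 0x10000),    # covers 0x7F76DE64, 0x7F76AEF0
    Module("kernel32.dll", 0x77D40000, 0x90000),  # covers 0x77D804EA
]
IAT_BASE = 0x402000
# Constructed IAT: slot 0x402008 holds 0x35FE4888 where the API address 0x77D804EA belongs.
IAT_BYTES = struct.pack("<4I", 0x7F76DE64, 0x7F76AEF0, 0x35FE4888, 0x3234AF38)
# Constructed call stub at 0x40101A: FF 25 <imm32> encodes JMP DWORD PTR DS:[0x402008].
STUB_BYTES = bytes.fromhex("ff2508204000")

def parse_iat(base, raw):
    """Split raw IAT bytes into (slot address, pointer value) pairs of little-endian DWORDs."""
    values = struct.unpack("<%dI" % (len(raw) // 4), raw)
    return [(base + 4 * i, v) for i, v in enumerate(values)]

def resolve_module(addr, modules=MODULES):
    """Name of the loaded module containing addr, or None if it lies outside all of them."""
    return next((m.name for m in modules if m.contains(addr)), None)

def audit_iat(base, raw, modules=MODULES):
    """Map every IAT slot to its module; None marks a pointer into no loaded module."""
    return {slot: resolve_module(v, modules) for slot, v in parse_iat(base, raw)}

def corrupted_slots(base, raw, modules=MODULES):
    return sorted(s for s, mod in audit_iat(base, raw, modules).items() if mod is None)

def stub_slot(code):
    """Decode which IAT slot an x86 'JMP DWORD PTR [imm32]' stub (FF 25 imm32) reads."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        raise ValueError("not an indirect JMP through an absolute address")
    return struct.unpack_from("<I", code, 2)[0]

def check_stub(code, base, raw, modules=MODULES):
    """Module the stub's target slot resolves into, or None when that slot is corrupted."""
    return audit_iat(base, raw, modules).get(stub_slot(code))
```

Running `corrupted_slots(IAT_BASE, IAT_BYTES)` on the constructed table flags 0x402008 and 0x40200C, and `check_stub(STUB_BYTES, IAT_BASE, IAT_BYTES)` reports that the jump at 0x40101A no longer lands in any module.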

  6. What does it do?
     Prevents debugging
     • IsDebuggerPresent();
     • Exploit bugs?

         // BUGS!
         int *p = NULL;
         *p = 5;

  7. Our Tools
     OllyDbg v1.10
     • Binary debugger
     • Pass exceptions to program
     • Hijack API calls made by program
     LordPE
     • Dump address space of executing process
     • Fix executable header, wipe sections
     ImpRec (Trojan horse?)
     • Import Address Table manipulation

  8. Honing the Blade
     • Tutorials for older Armadillo versions
     • Crackmes
       Armadillo Standard Protection
       Standard + Debug Blocker
       Standard + Debug Blocker + Copymem
     • Breaking the latest version – Armadillo 4.66
       • Broke message box, console applications

  9. Packaged Malware
     Why automate Armadillo removal?
     • Suppose a virus is Armadillo protected
     • Want to strip Armadillo, check with anti-virus

  10. What is left to do?
     Write OEP finder
     • For Armadillo’s standard protection
     Study Armadillo’s advanced features
     • Debug Blocker
     • Copymem
     Win the Turing award