Theory behind debugging process request - Armadillo
mr haggar
September 27th, 2005, 16:09
Hi, I've been unpacking some Armadillo targets and I have been quite successful; standard and minimal protection I can deal with without problems, code splicing is easy, import elimination is a pain in the ass but I can handle it.
Then I followed MEPHISTO's tutorial for dealing with the Debug Blocker feature. It's actually easy to detach the processes and defeat this kind of protection. But I just learned the way how to do it. I didn't learn what is going on there. Until now, I have found a lot of tutorials that go into detail ("put a bp here... put a bp there") but none of them explains the theory of the two processes, debugging, etc.
I would like to read some stuff about debugging and how applications do that, in order to understand this better. Can anyone provide me with some good (but not too hard) reading material (links)? Or give me a short description of the Debug Blocker feature here?
Regards.
TresPasser
September 28th, 2005, 01:10
Hi, mr haggar
From my experience with dillo, I found that the Debug Blocker feature works in the following manner:
1. First the father (first process) calls CreateProcess on the same file to start the son process.
2. It then writes an infinite loop at the child's entry point (for now this is the same as the father's, of course), initializes some things (I haven't studied what it does in this part), and restores the original bytes of the son process.
3. At some point (probably during the last step) the father calls the DebugActiveProcess API on the son process and lets the son run.
4. Then the father starts a loop of calling WaitForDebugEvent, handling the events received from the son, and calling ContinueDebugEvent.
5. The son process works autonomously until an exception occurs, and then the process is paused and control is passed to the father.
The father gets a DebugEvent record, checks to see if the event that occurred (mostly exceptions) is expected, and usually just lets the son continue running.
In order to detach the father from the son, we use the DebugActiveProcessStop API in order to be able to debug the son (only one debugger at a time can debug a process).
Now, mostly you can just detach the father from the son, and the son process will continue to run without the father. However, sometimes the code in the son process is encrypted in blocks of 1000h bytes and the memory containing this page is marked as a guard page (using VirtualProtect). Then, when the son tries to execute any code from these 1000h bytes, an exception occurs and the father decrypts the code for this memory page (1000h bytes). This technique is very similar to that of the operating system, which marks memory pages as protected, and when the CPU tries to access such a page, an exception occurs, the OS loads the correct page into memory and execution continues.
Hope this answers your question.
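The guard-page mechanism in the post above, modelled as an added example (this is not code from the thread and not Armadillo's own scheme). It assumes a POSIX system and plays the father's role (catch the fault, decrypt exactly one page, resume) with an in-process SIGSEGV handler instead of a second process running a WaitForDebugEvent/ContinueDebugEvent loop; PROT_NONE stands in for the Win32 PAGE_GUARD flag, the XOR key is a constructed toy, and the page size comes from the system (0x1000 on x86, matching the 1000h blocks described). The function names setup_region, read_byte and pages_decrypted are the example's own.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed model of per-page decrypt-on-fault: the "son" just reads
 * memory; the "father" (here a signal handler) services the first touch
 * of each page by decrypting it and making it readable. */

#define NUM_PAGES 4
static const uint8_t XOR_KEY = 0x5A;   /* constructed toy key, not Armadillo's */

static uint8_t *g_region;              /* start of the protected mapping */
static size_t   g_page;                /* hardware page size (0x1000 on x86) */
static int      g_pages_decrypted;     /* faults serviced so far */

static int in_region(const void *addr) {
    const uint8_t *a = addr;
    return g_region && a >= g_region && a < g_region + NUM_PAGES * g_page;
}

/* "Father" side: runs once per first access of a guarded page. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    (void)ctx;
    if (!in_region(si->si_addr)) {
        signal(sig, SIG_DFL);           /* not our page: let it crash normally */
        return;
    }
    uint8_t *page = (uint8_t *)((uintptr_t)si->si_addr & ~(uintptr_t)(g_page - 1));
    mprotect(page, g_page, PROT_READ | PROT_WRITE);
    for (size_t i = 0; i < g_page; i++)
        page[i] ^= XOR_KEY;             /* decrypt exactly this one page */
    mprotect(page, g_page, PROT_READ);  /* readable from now on, no longer guarded */
    g_pages_decrypted++;
    /* Returning re-executes the faulting instruction against plaintext. */
}

/* Build the region: page k holds bytes of value k+1, XOR-"encrypted", then
 * every page is made inaccessible so its first access faults. */
uint8_t *setup_region(void) {
    g_page = (size_t)sysconf(_SC_PAGESIZE);
    size_t total = NUM_PAGES * g_page;
    g_region = mmap(NULL, total, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_region == MAP_FAILED) { g_region = NULL; return NULL; }
    for (size_t p = 0; p < NUM_PAGES; p++)
        memset(g_region + p * g_page, (int)(p + 1), g_page);
    for (size_t i = 0; i < total; i++)
        g_region[i] ^= XOR_KEY;
    if (mprotect(g_region, total, PROT_NONE) != 0) return NULL;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return NULL;
    sigaction(SIGBUS, &sa, NULL);       /* some BSD-derived systems raise SIGBUS instead */
    g_pages_decrypted = 0;
    return g_region;
}

/* "Son" side: an ordinary read; the fault and the decryption are invisible to it. */
int read_byte(size_t page_index) {
    volatile uint8_t *p = g_region + page_index * g_page;
    return *p;
}

int pages_decrypted(void) { return g_pages_decrypted; }

int main(void) {
    if (!setup_region()) { perror("setup_region"); return 1; }
    int b = read_byte(2); int n = pages_decrypted();
    printf("page 2 first byte = %d (faults serviced: %d)\n", b, n);
    b = read_byte(2); n = pages_decrypted();
    printf("page 2 again      = %d (faults serviced: %d)\n", b, n);
    b = read_byte(0); n = pages_decrypted();
    printf("page 0 first byte = %d (faults serviced: %d)\n", b, n);
    return 0;
}
```

The second read of page 2 services no fault, which is the point of the scheme: once a page has been decrypted it stays plaintext in memory, so dumping the son process only yields the pages it has already touched, while a father-driven detach leaves the untouched pages unreadable.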
Ricardo Narvaja
September 28th, 2005, 05:37
Read my tutorials on how to create a loader debugger. This loader debugs the victim, and you put BPs, BPMs and hardware BPXs, catch them with the loader and modify the victim in the same way the Armadillo father works.
Ricardo Narvaja
mr haggar
September 29th, 2005, 13:54
TresPasser, thanks a lot, that clears some things up and I'm going to read some papers in the future. This is very interesting but it requires some knowledge about debugging which I don't have.
Going to check your tutorials Ricardo, but what the hell is with your site? It says that the site was removed for breaking some rules. It seems that you have a lot of problems with hosting your material.
Ricardo Narvaja
September 29th, 2005, 14:39
Yes, there are always problems. Write to me and I can tell you the FTP or HTTP server of my machine to look at the tutorials.
Ricardo
mr haggar
September 29th, 2005, 15:13
I will put this aside for now, I don't have much time for this now. Anyway, I found some Spanish site where there are a lot of your tutorials along with a couple more guys'.
Regards.