View Full Version : arma's processes


cse_india
March 28th, 2007, 06:17
A few days back, I decided to move on to Armadillo.
I found some good tuts on Armadillo from ARTeam,

but I am not able to understand what Arma is trying to do.
I guess process- and thread-related APIs get important in the case of Arma.
Why do we place a breakpoint on GetModuleHandle for finding the magic jump?
Why do we place a breakpoint on CreateThread for finding the OEP?

I have read in a number of posts that Arma creates a number of processes. How do we find when a process is created, and why?

Who is the "father", "son" or "grandfather"? (Naides was referring to such stuff in one of his posts under "Arma is breeding like a rabbit".)

Arma raises questions and questions. I definitely need some help.

deroko
March 28th, 2007, 07:11
You place a bp on CreateThread because Arma is using CreateThread just a few instructions before the call to the OEP. There are other ways to find the OEP by analyzing the virtual DLL executed by Arma, but with CreateThread it is the easiest and fastest.

What is Arma trying to do -> depends on the options:
Debug Blocker:
- spawns yet another process which is debugged; here there is only a loop that passes exceptions to the child process.
CopyMem II:
- most people talk about Debug Blocker and CopyMem II as separate options when both are present. This is wrong: to be able to use CopyMem II, Arma has to debug the child process, and the whole concept is that the father sets PAGE_GUARD on the code section and decrypts parts of the code when those are needed by the target.
Nanomites:
- stolen jccs from the original code are replaced by int3h and emulated by the father. The father acts like a debugger.
Import Elimination:
- the original IAT is rebased to a different memory location, so if you don't fix it you can't fix the IAT properly. As I remember, it shuffles the IAT as well so ImpREC can't be used; that's why I wrote this small import reconstructing code: http://deroko.phearless.org/import.rar
Code Splices:
- some parts of the code are stolen and executed in a separate buffer; easy to fix.

Those are all the protections present in Arma, and that's what Arma is trying to do.
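An added illustration of the nanomite mechanism deroko describes (the father acting as debugger for the child), written for this thread and not taken from Armadillo or from anyone's post here. It models only the decision the father has to make when the child hits an int3 that replaced a stolen jcc: look the address up in a nanomite table, evaluate the original condition against the child's EFLAGS, and pick the new EIP. The table layout, the addresses and the function names are assumptions; in a real father the flags would come from GetThreadContext and the result would be written back with SetThreadContext before ContinueDebugEvent, and an int3 that is not in the table would be passed on to the child with DBG_EXCEPTION_NOT_HANDLED, exactly like the debug blocker loop.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* x86 EFLAGS bits the conditional jumps depend on */
#define FLAG_CF (1u << 0)
#define FLAG_PF (1u << 2)
#define FLAG_ZF (1u << 6)
#define FLAG_SF (1u << 7)
#define FLAG_OF (1u << 11)

/* The sixteen jcc conditions, in opcode order (0x70..0x7F / 0x0F80..0x0F8F). */
typedef enum { JO, JNO, JB, JAE, JE, JNE, JBE, JA,
               JS, JNS, JP, JNP, JL, JGE, JLE, JG } jcc_t;

/* One nanomite record (assumed layout, constructed for this example): where the
 * int3 byte sits in the child, which jcc was stolen, how long the original
 * instruction was, and where it branched to. */
typedef struct {
    uint32_t addr;    /* address of the 0xCC byte in the child */
    jcc_t    cond;    /* condition of the stolen jcc */
    uint32_t len;     /* length of the original jcc: 2 (short) or 6 (near) */
    uint32_t target;  /* branch target of the original jcc */
} nanomite_t;

/* Evaluate a jcc condition against EFLAGS the same way the CPU would. */
int jcc_taken(jcc_t cond, uint32_t eflags)
{
    int cf = !!(eflags & FLAG_CF), pf = !!(eflags & FLAG_PF);
    int zf = !!(eflags & FLAG_ZF), sf = !!(eflags & FLAG_SF);
    int of = !!(eflags & FLAG_OF);
    switch (cond) {
    case JO:  return of;            case JNO: return !of;
    case JB:  return cf;            case JAE: return !cf;
    case JE:  return zf;            case JNE: return !zf;
    case JBE: return cf || zf;      case JA:  return !cf && !zf;
    case JS:  return sf;            case JNS: return !sf;
    case JP:  return pf;            case JNP: return !pf;
    case JL:  return sf != of;      case JGE: return sf == of;
    case JLE: return zf || sf != of; case JG: return !zf && sf == of;
    }
    return 0;
}

/* Find the nanomite at the exception address; NULL means the int3 is not ours. */
const nanomite_t *find_nanomite(const nanomite_t *tbl, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].addr == addr)
            return &tbl[i];
    return NULL;
}

/* What the father does on an EXCEPTION_BREAKPOINT from the child.
 * Returns 1 and writes the child's new EIP if the breakpoint is a nanomite,
 * 0 if it is not (a real father would then pass the exception on). */
int handle_breakpoint(const nanomite_t *tbl, size_t n,
                      uint32_t exc_addr, uint32_t eflags, uint32_t *new_eip)
{
    const nanomite_t *nm = find_nanomite(tbl, n, exc_addr);
    if (!nm)
        return 0;
    /* Taken: resume at the stolen jcc's target. Not taken: skip the bytes the
     * original jcc occupied, so the child continues with the next instruction. */
    *new_eip = jcc_taken(nm->cond, eflags) ? nm->target : nm->addr + nm->len;
    return 1;
}

/* Constructed sample table: two stolen jumps at made-up addresses. */
static const nanomite_t sample_table[] = {
    { 0x401000, JNE, 2, 0x401020 },
    { 0x401010, JLE, 6, 0x4010A0 },
};

int main(void)
{
    uint32_t eip;
    /* Child hit the int3 at 0x401000 with ZF set: JNE is not taken. */
    if (handle_breakpoint(sample_table, 2, 0x401000, FLAG_ZF, &eip))
        printf("0x401000 ZF=1 -> resume child at 0x%X\n", eip);
    /* Same int3 with ZF clear: JNE is taken. */
    if (handle_breakpoint(sample_table, 2, 0x401000, 0, &eip))
        printf("0x401000 ZF=0 -> resume child at 0x%X\n", eip);
    /* An int3 the father does not own: pass it to the child instead. */
    if (!handle_breakpoint(sample_table, 2, 0x401005, 0, &eip))
        printf("0x401005 is not a nanomite, forwarding the exception\n");
    return 0;
}
```

The point of the model is the one deroko makes: the code section of the child never contains the original jcc again, so a dump is useless until every int3 has been matched with its condition and target, which is why nanomite fixing has to observe the father's decisions rather than just rebuild the IAT.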

cse_india
March 28th, 2007, 08:18
Err, I still don't understand one thing: who is the father and who is the child?

Is Arma creating more than one process to make reversing difficult, or does the executable just need more than one process to function?

deroko
March 28th, 2007, 08:31
father - the process which creates another process
child - the process created by the first process

Arma creates the 2nd process because it is required by some protection options: CopyMem II, nanomites or debug blocker.

kittmaster
April 8th, 2007, 22:25
deroko knows his stuff... good and clear answers. Arma is a PITA.