dillodie: removing armadillo tamper-protection

Posted on 06-Jan-2016


DESCRIPTION

DilloDie: Removing Armadillo Tamper-Protection. Matt Renzelmann, Kevin Roundy. PowerPoint PPT Presentation.

TRANSCRIPT

DilloDie: Removing Armadillo Tamper-Protection

Matt Renzelmann, Kevin Roundy

Why tamper protection?

A Solution?

?

What does it do?

Obscures “Original Entry Point”

What does it do?

Corrupts “Import Address Table”

0x40101A   JMP DWORD PTR DS:[402008]

IAT

Address    Data
0x402000   0x7F76AEF0
0x402004   0x7F76DE64
0x402008   0x77D804EA   (Windows API)
0x40200C   0x3234AF38

0x35FE4888
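The thunk-to-IAT relationship on this slide, as an added example that is not from the deck or the authors' tools: it finds the FF 25 import thunks in a dumped code section, follows each to its IAT slot and checks whether the stored pointer still lies inside a loaded system DLL, which is the check an IAT-rebuilding tool such as ImpRec performs before a dump is usable. The bytes, the module ranges and the use of the slide's unlabelled 0x35FE4888 as the redirected value are all assumptions made for the example.

```python
import struct

# Constructed sample mirroring the slide: a code section at 0x401000 with one
# import thunk at 0x40101A (FF 25 imm32 = JMP DWORD PTR DS:[imm32]) and a
# four-entry IAT at 0x402000. All bytes and module ranges here are constructed.
CODE_BASE, IAT_BASE = 0x401000, 0x402000
CODE = b"\x90" * 0x1A + b"\xFF\x25" + struct.pack("<I", 0x402008) + b"\xC3"
# IAT as dumped while the program runs (slide values), and the same IAT after
# the protector has (assumed here) redirected the 0x402008 slot to its own stub.
IAT_CLEAN = struct.pack("<4I", 0x7F76AEF0, 0x7F76DE64, 0x77D804EA, 0x3234AF38)
IAT_CORRUPT = struct.pack("<4I", 0x7F76AEF0, 0x7F76DE64, 0x35FE4888, 0x3234AF38)
# Loaded-module ranges (constructed; a real tool reads the debugger's module list).
MODULES = {"user32.dll": (0x7F760000, 0x7F780000),
           "kernel32.dll": (0x77D80000, 0x77E00000),
           "advapi32.dll": (0x32340000, 0x32360000)}


def find_import_thunks(code, code_base):
    """Return (call_site, iat_slot) for every FF 25 imm32 jump in the code."""
    thunks, pos = [], code.find(b"\xFF\x25")
    while pos != -1 and pos + 6 <= len(code):
        thunks.append((code_base + pos, struct.unpack_from("<I", code, pos + 2)[0]))
        pos = code.find(b"\xFF\x25", pos + 6)
    return thunks


def read_iat(iat_bytes, iat_base):
    """Map each 4-byte IAT slot address to the pointer stored in it."""
    values = struct.unpack("<%dI" % (len(iat_bytes) // 4), iat_bytes)
    return {iat_base + 4 * i: v for i, v in enumerate(values)}


def owning_module(address, modules):
    """Name of the module whose address range contains address, else None."""
    for name, (lo, hi) in modules.items():
        if lo <= address < hi:
            return name
    return None


def audit_imports(code, code_base, iat_bytes, iat_base, modules):
    """For each thunk: (site, slot, pointer, module). A module of None means the
    slot no longer points into a loaded DLL and must be rebuilt before dumping."""
    iat = read_iat(iat_bytes, iat_base)
    report = []
    for site, slot in find_import_thunks(code, code_base):
        target = iat.get(slot)
        module = owning_module(target, modules) if target is not None else None
        report.append((site, slot, target, module))
    return report
```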

// BUGS! A deliberate NULL dereference: the access violation it raises is
// meant to be handled by the protector, not by an attached debugger.
int *p = NULL;
*p = 5;

Prevents debugging
– IsDebuggerPresent();
– Exploit bugs

What does it do?

?

Our Tools

OllyDbg v1.10
– Binary debugger
– Pass exceptions to program
– Hijack API calls made by program

LordPE
– Dump address space of executing process
– Fix executable header, wipe sections

ImpRec (Trojan horse?)
– Import Address Table Manipulation

Honing the Blade

– Tutorials for older Armadillo versions

– Crackmes

– Breaking the latest version – Armadillo 4.66
– Broke message box, console applications

Armadillo Standard Protection

Standard + Debug Blocker

Standard + Debug Blocker + Copymem

Packaged Malware

Why automate Armadillo removal?
– Suppose a virus is Armadillo protected
– Want to strip Armadillo, check with anti-virus

What is left to do?

Write OEP finder
– For Armadillo’s standard protection

Study Armadillo’s advanced features
– Debug Blocker
– Copymem

Win the Turing award
