
Thread: arma's processes

  1. #1

    arma's processes

    A few days back, I decided to move on to Armadillo.
    I found some good tuts on Armadillo from ARTeam.

    But I am not able to understand what Arma is trying to do.
    I guess process- and thread-related APIs get important in the case of Arma.
    Why do we place a breakpoint on GetModuleHandle for finding the magic jump?
    Why do we place a breakpoint on CreateThread for finding the OEP?

    I have read in a number of posts that Arma creates a number of processes. How do we find when a process is created, and why?

    Who is the "father", "son" or the "grandfather"? (Naides was referring to such stuff in one of his posts under "Arma is breeding like a rabbit".)

    Arma raises questions and questions. I definitely need some help.

  2. #2
    You place a bp on CreateThread because Arma is using CreateThread just a few instructions before the call to the OEP. There are other ways to find the OEP by analyzing the virtual DLL executed by Arma, but with CreateThread it is the easiest and fastest.

    What is Arma trying to do -> depending on options:
    Debug Blocker:
    - spawns yet another process which is debugged; here there is only a loop that passes exceptions to the child process
    - most people talk about Debug Blocker and CopyMem II as separate options when those are present. This is wrong: to be able to use CopyMem II, Arma has to debug the child process, and the whole concept is that on the code section the father sets PAGE_GUARD and decrypts parts of the code when those are needed by the target
    - stolen jccs from the original code are replaced by int3h and emulated by the father. The father acts like a debugger.
    Import Elimination:
    - the original IAT is rebased to a different memory location, so if you don't fix it you can't fix the IAT properly. As I remember it shuffles the IAT as well so ImpREC can't be used; that's why I wrote this small import reconstructing code :
    Code Splices:
    - some parts of the code are stolen and executed in a separate buffer, easy to fix.

    Those are all the protections present in Arma, and that's what Arma is trying to do.
    Last edited by deroko; March 28th, 2007 at 07:20.

  3. #3
    Err, I still don't understand one thing - who is the father and the child?

    Is Arma creating more than one process to make reversing difficult, or does the executable just need more than 1 process to function?

  4. #4
    father - process which creates another process
    child - process created from the 1st process

    Arma creates a 2nd process because it is required by some protection options - CopyMem II, nanomites or Debug Blocker.

  5. #5
    deroko knows his stuff... good and clear answers. Arma is a pita.
    I'm new here for now, but I've been around for a while. Thanks for looking, and I hope to return as much as I receive.
