Armadillo Question

Try to follow MEPHiST0's tutorial on Armadillo v3.xx, only to find out that
Windows 2000 has no DebugActiveProcessStop() in its kernel32.dll.
Is there any work-around on this issue? Or there is no way to unpack it
under Win2K and I have to install WinXP/Win2003?

[wassim_]

Search for process memory manipulator, it detaches father from son, there are no documentation available so I really don't know if it works on OS other than XP

[ricnar456]

Only is in WIN XP .

In win2000/98/95 is not possible detach nothing .

Ricardo Narvaja

I have tried with ppm
but it doesn't work....
i have installed the sp4
but it still doesn't work..

I'm sure there must be a method to detach
the son or some workaround...

[ricnar456]

Is not possible detach a process without close the program in win 2000.
PPM use DebugActiveProcessStop and this api was made for XP, don't work in w2000.

Ricardo Narvaja

I had to resort to installing Windows 98 SE on a cracking box since SoftICE doesnt work well for me in XP.

Its a mess to work in the NT based windows.

Quote:

Originally Posted by ricnar456

Is not possible detach a process without close the program in win 2000.
PPM use DebugActiveProcessStop and this api was made for XP, don't work in w2000.

Ricardo Narvaja

Hi Ricardo,
Probably someone has already told it..you are great.
I have a question on arma too: i'm thinking to avoid the problem of detaching
as follows:
using code ignition we could create another process from the parent.
every time we need to copy the 1k bytes on the son we also copy it in our new process. the advantage should be that the new process doesn't need to be detached. What do you think about it? What problems are there i can't see? Am I dreaming?

[ricnar456]

I don't try this idea, but sounds logic, of the most crazy ideas, go the most great solutions, when i try the first copymem2, and i have the two process and I don't know the possibilities of the api for detach, i think innumerables crazy posibilities for defeat this protection.
One posibility is very close to yours.
Injection of the api WriteProcessMemory in memory, for when write to the son a 1k block, write to the same direction of the father this block, the first section of the father was empty and was unused.
maybe with this you can get the dumped in the first section of the father.
I don't try make this is only the crazy ideas with possibilities I analize when i don't sleep with the arma with copymem2 trouble.

Ricardo Narvaja