To make sure if the app acts like a debugger of itself set a bpx on DebugActiveProcess and see if it breaks.But i think your assumption is very probable because newer versions of safedisc do this.
Quote:
|
Originally Posted by SystemeD
2 - If I try to inline patch it, I have no rights to write on the loaded dll space and moreover I don't know where the dll will be loaded so I don't have the right address to patch. I must use VirtualProtect?
|
If you debug the app you'll get LOAD_DLL_DEBUG_INFO if a dll is loaded or you can use the ToolHelp api to check if the dll is loaded -> you have the ImageBase -> you can patch (if the memory is protected use VirtualProtectEx to make it writeable).After you patched the dll call DebugActiveProcessStop so that safedisc can start to debug the app.But all this only works if the dll is loaded before safedisc starts to debug the app!If the dll is loaded after the call to DebugActiveProcess you have to look for another solution.
Quote:
|
Originally Posted by SystemeD
3 - Does other packers work this same way?
|
armadillo with debugblocker for example