Exetools  

Old 08-14-2003, 21:32
yaa
 
Posts: n/a
Talking

Hello all,

I was following with interest this thread for I just stumbled on a target that is using Armadillo, probably the latest version .. initially I didn't even notice that the target was packed .. only when I touched a DLL did the message "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." pop up, and searching I came up with a post on the siliconrealms.com site (http://support.siliconrealms.com/index.php?showtopic=1233). Almost all file analyzers don't detect any packing ... only PE-SCAN succeeded in finding Armadillo, but only on a single DLL ... I've used InCtrl5 on the app installation and again on the first run and have seen indeed a lot of keys and values written to the registry:

-------- INSTALLATION --------

HKEY_CURRENT_USER\Software\Microsoft\CEStudio
HKEY_CURRENT_USER\Software\Microsoft\DevStudio
HKEY_CURRENT_USER\Software\Microsoft\Platform Builder
HKEY_CURRENT_USER\Software\Whole Tomato

HKEY_CLASSES_ROOT\CLSID\{62F53314-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\Interface\{62F53315-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\TypeLib\{62F53319-142B-11D1-9291-9DE84EB1A651}

HKEY_CLASSES_ROOT\Visual Assist Developer Studio Add-in
HKEY_CLASSES_ROOT\VisualAssist.DSAddIn.1

HKEY_LOCAL_MACHINE\SOFTWARE\Gentee
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Visual Assist 6.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
HKEY_CLASSES_ROOT\VisualAssist.DSAddIn.1

-------- 1ST USE --------

HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\AddIns\VisualAssist.DSAddin.1\Toolbar
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Keyboard
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Keyboard\Aut

HKEY_CLASSES_ROOT\CLSID\{7C0AFA65-A9E6-7204-E2EE-6A144DF5BF7E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSDEV.exe

HKEY_CLASSES_ROOT\SDISERVR50.SDIEVENT

-------- WRITTEN FILES --------

c:\Program Files\Visual Assist 6.0
c:\Documents and Settings\Administrator\Local Settings\Temp\A2861D1F.TMP


A lot of them I remember in older versions of the application, but a lot are also new ...

Also, no HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks key was written to the registry .... unfortunately just today I installed Armadillo on the same computer and so I DO now have such a key ...

BTW, is there a file analyzer around capable of detecting the latest versions of Armadillo (PEiD 0.8 and PE Tools 1.5 failed)?


Regards,
yaa

Last edited by yaa; 08-14-2003 at 21:40.