De-division of standard Armadillo shells in two processes

Yesterday I saw the dual-process standard shell NOTEPAD of csjwoman. EXE, I really don't know how to do it at the beginning, neither can I use the COPYMEMII (it didn't use the memory to write the function) method, you cannot simply use the method that removes the standard shell (because it still has sub-processes ), later, I carefully referred to mysqladm's article "Try armadillo3.50a some experiences" with some inspiration (I recently learned a lot from this article ). Let's talk about how to remove the standard shell of this dual process.
Recently, I am very lazy and don't want to write anything, so I will not talk about any principle. (For details, refer to mysqladm's detachment.) Here I will briefly describe the method. In fact, it is very easy to avoid the parent process to generate child processes. So we can do this.
Hide OD after loading, ignore all exceptions, and then run BP OpenMutexA and F9. After disconnection, enter the following code in a blank space. Enter the code in section 401000 as follows (copied)
00401000 60 PUSHAD
00401001 9C PUSHFD
00401002 68 B4FB1200 PUSH 12FBB4 (here 12fbb4 is MutexName, which can be seen through the stack or in a register. I thought it was always in EDX, later we found that the value in section 2000 is in ECX. Correct the value .)
00401007 33C0 xor eax, EAX
00401009 50 PUSH EAX
0040100A 50 PUSH EAX
0040100B E8 E694A677 CALL KERNEL32.CreateMutexA
00401010 9D POPFD
00401011 61 POPAD
00401012-E9 8F9FA777 JMP KERNEL32.OpenMutexA
Create a new origin in section 401000. F9, the program broke back to OpenMutexA and cleared the breakpoint and the work code. In this case, we can debug it like debugging a standard shell, because it does not generate a sub-process but runs itself as a sub-process.
In this case, we disconnected bp VirtualProtect, F9, and then cleared the breakpoint 9-10 times after the interruption, and then bp GetCurrentThreadId. After the disconnection, ALT + F9 is returned, call edi after a few f8.
00DB455C C705 DCDBDB00 E> mov dword ptr [DBDBDC], 0DBE6EC; ASCII "RB"
00DB4566 FF15 1481DB00 CALL [DB8114]; kernel32.GetCurrentThreadId
00DB456C A3 AC56DC00 MOV [DC56AC], EAX returns here,
00DB4571 E8 1537 feff call 00D97C8B
00DB4576 6A 00 PUSH 0
00DB4578 e8648 ffeff call 00D9D4E1
00DB457D 6A 00 PUSH 0
00DB457F C705 DCDBDB00 E> mov dword ptr [DBDBDC], 0DBE6E8; ASCII "RC"
00DB4589 E8 7231 feff call 00D97700
00DB458E 59 pop ecx; 0012FF2C
00DB458F 59 pop ecx; 0012FF2C
00DB4590 E8 4A11FFFF CALL 00DA56DF
00DB4595 8BF8 mov edi, EAX
00DB4597 A1 9455DC00 mov eax, [DC5594]
00DB459C 8B48 70 mov ecx, [EAX + 70]
00DB459F 3348 40 xor ecx, [EAX + 40]
00DB45A2 3348 08 xor ecx, [EAX + 8]
00DB45A5 03F9 add edi, ECX
00DB45A7 8B0E mov ecx, [ESI]
00DB45A9 85C9 test ecx, ECX
00DB45AB 75 2F jnz short 00DB45DC
00DB45AD 8B78 70 mov edi, [EAX + 70]
00DB45B0 E8 2A11FFFF CALL 00DA56DF
00DB45B5 8B0D 9455DC00 mov ecx, [DC5594]; NOTEPAD.0044D260
00DB45BB FF76 14 push dword ptr [ESI + 14]
00DB45BE 8B51 40 mov edx, [ECX + 40]
00DB45C1 FF76 10 push dword ptr [ESI + 10]
00DB45C4 3351 08 xor edx, [ECX + 8]
00DB45C7 FF76 0C push dword ptr [ESI + C]
00DB45CA 33D7 xor edx, EDI
00DB45CC 03C2 add eax, EDX
00DB45CE 8B51 68 mov edx, [ECX + 68]
00DB45D1 3351 04 xor edx, [ECX + 4]
00DB45D4 33D7 xor edx, EDI
00DB45D6 2BC2 sub eax, EDX
00DB45D8 FFD0 CALL EAX
00DB45DA EB 25 jmp short 00DB4601
00DB45DC 83F9 01 cmp ecx, 1
00DB45DF 75 22 jnz short 00DB4603
00DB45E1 FF76 04 push dword ptr [ESI + 4]
00DB45E4