(Info Request) - VMProtect VM Detection

[madskillz]

Hi

Does anyone know how to bypass the VM detection on vmprotect binaries?

"Sorry, this application can not run under a Virtual Machine "

@White Are you the same author of this post?

https://www.52pojie.cn/thread-623603-1-1.html

If not can someone share that file or explain on how to do it.

Regards

 

[Mahmoudnia]

@madskillz
Try VBoxHardenedLoader

https://github.com/hfiref0x/VBoxHardenedLoader

 

[madskillz]

I have already, vmprotect uses some other trick.

[zixkhalid]

i have the same problem with vmprotect +1

[JohnWho]

VM vendor strings like "VMware" or "VBox" has been appended to tons of hardware related registry entries, try look there.

[atom0s]

A very common method of detecting VMWare,  based on what JohnWho said above, is the video card information/driver information for the video card in the registry. It is generally labeled with VMWare in the name and a lot of VM detections look for it.

[zixkhalid]

any good links talk about how to bypass this stuff in details ?

[binariman]

you can make this for work exe  in vm 

 

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Class/{4D36E968-E325-11CE-08002BE10318}/0000

DriverDesk VMware SVGA 3D -->> ATI/NVIDIA SVGA II

isolation.tools.getPtrLocation.disable = "TRUE"

isolation.tools.setPtrLocation.disable = "TRUE"

isolation.tools.setVersion.disable = "TRUE"

isolation.tools.getVersion.disable = "TRUE"

monitor_control.disable_directexec = "TRUE"

monitor_control.disable_chksimd = "TRUE"

monitor_control.disable_ntreloc = "TRUE"

monitor_control.disable_selfmod = "TRUE"

monitor_control.disable_reloc = "TRUE"

monitor_control.disable_btinout = "TRUE"

monitor_control.disable_btmemspace = "TRUE"

monitor_control.disable_btpriv = "TRUE"

monitor_control.disable_btseg = "TRUE"

monitor_control.restrict_backdoor = "true"