Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Pass Debugger Check in VMprotect 2.x

mojtaba
mojtaba
in Malware Reverse Engineering

Featured Replies

On 3/19/2024 at 2:41 PM, windowbase said:

Doesn't work...

It may be convenient to debug VMP after loading the driver. However, the shortcomings are that signature verification and patch guard issues need to be solved.

Spoiler

For signature verification, if it is a Win7 x64 system, you can write tricks in the driver source code to bypass it: it can be loaded directly without enabling testing mode and without adding any signatures to the driver. Patch Guard is quite troublesome, so you can consider Etw Hook. I'm not sure if the latest version of Win11 is applicable, as Microsoft plans to fix it.

 

    • Confused 1
    • Replies 86
    • Views 19.4k
    • Created
    • Last Reply

    Top Posters In This Topic

    Popular Days

    Most Popular Posts

    • jackyjask
      jackyjask

      Just old good professional grade Ollydbg v2  + ScyllaHide, no any dangerous driver based titan hiders Before Be   After   Scylla Hide plugin:

    • X0rby
      X0rby

      @windowbasedon't use titanhide on your main system.

    • X0rby
      X0rby

      Even if you do everything correctly it can crush your system and give you a blue screen, not that only but as I already told you in the past you MUST create a VM dedicated only to RCE, not your main e

    Posted Images

    6 hours ago, windowbase said:

    @azufo Can you show me screenshot of scyllahide checked options.

    Regards.

    sean.

    Read here...

    https://github.com/x64dbg/ScyllaHide/issues/83

    here's an easy way to bypass vmp from me. Open your target whit x64dbg, remove standart one time breaking point and boom now is not detected. :D + rename  dbg 

    Edited by azufo

    1 hour ago, azufo said:

    Read here...

    https://github.com/x64dbg/ScyllaHide/issues/83

    here's an easy way to bypass vmp from me. Open your target whit x64dbg, remove standart one time breaking point and boom now is not detected. :D + rename  dbg 

    @azufo I am using windows 11.

    https://github.com/x64dbg/ScyllaHide/issues/83#issuecomment-527385743

    Regards.

    sean.

    Edited by windowbase
    editing some words.

    • Like 1
    • Haha 1
    4 hours ago, boot said:

    It may be convenient to debug VMP after loading the driver. However, the shortcomings are that signature verification and patch guard issues need to be solved.

      Reveal hidden contents

    For signature verification, if it is a Win7 x64 system, you can write tricks in the driver source code to bypass it: it can be loaded directly without enabling testing mode and without adding any signatures to the driver. Patch Guard is quite troublesome, so you can consider Etw Hook. I'm not sure if the latest version of Win11 is applicable, as Microsoft plans to fix it.

     

    @boot

    How to solve this issue?

    screenshot_41.png.275f59388377a7db3476d76318491512.png

    Regards.

    sean.

    • Like 1
    11 minutes ago, windowbase said:

    @boot

    How to solve this issue?

    screenshot_41.png.275f59388377a7db3476d76318491512.png

    Regards.

    sean.

    If you use TitanHide turn off kernel mode on windows debugging or you will get the screen of death. 

    • Thanks 1
    1 minute ago, azufo said:

    If you use TitanHide turn off kernel mode on windows debugging or you will get the screen of death. 

    @azufo How to turn off it?

    Regards.

    sean.

    • Like 1

    google it

    • Like 2
    2 hours ago, windowbase said:

    @boot

    How to solve this issue?

    screenshot_41.png.275f59388377a7db3476d76318491512.png

    Regards.

    sean.

    Due to using a leaked signature, it prompted that the certificate has been revoked and the driver cannot be loaded successfully. You can recompile the driver, and the compiler will add the default test signature; Alternatively, you can add a new test signature to the driver and enable testing mode to load it.

    4 hours ago, windowbase said:

    @azufo How to turn off it?

    Regards.

    sean.

    1. bcdedit /debug off

    2. Restart.

    Regards.

    sean.

    • Like 1

     

    What is wrong with this?

    Regards.

    sean.

    • Like 2
    1 hour ago, windowbase said:

    How should I do to bypass it?

    I have recompiled and published the attachment. Please enable testing mode and follow my video. :)

    MyDrv_Plugin_x64_v_0.001.zip

     

     

    • Thanks 1
    3 minutes ago, windowbase said:

    what is this application? where can I download it?

    Google Search DriverMonitor and download it.

    • Thanks 1
    38 minutes ago, boot said:

    Google Search DriverMonitor and download it.

    @boot No way to download it.

    Can you upload your files?

    Regards.

    sean.

    • Like 1

    @windowbase I've found a VMP 2.x target for you to play:

    image.png.90448d17313ca601ef7871738e0b5003.png

     

    VmDetect.vmp2138.zip

    • Like 2
    16 minutes ago, windowbase said:

    @boot No way to download it.

    Can you upload your files?

    Regards.

    sean.

    Monitor.zip

    • Thanks 1
    25 minutes ago, windowbase said:

    https://youtu.be/v9Vf9AFBjoM

    Regards.

    sean.

    Strange issue, perhaps related to system version - not compatible with the latest version of Win11 x64. I also tested my driver and plugin on Win7 x64 without any issues. I remember you installed the Win7 virtual machine environment, you can try it inside.

    e.g.

    Spoiler

     

    • Thanks 1
    10 minutes ago, boot said:

    Strange issue, perhaps related to system version - not compatible with the latest version of Win11 x64. I also tested my driver and plugin on Win7 x64 without any issues. I remember you installed the Win7 virtual machine environment, you can try it inside.

    e.g.

      Hide contents

     

     

    @boot I installed windows 7 x32 in the virtual machine. Okay I will install x64 windows 7 in the virtual machine and test it, reply.

    Regards.

    sean.

    Edited by windowbase
    editing some words.

    • Like 1

    I can debug it without any issues in windows 7 x64 virtual machine.

    https://youtu.be/K_NYon5eqec

    Regards.

    sean.

    • Like 2
    11 minutes ago, windowbase said:

    @boot Can you upload x32 bit version of TitanHide driver?

    Regards.

    sean.

    Done! Added 32-bit driver and x32Dbg plugin.

    Note: Most of 32-bit (Win32/x86) drivers are not allowed to be loaded on the 64-bit (x64) system. If you want to use this 32-bit driver, please try it on a 32-bit (x86) system.

    MyDrv_Plugin_v0.002.zip

    • Like 1
    17 minutes ago, boot said:

    Done! Added 32-bit driver and x32Dbg plugin.

    Note: Most of 32-bit (Win32/x86) drivers are not allowed to be loaded on the 64-bit (x64) system. If you want to use this 32-bit driver, please try it on a 32-bit (x86) system.

    MyDrv_Plugin_v0.002.zip 109.19 kB · 0 downloads

    @boot This driver has been blocked from loading.

    what's wrong?

    Regards.

    sean.

    • Like 1

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.