boot Posted March 20 Posted March 20 On 3/19/2024 at 2:41 PM, windowbase said: Doesn't work... It may be convenient to debug VMP after loading the driver. However, the shortcomings are that signature verification and patch guard issues need to be solved. Spoiler For signature verification, if it is a Win7 x64 system, you can write tricks in the driver source code to bypass it: it can be loaded directly without enabling testing mode and without adding any signatures to the driver. Patch Guard is quite troublesome, so you can consider Etw Hook. I'm not sure if the latest version of Win11 is applicable, as Microsoft plans to fix it. 1
azufo Posted March 20 Posted March 20 (edited) 6 hours ago, windowbase said: @azufo Can you show me screenshot of scyllahide checked options. Regards. sean. Read here... https://github.com/x64dbg/ScyllaHide/issues/83 here's an easy way to bypass vmp from me. Open your target whit x64dbg, remove standart one time breaking point and boom now is not detected. + rename dbg Edited March 20 by azufo
Sean the hard worker Posted March 20 Posted March 20 (edited) 1 hour ago, azufo said: Read here... https://github.com/x64dbg/ScyllaHide/issues/83 here's an easy way to bypass vmp from me. Open your target whit x64dbg, remove standart one time breaking point and boom now is not detected. + rename dbg @azufo I am using windows 11. https://github.com/x64dbg/ScyllaHide/issues/83#issuecomment-527385743 Regards. sean. Edited March 20 by windowbase editing some words. 1 1
Sean the hard worker Posted March 20 Posted March 20 4 hours ago, boot said: It may be convenient to debug VMP after loading the driver. However, the shortcomings are that signature verification and patch guard issues need to be solved. Reveal hidden contents For signature verification, if it is a Win7 x64 system, you can write tricks in the driver source code to bypass it: it can be loaded directly without enabling testing mode and without adding any signatures to the driver. Patch Guard is quite troublesome, so you can consider Etw Hook. I'm not sure if the latest version of Win11 is applicable, as Microsoft plans to fix it. @boot How to solve this issue? Regards. sean. 1
azufo Posted March 20 Posted March 20 11 minutes ago, windowbase said: @boot How to solve this issue? Regards. sean. If you use TitanHide turn off kernel mode on windows debugging or you will get the screen of death. 1
Sean the hard worker Posted March 20 Posted March 20 1 minute ago, azufo said: If you use TitanHide turn off kernel mode on windows debugging or you will get the screen of death. @azufo How to turn off it? Regards. sean. 1
boot Posted March 20 Posted March 20 2 hours ago, windowbase said: @boot How to solve this issue? Regards. sean. Due to using a leaked signature, it prompted that the certificate has been revoked and the driver cannot be loaded successfully. You can recompile the driver, and the compiler will add the default test signature; Alternatively, you can add a new test signature to the driver and enable testing mode to load it.
Sean the hard worker Posted March 21 Posted March 21 4 hours ago, windowbase said: @azufo How to turn off it? Regards. sean. 1. bcdedit /debug off 2. Restart. Regards. sean. 1
Sean the hard worker Posted March 21 Posted March 21 Video_2024-03-21_120223.mp4 What is wrong with this? Regards. sean. 2
Sean the hard worker Posted March 21 Posted March 21 31 minutes ago, windowbase said: Video_2024-03-21_120223.mp4 3.63 MB · 0 downloads What is wrong with this? Regards. sean. @boot How should I do to bypass it? Regards. sean. 1
boot Posted March 21 Posted March 21 1 hour ago, windowbase said: How should I do to bypass it? I have recompiled and published the attachment. Please enable testing mode and follow my video. MyDrv_Plugin_x64_v_0.001.zip Video_2024-03-21_133313.mp4 1
Sean the hard worker Posted March 21 Posted March 21 31 minutes ago, boot said: I have recompiled and published the attachment. Please enable testing mode and follow my video. MyDrv_Plugin_x64_v_0.001.zip 57.84 kB · 2 downloads Video_2024-03-21_133313.mp4 5.52 MB · 0 downloads @boot what is this application? where can I download it? Regards. sean. 1
boot Posted March 21 Posted March 21 3 minutes ago, windowbase said: what is this application? where can I download it? Google Search DriverMonitor and download it. 1
Sean the hard worker Posted March 21 Posted March 21 38 minutes ago, boot said: Google Search DriverMonitor and download it. @boot No way to download it. Can you upload your files? Regards. sean. 1
jackyjask Posted March 21 Posted March 21 @windowbase I've found a VMP 2.x target for you to play: VmDetect.vmp2138.zip 1
boot Posted March 21 Posted March 21 16 minutes ago, windowbase said: @boot No way to download it. Can you upload your files? Regards. sean. Monitor.zip 1
Sean the hard worker Posted March 21 Posted March 21 1 hour ago, boot said: I have recompiled and published the attachment. Please enable testing mode and follow my video. MyDrv_Plugin_x64_v_0.001.zip 57.84 kB · 2 downloads Video_2024-03-21_133313.mp4 5.52 MB · 0 downloads https://youtu.be/v9Vf9AFBjoM Regards. sean. 1
boot Posted March 21 Posted March 21 25 minutes ago, windowbase said: https://youtu.be/v9Vf9AFBjoM Regards. sean. Strange issue, perhaps related to system version - not compatible with the latest version of Win11 x64. I also tested my driver and plugin on Win7 x64 without any issues. I remember you installed the Win7 virtual machine environment, you can try it inside. e.g. Spoiler Video_2024-03-21_155113.mp4 1
Sean the hard worker Posted March 21 Posted March 21 (edited) 10 minutes ago, boot said: Strange issue, perhaps related to system version - not compatible with the latest version of Win11 x64. I also tested my driver and plugin on Win7 x64 without any issues. I remember you installed the Win7 virtual machine environment, you can try it inside. e.g. Hide contents Video_2024-03-21_155113.mp4 2.61 MB · 0 downloads @boot I installed windows 7 x32 in the virtual machine. Okay I will install x64 windows 7 in the virtual machine and test it, reply. Regards. sean. Edited March 21 by windowbase editing some words. 1
Sean the hard worker Posted March 21 Posted March 21 I can debug it without any issues in windows 7 x64 virtual machine. https://youtu.be/K_NYon5eqec Regards. sean. 2
boot Posted March 21 Posted March 21 19 minutes ago, windowbase said: I can debug it without any issues in windows 7 x64 virtual machine. https://youtu.be/K_NYon5eqec Regards. sean. Yes. This driver & plugin can also bypass two samples here. https://forum.tuts4you.com/topic/44425-vmprotect-heavens-gate-anti-debug-bypass-to-vectorhandler/?do=findComment&comment=216918
Sean the hard worker Posted March 21 Posted March 21 5 minutes ago, boot said: Yes. This driver & plugin can also bypass two samples here. https://forum.tuts4you.com/topic/44425-vmprotect-heavens-gate-anti-debug-bypass-to-vectorhandler/?do=findComment&comment=216918 @boot Can you upload x32 bit version of TitanHide driver? Regards. sean. 1
boot Posted March 21 Posted March 21 11 minutes ago, windowbase said: @boot Can you upload x32 bit version of TitanHide driver? Regards. sean. Done! Added 32-bit driver and x32Dbg plugin. Note: Most of 32-bit (Win32/x86) drivers are not allowed to be loaded on the 64-bit (x64) system. If you want to use this 32-bit driver, please try it on a 32-bit (x86) system. MyDrv_Plugin_v0.002.zip 1
Sean the hard worker Posted March 21 Posted March 21 17 minutes ago, boot said: Done! Added 32-bit driver and x32Dbg plugin. Note: Most of 32-bit (Win32/x86) drivers are not allowed to be loaded on the 64-bit (x64) system. If you want to use this 32-bit driver, please try it on a 32-bit (x86) system. MyDrv_Plugin_v0.002.zip 109.19 kB · 0 downloads @boot This driver has been blocked from loading. what's wrong? Regards. sean. 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now