boot, Posted March 20
Quoting windowbase (3/19/2024, 2:41 PM): Doesn't work...
It may be convenient to debug VMP after loading the driver. However, the shortcomings are that signature verification and Patch Guard issues need to be solved.
For signature verification, if it is a Win7 x64 system, you can write tricks in the driver source code to bypass it: it can be loaded directly without enabling testing mode and without adding any signature to the driver. Patch Guard is quite troublesome, so you can consider an ETW hook. I'm not sure whether the latest version of Win11 is applicable, as Microsoft plans to fix it.
azufo, Posted March 20 (edited)
Quoting windowbase (6 hours ago): @azufo Can you show me a screenshot of the ScyllaHide checked options? Regards, sean.
Read here... https://github.com/x64dbg/ScyllaHide/issues/83
Here's an easy way to bypass VMP from me: open your target with x64dbg, remove the standard one-time breakpoint, and boom, now it is not detected. + rename dbg.
Edited March 20 by azufo
Sean Park - Lovejoy, Posted March 20 (edited)
Quoting azufo (1 hour ago): Read here... https://github.com/x64dbg/ScyllaHide/issues/83 Here's an easy way to bypass VMP from me: open your target with x64dbg, remove the standard one-time breakpoint, and boom, now it is not detected. + rename dbg.
@azufo I am using Windows 11. https://github.com/x64dbg/ScyllaHide/issues/83#issuecomment-527385743
Regards, sean.
Edited March 20 by windowbase: editing some words.
Sean Park - Lovejoy, Posted March 20
Quoting boot (4 hours ago): It may be convenient to debug VMP after loading the driver. However, the shortcomings are that signature verification and Patch Guard issues need to be solved. For signature verification, if it is a Win7 x64 system, you can write tricks in the driver source code to bypass it: it can be loaded directly without enabling testing mode and without adding any signature to the driver. Patch Guard is quite troublesome, so you can consider an ETW hook. I'm not sure whether the latest version of Win11 is applicable, as Microsoft plans to fix it.
@boot How do I solve this issue?
Regards, sean.
azufo, Posted March 20
Quoting windowbase (11 minutes ago): @boot How do I solve this issue? Regards, sean.
If you use TitanHide, turn off kernel-mode Windows debugging or you will get the screen of death.
Sean Park - Lovejoy, Posted March 20
Quoting azufo (1 minute ago): If you use TitanHide, turn off kernel-mode Windows debugging or you will get the screen of death.
@azufo How do I turn it off?
Regards, sean.
jackyjask, Posted March 20
Google it.
boot, Posted March 20
Quoting windowbase (2 hours ago): @boot How do I solve this issue? Regards, sean.
Due to using a leaked signature, it prompted that the certificate has been revoked and the driver cannot be loaded successfully. You can recompile the driver, and the compiler will add the default test signature; alternatively, you can add a new test signature to the driver and enable testing mode to load it.
Sean Park - Lovejoy, Posted March 21
Quoting windowbase (4 hours ago): @azufo How do I turn it off? Regards, sean.
1. bcdedit /debug off
2. Restart.
Regards, sean.
Sean Park - Lovejoy, Posted March 21
Attachment: Video_2024-03-21_120223.mp4
What is wrong with this?
Regards, sean.
Sean Park - Lovejoy, Posted March 21
Quoting windowbase (31 minutes ago): Video_2024-03-21_120223.mp4 (3.63 MB) What is wrong with this? Regards, sean.
@boot What should I do to bypass it?
Regards, sean.
boot, Posted March 21
Quoting windowbase (1 hour ago): What should I do to bypass it?
I have recompiled and published the attachment. Please enable testing mode and follow my video.
Attachments: MyDrv_Plugin_x64_v_0.001.zip, Video_2024-03-21_133313.mp4
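The two administrative steps the thread relies on, sean's "bcdedit /debug off" followed by a restart, and boot's request to enable testing mode before loading the recompiled driver, both change flags in the Boot Configuration Data, and a mismatch between them explains most "driver won't load" or "machine crashed" reports. The PowerShell script below is an added example; it is not code from this thread or from the TitanHide project. It is read-only: it parses the current BCD entry for the debug and testsigning flags, queries the Secure Boot state (test-signing cannot be switched on while Secure Boot is enforced), and reports the result. The function names Get-BcdFlag and Get-DebugBootState are my own, and the script assumes it is run from an elevated prompt on an English-language Windows, since bcdedit localizes its "Yes"/"No" values.

```powershell
# Added example (not from the thread): report the boot-configuration flags that the
# posts above depend on. Read-only, so it is safe to run on any host, including
# during an audit of machines where test-signing or kernel debugging should be off.
# Assumptions: elevated prompt, English bcdedit output ("Yes"/"No").

function Get-BcdFlag {
    param(
        [Parameter(Mandatory)][string[]]$BcdLines,   # output of bcdedit /enum
        [Parameter(Mandatory)][string]$Name          # e.g. 'debug' or 'testsigning'
    )
    # bcdedit prints "name<spaces>Yes" when a flag is set and usually omits the
    # line entirely when it is not, so a missing line is treated as "off".
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s+(\S+)\s*$'
    foreach ($line in $BcdLines) {
        if ($line -match $pattern) {
            return ($Matches[1] -eq 'Yes')
        }
    }
    return $false
}

function Get-DebugBootState {
    # Only the entry Windows actually booted from matters here.
    $lines = & bcdedit.exe /enum '{current}'
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed (exit $LASTEXITCODE); run this from an elevated prompt."
    }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; report 'unknown' there.
    $secureBoot = 'unknown'
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    [pscustomobject]@{
        KernelDebug = Get-BcdFlag -BcdLines $lines -Name 'debug'
        TestSigning = Get-BcdFlag -BcdLines $lines -Name 'testsigning'
        SecureBoot  = $secureBoot
    }
}

$state = Get-DebugBootState
$state | Format-List

# Interpret the flags against what the thread reports.
if ($state.KernelDebug) {
    Write-Warning "Kernel debugging is ON. The thread reports a system crash when TitanHide is loaded in this state; 'bcdedit /debug off' and reboot to clear it."
}
if (-not $state.TestSigning) {
    Write-Warning "Test-signing is OFF. A test-signed driver (such as the recompiled one in the thread) will be refused by driver signature enforcement."
}
if ($state.SecureBoot -eq $true -and -not $state.TestSigning) {
    Write-Warning "Secure Boot is enforced, so 'bcdedit /set testsigning on' will be rejected until Secure Boot is disabled in firmware."
}
```

For a defender the interesting output is the inverse: a production host where TestSigning is True or SecureBoot is False has had its driver-signing posture weakened, and a fleet-wide run of this check surfaces those hosts without changing anything on them.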
Sean Park - Lovejoy, Posted March 21
Quoting boot (31 minutes ago): I have recompiled and published the attachment. Please enable testing mode and follow my video. MyDrv_Plugin_x64_v_0.001.zip (57.84 kB), Video_2024-03-21_133313.mp4 (5.52 MB)
@boot What is this application? Where can I download it?
Regards, sean.
boot, Posted March 21
Quoting windowbase (3 minutes ago): What is this application? Where can I download it?
Google "DriverMonitor" and download it.
Sean Park - Lovejoy, Posted March 21
Quoting boot (38 minutes ago): Google "DriverMonitor" and download it.
@boot There is no way to download it. Can you upload your files?
Regards, sean.
jackyjask, Posted March 21
@windowbase I've found a VMP 2.x target for you to play with: VmDetect.vmp2138.zip
boot, Posted March 21
Quoting windowbase (16 minutes ago): @boot There is no way to download it. Can you upload your files? Regards, sean.
Attachment: Monitor.zip
Sean Park - Lovejoy, Posted March 21
Quoting boot (1 hour ago): I have recompiled and published the attachment. Please enable testing mode and follow my video. MyDrv_Plugin_x64_v_0.001.zip (57.84 kB), Video_2024-03-21_133313.mp4 (5.52 MB)
https://youtu.be/v9Vf9AFBjoM
Regards, sean.
boot, Posted March 21
Quoting windowbase (25 minutes ago): https://youtu.be/v9Vf9AFBjoM Regards, sean.
Strange issue, perhaps related to the system version - not compatible with the latest version of Win11 x64. I also tested my driver and plugin on Win7 x64 without any issues. I remember you installed the Win7 virtual machine environment; you can try it inside, e.g.:
Attachment: Video_2024-03-21_155113.mp4
Sean Park - Lovejoy, Posted March 21 (edited)
Quoting boot (10 minutes ago): Strange issue, perhaps related to the system version - not compatible with the latest version of Win11 x64. I also tested my driver and plugin on Win7 x64 without any issues. I remember you installed the Win7 virtual machine environment; you can try it inside, e.g. Video_2024-03-21_155113.mp4 (2.61 MB)
@boot I installed Windows 7 x32 in the virtual machine. Okay, I will install x64 Windows 7 in the virtual machine, test it, and reply.
Regards, sean.
Edited March 21 by windowbase: editing some words.
Sean Park - Lovejoy, Posted March 21
I can debug it without any issues in a Windows 7 x64 virtual machine. https://youtu.be/K_NYon5eqec
Regards, sean.
boot, Posted March 21
Quoting windowbase (19 minutes ago): I can debug it without any issues in a Windows 7 x64 virtual machine. https://youtu.be/K_NYon5eqec Regards, sean.
Yes. This driver & plugin can also bypass the two samples here: https://forum.tuts4you.com/topic/44425-vmprotect-heavens-gate-anti-debug-bypass-to-vectorhandler/?do=findComment&comment=216918
Sean Park - Lovejoy, Posted March 21
Quoting boot (5 minutes ago): Yes. This driver & plugin can also bypass the two samples here: https://forum.tuts4you.com/topic/44425-vmprotect-heavens-gate-anti-debug-bypass-to-vectorhandler/?do=findComment&comment=216918
@boot Can you upload the x32-bit version of the TitanHide driver?
Regards, sean.
boot, Posted March 21
Quoting windowbase (11 minutes ago): @boot Can you upload the x32-bit version of the TitanHide driver? Regards, sean.
Done! Added the 32-bit driver and x32dbg plugin.
Note: most 32-bit (Win32/x86) drivers are not allowed to be loaded on a 64-bit (x64) system. If you want to use this 32-bit driver, please try it on a 32-bit (x86) system.
Attachment: MyDrv_Plugin_v0.002.zip
Sean Park - Lovejoy, Posted March 21
Quoting boot (17 minutes ago): Done! Added the 32-bit driver and x32dbg plugin. Note: most 32-bit (Win32/x86) drivers are not allowed to be loaded on a 64-bit (x64) system. If you want to use this 32-bit driver, please try it on a 32-bit (x86) system. MyDrv_Plugin_v0.002.zip (109.19 kB)
@boot This driver has been blocked from loading. What's wrong?
Regards, sean.