VMProtect Heaven's Gate Anti-Debug Bypass to VectorHandler

[karan]

VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug.

VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64, and if the value is 0, it runs the sysenter opcode, judging that it is a 32bit operating system.

An exception occurred when the wow64 process ran the "sysenter" opcode, and I installed VectorHandler to handle the exception.

Exception Handler Functions:

1. check that the exception location that occurred is the "sysenter" opcode.

2. Check which Zw** APIs are called (checked in the eax register)

3. load all the arguments recorded in ContextRecord and call the Zw** function as proxy. (API with anti-debug bypass)

4. put the return value of the API into eax and resume the execution flow with the next instruction in the "sysenter" opcode.

Through the above process, I was able to bypass the VMP Anti-Debug!

 

I implemented the function by modifying some of the Scyllahide plugin.

VMProtect has a hardcoded syscall number for each OS version.
i didn't yet implemented the version-specific syscall_number table.

 

If you have a better idea, share please.

 

https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master

 

[Noob boy]

7 hours ago, karan said:

VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug.

VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64, and if the value is 0, it runs the sysenter opcode, judging that it is a 32bit operating system.

An exception occurred when the wow64 process ran the "sysenter" opcode, and I installed VectorHandler to handle the exception.

Exception Handler Functions:

1. check that the exception location that occurred is the "sysenter" opcode.

2. Check which Zw** APIs are called (checked in the eax register)

3. load all the arguments recorded in ContextRecord and call the Zw** function as proxy. (API with anti-debug bypass)

4. put the return value of the API into eax and resume the execution flow with the next instruction in the "sysenter" opcode.

Through the above process, I was able to bypass the VMP Anti-Debug!

 

I implemented the function by modifying some of the Scyllahide plugin.

VMProtect has a hardcoded syscall number for each OS version.
i didn't yet implemented the version-specific syscall_number table.

 

If you have a better idea, share please.

 

https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master

 

Has your modified Scyllahide been compiled?

[karan]

15 minutes ago, Noob boy said:

Has your modified Scyllahide been compiled?

 

What is your os version?
The environment I tested is Windows 10 x64 22H2 19045.3324.
As mentioned earlier, errors can occur because the syscall number may be different.
If you still want to take the test, take the attached file and try it.

plugins.zip

[jackyjask]

Thanks for great work

Is it possible to build plugin for Olly v2  as well?

 

[karan]

1 hour ago, jackyjask said:

Thanks for great work

Is it possible to build plugin for Olly v2  as well?

 

I haven't tested it, so I don't know

Edited September 1, 2023 by karan

[karan]

The x64 version is also working on automation, but it calls syscall directly

Unfortunately, need to have use kernel debugger mode.

 

 

 

 

 

Edited September 2, 2023 by karan

[X0rby]

30 minutes ago, karan said:

The x64 version

Will you share it as well?

[boot]

If x32/x64Dbg/ with the ScyllaHide plugin could run these two samples directly without being detected, that would be even better... 

Samples:
https://workupload.com/archive/vuCqfTLdLw

[jackyjask]

On 9/1/2023 at 10:41 AM, karan said:

VMProtect has a hardcoded syscall number for each OS version.
i didn't yet implemented the version-specific syscall_number table.

I've build the Olly2 plugin and tried it inside Win7 SP1 on 32 bit exe, but it fails....

as far as I understand the reason is as you said - your plugin has hardcoded syscall numbers for specific OS as follows:

will it be enough to update these to another OS then all should be fine? Could you please also hint the source of syscall numbers you did get from

Thanks!

[jackyjask]

@boot  I was able to run your VMP-ed x32 bit binary under Olly v2:

at the same time same approach did not work in IDA77

[boot]

I tried using the ScyllaHide x86/x64 plugin, but it didn't seem to work, so I bypassed Anti-Debug detection in other ways. Perhaps I need some time to study the ScyllaHide plugin...

https://workupload.com/file/Lz2bu2avWsx

[jackyjask]

great!  so you must have used another plugin to hide from VMP beast or... modify source of debugger and thus hide?

I"ve prepared some test binaries that are failed to start in my case (x32) https://www.sendspace.com/file/nuqg2b

let me know how it's going on your magic tool

 

[jackyjask]

hmm it turned out that older vmp (3.6.x ) uses different set of sysenter calls... (comparing to 3.8.1)

eg:

  Message = Debug string: VMPSysenterHandler sysenter 0x30
 

[Oliver]

@jackyjask can you please share the method ,how was you able to run @boot vmp exe into ollyv2?

[jackyjask]

@Oliver  what OS are you interested in?  cause my plugin is for old good Win7 SP1x64 only 

but if you wish to build it yourself there are no any big secrets - all the steps are explaine above, all you need to do is to find your specific win build service table (cause there are dozens of builds and you have to be carefull because x32 table != x64 one!

there lots of tables onlnie, I've used info from this one, but it is not up to date, for example it does not have win11, etc

https://j00ru.vexillium.org/syscalls/nt/32/

[Oliver]

@jackyjaskbig thanks for your guid ,going to install windows 7 sp1 x64 ,so lets see what happens😊

@jackyjaski would need your plugins ,please share if possible ,i don't have any knowledge to build or modify the plugins

Thanks.

[deepzero]

What does VMP do if it encounters an OS for which it does not have syscall numbers?

[jackyjask]

@deepzero  some good info could be explored over here

[jackyjask]

@Oliver  here you are

put in your Ollydebug v2 plugin dir

select VMPprofile (see above what checkboxes are in need)

scyllahide-Olly-v2-plugin-Win7SP1.zip

[MiīzäěLa]

Does it work for olly64?

Link how to set directory with plugins?

[Oliver]

@jackyjaskbig thanks bro🥰

[Oliver]

@jackyjask through your beautiful steps i was able to run @bootexe in olly v2 

 

thanks so much again

[jackyjask]

8 hours ago, MiīzäěLa said:

Does it work for olly64?

Link how to set directory with plugins?

Well, it's a pity but Olly64 is alpha version, so no support for plugins yet

[Oliver]

Xdbg is user friendly for me ,i always use it to analyse my targets ,waiting for someone to make vmp latest solution for xdbg ,i think @boot already done that but did't share the solution yet. Hope so he will share it after completing his analysis, i already tried @karan scylla hide plugin in same windows 10 build as he mentioned above but it's not working for me.

[Noob boy]

On 9/1/2023 at 11:11 PM, karan said:

 

What is your os version?
The environment I tested is Windows 10 x64 22H2 19045.3324.
As mentioned earlier, errors can occur because the syscall number may be different.
If you still want to take the test, take the attached file and try it.

plugins.zip 310.22 kB · 41 downloads

Windows 10 Enterprise x64 21H2 19044.2604

 

Hi bro, can you help to build Olly1 and x32 x64DBG for Windows 10 Enterprise x64 21H2 19044.2604 system
A plug-in? thank you so much

Edited September 14, 2023 by Noob boy
expression error