Tuts 4 You

VMProtect Heaven's Gate Anti-Debug Bypass to VectorHandler



Posted

VMProtect started using Heaven's Gate to make it difficult to bypass user-mode anti-debug.

VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64, and if the value is 0, it runs the sysenter opcode, judging that it is a 32-bit operating system.

An exception occurred when the wow64 process ran the "sysenter" opcode, and I installed a VectorHandler to handle the exception.

Exception handler functions:

1. Check that the location where the exception occurred is the "sysenter" opcode.

2. Check which Zw** API is being called (checked in the eax register).

3. Load all the arguments recorded in ContextRecord and call the Zw** function as a proxy (API with anti-debug bypass).

4. Put the return value of the API into eax and resume the execution flow at the instruction following the "sysenter" opcode.

Through the above process, I was able to bypass the VMP anti-debug!

I implemented the function by modifying some of the ScyllaHide plugin.

VMProtect has a hardcoded syscall number for each OS version.
I haven't yet implemented the version-specific syscall_number table.

If you have a better idea, please share.

https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master

 

  • Like 9
  • Thanks 1
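The four handler steps described in the post, as an added example that is not code from the post or from ScyllaHide. It models the dispatch logic in portable C: the 32-bit context, the guest memory, the service number in eax and the Zw** proxy are constructed stand-ins (the real service number must come from the service table for the OS build in question, and the argument layout assumes the ntdll stub convention where edx points at two return addresses followed by the arguments). On Windows the same handler would be registered with AddVectoredExceptionHandler and operate on the real CONTEXT.

```c
/* Added example (not code from the thread or from ScyllaHide): a host-portable model
 * of the four handler steps. The context, guest memory, service number and proxies
 * are constructed stand-ins so the dispatch logic compiles and runs anywhere. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts a vectored handler returns (same values as the Windows constants). */
#define EXCEPTION_CONTINUE_EXECUTION (-1)
#define EXCEPTION_CONTINUE_SEARCH      0

/* NTSTATUS values used by the proxy. */
#define STATUS_SUCCESS              0x00000000u
#define STATUS_INVALID_INFO_CLASS   0xC0000003u
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u
#define STATUS_PORT_NOT_SET         0xC0000353u

/* PROCESSINFOCLASS values as defined by Windows. */
#define ProcessDebugPort         7
#define ProcessWow64Information  26
#define ProcessDebugObjectHandle 30
#define ProcessDebugFlags        31

/* PLACEHOLDER: the service number VMP puts in eax depends on the OS build. Take the
 * real value from the service table for your build; this one is made up. */
#define PLACEHOLDER_SYSCALL_NTQUERYINFORMATIONPROCESS 0x0ABCu

/* Constructed stand-in for the 32-bit PEB address a wow64 process reports. */
#define CONSTRUCTED_PEB32_ADDRESS 0x00300000u

/* The CONTEXT fields the handler touches. */
typedef struct { uint32_t eax, edx, esp, eip; } Ctx32;

/* Constructed flat guest memory; 32-bit "addresses" are offsets into it. */
#define MEM_SIZE 0x1000u
typedef struct { uint8_t bytes[MEM_SIZE]; } GuestMem;

static uint32_t rd32(const GuestMem *m, uint32_t a) { uint32_t v; memcpy(&v, &m->bytes[a], 4); return v; }
static void     wr32(GuestMem *m, uint32_t a, uint32_t v) { memcpy(&m->bytes[a], &v, 4); }

/* Step 1: the faulting instruction must be sysenter (0F 34). */
static int is_sysenter(const GuestMem *m, uint32_t eip) {
    return eip + 1 < MEM_SIZE && m->bytes[eip] == 0x0F && m->bytes[eip + 1] == 0x34;
}

/* Step 3 proxy for NtQueryInformationProcess: debugger-related classes are answered
 * the way an anti-anti-debug hook answers them (no debug port, no debug object,
 * "not being debugged" flags); ProcessWow64Information is answered truthfully.
 * Classes not modelled here would be forwarded to the real API on Windows. */
static uint32_t proxy_NtQueryInformationProcess(GuestMem *m, uint32_t cls, uint32_t info,
                                                uint32_t len, uint32_t retlen) {
    uint32_t status = STATUS_SUCCESS, value;
    switch (cls) {
    case ProcessDebugPort:         value = 0; break;
    case ProcessDebugFlags:        value = 1; break;          /* PROCESS_DEBUG_INHERIT */
    case ProcessDebugObjectHandle: value = 0; status = STATUS_PORT_NOT_SET; break;
    case ProcessWow64Information:  value = CONSTRUCTED_PEB32_ADDRESS; break;
    default:                       return STATUS_INVALID_INFO_CLASS;  /* not modelled */
    }
    if (len < 4) return STATUS_INFO_LENGTH_MISMATCH;
    wr32(m, info, value);
    if (retlen) wr32(m, retlen, 4);
    return status;
}

/* Steps 2-4: dispatch on eax, proxy the call, return through eax, skip sysenter.
 * Assumption: edx points at two return addresses followed by the arguments. */
static int handle_sysenter_fault(GuestMem *m, Ctx32 *c) {
    if (!is_sysenter(m, c->eip)) return EXCEPTION_CONTINUE_SEARCH;
    uint32_t args = c->edx + 8;
    uint32_t status;
    switch (c->eax) {
    case PLACEHOLDER_SYSCALL_NTQUERYINFORMATIONPROCESS:
        status = proxy_NtQueryInformationProcess(m, rd32(m, args + 4), rd32(m, args + 8),
                                                 rd32(m, args + 12), rd32(m, args + 16));
        break;
    default:
        return EXCEPTION_CONTINUE_SEARCH;   /* unknown service number: not ours */
    }
    c->eax  = status;
    c->eip += 2;                            /* resume after the 2-byte sysenter */
    return EXCEPTION_CONTINUE_EXECUTION;
}

/* Builds a constructed fault scenario, runs the handler, and reports the resulting
 * NTSTATUS, the value written to the caller's buffer and the resumed eip. */
int run_scenario(uint32_t eax, uint32_t cls, uint32_t *status, uint32_t *value, uint32_t *eip) {
    GuestMem m; memset(&m, 0, sizeof m);
    m.bytes[0x100] = 0x0F; m.bytes[0x101] = 0x34;        /* sysenter at 0x100 */
    const uint32_t sp = 0x800, info = 0x900, retlen = 0x904;
    wr32(&m, sp + 0,  0x0102);      /* return address into the stub */
    wr32(&m, sp + 4,  0x0200);      /* return address into the caller */
    wr32(&m, sp + 8,  0xFFFFFFFFu); /* ProcessHandle = NtCurrentProcess() */
    wr32(&m, sp + 12, cls);
    wr32(&m, sp + 16, info);
    wr32(&m, sp + 20, 4);
    wr32(&m, sp + 24, retlen);
    wr32(&m, info, 0xDEADBEEFu);    /* sentinel, overwritten on success */
    Ctx32 c = { eax, sp, sp, 0x100 };
    int verdict = handle_sysenter_fault(&m, &c);
    *status = c.eax; *value = rd32(&m, info); *eip = c.eip;
    return verdict;
}

int main(void) {
    uint32_t s, v, e;
    int verdict = run_scenario(PLACEHOLDER_SYSCALL_NTQUERYINFORMATIONPROCESS, ProcessDebugPort, &s, &v, &e);
    printf("verdict=%d status=0x%08X debugport=0x%08X eip=0x%X\n", verdict, s, v, e);
    return 0;
}
```

The two exit paths are the part worth noticing: anything that is not sysenter, or a service number the table does not know, returns EXCEPTION_CONTINUE_SEARCH so the debugger still sees the fault. That is also where an OS build whose numbers are not in the table shows up first.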
Posted
7 hours ago, karan said:

VMProtect started using Heaven's Gate to make it difficult to bypass user-mode anti-debug.

VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64, and if the value is 0, it runs the sysenter opcode, judging that it is a 32-bit operating system.

An exception occurred when the wow64 process ran the "sysenter" opcode, and I installed a VectorHandler to handle the exception.

Exception handler functions:

1. Check that the location where the exception occurred is the "sysenter" opcode.

2. Check which Zw** API is being called (checked in the eax register).

3. Load all the arguments recorded in ContextRecord and call the Zw** function as a proxy (API with anti-debug bypass).

4. Put the return value of the API into eax and resume the execution flow at the instruction following the "sysenter" opcode.

Through the above process, I was able to bypass the VMP anti-debug!

I implemented the function by modifying some of the ScyllaHide plugin.

VMProtect has a hardcoded syscall number for each OS version.
I haven't yet implemented the version-specific syscall_number table.

If you have a better idea, please share.

https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master

Has your modified ScyllaHide been compiled?

Posted
15 minutes ago, Noob boy said:

Has your modified ScyllaHide been compiled?

 

What is your OS version?
The environment I tested is Windows 10 x64 22H2 19045.3324.
As mentioned earlier, errors can occur because the syscall number may be different.
If you still want to test it, take the attached file and try it.

plugins.zip

  • Like 1
Posted

Thanks for the great work.

Is it possible to build the plugin for Olly v2 as well?

 

Posted (edited)
1 hour ago, jackyjask said:

Thanks for the great work.

Is it possible to build the plugin for Olly v2 as well?

 

I haven't tested it, so I don't know :(

Edited by karan
Posted (edited)

The x64 version is also being automated, but it calls syscall directly.

Unfortunately, it needs kernel debugger mode.

(screenshot attached)

:(

Edited by karan
Posted
30 minutes ago, karan said:

The x64 version

Will you share it as well?

Posted
On 9/1/2023 at 10:41 AM, karan said:

VMProtect has a hardcoded syscall number for each OS version.
I haven't yet implemented the version-specific syscall_number table.

I've built the Olly2 plugin and tried it inside Win7 SP1 on a 32-bit exe, but it fails...

As far as I understand, the reason is as you said: your plugin has hardcoded syscall numbers for a specific OS, as follows:

(screenshot attached)

Will it be enough to update these for another OS, and then all should be fine? Could you please also hint at the source you got the syscall numbers from?

Thanks!

Posted

@boot I was able to run your VMP-ed 32-bit binary under Olly v2:

(screenshot attached)

At the same time, the same approach did not work in IDA77:

(screenshot attached)

  • Like 1
Posted

Great! So you must have used another plugin to hide from the VMP beast, or... modified the debugger source and thus hidden?

I've prepared some test binaries that fail to start in my case (x32): https://www.sendspace.com/file/nuqg2b

Let me know how it's going with your magic tool.

 

  • Like 1
Posted

Hmm, it turned out that older VMP (3.6.x) uses a different set of sysenter calls... (compared to 3.8.1)

e.g.:

  Message = Debug string: VMPSysenterHandler sysenter 0x30
 

Posted

@Oliver What OS are you interested in? Because my plugin is for good old Win7 SP1 x64 only.

But if you wish to build it yourself, there are no big secrets: all the steps are explained above. All you need to do is find the service table for your specific Windows build (there are dozens of builds, and you have to be careful because the x32 table != the x64 one!).

There are lots of tables online. I've used info from this one, but it is not up to date; for example, it does not have Win11, etc.

https://j00ru.vexillium.org/syscalls/nt/32/

  • Like 2
Posted

@jackyjask big thanks for your guide, going to install Windows 7 SP1 x64, so let's see what happens 😊

@jackyjask I would need your plugins, please share if possible, I don't have any knowledge to build or modify the plugins.

Thanks.

Posted

What does VMP do if it encounters an OS for which it does not have syscall numbers?

Posted

Does it work for Olly64?

Link on how to set the directory with plugins?

Posted
8 hours ago, MiīzäěLa said:

Does it work for Olly64?

Link on how to set the directory with plugins?

Well, it's a pity, but Olly64 is an alpha version, so no support for plugins yet :(

Posted

x64dbg is user friendly for me, I always use it to analyse my targets. Waiting for someone to make a solution for the latest VMP for x64dbg; I think @boot already did that but didn't share the solution yet. Hope he will share it after completing his analysis. I already tried @karan's ScyllaHide plugin in the same Windows 10 build as he mentioned above, but it's not working for me.

Posted (edited)
On 9/1/2023 at 11:11 PM, karan said:

 

What is your OS version?
The environment I tested is Windows 10 x64 22H2 19045.3324.
As mentioned earlier, errors can occur because the syscall number may be different.
If you still want to test it, take the attached file and try it.

plugins.zip

Windows 10 Enterprise x64 21H2 19044.2604

Hi bro, can you help build an Olly1 and x32/x64DBG plug-in for the Windows 10 Enterprise x64 21H2 19044.2604 system? Thank you so much.

Edited by Noob boy
expression error
