VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug.


VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64, and if the value is 0, it runs the sysenter opcode, judging that it is a 32-bit operating system.


An exception occurred when the wow64 process ran the "sysenter" opcode, and I installed VectorHandler to handle the exception.


Exception Handler Functions:

1. Check that the exception location that occurred is the "sysenter" opcode.

2. Check which Zw** APIs are called (checked in the eax register).

3. Load all the arguments recorded in ContextRecord and call the Zw** function as proxy (API with anti-debug bypass).

4. Put the return value of the API into eax and resume the execution flow with the next instruction after the "sysenter" opcode.


Through the above process, I was able to bypass the VMP Anti-Debug!

 

I implemented the function by modifying some of the ScyllaHide plugin.

VMProtect has a hardcoded syscall number for each OS version.
I haven't implemented the version-specific syscall_number table yet.

 

If you have a better idea, share please.

 

https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master
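As an added illustration, not code from this post or from the linked ScyllaHide fork, here is a portable C model of the four handler steps (sysenter check, eax lookup in a per-build table, proxied call, resume after sysenter). The Ctx32 struct (fields named after the x86 CONTEXT members Eip/Eax/Edx), the build-keyed tables and their service numbers, the code bytes, and the [Edx+8] argument offset are all assumptions or constructed values; demo_proxy stands in for the real proxied Zw call.

```c
#include <stddef.h>
#include <stdint.h>

/* Subset of the x86 CONTEXT members the handler reads (constructed struct). */
struct Ctx32 { uint32_t Eip; uint32_t Eax; uint32_t Edx; };
struct SyscallEntry { uint32_t number; const char *name; };
struct SyscallTable { uint32_t build; const struct SyscallEntry *entries; size_t count; };
typedef uint32_t (*proxy_fn)(const char *name, const uint32_t *args);
/* Per-build tables (the part the post says is still missing). The service
 * numbers are constructed placeholders, not real Windows service indices. */
static const struct SyscallEntry kBuild7601[]  = { { 0x30, "ZwQueryInformationProcess" } };
static const struct SyscallEntry kBuild19045[] = { { 0x19, "ZwQueryInformationProcess" } };
static const struct SyscallTable kTables[] = { { 7601, kBuild7601, 1 }, { 19045, kBuild19045, 1 } };

/* Step 1: the faulting instruction must be sysenter (0F 34). `code` is a byte
 * view of the module mapped at `base`; an Eip outside it is rejected. */
int is_sysenter(const uint8_t *code, size_t len, uint32_t base, uint32_t eip) {
    if (eip < base) return 0;
    size_t off = eip - base;
    return off + 2 <= len && code[off] == 0x0F && code[off + 1] == 0x34;
}

/* Step 2: map (OS build, Eax) to the Zw name; NULL when either is unknown. */
const char *lookup_syscall(uint32_t build, uint32_t number) {
    for (size_t t = 0; t < sizeof kTables / sizeof kTables[0]; t++) {
        if (kTables[t].build != build) continue;
        for (size_t i = 0; i < kTables[t].count; i++)
            if (kTables[t].entries[i].number == number) return kTables[t].entries[i].name;
    }
    return NULL;
}
/* Constructed stand-in for the proxied Zw call: records the name and returns
 * STATUS_SUCCESS for ProcessWow64Information (class 26), else STATUS_INVALID_PARAMETER. */
const char *g_last_proxied = "";
uint32_t demo_proxy(const char *name, const uint32_t *args) {
    g_last_proxied = name;
    return args[1] == 26 ? 0 : 0xC000000Du;
}
/* Steps 3-4. `stack` models the memory at Edx. ASSUMPTION: the arguments start at
 * [Edx+8] (two return addresses first), as in the classic KiFastSystemCall convention.
 * Returns 1 when handled (the VEH would return EXCEPTION_CONTINUE_EXECUTION), else 0. */
int handle_sysenter(struct Ctx32 *ctx, const uint8_t *code, size_t len, uint32_t base,
                    uint32_t build, const uint32_t *stack, proxy_fn proxy) {
    if (!is_sysenter(code, len, base, ctx->Eip)) return 0;
    const char *name = lookup_syscall(build, ctx->Eax);
    if (!name) return 0;            /* unknown build/number: leave it to the next handler */
    ctx->Eax = proxy(name, stack + 2);
    ctx->Eip += 2;                  /* resume at the instruction after the 2-byte sysenter */
    return 1;
}
```

An unknown build or number deliberately returns 0 so the exception is not swallowed, which matches the failures reported later in the thread when the hardcoded numbers do not fit the OS.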

 


7 hours ago, karan said:

VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug.
Has your modified Scyllahide been compiled?

Author (karan):
15 minutes ago, Noob boy said:

Has your modified Scyllahide been compiled?

 

What is your os version?
The environment I tested is Windows 10 x64 22H2 19045.3324.
As mentioned earlier, errors can occur because the syscall number may be different.
If you still want to take the test, take the attached file and try it.

plugins.zip

Thanks for the great work

Is it possible to build the plugin for Olly v2 as well?

 

Author (karan):
1 hour ago, jackyjask said:

Thanks for the great work

Is it possible to build the plugin for Olly v2 as well?

 

I haven't tested it, so I don't know :(

Edited by karan

Author (karan):

The x64 version is also working on automation, but it calls syscall directly.

Unfortunately, you need to use kernel debugger mode.

[screenshot attachment]

:(

 

Edited by karan

30 minutes ago, karan said:

The x64 version

Will you share it as well?

If x32/x64dbg with the ScyllaHide plugin could run these two samples directly without being detected, that would be even better... :)

Samples:
https://workupload.com/archive/vuCqfTLdLw

On 9/1/2023 at 10:41 AM, karan said:

VMProtect has a hardcoded syscall number for each OS version.
i didn't yet implemented the version-specific syscall_number table.

I've built the Olly2 plugin and tried it inside Win7 SP1 on a 32-bit exe, but it fails...

As far as I understand, the reason is as you said - your plugin has hardcoded syscall numbers for a specific OS, as follows:

[screenshot attachment]

Will it be enough to update these for another OS, and then all should be fine? Could you please also hint at the source you got the syscall numbers from?

Thanks!

@boot I was able to run your VMP-ed x32 bit binary under Olly v2:

[screenshot attachment]

At the same time the same approach did not work in IDA77:

[screenshot attachment]

I tried using the ScyllaHide x86/x64 plugin, but it didn't seem to work, so I bypassed Anti-Debug detection in other ways. Perhaps I need some time to study the ScyllaHide plugin...

https://workupload.com/file/Lz2bu2avWsx

Great! So you must have used another plugin to hide from the VMP beast or... modified the source of the debugger and thus hidden?

I've prepared some test binaries that fail to start in my case (x32): https://www.sendspace.com/file/nuqg2b

Let me know how it's going with your magic tool.

 

Hmm, it turned out that older VMP (3.6.x) uses a different set of sysenter calls... (compared to 3.8.1)

eg:

  Message = Debug string: VMPSysenterHandler sysenter 0x30
 

@jackyjask can you please share the method, how were you able to run @boot's VMP exe in Olly v2?

@Oliver what OS are you interested in? 'Cause my plugin is for good old Win7 SP1 x64 only.

But if you wish to build it yourself there are no big secrets - all the steps are explained above; all you need to do is find your specific Win build service table ('cause there are dozens of builds, and you have to be careful because the x32 table != the x64 one!).

There are lots of tables online; I've used info from this one, but it is not up to date, for example it does not have Win11, etc.

https://j00ru.vexillium.org/syscalls/nt/32/

@jackyjask big thanks for your guide, going to install Windows 7 SP1 x64, so let's see what happens😊

@jackyjask I would need your plugins, please share if possible, I don't have any knowledge to build or modify the plugins.

Thanks.

What does VMP do if it encounters an OS for which it does not have syscall numbers?

@deepzero some good info could be explored over here

@Oliver here you are.

Put it in your OllyDbg v2 plugin dir.

Select the VMPprofile (see above for which checkboxes are needed).

scyllahide-Olly-v2-plugin-Win7SP1.zip

Does it work for olly64?

Link on how to set the directory with plugins?

@jackyjask big thanks bro🥰

@jackyjask through your beautiful steps I was able to run @boot's exe in Olly v2

 

thanks so much again

[screenshot attachment]

8 hours ago, MiīzäěLa said:

Does it work for olly64?

Link on how to set the directory with plugins?

Well, it's a pity but Olly64 is alpha version, so no support for plugins yet :(

Xdbg is user friendly for me, I always use it to analyse my targets, waiting for someone to make a solution for the latest VMP for xdbg. I think @boot already did that but didn't share the solution yet. Hope he will share it after completing his analysis. I already tried @karan's ScyllaHide plugin in the same Windows 10 build as he mentioned above, but it's not working for me.

On 9/1/2023 at 11:11 PM, karan said:

 

What is your os version?
The environment I tested is Windows 10 x64 22H2 19045.3324.
As mentioned earlier, errors can occur because the syscall number may be different.
If you still want to take the test, take the attached file and try it.

plugins.zip 310.22 kB · 41 downloads

Windows 10 Enterprise x64 21H2 19044.2604

 

Hi bro, can you help build an Olly1 and x32/x64dbg plug-in for the Windows 10 Enterprise x64 21H2 19044.2604 system? Thank you so much.

Edited by Noob boy
expression error
