karan Posted September 1, 2023 Posted September 1, 2023 VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug. VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64, and if the value is 0, it runs the sysenter opcode, judging that it is a 32bit operating system. An exception occurred when the wow64 process ran the "sysenter" opcode, and I installed VectorHandler to handle the exception. Exception Handler Functions: 1. check that the exception location that occurred is the "sysenter" opcode. 2. Check which Zw** APIs are called (checked in the eax register) 3. load all the arguments recorded in ContextRecord and call the Zw** function as proxy. (API with anti-debug bypass) 4. put the return value of the API into eax and resume the execution flow with the next instruction in the "sysenter" opcode. Through the above process, I was able to bypass the VMP Anti-Debug! bandicam 2023-08-30 23-52-29-912.mp4 I implemented the function by modifying some of the Scyllahide plugin. VMProtect has a hardcoded syscall number for each OS version. i didn't yet implemented the version-specific syscall_number table. If you have a better idea, share please. https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master 9 1
Noob boy Posted September 1, 2023 Posted September 1, 2023 7 hours ago, karan said: VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug. VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64, and if the value is 0, it runs the sysenter opcode, judging that it is a 32bit operating system. An exception occurred when the wow64 process ran the "sysenter" opcode, and I installed VectorHandler to handle the exception. Exception Handler Functions: 1. check that the exception location that occurred is the "sysenter" opcode. 2. Check which Zw** APIs are called (checked in the eax register) 3. load all the arguments recorded in ContextRecord and call the Zw** function as proxy. (API with anti-debug bypass) 4. put the return value of the API into eax and resume the execution flow with the next instruction in the "sysenter" opcode. Through the above process, I was able to bypass the VMP Anti-Debug! bandicam 2023-08-30 23-52-29-912.mp4 5.8 MB · 0 downloads I implemented the function by modifying some of the Scyllahide plugin. VMProtect has a hardcoded syscall number for each OS version. i didn't yet implemented the version-specific syscall_number table. If you have a better idea, share please. https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master Has your modified Scyllahide been compiled?
karan Posted September 1, 2023 Author Posted September 1, 2023 15 minutes ago, Noob boy said: Has your modified Scyllahide been compiled? What is your os version? The environment I tested is Windows 10 x64 22H2 19045.3324. As mentioned earlier, errors can occur because the syscall number may be different. If you still want to take the test, take the attached file and try it. plugins.zip 1
jackyjask Posted September 1, 2023 Posted September 1, 2023 Thanks for great work Is it possible to build plugin for Olly v2 as well?
karan Posted September 1, 2023 Author Posted September 1, 2023 (edited) 1 hour ago, jackyjask said: Thanks for great work Is it possible to build plugin for Olly v2 as well? I haven't tested it, so I don't know Edited September 1, 2023 by karan
karan Posted September 2, 2023 Author Posted September 2, 2023 (edited) The x64 version is also working on automation, but it calls syscall directly Unfortunately, need to have use kernel debugger mode. bandicam 2023-09-02 20-17-05-975.mp4 Edited September 2, 2023 by karan
X0rby Posted September 2, 2023 Posted September 2, 2023 30 minutes ago, karan said: The x64 version Will you share it as well?
boot Posted September 2, 2023 Posted September 2, 2023 If x32/x64Dbg/ with the ScyllaHide plugin could run these two samples directly without being detected, that would be even better... Samples: https://workupload.com/archive/vuCqfTLdLw
jackyjask Posted September 3, 2023 Posted September 3, 2023 On 9/1/2023 at 10:41 AM, karan said: VMProtect has a hardcoded syscall number for each OS version. i didn't yet implemented the version-specific syscall_number table. I've build the Olly2 plugin and tried it inside Win7 SP1 on 32 bit exe, but it fails.... as far as I understand the reason is as you said - your plugin has hardcoded syscall numbers for specific OS as follows: will it be enough to update these to another OS then all should be fine? Could you please also hint the source of syscall numbers you did get from Thanks!
jackyjask Posted September 5, 2023 Posted September 5, 2023 @boot I was able to run your VMP-ed x32 bit binary under Olly v2: at the same time same approach did not work in IDA77 1
boot Posted September 5, 2023 Posted September 5, 2023 I tried using the ScyllaHide x86/x64 plugin, but it didn't seem to work, so I bypassed Anti-Debug detection in other ways. Perhaps I need some time to study the ScyllaHide plugin... https://workupload.com/file/Lz2bu2avWsx 1
jackyjask Posted September 5, 2023 Posted September 5, 2023 great! so you must have used another plugin to hide from VMP beast or... modify source of debugger and thus hide? I"ve prepared some test binaries that are failed to start in my case (x32) https://www.sendspace.com/file/nuqg2b let me know how it's going on your magic tool 1
jackyjask Posted September 6, 2023 Posted September 6, 2023 hmm it turned out that older vmp (3.6.x ) uses different set of sysenter calls... (comparing to 3.8.1) eg: Message = Debug string: VMPSysenterHandler sysenter 0x30
Oliver Posted September 13, 2023 Posted September 13, 2023 @jackyjask can you please share the method ,how was you able to run @boot vmp exe into ollyv2?
jackyjask Posted September 13, 2023 Posted September 13, 2023 @Oliver what OS are you interested in? cause my plugin is for old good Win7 SP1x64 only but if you wish to build it yourself there are no any big secrets - all the steps are explaine above, all you need to do is to find your specific win build service table (cause there are dozens of builds and you have to be carefull because x32 table != x64 one! there lots of tables onlnie, I've used info from this one, but it is not up to date, for example it does not have win11, etc https://j00ru.vexillium.org/syscalls/nt/32/ 2
Oliver Posted September 13, 2023 Posted September 13, 2023 @jackyjaskbig thanks for your guid ,going to install windows 7 sp1 x64 ,so lets see what happens😊 @jackyjaski would need your plugins ,please share if possible ,i don't have any knowledge to build or modify the plugins Thanks.
deepzero Posted September 13, 2023 Posted September 13, 2023 What does VMP do if it encounters an OS for which it does not have syscall numbers?
jackyjask Posted September 13, 2023 Posted September 13, 2023 @deepzero some good info could be explored over here 2
jackyjask Posted September 13, 2023 Posted September 13, 2023 @Oliver here you are put in your Ollydebug v2 plugin dir select VMPprofile (see above what checkboxes are in need) scyllahide-Olly-v2-plugin-Win7SP1.zip 1 2
MiīzäěLa Posted September 13, 2023 Posted September 13, 2023 Does it work for olly64? Link how to set directory with plugins?
Oliver Posted September 14, 2023 Posted September 14, 2023 @jackyjask through your beautiful steps i was able to run @bootexe in olly v2 thanks so much again
jackyjask Posted September 14, 2023 Posted September 14, 2023 8 hours ago, MiīzäěLa said: Does it work for olly64? Link how to set directory with plugins? Well, it's a pity but Olly64 is alpha version, so no support for plugins yet
Oliver Posted September 14, 2023 Posted September 14, 2023 Xdbg is user friendly for me ,i always use it to analyse my targets ,waiting for someone to make vmp latest solution for xdbg ,i think @boot already done that but did't share the solution yet. Hope so he will share it after completing his analysis, i already tried @karan scylla hide plugin in same windows 10 build as he mentioned above but it's not working for me.
Noob boy Posted September 14, 2023 Posted September 14, 2023 (edited) On 9/1/2023 at 11:11 PM, karan said: What is your os version? The environment I tested is Windows 10 x64 22H2 19045.3324. As mentioned earlier, errors can occur because the syscall number may be different. If you still want to take the test, take the attached file and try it. plugins.zip 310.22 kB · 41 downloads Windows 10 Enterprise x64 21H2 19044.2604 Hi bro, can you help to build Olly1 and x32 x64DBG for Windows 10 Enterprise x64 21H2 19044.2604 system A plug-in? thank you so much Edited September 14, 2023 by Noob boy expression error
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now