Tuts 4 You

VMProtect Heaven's Gate Anti-Debug Bypass to VectorHandler


karan


VMProtect started using Heaven's Gate to make it difficult to bypass usermode anti-debug.

VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check whether the running process is WOW64, and if the value is 0 it runs the sysenter opcode, judging that it is a 32-bit operating system.

An exception occurs when the WOW64 process runs the "sysenter" opcode, and I installed a VectorHandler to handle the exception.

Exception handler functions:

1. Check that the exception location is the "sysenter" opcode.

2. Check which Zw** API is being called (checked in the eax register).

3. Load all the arguments recorded in ContextRecord and call the Zw** function as a proxy (the API with anti-debug bypass).

4. Put the return value of the API into eax and resume the execution flow at the instruction following the "sysenter" opcode.

Through the above process, I was able to bypass the VMP anti-debug!

I implemented the function by modifying some of the ScyllaHide plugin.

VMProtect has a hardcoded syscall number for each OS version.
I haven't yet implemented the version-specific syscall-number table.

If you have a better idea, please share.


https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master

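The four handler steps described in the post, as an added example that is not code from the post, from the ScyllaHide fork or from VMProtect: a vectored exception handler that keys on the 0F 34 bytes at the faulting Eip, maps eax to a Zw API through a per-build service-number table, proxies the call and resumes right after the sysenter. Everything the thread does not state is an assumption and is marked as such in the code: the argument base [edx+8] (the native KiFastSystemCall convention, to be verified against the VMP stub in your target), the placeholder service numbers in the table, and the stand-in proxy functions that model what the hooked NtQueryInformationProcess / NtSetInformationThread answer; in a real plugin the `proxy` pointers would point at the hooked ntdll exports. Outside a 32-bit Windows build the Windows types are replaced by equivalent stand-ins so the dispatch logic can be unit-tested on any host.

```c
/* Added example (not code from the post, the ScyllaHide fork or VMProtect): the four
 * handler steps described above, written so the dispatch logic compiles and can be
 * unit-tested off Windows. Everything marked ASSUMED is not stated in the thread. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>
typedef DWORD REG;                          /* x86 CONTEXT registers are 32-bit */
#else
/* Stand-ins mirroring the x86 EXCEPTION_RECORD / CONTEXT / EXCEPTION_POINTERS layout;
 * registers are pointer-sized so a fake stack works on a 64-bit host. */
typedef uintptr_t REG;
typedef long LONG;
typedef struct { REG ExceptionCode; void *ExceptionAddress; } EXCEPTION_RECORD;
typedef struct { REG Eax, Ecx, Edx, Esp, Eip; } CONTEXT;
typedef struct { EXCEPTION_RECORD *ExceptionRecord; CONTEXT *ContextRecord; } EXCEPTION_POINTERS;
#define EXCEPTION_CONTINUE_SEARCH    0L
#define EXCEPTION_CONTINUE_EXECUTION (-1L)
#define WINAPI
#endif

#define STATUS_SUCCESS               0x00000000u
#define STATUS_INVALID_INFO_CLASS    0xC0000003u
#define STATUS_INFO_LENGTH_MISMATCH  0xC0000004u
#define PROCESS_DEBUG_PORT_CLASS     7      /* PROCESSINFOCLASS ProcessDebugPort */
#define THREAD_HIDE_FROM_DEBUGGER    0x11   /* THREADINFOCLASS ThreadHideFromDebugger */
static const uint8_t SYSENTER[2] = { 0x0F, 0x34 };

/* A proxy receives the Zw arguments exactly as they sit on the caller's stack. */
typedef uint32_t (*zw_proxy_fn)(const REG *args);

/* Stand-ins for the hooked ntdll exports. In the real plugin `proxy` points at the
 * (hooked) NtQueryInformationProcess / NtSetInformationThread, so the usual
 * usermode anti-anti-debug applies to VMProtect's direct syscalls too. */
static uint32_t proxy_NtQueryInformationProcess(const REG *a) {  /* Handle, Class, Buf, Len, RetLen */
    if (a[1] != PROCESS_DEBUG_PORT_CLASS) return STATUS_INVALID_INFO_CLASS;
    if (a[3] < sizeof(uint32_t)) return STATUS_INFO_LENGTH_MISMATCH;
    *(uint32_t *)(uintptr_t)a[2] = 0;                            /* report "no debug port" */
    if (a[4]) *(uint32_t *)(uintptr_t)a[4] = sizeof(uint32_t);
    return STATUS_SUCCESS;
}
static uint32_t proxy_NtSetInformationThread(const REG *a) {     /* Handle, Class, Info, Len */
    /* claim success without actually hiding the thread from the debugger */
    return a[1] == THREAD_HIDE_FROM_DEBUGGER ? STATUS_SUCCESS : STATUS_INVALID_INFO_CLASS;
}

/* VMProtect hard-codes the *native x86* service number per OS build, so this table
 * has to be chosen per build (32-bit table, not the x64 one). The numbers below are
 * CONSTRUCTED placeholders for the self-test, not real service numbers. */
enum { SYSNO_NtQueryInformationProcess = 0x1234, SYSNO_NtSetInformationThread = 0x5678 };
typedef struct { uint32_t syscall_number; const char *name; unsigned argc; zw_proxy_fn proxy; } syscall_entry;
static const syscall_entry table[] = {
    { SYSNO_NtQueryInformationProcess, "NtQueryInformationProcess", 5, proxy_NtQueryInformationProcess },
    { SYSNO_NtSetInformationThread,    "NtSetInformationThread",    4, proxy_NtSetInformationThread },
};
static const syscall_entry *lookup(REG eax) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].syscall_number == (uint32_t)eax) return &table[i];
    return NULL;
}

static LONG WINAPI vmp_sysenter_handler(EXCEPTION_POINTERS *ep) {
    CONTEXT *ctx = ep->ContextRecord;
    /* 1. only a fault raised *at* a sysenter (0F 34) is ours */
    if ((uintptr_t)ep->ExceptionRecord->ExceptionAddress != (uintptr_t)ctx->Eip ||
        memcmp((const void *)(uintptr_t)ctx->Eip, SYSENTER, sizeof SYSENTER) != 0)
        return EXCEPTION_CONTINUE_SEARCH;
    /* 2. eax carries the service number VMProtect hard-coded for this build */
    const syscall_entry *e = lookup(ctx->Eax);
    if (!e) return EXCEPTION_CONTINUE_SEARCH;                    /* unknown: fail loudly, don't guess */
    /* 3. ASSUMED: arguments are at [edx+8], the native KiFastSystemCall convention
     *    (mov edx,esp; sysenter: two return addresses precede the Zw arguments). */
    uint32_t status = e->proxy((const REG *)(uintptr_t)(ctx->Edx + 2 * sizeof(REG)));
    /* 4. NTSTATUS goes back in eax; resume at the instruction after sysenter */
    ctx->Eax = status;
    ctx->Eip += sizeof SYSENTER;
    return EXCEPTION_CONTINUE_EXECUTION;
}

#if defined(_WIN32) && !defined(_WIN64)
void install_vmp_sysenter_handler(void) { AddVectoredExceptionHandler(1, vmp_sysenter_handler); }
#endif

/* Self-test on a CONSTRUCTED fault: a VMProtect-style sysenter for
 * NtQueryInformationProcess(ProcessDebugPort). Returns 1 if all four steps held. */
int selftest_sysenter_proxy(void) {
    static uint8_t code[] = { 0x0F, 0x34, 0x90, 0x90 };         /* sysenter; nop; nop */
    uint32_t debug_port = 0xDEADBEEF, ret_len = 0;
    REG stack[] = { 0x11111111, 0x22222222,                     /* two fake return addresses */
                    (REG)-1, PROCESS_DEBUG_PORT_CLASS, (REG)(uintptr_t)&debug_port,
                    sizeof(uint32_t), (REG)(uintptr_t)&ret_len };
    CONTEXT ctx; memset(&ctx, 0, sizeof ctx);
    ctx.Eax = SYSNO_NtQueryInformationProcess;
    ctx.Eip = (REG)(uintptr_t)code;
    ctx.Edx = ctx.Esp = (REG)(uintptr_t)stack;
    EXCEPTION_RECORD er; memset(&er, 0, sizeof er); er.ExceptionAddress = code;
    EXCEPTION_POINTERS ep = { &er, &ctx };
    if (vmp_sysenter_handler(&ep) != EXCEPTION_CONTINUE_EXECUTION) return 0;
    if (ctx.Eax != STATUS_SUCCESS || ctx.Eip != (REG)(uintptr_t)(code + 2)) return 0;
    if (debug_port != 0 || ret_len != sizeof(uint32_t)) return 0;
    /* a fault that is not at a sysenter must be passed on untouched */
    ctx.Eip = (REG)(uintptr_t)(code + 2); er.ExceptionAddress = code + 2;
    return vmp_sysenter_handler(&ep) == EXCEPTION_CONTINUE_SEARCH;
}
```

Two practical points for anyone adapting this. An eax value missing from the table deliberately returns EXCEPTION_CONTINUE_SEARCH, so a wrong or incomplete per-build table shows up as a crash at the sysenter rather than as a silently wrong answer proxied to the protector. And while the target runs under a debugger, the fault at the sysenter is delivered to the debugger as a first-chance exception before any in-process handler sees it; the debugger has to pass that exception on to the debuggee, otherwise the vectored handler never runs.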

7 hours ago, karan said:

VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug.
[...]

Has your modified ScyllaHide been compiled?

15 minutes ago, Noob boy said:

Has your modified ScyllaHide been compiled?

What is your OS version?
The environment I tested is Windows 10 x64 22H2 19045.3324.
As mentioned earlier, errors can occur because the syscall number may be different.
If you still want to test it, take the attached file and try it.

plugins.zip


1 hour ago, jackyjask said:

Thanks for the great work.

Is it possible to build the plugin for Olly v2 as well?

I haven't tested it, so I don't know :(

On 9/1/2023 at 10:41 AM, karan said:

VMProtect has a hardcoded syscall number for each OS version.
I haven't yet implemented the version-specific syscall-number table.

I've built the Olly2 plugin and tried it inside Win7 SP1 on a 32-bit exe, but it fails...

As far as I understand, the reason is as you said: your plugin has hardcoded syscall numbers for a specific OS, as follows:

[image: screenshot of the hardcoded syscall numbers]

Will it be enough to update these for another OS, and then all should be fine? Could you please also hint at the source you got the syscall numbers from?

Thanks!

Hmm, it turned out that older VMP (3.6.x) uses a different set of sysenter calls... (compared to 3.8.1)

e.g.:

  Message = Debug string: VMPSysenterHandler sysenter 0x30

@Oliver what OS are you interested in? Because my plugin is for good old Win7 SP1 x64 only.

But if you wish to build it yourself there are no big secrets: all the steps are explained above; all you need to do is find the service table for your specific Windows build (there are dozens of builds, and you have to be careful because the x32 table != the x64 one!).

There are lots of tables online. I've used info from this one, but it is not up to date; for example, it does not have Win11, etc.

https://j00ru.vexillium.org/syscalls/nt/32/

8 hours ago, MiīzäěLa said:

Does it work for olly64?

Link to how to set the directory with plugins?

Well, it's a pity, but Olly64 is an alpha version, so there is no support for plugins yet :(

Xdbg is user-friendly for me; I always use it to analyse my targets. I'm waiting for someone to make a solution for the latest VMP for xdbg; I think @boot has already done that but didn't share the solution yet. Hopefully he will share it after completing his analysis. I already tried @karan's ScyllaHide plugin on the same Windows 10 build as he mentioned above, but it's not working for me.

On 9/1/2023 at 11:11 PM, karan said:

What is your OS version?
[...]

Windows 10 Enterprise x64 21H2 19044.2604

Hi bro, can you help build an Olly1 and x32/x64DBG plugin for the Windows 10 Enterprise x64 21H2 19044.2604 system? Thank you so much.
