Jump to content
Tuts 4 You

VMProtect Heaven's Gate Anti-Debug Bypass to VectorHandler

karan

By karan
in Reverse Engineering Articles

 Share

Recommended Posts

  • Replies 104
  • Created
  • Last Reply

Top Posters In This Topic

  • jackyjask

    23

  • karan

    14

  • boot

    14

  • Oliver

    13

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

boot
boot

Support for Win7 x64:  - Confirmed support for Win7 x64 SP1  - Maybe it also supports Win7 x64 SP0 [Olly v1.10 ScyllaHide] Win7 x64 SP1.zip [x32Dbg ScyllaHide] Win7 x64 SP1.zip Supp

boot
boot

I have already conducted testing before, and if you compile the 32-bit plugin according to the original source code provided here (https://bbs.kanxue.com/thread-282244.htm).  Original 32-bit (Imp

karan
karan

VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug. VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64,

Posted Images

boot

boot

Posted
Posted (edited)

It has been confirmed that the ScyllaHide plugin is feasible in Win7 x64 SP1, so the Olly v1.10 plugin for Win7 x64 SP1 has been compiled, which can bypass the Anti-Debug of VMP 3.8.1. Due to the lack of a lot of data, plugins that support other OSs are waiting for analysis...

updated:

https://forum.tuts4you.com/topic/44425-vmprotect-heavens-gate-anti-debug-bypass-to-vectorhandler/?do=findComment&comment=217057

Edited by boot
  • Like 1
Link to comment
Share on other sites
jackyjask

jackyjask

Posted
Posted

@boot  why do you need to keep 2 Olly v1 plugins wiht the same functinality? they definitely will fight for the same functionality and thus make debugger unstalble

image.png.91d57c9b2ce40ceab449970021d00021.png

and ScyallHide

image.png.b2ab21bb8fb7b0331ad30ee543dbfa13.png

as per my understanding it is enough to have just one - eg ScyallHider

Link to comment
Share on other sites
boot

boot

Posted
Posted
2 hours ago, jackyjask said:

they definitely will fight for the same functionality and thus make debugger unstalble...

Yes, in StrongOD plugin, there are some options/check-boxes that do not need to be checked because they are already selected in ScyllaHide plugin, otherwise it will cause a crash. But there is one option that must be checked, which is the 'Skip Some Exceptions' option.

Link to comment
Share on other sites
jackyjask

jackyjask

Posted
Posted (edited)

But you already could use that feature "Skip Some Exceptions" in ScyllaHide plugin, look - 

image.png.22433d27659bd4e8649d3214a79cc13e.png

 

and on your video that check is unchecked..

could you try it out? (remove StrongOD and use these checkboxes and see if you still able to run the target protected app)

 

Edited by jackyjask
Link to comment
Share on other sites
krotty

krotty

Posted
Posted
5 hours ago, jackyjask said:

@boot  why do you need to keep 2 Olly v1 plugins wiht the same functinality? they definitely will fight for the same functionality and thus make debugger unstalble

image.png.91d57c9b2ce40ceab449970021d00021.png

and ScyallHide

image.png.b2ab21bb8fb7b0331ad30ee543dbfa13.png

as per my understanding it is enough to have just one - eg ScyallHider

Can I get this olly ?

Link to comment
Share on other sites
Noob boy

Noob boy

Posted
Posted
On 9/1/2023 at 3:41 PM, karan said:

VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug.


VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64, and if the value is 0, it runs the sysenter opcode, judging that it is a 32bit operating system.


An exception occurred when the wow64 process ran the "sysenter" opcode, and I installed VectorHandler to handle the exception.


Exception Handler Functions:


1. check that the exception location that occurred is the "sysenter" opcode.


2. Check which Zw** APIs are called (checked in the eax register)


3. load all the arguments recorded in ContextRecord and call the Zw** function as proxy. (API with anti-debug bypass)


4. put the return value of the API into eax and resume the execution flow with the next instruction in the "sysenter" opcode.


Through the above process, I was able to bypass the VMP Anti-Debug!

 

I implemented the function by modifying some of the Scyllahide plugin.

VMProtect has a hardcoded syscall number for each OS version.
i didn't yet implemented the version-specific syscall_number table.

 

If you have a better idea, share please.

 

https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master

 

Hi brother, can you upload a copy of the ScyllaHide source code you modified! for reference?

Link to comment
Share on other sites
boot

boot

Posted
Posted (edited)
On 9/14/2023 at 4:11 PM, boot said:

It has been confirmed that the ScyllaHide plugin is feasible in Win7 x64 SP1...

plugins && videos download:

 

 

I have built and tested two new versions of the Olly v1.10 plugins,

Support for Win10 x64:
 - Confirmed support for Win10_ Version x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

Support for Win11 x64:
 - Confirmed support for Win11_ Version x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

updated:

https://forum.tuts4you.com/topic/44425-vmprotect-heavens-gate-anti-debug-bypass-to-vectorhandler/?do=findComment&comment=217057

Edited by boot
  • Like 3
  • Thanks 2
Link to comment
Share on other sites
jackyjask

jackyjask

Posted
Posted

Thanks @boot  very nice video format for readme :)  while watching it I"ve got one more idea - how about you consider record some more vids about bunch of your plugins that you are keeping in your Olly / boot edition great debugger

some I know but some not, would be nice for newbies to educate and learn in a super modern video like lesson(s) :)

image.png.fc906647e1ce5b47a4673628392a4eff.png

  • Like 1
Link to comment
Share on other sites
Oliver

Oliver

Posted
Posted (edited)
3 hours ago, boot said:

plugins && videos download:

[Olly v1.10 ScyllaHide] - Supports Win10_x64-22H2-19045.3448.rar 3.56 MB · 10 downloads

[Olly v1.10 ScyllaHide] - Supports Win11_x64-22H2-22621.2215.rar 5.86 MB · 7 downloads

I have built and tested two new versions of the Olly v1.10 plugins,

Support for Win10 x64:
 - Confirmed support for Win10_ Version x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

Support for Win11 x64:
 - Confirmed support for Win11_ Version x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

@boot thanks , appreciate your hard work,waiting for you to build Scylla for x32dbg/x64dbg .

Edited by Oliver
Link to comment
Share on other sites
jackyjask

jackyjask

Posted
Posted

@Oliver nice video master piece :)

I've got a question to your Olly v1 plugin list as well

how do you guys manage to have (I"ve counted) 5 (!!) anti-debug plugins at the same time? :)   doesn't it confict with each other?   what are your top 3 plugins used mostly in day to day work?

image.png.1c16f1998541db04a824bc97bf0e6191.png

Link to comment
Share on other sites
Oliver

Oliver

Posted
Posted

@jackyjask i mostly use 4 plugins ,strogod,sharpod,phantom,scylla. i downloaded this olly v1 from somewhere and i got these all plugins inside ,i disabled all plugins except that 4 which i use mostly 🙂

Link to comment
Share on other sites
jackyjask

jackyjask

Posted
Posted
2 hours ago, Noob boy said:

Try this demoVMProtect SDK for E Demo.vmp.zip

what vmp version have you used? I does not run in my case... neither does not complain about found debugger? ! 

10 minutes ago, Oliver said:

@jackyjask i mostly use 4 plugins ,strogod,sharpod,phantom,scylla. i downloaded this olly v1 from somewhere and i got these all plugins inside ,i disabled all plugins except that 4 which i use mostly 🙂

when plugin is present in Ollydbg menu it means i t is already used!  even if you disable the checkbox in features, the plugin

a) was loaded by Olly - occupies memory segments

b) it receives lots of events/callbacks from Olly - potential way may lead to error prone cases

c) the aggressive SW has more means to detect deugger by scanning memory and looking for some debug strings

d)  you add more here :)

 

Link to comment
Share on other sites
Oliver

Oliver

Posted
Posted
30 minutes ago, jackyjask said:

what vmp version have you used? I does not run in my case... neither does not complain about found debugger? ! 

when plugin is present in Ollydbg menu it means i t is already used!  even if you disable the checkbox in features, the plugin

a) was loaded by Olly - occupies memory segments

b) it receives lots of events/callbacks from Olly - potential way may lead to error prone cases

c) the aggressive SW has more means to detect deugger by scanning memory and looking for some debug strings

d)  you add more here :)

 

@jackyjask aah great ,thanks for good informations🥰

Link to comment
Share on other sites
Noob boy

Noob boy

Posted
Posted
14 hours ago, boot said:

plugins && videos download:

[Olly v1.10 ScyllaHide] - Supports Win10_x64-22H2-19045.3448.rar 3.56 MB · 18 downloads

[Olly v1.10 ScyllaHide] - Supports Win11_x64-22H2-22621.2215.rar 5.86 MB · 19 downloads

I have built and tested two new versions of the Olly v1.10 plugins,

Support for Win10 x64:
 - Confirmed support for Win10_ Version x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

Support for Win11 x64:
 - Confirmed support for Win11_ Version x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

 

7 hours ago, Noob boy said:

Try this demoVMProtect SDK for E Demo.vmp.zip

Would you like to fix the plugin for demo olydbg1

@boot

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...