Jump to content
Tuts 4 You

VMProtect Heaven's Gate Anti-Debug Bypass to VectorHandler

karan

By karan
in Reverse Engineering Articles

 Share

Recommended Posts

  • Replies 104
  • Created
  • Last Reply

Top Posters In This Topic

  • jackyjask

    23

  • karan

    14

  • boot

    14

  • Oliver

    13

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

boot
boot

Support for Win7 x64:  - Confirmed support for Win7 x64 SP1  - Maybe it also supports Win7 x64 SP0 [Olly v1.10 ScyllaHide] Win7 x64 SP1.zip [x32Dbg ScyllaHide] Win7 x64 SP1.zip Supp

boot
boot

I have already conducted testing before, and if you compile the 32-bit plugin according to the original source code provided here (https://bbs.kanxue.com/thread-282244.htm).  Original 32-bit (Imp

karan
karan

VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug. VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64,

Posted Images

boot

boot

Posted
Posted
10 hours ago, Noob boy said:

Would you like to fix the plugin for demo olydbg1

It will take some time to test your sample in Win7 x64, Win10 x64 and Win11 x64, because some OSs still lack data... Later, I will upload Olly v1.10/x32dbg plugins again.

Thanks to @Karan for updating the code. :)

  • Like 1
Link to comment
Share on other sites
Oliver

Oliver

Posted
Posted
1 hour ago, boot said:

It will take some time to test your sample in Win7 x64, Win10 x64 and Win11 x64, because some OSs still lack data... Later, I will upload Olly v1.10/x32dbg plugins again.

Thanks to @Karan for updating the code. :)

@boot great ,i"ve waiting for🙂

Link to comment
Share on other sites
boot

boot

Posted
Posted
10 hours ago, boot said:

upload Olly v1.10/x32dbg plugins again.

Thanks to @karan for updating the code. :)

Support for Win7 x64:
 - Confirmed support for Win7 x64 SP1
 - Maybe it also supports Win7 x64 SP0

[Olly v1.10 ScyllaHide] Win7 x64 SP1.zip

[x32Dbg ScyllaHide] Win7 x64 SP1.zip

Support for Win10 x64:
 - Confirmed support for Win10_x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

[Olly v1.10 ScyllaHide] Win10_x64.zip

[x32Dbg ScyllaHide] Win10_x64.zip

Support for Win11 x64:
 - Confirmed support for Win11_x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

[Olly v1.10 ScyllaHide] Win11_x64.zip

[x32Dbg ScyllaHide] Win11_x64.zip

  • Like 11
Link to comment
Share on other sites
karan

karan

Posted
  • Author
Posted
On 9/14/2023 at 1:49 AM, deepzero said:

What does VMP do if it encounters an OS for which it does not have syscall numbers?

 

As a result of the analysis, I couldn't find how to check the version.
However, if the "wine_get_version" api exists in the ntdll module, they calling a normal Nt series function.
I don't know if I can do this in Plugin. :(

Link to comment
Share on other sites
Oliver

Oliver

Posted
Posted
13 hours ago, boot said:

Support for Win7 x64:
 - Confirmed support for Win7 x64 SP1
 - Maybe it also supports Win7 x64 SP0

[Olly v1.10 ScyllaHide] Win7 x64 SP1.zip 2.72 MB · 4 downloads

[x32Dbg ScyllaHide] Win7 x64 SP1.zip 2.51 MB · 4 downloads

Support for Win10 x64:
 - Confirmed support for Win10_x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

[Olly v1.10 ScyllaHide] Win10_x64.zip 2.05 MB · 4 downloads

[x32Dbg ScyllaHide] Win10_x64.zip 2.51 MB · 6 downloads

Support for Win11 x64:
 - Confirmed support for Win11_x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

[Olly v1.10 ScyllaHide] Win11_x64.zip 4.57 MB · 5 downloads

[x32Dbg ScyllaHide] Win11_x64.zip 5.5 MB · 1 download

@boot have a look at this sample:

sample can be found here: https://mega.nz/file/TmJQwCZT#NfHuDu5z-OtXvFeWzBx6nIdRFX_T2CIkFw41p6VlNxQ

Link to comment
Share on other sites
stylog

stylog

Posted
Posted

I believe there are 2 antidebug checks. The regular one that works with old plugins and techniques, and the new one which checks the old methods including it's new method. 

I'm not sure, I am a windows 7 32x user, so I don't have much problems seeing that vmprotect is at it's weakest on older windows 😅

  • Like 1
Link to comment
Share on other sites
  • 3 weeks later...
  • 3 weeks later...
Noob boy

Noob boy

Posted
Posted
On 9/17/2023 at 9:11 PM, boot said:

Support for Win7 x64:
 - Confirmed support for Win7 x64 SP1
 - Maybe it also supports Win7 x64 SP0

[Olly v1.10 ScyllaHide] Win7 x64 SP1.zip 2.72 MB · 13 downloads

[x32Dbg ScyllaHide] Win7 x64 SP1.zip 2.51 MB · 17 downloads

Support for Win10 x64:
 - Confirmed support for Win10_x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

[Olly v1.10 ScyllaHide] Win10_x64.zip 2.05 MB · 12 downloads

[x32Dbg ScyllaHide] Win10_x64.zip 2.51 MB · 22 downloads

Support for Win11 x64:
 - Confirmed support for Win11_x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

[Olly v1.10 ScyllaHide] Win11_x64.zip 4.57 MB · 23 downloads

[x32Dbg ScyllaHide] Win11_x64.zip 5.5 MB · 16 downloads

Hello, can you build a version of Win10 19045.3636.

I have upgraded my system. Thank you again

Link to comment
Share on other sites
TRISTAN Pro

TRISTAN Pro

Posted
Posted (edited)
On 11/8/2023 at 3:48 AM, karan said:

The latest version of vmprotect can no longer bypass Anti-Debug through this method.

RIP.

Post that file here for testing.

After studying it's the same as before 

I can bypass it as always may be need to learn coding and make plugin for bypass all vmp antidebugger😂🤣.

The plugin by boot still work on it.

😁

Edited by TRISTAN Pro
Same security nothing change.
Link to comment
Share on other sites
boot

boot

Posted
Posted (edited)
On 11/8/2023 at 2:46 PM, karan said:

 

The attachments appear to have been deleted. x86 target(s) or x64 target(s)? If you can please re-upload and I will try these.

EDIT: Downloaded... Thanks karan :)

Edited by boot
Link to comment
Share on other sites
  • 3 weeks later...
Guruhardoi7

Guruhardoi7

Posted
Posted

Hello everyone I was check some unpackme. Mostly are working on debugger but some are not working on debugger with this plugin also.i make all vmprotect version into a zip file for test your antidbg/vm (i spend 2 months to understand these all 😫).I also includes one impossible file check it out😁

 

Good for noob like me for vmp startup. 

https://mega.nz/file/Vq1ESbAQ#WGYZj4Ky8oP4-3yrLxDj8Gic7henaUaLdkZx3uKJVg8

PW:= tuts4you

 

Planing to add tutorial also launce soon😇

ALL VMP TEST.rar

  • Like 2
Link to comment
Share on other sites
  • 1 month later...
  • 4 months later...
tejinaji

tejinaji

Posted
Posted

Can anyone help, please. I did rebuild for me this repo https://github.com/miketestz/ScyllaHide_VMPHeavensgateBypass.git

But now luck. I've checked the syscalls is the same for my win10 2h22 19045.4170

No olly 1, no 2 and x32dbg doesn't handle vmp 3.6 T_T

Link to comment
Share on other sites
Progman

Progman

Posted
Posted
On 5/22/2024 at 9:54 PM, tejinaji said:

Can anyone help, please. I did rebuild for me this repo https://github.com/miketestz/ScyllaHide_VMPHeavensgateBypass.git

But now luck. I've checked the syscalls is the same for my win10 2h22 19045.4170

No olly 1, no 2 and x32dbg doesn't handle vmp 3.6 T_T

You didn't give any idea of what target you have and there are some known issues as mentioned here so just the OS and 3 tools alone isn't enough 

  • Like 1
Link to comment
Share on other sites
  • 1 month later...
boot

boot

Posted
Posted

The plugin has been updated, and for debugging 64-bit VMP APPs, no specific Windows version is required:

1. Only supports Win7 x64/64-bit systems and above. This version of the plugin only supports 64-bit debuggers for debugging 64-bit APPs
2. As there is no need to load some kernel drivers, the blue screen will not be triggered

ScyllaHide_2024_x64_v0.001.zip

ScyllaHide 64-bit x64:
3.8.1 ✔
3.8.4 ✔
3.8.5 
3.8.7 ✔

VMP_3.8.1_x64_64-bit.vmp.exe

VMP_3.8.4_x64_64-bit.vmp.exe

VMP_3.8.7_x64_64-bit.vmp.exe

  • Like 3
  • Thanks 2
Link to comment
Share on other sites
The Binary Expert

The Binary Expert

Posted
Posted (edited)

You need to disable the options of the SharpOD by @Xjun to use this plugin

 

screenshot-146.png

 

10 minutes ago, boot said:

The plugin has been updated, and for debugging 64-bit VMP APPs, no specific Windows version is required:

1. Only supports Win7 x64/64-bit systems and above. This version of the plugin only supports 64-bit debuggers for debugging 64-bit APPs
2. As there is no need to load some kernel drivers, the blue screen will not be triggered

ScyllaHide_2024_x64_v0.001.zip 4.21 MB · 0 downloads

ScyllaHide 64-bit x64:
3.8.1 ✔
3.8.4 ✔
3.8.5 
3.8.7 ✔

VMP_3.8.1_x64_64-bit.vmp.exe 1.37 MB · 0 downloads

VMP_3.8.4_x64_64-bit.vmp.exe 1.21 MB · 0 downloads

VMP_3.8.7_x64_64-bit.vmp.exe 1.07 MB · 0 downloads

@boot It works like magic. many thanks for your effort.

by the way, how did you modify the source code of the original ScyllaHide x64 plugin?

Regards.

sean.

Edited by The Binary Expert
  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...