Posted Friday at 05:54 PM (5 days ago)

I'm a beginner in reverse engineering. I'm studying and practicing unpacking malware. I accidentally downloaded a protected sample from Malware Bazaar that is obfuscated and has anti-debugging techniques.

bdda0a3d90cf0ee7423b918b0b268f5f8d9768c64399446014ff73d80d47ed0c
https://bazaar.abuse.ch/sample/bdda0a3d90cf0ee7423b918b0b268f5f8d9768c64399446014ff73d80d47ed0c/

I'm using the excellent book Kyle Cucci — Evasive Malware as a reference. I've already tried all the anti-debug techniques from the book, namely:

List of techniques

- Direct PEB access (+0x2, +0x18, +0x68)
- TrapFlag instruction (pushfd, pop eax, or eax, 0x0100, push eax, popfd)
- We were trying hardware and software breakpoints:
  - bp IsDebuggerPresent
  - bp CheckRemoteDebuggerPresent
  - bp NtQueryInformationProcess
  - bp NtQuerySystemInformation
- Checking OutputDebugString:
  - bp SetLastError
  - bp OutputDebugString
- Enumerating Windows:
  - bp FindWindow
  - bp EnumWindows
- Enumeration Loaded Modules:
  - bp GetModuleHandle
  - bp Module32First
  - bp Module32Next
- Searching for debugger process:
  - bp CreateToolHelp32Snapshot
  - bp Process32Next
  - bp Process32First
- Time Based Check:
  - bp GetTickCount
  - bp GetLocalTime
  - bp GetSystemTime
  - bp NtQuerySystemTime
  - rdtsc

My friend and I have been trying to find the technique for three days now.

DetectItEasy says the sample uses VMProtect, and the message "Please turn off debugger" also looks like a standard VMProtect MessageBox. But I've never bypassed this protection before, and I'm very interested in learning how.

Maybe it's not a good sample for study, but I thought that a sample from real life would be much better to study than crackmes.

If anyone has free time to look at this sample and give a hint — or if someone has already encountered this technique — I'd appreciate any help.
Friday at 06:16 PM (5 days ago)

You can search:
https://forum.tuts4you.com/search/?&q=vmprotect&quick=1&start_after=any&updated_after=any
Saturday at 01:15 AM (4 days ago) (Author)

Also, can you explain this to me?

In this sample, right after the Entry Point the program calls NtQueryInformationProcess with ProcessInformationClass = 0x7. You would think the function should return a non-zero value, because the sample was opened with x64dbg. But for some reason after the call EAX = 0. That totally throws me off, since plugins like ScyllaHide were not running.

And also, for some reason at PEB + 0x2 the value is 0 by default, even though the process is being debugged.
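The readings the thread is puzzling over (PEB + 0x2, NtGlobalFlag, and NtQueryInformationProcess with class 7) can be taken from a throwaway probe process instead of from the protected sample, which separates "what does my debugger setup leave behind" from "what does the packer do". The program below is an added example for that calibration step; it is not code from the thread, the sample, the book, or any project, and the probe_* names and the bitmask layout are my own. Build it with MSVC or MinGW, run it once from a console, then once inside x64dbg with no plugins and once with ScyllaHide, and compare the three outputs. The Windows-specific parts are guarded so the file also compiles on other platforms, where they simply report that the check does not apply.

```c
/* Added example: probe the debugger-detection values the thread lists,
 * so an analyst can see what a plain x64dbg session (or ScyllaHide)
 * changes.  probe_* names are hypothetical, not a library API. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* NtQueryInformationProcess lives in ntdll.dll; resolve it at run time so
 * no import library is needed. Class 7 is ProcessDebugPort. */
typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
#define PROBE_PROCESS_DEBUG_PORT 7

/* PEB->BeingDebugged: the byte at PEB + 0x2 that IsDebuggerPresent() reads. */
int probe_peb_being_debugged(void) {
    PPEB peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    return peb->BeingDebugged;
}

/* PEB->NtGlobalFlag: PEB + 0x68 on x86 (as listed in the thread), PEB + 0xBC on x64.
 * A process created by a debugger usually has the three heap flags (0x70) set. */
unsigned long probe_peb_ntglobalflag(void) {
    unsigned char *peb = (unsigned char *)NtCurrentTeb()->ProcessEnvironmentBlock;
#ifdef _WIN64
    return *(unsigned long *)(peb + 0xBC);
#else
    return *(unsigned long *)(peb + 0x68);
#endif
}

/* ProcessDebugPort: the kernel reports a non-zero (pointer-sized -1) value when
 * a debugger is attached. Returns 0 on success, -1 if the query was not possible. */
int probe_debug_port(unsigned long long *port_out) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQIP_t fn = ntdll ? (NtQIP_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    ULONG_PTR port = 0;
    *port_out = 0;
    if (!fn) return -1;
    if (fn(GetCurrentProcess(), (PROCESSINFOCLASS)PROBE_PROCESS_DEBUG_PORT,
           &port, sizeof port, NULL) != 0)
        return -1;
    *port_out = (unsigned long long)port;
    return 0;
}

int probe_is_debugger_present(void) { return IsDebuggerPresent() ? 1 : 0; }

#else  /* not Windows: none of these checks apply, report "unavailable" */
int probe_peb_being_debugged(void) { return -1; }
unsigned long probe_peb_ntglobalflag(void) { return 0; }
int probe_debug_port(unsigned long long *port_out) { *port_out = 0; return -1; }
int probe_is_debugger_present(void) { return -1; }
#endif

/* Bitmask of which checks fired, so the user-mode view (PEB fields) and the
 * kernel view (debug port) can be compared at a glance. */
#define HIT_BEINGDEBUGGED 1
#define HIT_NTGLOBALFLAG  2
#define HIT_DEBUGPORT     4

int probe_summarize(int being_debugged, unsigned long nt_global_flag,
                    int port_ok, unsigned long long debug_port) {
    int hits = 0;
    if (being_debugged > 0)            hits |= HIT_BEINGDEBUGGED;
    if (nt_global_flag & 0x70)         hits |= HIT_NTGLOBALFLAG;
    if (port_ok == 0 && debug_port)    hits |= HIT_DEBUGPORT;
    return hits;
}

int main(void) {
    int bd = probe_peb_being_debugged();
    unsigned long gf = probe_peb_ntglobalflag();
    unsigned long long port = 0;
    int port_ok = probe_debug_port(&port);

    printf("IsDebuggerPresent()        = %d\n", probe_is_debugger_present());
    printf("PEB->BeingDebugged (+0x2)  = %d\n", bd);
    printf("PEB->NtGlobalFlag          = 0x%lx\n", gf);
    printf("ProcessDebugPort (class 7) = 0x%llx (%s)\n", port,
           port_ok == 0 ? "queried" : "unavailable");
    printf("checks fired (bitmask)     = %d\n", probe_summarize(bd, gf, port_ok, port));
    return 0;
}
```

If the probe shows BeingDebugged = 0 and a zero debug port while running under x64dbg with no plugins loaded, the thing hiding the debugger is in the environment (a plugin that was not fully unloaded, a launcher, or the way the process was started), not in the sample; if the probe shows the expected 1 and 0xFFFFFFFFFFFFFFFF but the sample still reads 0, the sample itself is reading those values from somewhere other than the live process, which is a different problem to chase.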