Comments (8)
@merfin993 - After the latest updates, TinyTracer is finally able to bypass this Trap-based check. I tested with your sample application, as well as with my own test cases, protected by VMProtect with the mentioned settings.
The bypass works when ANTIDEBUG mode is enabled
hi @merfin993 !
I know that VMProtect tries to disrupt analysis tools in various ways. Depending on the version and the settings used, some of these disruptions can be counteracted, and others cannot. If you can share a sample packed with the settings that you found causing the issue, I will reproduce the problem and try to resolve it.
You can attach the sample here, or send to my email: hasherezade-at-protonmail.com
Hi @hasherezade, thanks for the reply.
The setting that doesn't run the payload with Tiny_Tracer (vmprotect demo latest version)
And the sample
sample.zip (Password "infected")
You will find the 3 payloads I made for safe testing.
It is a sample that injects shellcode (which starts calc.exe) into another process (explorer.exe) via direct system calls. (queueAPCthread)
The two samples that have "ok" in the name are traced correctly while the one called "debugger" does not execute the payload.
For simplicity, the VMProtect anti-VM flags are disabled in all 3 samples.
I'm also trying to find a solution.
Thank you
thank you @merfin993 ! I appreciate. I am gonna check it & get back to you soon
Hi @hasherezade.
Today I was able (with a driver) to get a trace of the system calls used by VMProtect with the usermode and usermode + kernelmode anti-debug flags enabled.
I wanted to ask if they could be useful to identify the problems that tiny_tracer has with vmprotect.
I thank you again.
hi @merfin993 ! Were you able to pinpoint exactly which flags VMProtect checks? To be honest, so far I wasn't able to find the exact ones. I am afraid finding them will require deeper digging, and devirtualization of this stub.
So far I made some blackbox tests using Al-khaser, and I found which of the standard flags used by debuggers are set by PIN. And indeed I found something: it seems to set ProcessDebugFlags.
For now I just tried to bypass the option "Usermode debugger".
So I implemented in tiny_tracer an option to hide it:
- https://github.com/hasherezade/tiny_tracer/tree/hide (branch hide).
The feature seems to work correctly (yet it turned out not to be sufficient to solve the original problem with VMProtect).
This is before hiding enabled:
This is after hiding enabled:
Next I am gonna try to hide the marker based on INT 2D.
UPDATE: it does not seem to be INT 2D either...
So, so far I am trying to pinpoint what exactly is the check done by VMProtect for which I should find the workaround. If your collected material provides any clues about it, I would be grateful if you share!
Hi @hasherezade.
I did some tests by disabling virtualization and mutations to get the cleanest trace possible (the sample is contained in the archive).
Using a driver to get syscall callbacks, I got the trace (I didn't use PIN).
I'm sending you the results of the syscalls obtained through a driver: vmptrace.zip
I'm still analyzing the traces to determine what checks vmprotect does (syscalls side)
In case it's not a check made via syscalls, these are some projects I'm analyzing:
- https://github.com/dcdelia/dbi-detector
- https://github.com/season-lab/bluepill (pe32)
- https://github.com/Maff1t/JuanLesPIN-Public (pe32)
Hi @merfin993, just a small update.
I found the reason why no error message was displayed. It was due to the Trap Flag, which was causing the tracer to crash. The latest version 2.6 automatically unsets the Trap Flag and makes it go a bit further. You can enable it by selecting the option ANTIDEBUG in the INI file (more info here).
Note that it is not a complete bypass that would cause the payload to execute, but at least we know more details of what is happening.
I hope soon I am gonna have more time to dedicate to TinyTracer again, and I will dig into details and try to make a complete bypass.
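The Trap Flag behaviour discussed in the comments above, shown as an added example that is not code from TinyTracer, VMProtect or this thread. VMProtect's check targets Windows; this is the Linux x86-64 / glibc analogue of the same CPU mechanism, so that the crash hasherezade describes is easy to reason about. The program sets TF with pushfq/popfq, lets the CPU single-step exactly one instruction, and counts the SIGTRAP that reaches its own handler. The handler then clears TF in the saved context, which is the same "unset the Trap Flag" step the tracer performs in version 2.6: without it, sigreturn would restore TF and the process would keep trapping on every following instruction. If an instrumentation engine intercepts the #DB exception and never forwards it to the program, the count stays at 0 instead of 1, and a protected binary can treat that as a sign of being traced. The function name trap_flag_probe, the fallback index 17 for REG_EFL, and the Linux setting are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* needed for REG_EFL in <sys/ucontext.h> (glibc) */
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Assumption: glibc/musl on x86-64 place RFLAGS at index 17 of gregs. */
#ifndef REG_EFL
#define REG_EFL 17
#endif

#define X86_EFLAGS_TF 0x100UL   /* Trap Flag: single-step after each instruction */

static volatile sig_atomic_t single_steps = 0;

/* SIGTRAP handler. The kernel delivers one SIGTRAP after the instruction that
 * follows the popfq which set TF. We count it and clear TF in the *saved*
 * context (the kernel already cleared it for the handler itself), so that
 * execution resumes normally after sigreturn instead of trapping again. */
static void on_sigtrap(int sig, siginfo_t *info, void *ctx)
{
    (void)sig;
    (void)info;
    ucontext_t *uc = (ucontext_t *)ctx;
    single_steps++;
    uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)X86_EFLAGS_TF;
}

/* Sets TF, single-steps one instruction and returns how many single-step
 * traps reached the handler: 1 when the trap is delivered normally,
 * 0 when something between the CPU and this process consumed it,
 * -1 when not running on x86-64 Linux. Safe to call repeatedly. */
int trap_flag_probe(void)
{
#if defined(__x86_64__) && defined(__linux__)
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    single_steps = 0;
    __asm__ volatile(
        "pushfq\n\t"
        "orq $0x100, (%%rsp)\n\t"   /* set TF in the pushed RFLAGS copy      */
        "popfq\n\t"                 /* TF is live; trap fires after next insn */
        "nop\n\t"                   /* this instruction gets single-stepped   */
        :
        :
        : "memory", "cc");

    sigaction(SIGTRAP, &old, NULL); /* restore previous disposition */
    return (int)single_steps;
#else
    return -1;
#endif
}

int main(void)
{
    int n = trap_flag_probe();
    if (n < 0)
        puts("unsupported platform (needs x86-64 Linux)");
    else
        printf("single-step traps delivered to the handler: %d\n", n);
    return 0;
}
```

Run it natively and the count is 1; run it under a single-stepping tool that swallows the trap rather than re-injecting it, and the count drops to 0 or the tool itself faults, which is the symptom reported in this thread. The practical lesson for a tracer author is that any TF the traced program sets must either be honoured (the trap re-delivered to the program's handler) or explicitly cleared, never silently dropped.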