Comments (8)

hasherezade commented on June 18, 2024

@merfin993 - After the latest updates, TinyTracer is finally able to bypass this Trap-based check. I tested with your sample application, as well as with my own test cases, protected by VMProtect with the mentioned settings.

(screenshot: trap_bypassed)

The bypass works when ANTIDEBUG mode is enabled.

from tiny_tracer.

hasherezade commented on June 18, 2024

Hi @merfin993!
I know that VMProtect tries to disrupt analysis tools in various ways. Depending on the version and the settings used, some of these disruptions can be counteracted, and others not. If you can share a sample packed with the settings that you found causing the issue, I will reproduce the problem and try to resolve it.
You can attach the sample here, or send to my email: hasherezade-at-protonmail.com

merfin993 commented on June 18, 2024

Hi @hasherezade, thanks for the reply.
The setting with which the payload doesn't run under Tiny_Tracer (VMProtect demo, latest version):
(screenshot: debugger)

And the sample
sample.zip (Password "infected")

You will find the 3 payloads I made for safe testing.
It is a sample that injects shellcode (which starts calc.exe) into another process (explorer.exe) via direct system calls (queueAPCthread).

The two samples that have "ok" in the name are traced correctly while the one called "debugger" does not execute the payload.

For simplicity the vmprotect antivm flags are disabled in all 3 samples.

I'm also trying to find a solution.

Thank you

hasherezade commented on June 18, 2024

Thank you @merfin993! I appreciate it. I am gonna check it & get back to you soon.

merfin993 commented on June 18, 2024

Hi @hasherezade.
Today I was able (with a driver) to get a trace of the system calls used by VMProtect with the usermode and usermode + kernelmode antidebug flags enabled.

I wanted to ask if they could be useful for identifying the problems that tiny_tracer has with VMProtect.

I thank you again.

hasherezade commented on June 18, 2024

Hi @merfin993! Were you able to pinpoint exactly which flags VMProtect checks? To be honest, so far I wasn't able to find the exact ones. I am afraid finding them will require deeper digging, and devirtualization of this stub.

So far I made some blackbox tests using Al-khaser, and I found which of the standard flags used by debuggers are set by PIN. And indeed I found something: it seems to set ProcessDebugFlags.
For now I just tried to bypass the option "Usermode debugger".

So I implemented in tiny_tracer an option to hide it:

The feature seems to work correctly (yet it turned out not to be sufficient to solve the original problem with VMProtect).

This is before hiding is enabled:

(screenshot: pin_before_hide)

This is after hiding is enabled:

(screenshot: with_hide)

Next I am gonna try to hide the marker based on INT 2D.
UPDATE: it does not seem to be INT 2D either...

So, so far I am trying to pinpoint what exactly is the check done by VMProtect for which I should find the workaround. If your collected material provides any clues about it, I would be grateful if you could share!

merfin993 commented on June 18, 2024

Hi @hasherezade.

I did some tests by disabling virtualization and mutations to get the cleanest trace possible (the sample is contained in the archive).
Using a driver to get syscall callbacks I got the trace (I didn't use PIN).

I'm sending you the results of the syscalls obtained through a driver: vmptrace.zip

I'm still analyzing the traces to determine what checks vmprotect does (syscalls side)

In case it's not a check made via syscalls, these are some projects I'm analyzing:

hasherezade commented on June 18, 2024

Hi @merfin993, just a small update.
I found the reason why no error message was displayed: it was the Trap Flag, which was causing the tracer to crash. The latest version 2.6 automatically unsets the Trap Flag and lets it go a bit further. You can enable it by selecting the option ANTIDEBUG in the INI file (more info here).
Note that it is not a complete bypass that would cause the payload to execute, but at least we know more details of what is happening.

(screenshot: dbg_info)

I hope soon I am gonna have more time to dedicate to TinyTracer again, and I will dig into details and try to make a complete bypass.

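The Trap Flag check discussed in the thread (the one that crashed the tracer, which version 2.6 works around by clearing TF), shown here as an added example; it is not code from tiny_tracer, VMProtect or either participant. It is a Linux/x86-64 analog, which is an assumption since the thread concerns Windows: the single-step #DB arrives as SIGTRAP instead of through an SEH/VEH handler, and the check passes only if that trap reaches the process's own handler. A ptrace-based debugger that consumes the signal, or a tracer that cannot cope with it, leaves the handler unrun. The function name and return convention are my own.

```c
/*
 * Added example (not from the original page): a minimal Trap-Flag (TF)
 * anti-debug check as a Linux/x86-64 analog of the Windows technique.
 * Assumptions: Linux, x86-64, GCC or Clang. On Windows the protector
 * catches the resulting #DB in an exception handler; here the kernel
 * turns the single-step #DB into SIGTRAP, which plays the same role.
 */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf g_recover;
static volatile sig_atomic_t g_trap_seen;

/* Runs only if the single-step trap actually reached this process. */
static void on_sigtrap(int sig)
{
    (void)sig;
    g_trap_seen = 1;
    /* The kernel clears TF in the handler's context, and siglongjmp never
     * restores the interrupted EFLAGS, so TF stays clear after the jump. */
    siglongjmp(g_recover, 1);
}

/*
 * Returns 0 when the trap was delivered to our handler (no debugger),
 * 1 when it was not (a ptrace-based debugger or tracer consumed it),
 * and -1 on architectures where this check is not implemented.
 */
int trap_flag_debugger_present(void)
{
#if defined(__x86_64__)
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigtrap;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    g_trap_seen = 0;
    if (sigsetjmp(g_recover, 1) == 0) {
        /* Set EFLAGS.TF (bit 8). The CPU raises #DB after the instruction
         * that follows popfq. The 128-byte adjustment keeps the pushes off
         * the red zone. */
        __asm__ volatile(
            "leaq -128(%%rsp), %%rsp\n\t"
            "pushfq\n\t"
            "orq $0x100, (%%rsp)\n\t"
            "popfq\n\t"
            "leaq 128(%%rsp), %%rsp\n\t"   /* single-step trap fires here */
            "nop\n\t"
            ::: "memory", "cc");
        /* Reached only if no SIGTRAP was delivered to us. TF is still set,
         * so clear it to stop trapping on every following instruction. */
        __asm__ volatile(
            "leaq -128(%%rsp), %%rsp\n\t"
            "pushfq\n\t"
            "andq $~0x100, (%%rsp)\n\t"
            "popfq\n\t"
            "leaq 128(%%rsp), %%rsp\n\t"
            ::: "memory", "cc");
    }
    sigaction(SIGTRAP, &old, NULL);
    return g_trap_seen ? 0 : 1;
#else
    return -1;
#endif
}

int main(void)
{
    int r = trap_flag_debugger_present();
    if (r < 0)
        puts("trap-flag check not implemented on this architecture");
    else
        printf("trap-flag check: %s\n", r ? "debugger/tracer detected" : "clean");
    return 0;
}
```

Build with `gcc -O2 -o tfcheck tfcheck.c` and run it once directly and once under `gdb`: gdb stops on the SIGTRAP and by default does not pass it to the program, so the handler never runs and the check reports a debugger. That is the same shape as the VMProtect check: the protected program relies on receiving its own single-step exception, and any tool that intercepts it, or crashes on it as the tracer did before 2.6, is exposed.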