Analysis of full protection split for < turn >vmp3.0.9

The following to avoid plug-in interference, so the use of x64dbg original analysis.

First, I check the debugger's pop-up window to stack backtracking, to locate the key point:
CALL eax

As a result of contact VMP, so is the protection of separate to carry out the analysis, will be relatively simple, but the full protection is actually together, just pay attention to the order of the line.

This post simply analyzes the underlying protection anti-debug anti-virtual machine, etc., and does not involve restoring VMS and analyzing VM code parts. belongs to the novice paste a kind, suitable for the new watch, big guy light spray, there are mistakes, please correct me, thank you.

Everedit Editor is the addition of a vmp shell, although the characteristics and the analysis here is not quite consistent, but the anti-debugging path is roughly the same, and although it is vmp trace and analysis through trace can also be brute force, can bring practiced hand, here recommend.

First, anti-debugging protection 1. Call Isdebuggerpresent, judge the return value eax==1 be debugged, eax==0 not debug.

2.CheckRemoteDebuggerPresent, determine whether the buffer return value is 0 or 0 is debugged, no debugging.

3.NTQUERYINFORMATIONPROCESS,PROCESSINFOCLASS=0X1E to get the debug handle, to determine whether it is being debugged, the debug handle returns 0 and the EAX return value is 0xc0000353

4.ntsetinformationthread,threadinfoclass=0x11, this is not testing debugging, but set not to send debug information to the debugger, you can directly change the 0x11 to 0x3 or other values can be.

5.zwquerysysteminformation,systeminfoclass=0x23 (macro:systemkerneldebuggerinformation), the return value is a bool value of 2 bytes and is set to 0.

6.ZWQUERYSYSTEMINFORMATION,SYSTEMINFOCLASS=0XB (macro:systemmoduleinformation), will go through the kernel module, and then to judge, The first time is to obtain the buffer length that needs to be stored, the second is to actually get the information, as long as the buffer is set to 0, the debugging is not detected, and the location of the buffer will be used after the first call to use the LocalAlloc request space to store

7.CloseHandle Anti-debugging, if it is debugged, then the Kiraiseuserexceptiondispatcher function will be called, go exception processing flow, if it is not debugged state, will not move to the abnormal process.

8. Detecting hardware breakpoints is the next software breakpoint that is processed by SEH exception first in SEH chain to the current module's SEH head

The Dr0, DR1, DR2, Dr3, DR6, DR7 Debug registers in the diagram are then modified to 0

Then F9 again to call EAX when the Getprrocessaffinitymask function is called, indicating that the anti-debugging has passed smoothly. PS: On the face of the call EAX is a hardware breakpoint, be careful not to lower the software breakpoint, because the front zwsetinformationthread (User-mode anti-debugging) or the third time after the last NtQuerySystemInformation ( Kernel-mode) anti-debugging will be as shown in the software breakpoint detection, in fact, VMP memory protection part of the principle and this consistent, code features almost the same, the hex bytes taken out is also stored in the ESI register. Therefore, in order to facilitate, it is best to lower the hardware breakpoint, because the hardware breakpoint check trigger timing is in the SEH function, very good interception.

Second, anti-virtual machine 1. The CPUID determines whether the highest bit of ECX 31 bits is 1, and if it is 1 then in the virtual machine, if it is 0 that is on the host. My own shell of this sample has two cpuid detection points, and so it executes after the modification ecx the highest bit is 0 on the line. However, the following map illustrates the more convenient way to use the. VMX configuration file to modify the virtual machine.

2. Use getsystemfirewaretable to obtain the system firmware information and determine if there are any of the following strings: VMware, VirtualBox, Parallels. Note the case, just wait for the getsystemfirewaretable to search for the VMware string (because I use a VMware virtual machine) and then populate it with 0 for the virtual machine to detect. I'm going to post a script that works with Od+strondod+drxprotect, mostly populating the VMware strings. Iii. IAT decryption 1. I did not analyze how it is encrypted, just a simple analysis of the calling function of the decryption process, in fact, very simple: into the decryption function after one step f7, when seen similar: lea register，dword ptr[register+imm](Register: Register, IMM: Immediate number) of the statement, after the completion of the register is a function, and then tracking a few steps through the RET class to execute the real function of 2. I don't know if there is any omission ... Iv. memory protection 1. Memory protection and the above analysis of the software breakpoint almost the same, for you to modify the memory hardware access breakpoint, you can see in the hex byte and then operation, no longer map, as long as the value of the ESI to replace the values of the original value of 2. I do not know if there is any omission.

This article transferred from: https://bbs.pediy.com/thread-226455.htm

Analysis of full protection split for < turn >vmp3.0.9