VMProtect-AntiVM tiny trace log no record any syscall #61

Closed
x64bugreport opened this issue Aug 8, 2024 · 8 comments

Comments

@x64bugreport

VMP detects virtualization by using CPUID and some APIs called directly through syscall. I used TinyTracer to trace the target program. No syscalls are recorded, and then the virtual machine is detected. What is the reason for this?
testdemo.zip

@x64bugreport (Author)

The above is a demo, using vmp3.8.1 protection, only anti-vm is turned on, and the other protection options are turned off. The program only has the function of printing imagebase, so you can use it with confidence.

@x64bugreport (Author)

testaslr.vmp.exe.tag.zip
This is my trace log.

@x64bugreport (Author)

ini configuration is as follows
ENABLE_SHORT_LOGGING=True
USE_DEBUG_SYMBOLS=False
FOLLOW_SHELLCODES=3
;FOLLOW_SHELLCODES:
; 0 : trace only the main target module
; 1 : follow only the first shellcode called from the main module
; 2 : follow also the shellcodes called recursively from the the original shellcode
; 3 : follow any shellcodes
TRACE_RDTSC=True
TRACE_INT=True
TRACE_SYSCALL=True
LOG_SECTIONS_TRANSITIONS=True
LOG_SHELLCODES_TRANSITIONS=True
LOG_INDIRECT_CALLS=True
HEXDUMP_SIZE=8
HOOK_SLEEP=False
SLEEP_TIME=10
; ANTIDEBUG: (Windows only)
; 0 : Disabled
; 1 : Standard
; 2 : Deep (may lead to some false positives)
ANTIDEBUG=0
ANTIVM=0

@x64bugreport (Author)

As a supplement, I am running tiny trace in a virtual machine of vmware17.5+win10 21h2.

@hasherezade (Owner)

hasherezade commented Aug 8, 2024

hi @x64bugreport ! Thanks for your report.
I don't know why you traced it with LOG_INDIRECT_CALLS=True, but it is clearly not helping the case, making the log unnecessarily noisy.
I traced your sample on a VM, and then on a real machine. This is what I've got on the VM:

(attached screenshot: err)

Clearly, it is detected by HyperVisor vendor check (described here: https://unprotect.it/technique/cpuid/). Looking at your log, it seems to be the same in your case.

And this is the tracelog that I've got on a physical machine:

testaslr.vmp.exe.tag.txt

Using TinyTracer.ini:

ENABLE_SHORT_LOGGING=True
USE_DEBUG_SYMBOLS=False
FOLLOW_SHELLCODES=1
;FOLLOW_SHELLCODES:
; 0 : trace only the main target module
; 1 : follow only the first shellcode called from the main module
; 2 : follow also the shellcodes called recursively from the the original shellcode
; 3 : follow any shellcodes
TRACE_RDTSC=False
TRACE_INT=False
TRACE_SYSCALL=True
LOG_SECTIONS_TRANSITIONS=True
LOG_SHELLCODES_TRANSITIONS=True
LOG_INDIRECT_CALLS=False
HEXDUMP_SIZE=8
HOOK_SLEEP=False
SLEEP_TIME=10
; ANTIDEBUG: (Windows only)
; 0 : Disabled
; 1 : Standard
; 2 : Deep (may lead to some false positives)
ANTIDEBUG=1
ANTIVM=1

and params:

params.txt

So, the series of the initial checks, based on CPUID, is:

18458d;CPUID:1
18458d;[ANTIVM] --> CPUID - HyperVisor bit check;https://unprotect.it/technique/cpuid/
18649b;CPUID:40000000
18649b;[ANTIVM] --> CPUID - HyperVisor vendor check;https://unprotect.it/technique/cpuid/
18458d;CPUID:40000003

I will see what I can do to evade them in TinyTracer.
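The three CPUID lines above are the whole of VMProtect's first-stage check: leaf 1 returns the "hypervisor present" bit in ECX bit 31, leaf 0x40000000 returns the hypervisor's 12-byte vendor signature in EBX:ECX:EDX, and 0x40000003 is a hypervisor-specific feature leaf. The following is an added example (not code from TinyTracer or VMProtect) that decodes those register values the way the check does, so you can see exactly what a VM leaks and what a tracer must alter (clear the bit, replace the signature) to pass. The decode and classification functions are portable; the live probe at the bottom is my own addition and assumes GCC or clang on an x86 host, using the raw `__cpuid` macro from `<cpuid.h>`. The vendor signatures are the published ones (VMware, Hyper-V, KVM, Xen, VirtualBox).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if (defined(__x86_64__) || defined(__i386__)) && defined(__GNUC__)
#include <cpuid.h>   /* GCC/clang: raw __cpuid(level, a, b, c, d) macro */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0 /* assumption: no live probe on non-x86 or non-GNU builds */
#endif

#define LEAF_HV_VENDOR   0x40000000u   /* hypervisor vendor signature leaf   */
#define LEAF_HV_FEATURES 0x40000003u   /* hypervisor feature leaf (Hyper-V)   */
#define HV_PRESENT_BIT   (1u << 31)    /* CPUID leaf 1, ECX bit 31            */

/* "HyperVisor bit check": a hypervisor sets ECX[31] of leaf 1 for guests. */
int hv_bit_set(uint32_t ecx_leaf1)
{
    return (ecx_leaf1 & HV_PRESENT_BIT) != 0;
}

/* "HyperVisor vendor check": leaf 0x40000000 packs a 12-byte signature into
 * EBX:ECX:EDX, lowest byte of each register first. out must hold 13 bytes. */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

/* Published hypervisor signatures; KVM pads its 9-byte name with NULs.
 * Returns NULL for an unrecognised (or empty, bare-metal) signature. */
const char *known_hv_name(const char *sig)
{
    if (memcmp(sig, "VMwareVMware", 12) == 0) return "VMware";
    if (memcmp(sig, "Microsoft Hv", 12) == 0) return "Hyper-V";
    if (memcmp(sig, "KVMKVMKVM\0\0\0", 12) == 0) return "KVM";
    if (memcmp(sig, "XenVMMXenVMM", 12) == 0) return "Xen";
    if (memcmp(sig, "VBoxVBoxVBox", 12) == 0) return "VirtualBox";
    return NULL;
}

/* Convenience for checking raw register triples straight from a trace log. */
const char *vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    static char sig[13];
    decode_hv_vendor(ebx, ecx, edx, sig);
    return known_hv_name(sig);
}

/* Map an input EAX to the check name TinyTracer's [ANTIVM] lines use. */
const char *classify_leaf(uint32_t eax_in)
{
    if (eax_in == 1)               return "HyperVisor bit check";
    if (eax_in == LEAF_HV_VENDOR)  return "HyperVisor vendor check";
    if (eax_in >= 0x40000001u && eax_in <= 0x400000ffu)
                                   return "hypervisor-specific leaf";
    return "not a hypervisor check";
}

#if HAVE_CPUID
/* Live probe (assumption: x86, GCC/clang). Returns 1 if either check fires. */
int probe_hypervisor(char vendor_out[13])
{
    uint32_t a, b, c, d;
    __cpuid(1, a, b, c, d);
    int bit = hv_bit_set(c);
    __cpuid(LEAF_HV_VENDOR, a, b, c, d);
    decode_hv_vendor(b, c, d, vendor_out);
    return bit || known_hv_name(vendor_out) != NULL;
}
#endif

int main(void)
{
#if HAVE_CPUID
    char vendor[13];
    int vm = probe_hypervisor(vendor);
    const char *name = known_hv_name(vendor);
    printf("%s / %s: vendor=\"%s\" (%s) -> %s\n",
           classify_leaf(1), classify_leaf(LEAF_HV_VENDOR), vendor,
           name ? name : "unknown", vm ? "virtualized" : "bare metal");
#else
    puts("not an x86 GNU build; live CPUID probe skipped");
#endif
    return 0;
}
```

Run it once inside the VMware guest and once on the physical box: the guest prints the hypervisor bit set and a "VMwareVMware" signature, which is exactly the state VMProtect sees before it bails out. Note that Windows 10 with virtualization-based security enabled can itself report "Microsoft Hv" on real hardware, so a vendor match alone is a weaker signal than the pair of checks together.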

@hasherezade (Owner)

BTW, I see that this version of VMProtect uses the set of evasion tricks described in this blog:
https://cyber.wtf/2023/02/09/defeating-vmprotects-latest-tricks/

@x64bugreport (Author)

Thank you very much for your reply. I can successfully trace the target using the configuration you provided. Thank you very much for the project you developed. Thank you very much!

@hasherezade (Owner)

hasherezade commented Aug 12, 2024

@x64bugreport - please check the latest updates, now you should be able to trace your binary on a VM!
You just need to use the following INI file:

ENABLE_SHORT_LOGGING=True
USE_DEBUG_SYMBOLS=False
FOLLOW_SHELLCODES=1
;FOLLOW_SHELLCODES:
; 0 : trace only the main target module
; 1 : follow only the first shellcode called from the main module
; 2 : follow also the shellcodes called recursively from the the original shellcode
; 3 : follow any shellcodes
TRACE_RDTSC=False
TRACE_INT=False
TRACE_SYSCALL=True
LOG_SECTIONS_TRANSITIONS=True
LOG_SHELLCODES_TRANSITIONS=True
LOG_INDIRECT_CALLS=False
HEXDUMP_SIZE=8
HOOK_SLEEP=False
SLEEP_TIME=10
; ANTIDEBUG: (Windows only)
; 0 : Disabled
; 1 : Standard
; 2 : Deep (may lead to some false positives)
ANTIDEBUG=1
; ANTIVM: (Windows only)
ANTIVM=1
EMULATE_HYPERV=True
