vmprotect v3 debugger detected

Aesculapius · #1 02-03-2018, 09:10

change windows build number to a random number and you should be good to go. VMP detects debugger based upon hardcoded syscall numbers according to windows build number. If build number is not supported then VMP goes back to old detection methods.

Edit:

Because I see good people is interested in how to bypass this, here its the procedure more or less:

it goes like this: load your target in ollydbg, press G fs:[30] in command bar. At that memory location + 2 bytes you should read 0x01 if debugger is attached or 0x00 if debugger isn't attached (or you have installed any kind of anti-debugging plugin). This is BeingDebugged flag. It tells you are in the right track. At that base address, pointed by fs:[30]) add 0xA4 and you should read OSMajorVersion, and at 0xAC you should read OSBuildNumber. Change these last two parameters to any random number and you should be good to go. _PEB is a per-process structure so it won't affect anything else. I would tell you also to try ollydbg stolystruct plugin to quickly find all of this but its outdated and you could end up modifying a different member of the _PEB struct, although it is worth trying too if you are using win7. Remember _PEB has evolved slightly throughout the years. In any case, such changes have been fully described in this handy reference which is always good to have: http://blog.rewolf.pl/blog/wp-conten..._Evolution.pdf.

Stingered · #2 02-03-2018, 12:46

Quote:

Originally Posted by Aesculapius

change windows build number to a random number and you should be good to go. VMP detects debugger based upon hardcoded syscall numbers according to windows build number. If build number is not supported then VMP goes back to old detection methods.

Nice little tidbit!

More here:

https://lifeinhex.com/tag/vmprotect/

bolo2002 · #3 02-08-2018, 00:37

[QUOTE=bolo2002;112161]

Quote:

Originally Posted by Stingered

Nice little tidbit!

+Aesculapius,old school and still alive,respect.

chants · #4 08-26-2018, 09:26

Have been revisiting and compiling info on VMP 3.x as trying to automate execution tracing while devirtualizing only key important parts of code on the code on the fly sort of tool. I had wondered why different machines had different behavior.

Quote:

Originally Posted by Aesculapius

If build number is not supported then VMP goes back to old detection methods.

This explains clearly why I have not seen this behavior while staying in the Windows 10 insider fast ring. Suppose its the one benefit of it

.

Respect to the old school reversers who have posted some real knowledge and true info in this thread.

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Debugger detected	StilLearning	General Discussion	4	03-06-2004 08:32

The Following 2 Users Gave Reputation+1 to Aesculapius For This Useful Post:
copyleft (02-09-2018), sh3dow (02-08-2018)

The Following 12 Users Say Thank You to Aesculapius For This Useful Post:
cachito (09-25-2018), chants (08-26-2018), ionioni (02-13-2018), m0nix (02-18-2019), niculaita (02-04-2018), schrodyn (04-30-2018), sh3dow (02-08-2018), Stingered (02-03-2018), Tomy73 (02-10-2018), traf0 (02-08-2018)

The Following User Says Thank You to bolo2002 For This Useful Post:
Aesculapius (02-08-2018)