Fix VMProtect detection #87
Do you have a sample that triggers the detection?
```cpp
uint64_t result[] = { 0x0, 0x1122334455667788 };
uint64_t* result_addr = (uint64_t*)(((PBYTE)&result) + 1);
const auto status = NtQueryInformationProcess(NtCurrentProcess(), PROCESSINFOCLASS::ProcessDebugObjectHandle, result_addr, sizeof(uint64_t), nullptr);
// No Debugging: STATUS_DATATYPE_MISALIGNMENT - 8800000000000000
// With TitanHide: STATUS_PORT_NOT_SET - 0
printf("[ATTEMPT] - Status: %x - Result: %llx\n", status, *result_addr);
```
Sample:
No, I mean an actual VMProtected sample that shows this issue
If you are able to provide me an email address, I can.
mrexodia () x64dbg.com
I sent.
Have you tested the sample?
No, but I downloaded it. Hopefully will get to it sometime after Christmas!
On Wed, 25 Dec 2024 at 15:13, Rexy ***@***.***> wrote:
> Have you tested the sample?
I have updated the commit; it should be working now for 32/64-bit targets.
Wouldn’t this open another detection vector when you set the PHANDLE to page_end-4 (with the next page being inaccessible)?
Does the alignment parameter in ProbeForWrite have any impact on page boundary?
Ah my bad, I read the code incorrectly 🤦🏻‍♂️ does the original
Awesome, thanks for checking and for bearing with the delays 😅 I'll fix the github actions pipeline and release a new version later this week (hopefully).
Tested for VMProtect 3.9.2 (latest)
Fix for #85
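
A model of the hook-fidelity problem discussed in this thread, as an added example that is not TitanHide's code or part of the original conversation: it compares two hypothetical hook behaviours against a reference status model over constructed buffer addresses. The 4-byte probe alignment, the region layout, and the rule that a buffer running past the accessible region yields STATUS_ACCESS_VIOLATION are assumptions of the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* NTSTATUS values as defined in ntstatus.h */
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_PORT_NOT_SET          0xC0000353u

/* Constructed layout: one accessible region; everything else is inaccessible. */
#define REGION_BASE 0x10000u
#define REGION_END  0x11000u
#define PROBE_ALIGN 4u /* assumption: alignment used by the kernel's probe */
typedef uint32_t (*query_fn)(uint64_t buf, size_t len);
static int misaligned(uint64_t b) { return (b & (PROBE_ALIGN - 1)) != 0; }
static int out_of_region(uint64_t b, size_t n) { return b < REGION_BASE || b + n > REGION_END; }

/* Reference model (assumption): alignment, then accessibility, then the answer. */
uint32_t reference_query(uint64_t buf, size_t len) {
    if (misaligned(buf)) return STATUS_DATATYPE_MISALIGNMENT;
    if (out_of_region(buf, len)) return STATUS_ACCESS_VIOLATION;
    return STATUS_PORT_NOT_SET;
}

/* Hypothetical hook that answers without validating the caller's buffer. */
uint32_t naive_hook(uint64_t buf, size_t len) { (void)buf; (void)len; return STATUS_PORT_NOT_SET; }

/* Hypothetical hook that only repeats the alignment check. */
uint32_t align_only_hook(uint64_t buf, size_t len) {
    (void)len;
    return misaligned(buf) ? STATUS_DATATYPE_MISALIGNMENT : STATUS_PORT_NOT_SET;
}

/* Count constructed cases where a hook's status differs from the reference. */
int count_divergences(query_fn hook) {
    const struct { uint64_t buf; size_t len; } cases[] = {
        { REGION_BASE, 8 },     /* aligned, accessible */
        { REGION_BASE + 1, 8 }, /* misaligned, as in the snippet in this thread */
        { REGION_END - 4, 8 },  /* aligned, crosses into the inaccessible page */
        { REGION_END - 3, 8 },  /* misaligned and crossing: alignment is reported */
    };
    int n = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        n += hook(cases[i].buf, cases[i].len) != reference_query(cases[i].buf, cases[i].len);
    return n;
}

int main(void) {
    printf("naive=%d align_only=%d\n", count_divergences(naive_hook), count_divergences(align_only_hook));
}
```

Any non-zero count is a status difference a protected binary could observe, so a hook change is only complete when every case matches the reference.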