Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ScyllaHide does not hide from VMP #130

Open
greenozon opened this issue Oct 2, 2021 · 1 comment
Open

ScyllaHide does not hide from VMP #130

greenozon opened this issue Oct 2, 2021 · 1 comment

Comments

@greenozon
Copy link
Contributor

greenozon commented Oct 2, 2021

tested on VMP version 3.5.0
OllyDbg 2.01 + ScyllaHideOlly2Plugin.dll from 23.08.2021
VMProtect x86/x64 profile used

---------------------------
HelloWorld.vmp.exe
---------------------------
A debugger has been found running in your system.
Please, unload it from memory and restart your program.
---------------------------
OK   
---------------------------

Host OS: w7x64SP1

logs from Log window inside Olly2:

Log data
Address   Message
76F50000  Module 'C:\Windows\syswow64\MSCTF.dll'
774F0000  Module 'C:\Windows\system32\IMM32.DLL'
          Analysing Mod_77CA
            0 fuzzy procedures
          Analysing Mod_7578
            0 fuzzy procedures
          Analysing Mod_7557
            0 fuzzy procedures
          Analysing Mod_7556
            0 fuzzy procedures
          Process terminated, exit code 0

          File 'C:\HelloWorld.vmp.exe'
          New process (ID 00000B64) created
00A9FE9E  Main thread (ID 000030B4) created
77A80000  Unload hidden module 77A80000
77790000  Unload hidden module 77790000
77A80000  Unload hidden module 77A80000
77BA0000  Unload hidden module 77BA0000
          [ScyllaHide] Loaded VA for NtUserBlockInput = 0x75BA7E6F
          [ScyllaHide] Loaded VA for NtUserQueryWindow = 0x75B46915
          [ScyllaHide] Loaded VA for NtUserGetForegroundWindow = 0x75B54458
          [ScyllaHide] Loaded VA for NtUserBuildHwndList = 0x75B493F6
          [ScyllaHide] Loaded VA for NtUserFindWindowEx = 0x75B467DD
          [ScyllaHide] Loaded VA for NtUserGetClassName = 0x75B48289
          [ScyllaHide] Loaded VA for NtUserInternalGetWindowText = 0x75B51E67
          [ScyllaHide] Loaded VA for NtUserGetThreadState = 0x75B50DE6
          [ScyllaHide] Hook injection successful, image base 00020000
00400000  Module 'C:\HelloWorld.vmp.exe'
            Code size is extended to include all sections marked as CODE
            Code sections '.text' and '.rdata' will be merged to a single memory block
            Code sections '.rdata' and '.data' will be merged to a single memory block
            Code sections '.data' and '.vmp0' will be merged to a single memory block
            Code sections '.vmp0' and '.vmp1' will be merged to a single memory block
58EE0000  Module 'C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll'
58F20000  Module 'C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll'
58F30000  Module 'C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll'
58F40000  Module 'C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll'
58F50000  Module 'C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll'
591D0000  Module 'C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll'
598E0000  Module 'C:\Windows\system32\VCRUNTIME140.dll'
5FEF0000  Module 'C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll'
72510000  Module 'C:\Windows\system32\WTSAPI32.dll'
727A0000  Module 'C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll'
75070000  Module 'C:\Windows\system32\ucrtbase.DLL'
75220000  Module 'C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll'
75350000  Module 'C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll'
75360000  Module 'C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll'
75370000  Module 'C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll'
75380000  Module 'C:\Windows\system32\api-ms-win-core-file-l2-1-0.dll'
757C0000  Module 'C:\Windows\syswow64\CRYPTBASE.dll'
757D0000  Module 'C:\Windows\syswow64\SspiCli.dll'
75830000  Module 'C:\Windows\syswow64\USP10.dll'
75B30000  Module 'C:\Windows\syswow64\USER32.dll'
75C30000  Module 'C:\Windows\syswow64\GDI32.dll'
75D10000  Module 'C:\Windows\syswow64\ADVAPI32.dll'
75DC0000  Module 'C:\Windows\SysWOW64\sechost.dll'
75E00000  Module 'C:\Windows\syswow64\LPK.dll'
76D20000  Module 'C:\Windows\syswow64\msvcrt.dll'
770E0000  Module 'C:\Windows\syswow64\RPCRT4.dll'
            Code size is extended to include all sections marked as CODE
77220000  Module 'C:\Windows\syswow64\KERNELBASE.dll'
77790000  Module 'C:\Windows\syswow64\kernel32.dll'
77E60000  Module 'C:\Windows\SysWOW64\ntdll.dll'
            Code size is extended to include all sections marked as CODE
75560000  Module <Mod_7556> (anonymous)
            Not an 80x86 executable
75570000  Module <Mod_7557> (anonymous)
            Not an 80x86 executable
75780000  Module <Mod_7578> (anonymous)
            Not an 80x86 executable
77CA0000  Module <Mod_77CA> (anonymous)
            Not an 80x86 executable
75550000  Module 'C:\Windows\system32\VERSION.dll'
75520000  Module 'C:\Windows\SysWOW64\nvinit.dll'
72790000  Module 'C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll'
75970000  Module 'C:\Windows\syswow64\ole32.dll'
            Code sections '.text' and '.orpc' will be merged to a single memory block
76F20000  Module 'C:\Windows\syswow64\CFGMGR32.dll'
77040000  Module 'C:\Windows\syswow64\OLEAUT32.dll'
            Code size is extended to include all sections marked as CODE
            Code sections '.text' and '.orpc' will be merged to a single memory block
75DE0000  Module 'C:\Windows\syswow64\DEVOBJ.dll'
75E20000  Module 'C:\Windows\syswow64\SETUPAPI.dll'
72750000  Module 'C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\nvd3d9wrap.dll'
72730000  Module 'C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\nvdxgiwrap.dll'
72590000  Module 'C:\Windows\system32\uxtheme.dll'
72520000  Module 'C:\Windows\system32\dwmapi.dll'
033B0000  Module C:\Windows\SysWOW64\ole32.dll - failed to initialize
76F50000  Module 'C:\Windows\syswow64\MSCTF.dll'
774F0000  Module 'C:\Windows\system32\IMM32.DLL'
          Analysing Mod_77CA
            0 fuzzy procedures
          Analysing Mod_7578
            0 fuzzy procedures
          Analysing Mod_7557
            0 fuzzy procedures
          Analysing Mod_7556
            0 fuzzy procedures
          Process terminated, exit code DEADC0DE (-559038242.)
@greenozon
Copy link
Contributor Author

The attached doc might help to understand how to mitigate protector attack
Bypassing_Anti-Analysis_of_Commercial_Protector_Methods_Using_DBI_Tools.pdf
s

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant