I don't have much time at the moment, but this is what I found so far:
Breakpoint on CreateFileW is very good.
After some breaks:
Code:
0018FD8C 757A3F66 /CALL to CreateFileW from kernel32.757A3F61
0018FD90 00C882F0 |FileName = "\\\\.\\VBoxGuest"
0018FD94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0018FD98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0018FD9C 00000000 |pSecurity = NULL
0018FDA0 00000003 |Mode = OPEN_EXISTING
0018FDA4 40000080 |Attributes = NORMAL|OVERLAPPED
0018FDA8 00000000 \hTemplateFile = NULL
Obsidium is checking for a VirtualBox VM! If Obsidium is run under VBox, some anti-debug stuff will be disabled. I guess it is a hardware anti-debug check. Maybe something with HWBP.
Yeah, this is a hot trick in general...
Here is the VBox check:
00383929 83F8 FF CMP EAX,-1
0038392C 74 20 JE 0038394E
Don't let it jump, and enjoy less anti-debug.
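Added example, not part of the original posts: a small Python parser for the debugger's decoded call-stack format shown in the first post, which flags CreateFile calls that open a watched device name. The function names and the WATCHED_DEVICES set are hypothetical; the sample frame is copied from the post.

```python
import re

# Stack frame copied from the first post (raw string keeps the backslashes as logged).
SAMPLE = r'''
0018FD8C 757A3F66 /CALL to CreateFileW from kernel32.757A3F61
0018FD90 00C882F0 |FileName = "\\\\.\\VBoxGuest"
0018FD94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0018FD98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0018FD9C 00000000 |pSecurity = NULL
0018FDA0 00000003 |Mode = OPEN_EXISTING
0018FDA4 40000080 |Attributes = NORMAL|OVERLAPPED
0018FDA8 00000000 \hTemplateFile = NULL
'''

ROW = re.compile(r'^([0-9A-F]{8}) ([0-9A-F]{8}) ([/|\\])(.*)$')
WATCHED_DEVICES = {"vboxguest"}  # only the device named on this page; extend as needed

def parse_calls(text):
    """Group decoded stack rows into one dict per API call."""
    calls, cur = [], None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        _addr, value, marker, body = m.groups()
        head = re.match(r'CALL to (\w+) from (\S+)', body)
        if marker == '/' and head:            # '/' opens a new call frame
            cur = {"api": head.group(1), "caller": head.group(2), "args": {}}
            calls.append(cur)
        elif cur is not None and ' = ' in body:
            name, shown = body.split(' = ', 1)
            cur["args"][name.strip()] = (int(value, 16), shown.strip())
            if marker == '\\':                # '\' marks the last argument
                cur = None
    return calls

def device_name(shown):
    # Undo the log's backslash escaping, then strip the Win32 device prefix.
    path = shown.strip('"').replace('\\\\', '\\')
    return path[4:] if path.startswith('\\\\.\\') else None

def vm_probe_calls(calls, watched=WATCHED_DEVICES):
    """Return (caller, api, device) for CreateFile calls on a watched device."""
    hits = []
    for c in calls:
        name = c["args"].get("FileName", (0, ""))[1]
        dev = device_name(name) if c["api"].startswith("CreateFile") else None
        if dev and dev.lower() in watched:
            hits.append((c["caller"], c["api"], dev))
    return hits
```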