  #9  
Old 02-03-2018, 09:10
Aesculapius
Family
 
Join Date: Jun 2016
Location: USA
Posts: 142
Rept. Given: 1
Rept. Rcvd 42 Times in 27 Posts
Thanks Given: 22
Thanks Rcvd at 456 Times in 118 Posts
Aesculapius Reputation: 43
Change the Windows build number to a random number and you should be good to go. VMP detects a debugger based upon hardcoded syscall numbers according to the Windows build number. If the build number is not supported, then VMP goes back to the old detection methods.

Edit:

Because I see good people are interested in how to bypass this, here is the procedure, more or less:

It goes like this: load your target in OllyDbg and press G, then type fs:[30] in the command bar. At that memory location + 2 bytes you should read 0x01 if a debugger is attached or 0x00 if a debugger isn't attached (or you have installed any kind of anti-debugging plugin). This is the BeingDebugged flag. It tells you that you are on the right track. To that base address (pointed to by fs:[30]) add 0xA4 and you should read OSMajorVersion, and at 0xAC you should read OSBuildNumber. Change these last two parameters to any random number and you should be good to go. _PEB is a per-process structure, so it won't affect anything else. I would tell you also to try the OllyDbg stolystruct plugin to quickly find all of this, but it's outdated and you could end up modifying a different member of the _PEB struct, although it is worth trying too if you are using Win7. Remember that _PEB has evolved slightly throughout the years. In any case, such changes have been fully described in this handy reference, which is always good to have: http://blog.rewolf.pl/blog/wp-conten..._Evolution.pdf.

Last edited by Aesculapius; 02-08-2018 at 06:51. Reason: some more info added
The Following 2 Users Gave Reputation+1 to Aesculapius For This Useful Post:
copyleft (02-09-2018), sh3dow (02-08-2018)
The Following 12 Users Say Thank You to Aesculapius For This Useful Post:
cachito (09-25-2018), chants (08-26-2018), ionioni (02-13-2018), m0nix (02-18-2019), niculaita (02-04-2018), schrodyn (04-30-2018), sh3dow (02-08-2018), Stingered (02-03-2018), Tomy73 (02-10-2018), traf0 (02-08-2018)
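The offsets the post quotes (+0x02, +0xA4, +0xAC) are where the x86 (32-bit) _PEB places BeingDebugged, OSMajorVersion and OSBuildNumber. The following is an added C example, not the poster's code and not from any tool the thread mentions, that transcribes the leading part of that structure and reads those three members out of a raw PEB image the way an anti-debug audit or a memory-forensics parser would. The member names follow the public 32-bit PEB layout; the sample image (a debugged Windows 7 SP1 process, version 6.1 build 7601) is constructed for the example, not captured from a real process.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Leading part of the x86 (32-bit) _PEB, transcribed from the public layout.
 * Pointers are 4 bytes in a 32-bit process, so PVOID members are uint32_t;
 * the 8-byte LARGE_INTEGER is written as two halves with its alignment
 * padding spelled out, so the offsets do not depend on the host compiler. */
typedef struct {
    uint8_t  InheritedAddressSpace;          /* 0x00 */
    uint8_t  ReadImageFileExecOptions;       /* 0x01 */
    uint8_t  BeingDebugged;                  /* 0x02 */
    uint8_t  BitField;                       /* 0x03 */
    uint32_t Mutant;                         /* 0x04 */
    uint32_t ImageBaseAddress;               /* 0x08 */
    uint32_t Ldr;                            /* 0x0C */
    uint32_t ProcessParameters;              /* 0x10 */
    uint32_t SubSystemData;                  /* 0x14 */
    uint32_t ProcessHeap;                    /* 0x18 */
    uint32_t FastPebLock;                    /* 0x1C */
    uint32_t AtlThunkSListPtr;               /* 0x20 */
    uint32_t IFEOKey;                        /* 0x24 */
    uint32_t CrossProcessFlags;              /* 0x28 */
    uint32_t KernelCallbackTable;            /* 0x2C */
    uint32_t SystemReserved;                 /* 0x30 */
    uint32_t AtlThunkSListPtr32;             /* 0x34 */
    uint32_t ApiSetMap;                      /* 0x38 */
    uint32_t TlsExpansionCounter;            /* 0x3C */
    uint32_t TlsBitmap;                      /* 0x40 */
    uint32_t TlsBitmapBits[2];               /* 0x44 */
    uint32_t ReadOnlySharedMemoryBase;       /* 0x4C */
    uint32_t SharedData;                     /* 0x50 (HotpatchInformation on older builds) */
    uint32_t ReadOnlyStaticServerData;       /* 0x54 */
    uint32_t AnsiCodePageData;               /* 0x58 */
    uint32_t OemCodePageData;                /* 0x5C */
    uint32_t UnicodeCaseTableData;           /* 0x60 */
    uint32_t NumberOfProcessors;             /* 0x64 */
    uint32_t NtGlobalFlag;                   /* 0x68 */
    uint32_t Padding_0x6C;                   /* alignment before the LARGE_INTEGER */
    uint32_t CriticalSectionTimeoutLow;      /* 0x70 */
    uint32_t CriticalSectionTimeoutHigh;     /* 0x74 */
    uint32_t HeapSegmentReserve;             /* 0x78 */
    uint32_t HeapSegmentCommit;              /* 0x7C */
    uint32_t HeapDeCommitTotalFreeThreshold; /* 0x80 */
    uint32_t HeapDeCommitFreeBlockThreshold; /* 0x84 */
    uint32_t NumberOfHeaps;                  /* 0x88 */
    uint32_t MaximumNumberOfHeaps;           /* 0x8C */
    uint32_t ProcessHeaps;                   /* 0x90 */
    uint32_t GdiSharedHandleTable;           /* 0x94 */
    uint32_t ProcessStarterHelper;           /* 0x98 */
    uint32_t GdiDCAttributeList;             /* 0x9C */
    uint32_t LoaderLock;                     /* 0xA0 */
    uint32_t OSMajorVersion;                 /* 0xA4 */
    uint32_t OSMinorVersion;                 /* 0xA8 */
    uint16_t OSBuildNumber;                  /* 0xAC */
    uint16_t OSCSDVersion;                   /* 0xAE */
    uint32_t OSPlatformId;                   /* 0xB0 */
} peb32_prefix_t;

/* The members an anti-debug audit or a dump parser wants to see. */
typedef struct {
    uint8_t  being_debugged;
    uint32_t os_major;
    uint32_t os_minor;
    uint16_t os_build;
} peb_probe_t;

/* Returns 1 if the transcribed layout puts the three members at the offsets
 * quoted in the post (+0x02, +0xA4, +0xAC), 0 otherwise. */
int peb32_layout_matches_post(void) {
    return offsetof(peb32_prefix_t, BeingDebugged) == 0x02 &&
           offsetof(peb32_prefix_t, OSMajorVersion) == 0xA4 &&
           offsetof(peb32_prefix_t, OSBuildNumber) == 0xAC;
}

/* Read the probe members from a raw 32-bit PEB image (for example a buffer
 * copied out of a process dump). Returns 0 if the image is too short. */
int peb32_read_probe(const uint8_t *buf, size_t len, peb_probe_t *out) {
    peb32_prefix_t peb;
    if (buf == NULL || out == NULL || len < sizeof peb) return 0;
    memcpy(&peb, buf, sizeof peb);   /* copy: the caller's buffer may be unaligned */
    out->being_debugged = peb.BeingDebugged;
    out->os_major = peb.OSMajorVersion;
    out->os_minor = peb.OSMinorVersion;
    out->os_build = peb.OSBuildNumber;
    return 1;
}

/* Constructed sample image: a debugged Windows 7 SP1 (6.1.7601) x86 process.
 * Values are written little-endian as the PEB stores them on x86. */
int peb32_sample_probe(peb_probe_t *out) {
    uint8_t img[sizeof(peb32_prefix_t)];
    uint32_t major = 6, minor = 1;
    uint16_t build = 7601;
    memset(img, 0, sizeof img);
    img[0x02] = 1;                          /* BeingDebugged */
    memcpy(img + 0xA4, &major, sizeof major);
    memcpy(img + 0xA8, &minor, sizeof minor);
    memcpy(img + 0xAC, &build, sizeof build);
    return peb32_read_probe(img, sizeof img, out);
}

int main(void) {
    peb_probe_t p;
    if (!peb32_layout_matches_post() || !peb32_sample_probe(&p)) return 1;
    printf("BeingDebugged=%u OSMajorVersion=%u OSMinorVersion=%u OSBuildNumber=%u\n",
           p.being_debugged, p.os_major, p.os_minor, p.os_build);
    return 0;
}
```

The `peb32_read_probe` reader is what a sandbox or dump-analysis script would run over a captured PEB to tell whether a sample saw a debugger and which OS version it was shown; the `offsetof` check is the quick way to confirm that a transcribed layout still matches the offsets you are reading at, which matters because the poster notes that _PEB has changed across Windows versions.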