EXETOOLS FORUM  

#16  05-27-2015, 16:29  Insid3Code
I agree with you!

I appreciate his work a lot (old and new) (open source/closed source/PoCs and more...) and especially his coding style (Delphi 5/C/C++/Native API).

Repo recently created!
https://github.com/hfiref0x?tab=repositories
Also DrvMon, coded together with you; unfortunately release 2.x is not available to the public:
http://www.kernelmode.info/forum/viewtopic.php?f=11&t=217
Quote:
We decided not to release the newer version (2.x) to the public. Overall it's now a completely different application than the one attached here.
#17  08-06-2015, 05:04  Ahmed18
thanks bro
#18  01-08-2018, 06:04  Sakaroz
It doesn't work correctly; very unstable. VMware Workstation has a lot of secret options: by manually editing the .vmx file you can make it almost undetectable, changing the CPU IDs, disabling the VMware Tools, reflecting the host information to the virtual machine, using the actual hard drive instead of the virtual machine controller, changing the Ethernet MAC address, memory addresses, ... I was unable to get this software to work, but by modifying VMware using a custom BIOS I was able to defeat all the targets with virtual machine detection in a VMware environment.
#19  01-08-2018, 11:01  TechLord
Quote:
Originally Posted by Sakaroz
It doesn't work correctly; very unstable. VMware Workstation has a lot of secret options: by manually editing the .vmx file you can make it almost undetectable, changing the CPU IDs, disabling the VMware Tools, reflecting the host information to the virtual machine, using the actual hard drive instead of the virtual machine controller, changing the Ethernet MAC address, memory addresses, ... I was unable to get this software to work, but by modifying VMware using a custom BIOS I was able to defeat all the targets with virtual machine detection in a VMware environment.
Maybe you can share a sample .VMX file for all of us to know better.

Yes, even I do some of the stuff that you mentioned, but a sample VMX file (as well as the custom BIOS that actually works) as an example would be nice.

Maybe as a PoC, we can see if it can bypass the Anti-VMware/VM functions of VMProtect v3.xx without needing to make any changes to the actual protected executable.
I'm sure it would be an interesting exercise ...

Thank you..

Last edited by TechLord; 01-08-2018 at 15:12. Reason: Added more details
#20  01-10-2018, 02:50  Stingered
Quote:
Originally Posted by TechLord
Maybe you can share a sample .VMX file for all of us to know better.

Yes, even I do some of the stuff that you mentioned, but a sample VMX file (as well as the custom BIOS that actually works) as an example would be nice.

Maybe as a PoC, we can see if it can bypass the Anti-VMware/VM functions of VMProtect v3.xx without needing to make any changes to the actual protected executable.
I'm sure it would be an interesting exercise ...

Thank you..
YES!!! Sakaroz, if you could provide a PoC, that could be what would make me switch over to VMware.
#21  01-12-2018, 08:51  Sakaroz
I will make an article and will share it ..

You can verify your system file with this:
https://github.com/LordNoteworthy/al-khaser

There are two main difficulties: assigning the actual hard drive to the virtual machine to avoid using the VMware IDE/SCSI/SATA controller,

and BIOS patching: you need to extract the BIOS and change the VMware values in the BIOS, then modify the .vmx file to read your modified BIOS ..

I will share everything in that article ..
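As an added illustration for the verification step above (example code written for this page, not code from the thread, from al-khaser or from VMware), the Python below decodes three of the artifact classes that a VM-aware check of the kind al-khaser runs keys on, so an analyst can see what a lab or sandbox guest is exposing: the CPUID leaf 1 hypervisor-present bit together with the leaf 0x40000000 vendor string, the NIC's OUI, and vendor names in SMBIOS/DMI strings. The register values and the dmidecode-style text are constructed sample inputs; on a real guest they would come from executing CPUID and from dmidecode or WMI.

```python
"""Decode VM-artifact indicators of the kind al-khaser checks.

Example code added for this page; the sample register values and SMBIOS
text below are constructed, not captured from a real guest.
"""
import re
import struct
from typing import Dict, List, Optional

# Vendor strings a hypervisor returns in EBX:ECX:EDX of CPUID leaf 0x40000000.
HYPERVISOR_VENDORS: Dict[str, str] = {
    "VMwareVMware": "VMware",
    "Microsoft Hv": "Hyper-V",
    "KVMKVMKVM\x00\x00\x00": "KVM",
    "XenVMMXenVMM": "Xen",
    "VBoxVBoxVBox": "VirtualBox",
}

# IEEE OUIs registered to VMware; Workstation/ESXi generate guest MACs from these.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# SMBIOS/DMI strings that name a virtualization vendor.
SMBIOS_VENDOR_RE = re.compile(r"\b(VMware|VirtualBox|innotek|QEMU|Xen|Bochs)\b", re.I)


def decode_hypervisor_vendor(ebx: int, ecx: int, edx: int) -> str:
    """Reassemble the 12-byte vendor string: each register holds 4 bytes, little-endian."""
    return struct.pack("<III", ebx, ecx, edx).decode("ascii", errors="replace")


def hypervisor_from_cpuid(leaf1_ecx: int, ebx: int, ecx: int, edx: int) -> Optional[str]:
    """Return the hypervisor name, 'unknown (...)' for an unrecognised vendor,
    or None when CPUID leaf 1 ECX bit 31 (hypervisor present) is clear."""
    if not (leaf1_ecx >> 31) & 1:
        return None
    vendor = decode_hypervisor_vendor(ebx, ecx, edx)
    return HYPERVISOR_VENDORS.get(vendor, "unknown (%r)" % vendor)


def mac_is_vmware(mac: str) -> bool:
    """True when the first three octets of the MAC fall in a VMware OUI."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError("expected a colon- or dash-separated MAC address: %r" % mac)
    return ":".join(octets[:3]) in VMWARE_OUIS


def smbios_vendor_hits(dmi_text: str) -> List[str]:
    """Return the DMI field lines whose value names a virtualization vendor."""
    return [line.strip() for line in dmi_text.splitlines() if SMBIOS_VENDOR_RE.search(line)]


def assess(leaf1_ecx: int, leaf_hv: tuple, mac: str, dmi_text: str) -> Dict[str, object]:
    """Combine the three checks into one report; 'indicators' counts how many fired."""
    hv = hypervisor_from_cpuid(leaf1_ecx, *leaf_hv)
    hits = smbios_vendor_hits(dmi_text)
    mac_hit = mac_is_vmware(mac)
    return {
        "hypervisor": hv,
        "mac_vmware": mac_hit,
        "smbios_hits": hits,
        "indicators": int(hv is not None) + int(mac_hit) + int(bool(hits)),
    }


# Constructed sample: the register values spell "VMwareVMware" when packed little-endian.
SAMPLE_LEAF1_ECX = 1 << 31
SAMPLE_LEAF_HV = (0x61774D56, 0x4D566572, 0x65726177)
SAMPLE_MAC = "00:0C:29:3A:5B:7C"
SAMPLE_DMI = """System Information
\tManufacturer: VMware, Inc.
\tProduct Name: VMware Virtual Platform
\tVersion: None
"""

if __name__ == "__main__":
    print(assess(SAMPLE_LEAF1_ECX, SAMPLE_LEAF_HV, SAMPLE_MAC, SAMPLE_DMI))
```

Each of the three checks fires on the constructed sample, which is the point of running something like al-khaser before trusting a lab VM: every indicator that still fires after reconfiguration is one the guest software can also see.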
#22  01-12-2018, 10:40  TechLord
Quote:
Originally Posted by Sakaroz
You can verify your system file with this:
https://github.com/LordNoteworthy/al-khaser

...
Yes, I'd shared that on this very forum at least twice ... here and here, for example.

Quote:
Originally Posted by Sakaroz
There are two main difficulties: assigning the actual hard drive to the virtual machine to avoid using the VMware IDE/SCSI/SATA controller,

and BIOS patching: you need to extract the BIOS and change the VMware values in the BIOS, then modify the .vmx file to read your modified BIOS ..
..
Yes, not only me but many others are also aware of these practical difficulties ... After all, this is a forum for members advanced in RE.

What I (and I presume others following this thread) are looking for is mainly an account of how you actually managed to achieve it, so that we could possibly replicate it.

Articles are numerous and, while they are useful, since you specifically stated earlier in this thread that "I was unable to get this software to work but by Modifying Vmware using a Custom BIOS I was able to defeat all the targets with virtual machine detection in VMWare Environment ..", we are looking to see a practical example of how you managed to accomplish it...

In fact, content from this repo is still relevant but seems to fail when attempting to bypass the VM check of VMP 3.1 ..
These steps still continue to work on a majority of targets...

As I said earlier, a good PoC would be if you could show us an example of how a VM check of an executable protected with VMProtect >v3.1 could be bypassed without any modification to the executable (or to its image in memory using a loader, etc.) itself, as we are already well aware of how to do so when we are allowed to patch the executable or its memory space.

Thank you

Last edited by TechLord; 01-12-2018 at 11:13.