EXETOOLS FORUM  

#1  1ST  (02-02-2018, 23:54)
vmprotect v3 debugger detected

Greetings,

I have been away for a couple of years and I can see that a lot of things have changed. I have been playing around with VMProtect v3, but unfortunately no matter what plugins/options I use, my debugger gets detected. Does anyone know how to successfully hide Olly from VMProtect? Please advise.


Regards
#2  sendersu  (02-03-2018, 00:29)
Show your target if possible.
#3  isdebuggerpresent  (02-03-2018, 01:08)
Some VMP anti-debug is realized by syscall instructions directly in the VM code instead of calling Nt functions.
You can also use TitanHide.
#4  Stingered  (02-03-2018, 01:50)
Quote: Originally Posted by 1ST (post #1, quoted above)
I would say try TitanHide as well. But it would also be good to list the options/plugins you have already tried, so that people don't have to guess when they suggest alternatives for you.

#5  atom0s  (02-03-2018, 03:59)
Use a Windows XP VM instead of a newer version of Windows.
#6  1ST  (02-03-2018, 04:27)
I tried Windows XP, Windows 7/8, TitanHide and ScyllaHide, and no matter what option I use it gets detected.

target can be found here: https://mrt-dongle.org/pages/download

Can anyone tell me how to hide Olly successfully? Please let me know the plugins and options used.


Regards
#7  Stingered  (02-03-2018, 06:08)
Quote: Originally Posted by 1ST (post #6, quoted above)
Okay, so you're trying the right options...

Did you run the TitanHideTest app to verify that everything is installed correctly and not being detected? I would also suggest trying x64dbg. I too prefer Olly, but maybe it would make the difference.
#8  1ST  (02-03-2018, 07:00)
Yes, I have verified that TitanHide is running correctly.
#9  Aesculapius  (02-03-2018, 09:10)
Change the Windows build number to a random number and you should be good to go. VMP detects the debugger based upon hardcoded syscall numbers according to the Windows build number. If the build number is not supported, then VMP goes back to its old detection methods.

Edit:

Because I see good people are interested in how to bypass this, here is the procedure, more or less:

It goes like this: load your target in OllyDbg and type G fs:[30] in the command bar. At that memory location + 2 bytes you should read 0x01 if a debugger is attached, or 0x00 if a debugger isn't attached (or you have installed any kind of anti-debugging plugin). This is the BeingDebugged flag. It tells you that you are on the right track. At that base address (pointed to by fs:[30]) add 0xA4 and you should read OSMajorVersion, and at 0xAC you should read OSBuildNumber. Change these last two parameters to any random number and you should be good to go. _PEB is a per-process structure, so it won't affect anything else.

I would also tell you to try the OllyDbg stolystruct plugin to quickly find all of this, but it's outdated and you could end up modifying a different member of the _PEB struct, although it is worth trying too if you are using Win7. Remember that _PEB has evolved slightly throughout the years. In any case, such changes have been fully described in this handy reference, which is always good to have: http://blog.rewolf.pl/blog/wp-conten..._Evolution.pdf

Last edited by Aesculapius; 02-08-2018 at 06:51. Reason: some more info added
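As an added example (mine, not code from any post in this thread), the C snippet below reads the three _PEB members Aesculapius walks through, using his offsets for the 32-bit PEB. It works on a raw byte dump of the PEB rather than dereferencing fs:[30] live, so it compiles anywhere; the function names and the sample values (BeingDebugged 1, major version 6, build 7601) are assumptions of mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets into the 32-bit _PEB as listed in the post above: BeingDebugged at +0x02,
 * OSMajorVersion at +0xA4 (ULONG), OSBuildNumber at +0xAC (USHORT), relative to fs:[30]. */
#define PEB_OFF_BEING_DEBUGGED   0x02u
#define PEB_OFF_OS_MAJOR_VERSION 0xA4u
#define PEB_OFF_OS_BUILD_NUMBER  0xACu
#define PEB_DUMP_MIN_LEN         (PEB_OFF_OS_BUILD_NUMBER + 2u)   /* 0xAE bytes */

typedef struct {
    uint8_t  being_debugged;
    uint32_t os_major_version;
    uint16_t os_build_number;
} peb_fields_t;

/* Little-endian readers: a PEB dump is raw x86 memory, not host-order integers. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Pull the three fields out of a raw PEB dump. Returns 0 on success, -1 if the dump is too short. */
int peb_parse(const uint8_t *dump, size_t len, peb_fields_t *out) {
    if (dump == NULL || out == NULL || len < PEB_DUMP_MIN_LEN) return -1;
    out->being_debugged   = dump[PEB_OFF_BEING_DEBUGGED];
    out->os_major_version = rd32(dump + PEB_OFF_OS_MAJOR_VERSION);
    out->os_build_number  = rd16(dump + PEB_OFF_OS_BUILD_NUMBER);
    return 0;
}

/* Constructed sample dump (hypothetical values, not captured from a real process). */
size_t peb_make_sample(uint8_t *buf, size_t len, int debugged, uint32_t major, uint16_t build) {
    if (buf == NULL || len < PEB_DUMP_MIN_LEN) return 0;
    memset(buf, 0, len);
    buf[PEB_OFF_BEING_DEBUGGED] = debugged ? 1u : 0u;
    for (int i = 0; i < 4; i++) buf[PEB_OFF_OS_MAJOR_VERSION + i] = (uint8_t)(major >> (8 * i));
    for (int i = 0; i < 2; i++) buf[PEB_OFF_OS_BUILD_NUMBER + i] = (uint8_t)(build >> (8 * i));
    return PEB_DUMP_MIN_LEN;
}

int main(void) {
    uint8_t dump[0x100];
    peb_fields_t f;
    peb_make_sample(dump, sizeof dump, 1, 6, 7601);   /* constructed: debugged, major 6, build 7601 */
    if (peb_parse(dump, sizeof dump, &f) == 0)
        printf("BeingDebugged=%u OSMajorVersion=%u OSBuildNumber=%u\n",
               (unsigned)f.being_debugged, (unsigned)f.os_major_version, (unsigned)f.os_build_number);
    return 0;
}
```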
#10  Stingered  (02-03-2018, 12:46)
Quote: Originally Posted by Aesculapius (post #9, quoted above)

Nice little tidbit!

More here:

https://lifeinhex.com/tag/vmprotect/
#11  bolo2002  (02-08-2018, 00:37)
Quote: Originally Posted by Stingered: Nice little tidbit!

+Aesculapius, old school and still alive, respect.
#12  cachito  (02-10-2018, 06:06)
It is funny to read the champion of duplicate accounts accusing others of that...
Maybe he doesn't want his title being challenged??
Reply With Quote
The Following User Says Thank You to cachito For This Useful Post:
Aesculapius (02-10-2018)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 14:35.

