hasherezade / tiny_tracer

A Pin Tool for tracing API calls etc

VMProtect-AntiVM Issue #48

Closed 0x000007B closed 3 days ago

0x000007B commented 1 year ago

(screenshot: No_VM)

VMPTest.vmp.zip - Test executable, with the AntiVM preset enabled (VMP Demo 3.7.3). You will need to compile the source on your PC, since the demo has a HWID lock.

VMPTest.vmp.exe.tag.zip - Trace of the protected test executable, with the AntiVM preset.

VMPTest.zip - Plain EXE (No Protection)

TinyTracer.ini ↓

ENABLE_SHORT_LOGGING=True
USE_DEBUG_SYMBOLS=False
FOLLOW_SHELLCODES=1
;FOLLOW_SHELLCODES:
; 0 : trace only the main target module
; 1 : follow only the first shellcode called from the main module
; 2 : follow also the shellcodes called recursively from the original shellcode
; 3 : follow any shellcodes
TRACE_RDTSC=False
TRACE_INT=False
TRACE_SYSCALL=False
LOG_SECTIONS_TRANSITIONS=True
LOG_SHELLCODES_TRANSITIONS=True
HEXDUMP_SIZE=8
HOOK_SLEEP=False
SLEEP_TIME=10
; ANTIDEBUG: (Windows only)
; 0 : Disabled
; 1 : Standard
; 2 : Deep (may lead to some false positives)
ANTIDEBUG=1
ANTIVM=0

There is an issue with tiny tracer currently related to VMProtect. When AntiVM is enabled and the executable runs under tiny tracer, VMProtect throws an error that says "Sorry, this application cannot run under a Virtual Machine." I'm not on a VM, so I don't know why it throws that error while running under tiny tracer. I suppose the newest tiny tracer update has something to do with this happening, based on the "Trap Flag", but I'm not so sure.

Regards, Dynamic.

hasherezade commented 1 year ago

Hi @0x000007B! Thanks for reporting, I will check it soon (not at home right now). But the first thing I noticed is that you are not using the latest TinyTracer (which is 2.7). Can you try with the latest one first?

hasherezade commented 1 year ago

I also noticed that the case without "Virtualization tools" runs fine. The recently implemented bypass was for "Usermode + kernelmode debugger", so this works fine. There is nothing wrong with the "Trap Flag" bypass.

Just the bypass for the mode with "Virtualization tools" is not implemented yet. I will see what exactly it checks for and implement this bypass in a further release. Probably it is about the presence of the injected DLL, or maybe the altered RDTSC.

0x000007B commented 1 year ago

Hey @hasherezade, thanks for the quick reply. Yes, my theory was wrong: I thought the "Trap Flag" played a role in this error, but I was wrong, sorry. I now understand, thanks!