hzqst / VmwareHardenedLoader

Vmware Hardened VM detection mitigation loader (anti anti-vm)
MIT License

win7 x64, please help me figure out what the problem is #1

Closed WooZoo86 closed 5 years ago

WooZoo86 commented 6 years ago

vmware:v14.1.3 OS:win7 x64 sp1

VT is enabled in the VM, I followed your tutorial, and I get the error in the screenshot. Please help me find the cause.

hzqst commented 6 years ago

Please upload C:\Windows\system32\ntoskrnl.exe from your environment; I'll take a look in IDA to see which step fails.

WooZoo86 commented 6 years ago

Uploaded, thanks. I changed the extension to gif. ntoskrnl

tatamyans commented 6 years ago

same issue win7 x64

hzqst commented 6 years ago

Uploaded, thanks. I changed the extension to gif. ntoskrnl

The one you uploaded is the 32-bit ntos from SysWOW64; please re-upload a 64-bit ntos. I suggest using Explorer to copy ntoskrnl from system32 to the desktop and uploading that, so that WoW64 redirection does not get in the way.

WooZoo86 commented 6 years ago

ntoskrnl_syswow64 Both uploaded, thanks a lot!

WooZoo86 commented 6 years ago

ntoskrnl_sys32

hzqst commented 6 years ago

While walking the code,

if (instLen == 1 && (inst->bytes[0] == 0xCC || inst->bytes[0] == 0x90)) // a lone int3 or nop is taken as the end of the function
{
    return TRUE;
}

skipped

PAGE:00000001404B2BF2 loc_1404B2BF2:                          ; CODE XREF: sub_1404B2B70+75j
PAGE:00000001404B2BF2                 mov     r8, rbx         ; Size
PAGE:00000001404B2BF5                 mov     rdx, r14        ; Src
PAGE:00000001404B2BF8                 mov     rcx, rax        ; Dst
PAGE:00000001404B2BFB                 call    memmove
PAGE:00000001404B2C00                 nop ;<-------0x90
PAGE:00000001404B2C01                 mov     rbx, rsi
PAGE:00000001404B2C04                 jmp     short loc_1404B2C15

Who knows why Microsoft inserts a nop into the middle of normal code.... Removing the 0x90 check fixes it.
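To make the failure mode above concrete, here is an added example (not code from VmwareHardenedLoader, and not the instruction-length decoder the project actually uses): a minimal x86-64 length decoder that understands only the handful of opcodes in the listing above, plus two versions of the "is this the end of the function?" predicate, the original one that treats a single-byte 0x90 as a boundary and the fixed one that only treats int3 as one. The byte sequence is constructed by hand from the listing (the call displacement and the jmp target are made-up values); the names `insn_len`, `scan_until_boundary`, `boundary_buggy` and `boundary_fixed` are assumptions of this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Minimal length decoder (assumption of this example): handles an optional REX
 * prefix and only the opcodes that occur in the listing. Returns 0 when it
 * cannot decode the bytes, so a caller can stop instead of mis-stepping. */
static size_t insn_len(const uint8_t *p, size_t remaining)
{
    size_t i = 0;
    if (remaining > 0 && (p[0] & 0xF0) == 0x40)   /* REX prefix 0x40..0x4F */
        i = 1;
    if (i >= remaining)
        return 0;
    switch (p[i]) {
    case 0x90: case 0xCC: case 0xC3:   /* nop, int3, ret */
        return i + 1;
    case 0xEB:                         /* jmp rel8 */
        return i + 2;
    case 0xE8: case 0xE9:              /* call rel32, jmp rel32 */
        return i + 5;
    case 0x8B: case 0x89: {            /* mov r/m: register-direct form only */
        if (i + 1 >= remaining)
            return 0;
        if ((p[i + 1] >> 6) != 3)      /* memory operand: not supported here */
            return 0;
        return i + 2;
    }
    default:
        return 0;
    }
}

typedef int (*boundary_fn)(const uint8_t *insn, size_t n);

/* The predicate as quoted in the thread: a lone int3 OR a lone nop ends the scan. */
static int boundary_buggy(const uint8_t *insn, size_t n)
{
    return n == 1 && (insn[0] == 0xCC || insn[0] == 0x90);
}

/* The fix described in the thread: only int3 padding ends the scan. */
static int boundary_fixed(const uint8_t *insn, size_t n)
{
    return n == 1 && insn[0] == 0xCC;
}

/* Walk instructions from `code` and return the offset at which `is_boundary`
 * fires (or at which decoding fails); returns `len` if no boundary is hit. */
static size_t scan_until_boundary(const uint8_t *code, size_t len, boundary_fn is_boundary)
{
    size_t off = 0;
    while (off < len) {
        size_t n = insn_len(code + off, len - off);
        if (n == 0 || is_boundary(code + off, n))
            return off;
        off += n;
    }
    return off;
}

/* Constructed from the IDA listing in the thread; call/jmp displacements are made up. */
static const uint8_t kSample[] = {
    0x4C, 0x8B, 0xC3,               /* mov  r8, rbx   */
    0x49, 0x8B, 0xD6,               /* mov  rdx, r14  */
    0x48, 0x8B, 0xC8,               /* mov  rcx, rax  */
    0xE8, 0x00, 0x00, 0x00, 0x00,   /* call rel32     */
    0x90,                           /* nop  <-- the byte that stopped the walk */
    0x48, 0x8B, 0xDE,               /* mov  rbx, rsi  */
    0xEB, 0x0F,                     /* jmp  short     */
    0xCC, 0xCC, 0xCC,               /* int3 padding after the function */
};

int main(void)
{
    printf("buggy predicate stops at offset %zu\n",
           scan_until_boundary(kSample, sizeof kSample, boundary_buggy));
    printf("fixed predicate stops at offset %zu\n",
           scan_until_boundary(kSample, sizeof kSample, boundary_fixed));
    return 0;
}
```

The buggy predicate stops at the nop (offset 14), before `mov rbx, rsi` and the jmp have been seen, so any pattern the walker was looking for past that point is never found; the fixed predicate runs on to the int3 padding (offset 20). In a real walker the same idea applies: a compiler-inserted single-byte nop inside a function is ordinary code, while int3 padding only appears between functions.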

hzqst commented 6 years ago

@WooZoo86 Please test the latest bin, it should be OK now.