hzqst / unicorn_pe

Unicorn PE is an unicorn based instrumentation project designed to emulate code execution for windows PE files.
MIT License

older version of VMProtect (about 2.x) uses rax instead of eax as NtQuerySystemInformation result #6

Closed hzqst closed 5 years ago

hzqst commented 5 years ago
```
// VMProtect 2.x
// NtQuerySystemInformation class 11 returns 0
fffff8000045be48    ret
fffff8000001699e    test    bl, al
fffff800000169a0    cmc
fffff800000169a1    jmp     0xfffff8000000cb03
fffff8000000cb03    jmp     0xfffff8000000ba81
fffff8000000ba81    or      rax, rax              <--- damn VMProtect
fffff8000000ba84    jmp     0xfffff800000100c7
fffff800000100c7    jmp     0xfffff800000130b9
fffff800000130b9    jne     0xfffff8000000bd7d

// VMProtect 3.x
// NtQuerySystemInformation class 11 returns 0
fffff80000a2ec40    ret
fffff8000023008e    mov     rbp, qword ptr [rsp + 0x50]
fffff80000230093    jmp     0xfffff8000038a8af
fffff8000038a8af    test    eax, eax              <--- fixed
fffff8000038a8b1    jmp     0xfffff8000038a8b6
fffff8000038a8b6    js      0xfffff8000038ac1b
```

This causes a load failure for some VMProtect-packed drivers, since the high dword of rax might be non-zero. We have to set rax rather than eax in EmuNtQuerySystemInformation as well to fix this.
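The mechanism behind the issue, as an added model written for this page (it is not code from unicorn_pe or from Unicorn): a hook that returns `STATUS_SUCCESS` by writing the 32-bit `eax` through an emulator's register API replaces only the low dword of `rax`, so whatever stale value the high dword held survives. A real `mov eax, imm32` executed by the CPU zero-extends into the full `rax`, which is why native code never trips over this. The assumption made here, consistent with the fix described in the issue, is that the emulator's `EAX` write preserves bits 32..63; `Regs`, `write_eax`, `write_rax`, the two `vmp*_check` helpers and the pre-call value of `rax` are all constructed for the illustration.

```python
"""Model of the partial-register-write bug behind this issue.

Constructed illustration, not code from unicorn_pe or Unicorn.
Assumption: a 32-bit EAX write via the emulator's register API keeps
the upper dword of RAX (as the issue's fix implies), while the CPU's
own `mov eax, imm32` zero-extends into RAX.
"""

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
STATUS_SUCCESS = 0


class Regs:
    """Minimal register file: only RAX matters for this bug."""

    def __init__(self, rax):
        self.rax = rax & MASK64


def write_eax(regs, value):
    """Emulator-API style EAX write: replaces bits 0..31 only (assumed)."""
    regs.rax = (regs.rax & (~MASK32 & MASK64)) | (value & MASK32)


def write_rax(regs, value):
    """Full 64-bit RAX write: the fix applied in EmuNtQuerySystemInformation."""
    regs.rax = value & MASK64


def vmp2_check(regs):
    """VMProtect 2.x sequence: `or rax, rax` / `jne fail`.

    Passes only if the whole 64-bit RAX is zero."""
    return regs.rax == 0


def vmp3_check(regs):
    """VMProtect 3.x sequence: `test eax, eax` / `js fail`.

    Passes if the low dword is non-negative; the high dword is ignored."""
    return (regs.rax & 0x80000000) == 0


def emulate_call(hook, rax_before=0xFFFF800000010000):
    """Run the hooked NtQuerySystemInformation with a stale RAX.

    rax_before is a constructed leftover (e.g. a kernel pointer from
    earlier code) that a hook must fully overwrite."""
    regs = Regs(rax_before)
    hook(regs)
    return regs


def buggy_hook(regs):
    # Old EmuNtQuerySystemInformation behaviour: returns via eax only.
    write_eax(regs, STATUS_SUCCESS)


def fixed_hook(regs):
    # Fixed behaviour: returns via the full rax.
    write_rax(regs, STATUS_SUCCESS)


def results(hook):
    """Return RAX after the hook plus the outcome of both VMProtect checks."""
    regs = emulate_call(hook)
    return {"rax": regs.rax, "vmp2": vmp2_check(regs), "vmp3": vmp3_check(regs)}


if __name__ == "__main__":
    for name, hook in (("buggy (eax)", buggy_hook), ("fixed (rax)", fixed_hook)):
        r = results(hook)
        print(f"{name}: rax=0x{r['rax']:016x} vmp2={r['vmp2']} vmp3={r['vmp3']}")
```

With the buggy hook the VMProtect 3.x check passes while the 2.x check fails, which matches the driver loading under one packer version and not the other; with the full-width write both pass. The practical rule for any syscall hook in a 64-bit emulator is to write the return value to `RAX`, never to `EAX`, regardless of the declared C return type.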

hzqst commented 5 years ago

Fixed.