s3team / VMHunt


vm extraction failed #2

Closed AeroOwl closed 4 years ago

AeroOwl commented 4 years ago

Hi, I found that the VM context switching in my tracefile is incomplete for performing vmextract.cpp.

As I observed in the tracefile and in the procedure of preprocess, peephole and vmextract, chkpush for 7 continuous push opcs always failed; at most 3 push opcs are written in the tracefile.

I guess normalization and simplification should be applied before 'vmextract.bin', or the kernel boundary detection should be more flexible. Am I right?

BTW, I have tested some binaries from lynx-project, obfuscated by the same virtualization tools as VMHunt's. If some example snippets can be provided, that would be great!

AeroOwl commented 4 years ago

More concretely, 7 continuous pushes is unobfuscated context switching, while I just see this chkpush(it, next(it, 7)) in vmextract.cpp, instead of any context-clustering operation. Context clustering/pairing is the key step described in the VMHunt paper. I wanna re-implement this step, but I'm confused about how to cluster based on a series of mov and sub instructions and jmpset; maybe I can attempt to add this heuristic into ctxsave and ctxstore to attain vmfile.

One more virtualization-related context switch heuristic is applied and the hints are collected in jmpset, but this does not seem to be associated with the other components of this repository.

mrexodia commented 4 years ago

I think the code has either been severely stripped or it was never working on anything in the first place. For example, https://github.com/s3team/VMHunt/blob/master/vmextract.cpp#L151 doesn't actually work on anything real, so I think the actually working code described in the paper has been scrubbed.

s3team commented 4 years ago

Thanks for your interest. Dongpeng will take a look after the semester ends and get back to you.

From: IST Plato ISTPLATO-L@lists.psu.edu On Behalf Of plato@IST.PSU.EDU Sent: Sunday, May 10, 2020 5:20 AM To: istplato-l istplato-l@lists.psu.edu Subject: [s3team/VMHunt] vm extraction failed (#2)


dongpengxu commented 4 years ago

The heuristics in this demo are adjustable, e.g., you may change the number of ctx switch registers or specify certain register patterns. It gives flexibility to VMHunt while this part is not automated and may require some pre-knowledge of the virtualization. You should be able to change or implement more heuristics by modifying functions like chkpop and chkpush. The data dependency support is in slicer.cpp.
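To make the "adjustable heuristic" concrete, here is an added example (not VMHunt's code, and not its tracefile format) of a context-switch detector over an instruction trace. It mirrors what chkpush/chkpop do in spirit: look for a run of N stack saves, then pair it with the next run of N restores. Two knobs are exposed: the number of registers (the 7 in chkpush(it, next(it, 7))) and a register pattern, plus a gap tolerance so that mov/sub instructions interleaved with the pushes, as in the obfuscated traces described above, do not break the run. The trace text, function names and line format are all constructed for this example; a real VMHunt tracefile would need its own parser.

```python
"""Adjustable context-switch (push/pop run) detector over an instruction trace.

Added example, not VMHunt's own code. The trace format, the sample trace and
every function name here are constructed for illustration.
"""
import re
from typing import List, Optional, Sequence, Tuple

# Constructed sample trace: "<addr> <mnemonic> <operands>" per line.
# Block A: a clean VM entry (7 adjacent pushes), a short body, then 7 pops.
# Block B: the same save sequence with mov/sub junk interleaved, so that at
#          most 3 pushes are adjacent (the case reported in this issue).
SAMPLE_TRACE = """\
401000 push eax
401001 push ecx
401002 push edx
401003 push ebx
401004 push ebp
401005 push esi
401006 push edi
401007 mov esi, [esp+0x20]
40100a sub esp, 0x100
401010 pop edi
401011 pop esi
401012 pop ebp
401013 pop ebx
401014 pop edx
401015 pop ecx
401016 pop eax
402000 push eax
402001 push ecx
402002 push edx
402003 mov edi, edi
402005 push ebx
402006 push ebp
402007 sub eax, 0
40200a push esi
40200b push edi
"""

Insn = Tuple[int, str, str]  # (address, mnemonic, operand string)
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S+)\s*(.*)$")


def parse_trace(text: str) -> List[Insn]:
    """Parse the constructed trace format into (addr, mnemonic, operands)."""
    insns: List[Insn] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()))
    return insns


def _matches(insn: Insn, mnemonic: str, regs: Optional[Sequence[str]]) -> bool:
    """True if insn is `mnemonic` and (when a register pattern is given) its
    operand is one of the context registers."""
    _, mnem, ops = insn
    return mnem == mnemonic and (regs is None or ops in regs)


def find_runs(insns: List[Insn], mnemonic: str, min_len: int,
              max_gap: int = 0, regs: Optional[Sequence[str]] = None):
    """Return (start_idx, end_idx_exclusive, operands) for each run of at least
    min_len `mnemonic` instructions. max_gap = how many non-matching
    instructions may sit between two matching ones (0 = strict adjacency,
    the equivalent of checking 7 consecutive pushes)."""
    runs = []
    i, n = 0, len(insns)
    while i < n:
        if not _matches(insns[i], mnemonic, regs):
            i += 1
            continue
        start = last_match = i
        found = [insns[i][2]]
        j = i + 1
        while j < n:
            if _matches(insns[j], mnemonic, regs):
                last_match = j
                found.append(insns[j][2])
            elif j - last_match > max_gap:   # too much junk since last match
                break
            j += 1
        if len(found) >= min_len:
            runs.append((start, last_match + 1, found))
        i = last_match + 1
    return runs


def detect_context_switches(insns: List[Insn], count: int = 7, max_gap: int = 0,
                            regs: Optional[Sequence[str]] = None):
    """Pair each context save (push run) with the next context restore (pop run).
    Returns (save_start, save_end, restore_start, restore_end) index tuples;
    a save with no later restore gets None for the restore side."""
    saves = find_runs(insns, "push", count, max_gap, regs)
    restores = find_runs(insns, "pop", count, max_gap, regs)
    pairs = []
    for s_start, s_end, _ in saves:
        later = [r for r in restores if r[0] >= s_end]
        if later:
            pairs.append((s_start, s_end, later[0][0], later[0][1]))
        else:
            pairs.append((s_start, s_end, None, None))
    return pairs


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print("strict :", detect_context_switches(trace, count=7, max_gap=0))
    print("relaxed:", detect_context_switches(trace, count=7, max_gap=1))
```

With max_gap=0 only block A is recognised, which is exactly the failure mode in this thread (block B never has 7 adjacent pushes); with max_gap=1 block B's save is found as well and is reported without a matching restore. Passing regs restricts the run to a chosen register set, which is the "specify certain register patterns" knob; a larger gap tolerance raises the false-positive rate, so count and gap should be tuned per obfuscator rather than set once.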

AeroOwl commented 4 years ago


I got it; skipinst is the replacement of jmpset, and the data dependency in slicer.cpp helps recover some deterministic kinds of context in commercial obfuscation tools. Thanks.