
VMProtect-AntiVM Issue

0x000007B opened this issue 2 years ago • 3 comments

[image: No_VM]

VMPTest.vmp.zip - Test executable with the AntiVM preset enabled (VMP Demo 3.7.3). You will need to compile the source on your PC, since the demo has an HWID lock.

VMPTest.vmp.exe.tag.zip - Trace of the protected test executable, with the AntiVM preset.

VMPTest.zip - Plain EXE (No Protection)

TinyTracer.ini:

ENABLE_SHORT_LOGGING=True
USE_DEBUG_SYMBOLS=False
FOLLOW_SHELLCODES=1
;FOLLOW_SHELLCODES:
; 0 : trace only the main target module
; 1 : follow only the first shellcode called from the main module
; 2 : follow also the shellcodes called recursively from the original shellcode
; 3 : follow any shellcodes
TRACE_RDTSC=False
TRACE_INT=False
TRACE_SYSCALL=False
LOG_SECTIONS_TRANSITIONS=True
LOG_SHELLCODES_TRANSITIONS=True
HEXDUMP_SIZE=8
HOOK_SLEEP=False
SLEEP_TIME=10
; ANTIDEBUG: (Windows only)
; 0 : Disabled
; 1 : Standard
; 2 : Deep (may lead to some false positives)
ANTIDEBUG=1
ANTIVM=0

There is an issue with tiny_tracer currently related to VMProtect. The issue is that when AntiVM is enabled and the executable runs under tiny_tracer, VMProtect throws an error that says "Sorry, this application cannot run under a Virtual Machine." I'm not on a VM, so I don't know why it's throwing that error while running under tiny_tracer. I suppose the newest tiny_tracer update has something to do with this happening, based on the "Trap Flag", but I'm not so sure.

Regards Dynamic.

0x000007B, Aug 26 '23 18:08

Hi @0x000007B! Thanks for reporting, I will check it soon (not at home right now). But the first thing that I noticed is that you are not using the latest TinyTracer (which is 2.7). Can you try first with the latest one?

hasherezade, Aug 26 '23 19:08

Also noticed that the case without "Virtualization tools" runs OK. And the recently implemented bypass was for "Usermode + kernelmode debugger", so this works fine. There is nothing wrong with the "Trap Flag" bypass.

Just the bypass for the mode with "Virtualization tools" is not implemented yet. I will see what exactly it checks for and implement this bypass in a further release. Probably it is about the presence of the injected DLL, or maybe the altered RDTSC.

hasherezade, Aug 26 '23 19:08
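The comment above names an altered RDTSC as one candidate for how the "Virtualization tools" check spots the tracer. The following program is an added diagnostic example, not code from tiny_tracer or from either participant, for checking that hypothesis on your own machine: it times a fixed busy loop with RDTSC, reports the median delta, and (optionally) compares it against a baseline you pass from a native run. A median that is many times the native figure is the kind of inflated timing a timing-based check would react to. The sample count, loop length, factor of 10 and the non-x86 clock fallback are all assumptions chosen for the example.

```c
/* Added example (not part of tiny_tracer or this issue): measure how much an
   instrumenting tracer inflates RDTSC deltas. Run natively first, note the
   median, then run under the tracer with that median as argv[1]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(_MSC_VER)
#include <intrin.h>          /* __rdtsc on MSVC */
#define HAVE_RDTSC 1
#elif defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>       /* __rdtsc on GCC/Clang */
#define HAVE_RDTSC 1
#else
#include <time.h>            /* assumed fallback for non-x86 hosts */
#define HAVE_RDTSC 0
#endif

#define SAMPLES 64           /* assumed sample count */
#define WORK_ITERS 1000      /* assumed loop length per sample */

/* Timestamp source: the TSC on x86, a monotonic nanosecond clock elsewhere. */
static uint64_t read_tsc(void) {
#if HAVE_RDTSC
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples; sorts a private copy so the caller's array is untouched. */
uint64_t median_u64(const uint64_t *v, size_t n) {
    if (n == 0) return 0;
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) return 0;
    memcpy(tmp, v, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = (n % 2) ? tmp[n / 2] : (tmp[n / 2 - 1] + tmp[n / 2]) / 2;
    free(tmp);
    return m;
}

/* Time WORK_ITERS iterations of a volatile loop, n times, storing each delta. */
void collect_deltas(uint64_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        volatile uint32_t sink = 0;
        uint64_t t0 = read_tsc();
        for (uint32_t k = 0; k < WORK_ITERS; k++) sink += k;
        uint64_t t1 = read_tsc();
        out[i] = (t1 >= t0) ? t1 - t0 : 0;   /* guard against a non-monotonic counter */
    }
}

/* A median more than `factor` times the native baseline is the inflated reading
   a timing check would treat as "instrumented". Returns 1 if so, else 0. */
int looks_instrumented(uint64_t median, uint64_t native_baseline, unsigned factor) {
    if (native_baseline == 0) return 0;        /* no baseline, no verdict */
    return median > native_baseline * (uint64_t)factor;
}

int main(int argc, char **argv) {
    uint64_t deltas[SAMPLES];
    collect_deltas(deltas, SAMPLES);
    uint64_t med = median_u64(deltas, SAMPLES);
    printf("median delta over %d samples: %llu ticks\n",
           SAMPLES, (unsigned long long)med);
    if (argc > 1) {   /* optional: native median from a previous run */
        uint64_t baseline = strtoull(argv[1], NULL, 10);
        printf("vs. native baseline %llu: %s\n", (unsigned long long)baseline,
               looks_instrumented(med, baseline, 10) ? "inflated (instrumented run?)"
                                                     : "within range");
    }
    return 0;
}
```

Compile with `cl /O2 rdtsc_probe.c` (MSVC) or `gcc -O2 rdtsc_probe.c -o rdtsc_probe`, run once natively to get the baseline, then run it under the tracer with that number as the argument. If the tracer leaves RDTSC alone (TRACE_RDTSC=False in the posted ini) but the median still jumps, the inflation comes from the instrumentation overhead itself rather than from a patched counter, which is useful to know when deciding what a bypass has to neutralise.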

Hey @hasherezade, thanks for the quick reply. Yes, my theory was wrong; I thought the "Trap Flag" played a part in this error. But I was wrong, sorry. I now understand, thanks!

0x000007B, Aug 26 '23 19:08