
Suggest VMProtect Heaven's Gate syscall Bypass trick.

Open miketestz opened this issue 1 year ago • 2 comments

Test Environment: Windows 10 22H2 (19045.3324) x64

VMP Version: 3.8.4 Build 1754

Description

VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug.

VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is WOW64, and if the value is 0, it runs the sysenter opcode, judging that it is a 32-bit operating system.

An exception occurred when the WOW64 process ran the "sysenter" opcode, and I installed a VectorHandler to handle the exception.

Exception Handler Functions:

  1. Check that the exception location is the "sysenter" opcode.

  2. Check which Zw** API is being called (the index is in the eax register).

  3. Load all the arguments recorded in ContextRecord and call the Zw** function as a proxy (the API with the anti-debug bypass applied).

  4. Put the return value of the API into eax and resume the execution flow at the instruction following the "sysenter" opcode.

Through the above process, I was able to bypass the VMP Anti-Debug!

https://github.com/x64dbg/ScyllaHide/assets/39300593/24d01c66-eb3d-42ac-a3fb-cd4cf6d4e448

Fork URL: https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master

miketestz, Aug 30 '23 14:08

A pull request would be good, I cannot really work on this project right now.

mrexodia, Sep 21 '23 22:09

Can confirm the trick works nicely. But just so everyone understands: this is for x86 VMP targets only :)

ScyllaHideX64DBGPlugin.dp32.zip

sunbeam906, Apr 13 '24 22:04