VMPDump – A dynamic VMP dumper and import fixer, powered by VTIL.
A dynamic VMP dumper and import fixer, powered by VTIL. Works for VMProtect 3.X x64.
Before vs Immediately after
Usage

VMPDump.exe <Target Process ID> <Target Module Name> [-ep=<Entry Point RVA>] [-disable-reloc]

Arguments:

<Target Process ID>: The ID of the target process, in decimal or hex form.

<Target Module Name>: The name of the module which should be dumped and fixed. This can be an empty string ("") if the process image module is wanted.

[-ep=<Entry Point RVA>]: An optionally-provided entry point RVA, in hex form. VMPDump only overwrites the Entry Point in the optional header with this value.

[-disable-reloc]: An optional flag that instructs VMPDump to mark relocations as stripped in the output image, forcing the image to load at the dumped ImageBase. This is useful if runnable dumps are wanted.

VMProtect initialization and unpacking must be complete in the target process before running VMPDump. This means the process must be at or past the OEP (Original Entry Point). The dumped and fixed image will appear in the process image module directory, under the name <Target Module Name>.VMPDump.
How It Works

VMProtect injects stubs for every import call or jmp. These stubs resolve the 'obfuscated' thunk in the .vmpX section and add a fixed constant to 'deobfuscate' it. The calls or jumps themselves are then dispatched with a ret instruction.

VMPDump scans all executable sections for these stubs and lifts them to VTIL using the VTIL x64 lifter. Analysis is then performed on the lifted stubs to determine what kind of call must be replaced and which bytes must be overwritten.

Once all calls have been retrieved, VMPDump creates a new import table and appends thunks to the existing IAT. The calls to the VMP import stubs are replaced with direct calls to these thunks.

Note that in mutated routines there are cases where there are not enough bytes to replace the VMP import stub call with a direct thunk call, as the latter is 1 byte larger. In these cases, the section is extended and a stub that jumps to the import thunk is injected. The VMP import stub call is then replaced with a 5-byte relative call or jmp to that injected stub.
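As an added illustration of the size problem described above (this is not code from the VMPDump project): the helper below computes the patch bytes for one import site, using the standard x64 encodings (E8/E9 for the 5-byte relative call/jmp, FF 15/FF 25 for the 6-byte RIP-relative indirect call/jmp through the IAT thunk). The site RVA, the number of overwritable bytes and the trampoline RVA are assumed inputs that a dumper would obtain from its own scan and section extension.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Which kind of transfer the VMP import stub site originally performed.
enum class StubKind { Call, Jmp };

// Bytes to write at the original stub site, plus an injected trampoline
// (placed in the extended section) when the direct form does not fit.
struct ImportPatch {
    std::vector<uint8_t> site_bytes;
    std::vector<uint8_t> trampoline_bytes;  // empty when no trampoline is needed
    bool uses_trampoline = false;
};

// Append a little-endian 32-bit displacement.
static void put_disp32(std::vector<uint8_t>& out, int64_t disp) {
    auto d = static_cast<uint32_t>(static_cast<int32_t>(disp));
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(d >> (8 * i)));
}

// site_rva:  RVA of the 5-byte call/jmp into the VMP import stub (assumed input).
// avail:     contiguous bytes that may be overwritten at that site (assumed input).
// thunk_rva: RVA of the IAT thunk appended for this import (assumed input).
// tramp_rva: RVA reserved in the extended section for a trampoline; only used
//            when avail < 6 (assumed input).
ImportPatch build_import_patch(uint64_t site_rva, size_t avail, uint64_t thunk_rva,
                               StubKind kind, uint64_t tramp_rva) {
    ImportPatch p;
    // Direct form: FF 15 = call [rip+disp32], FF 25 = jmp [rip+disp32]. Six bytes,
    // one more than the 5-byte relative call/jmp it replaces.
    const uint8_t modrm = (kind == StubKind::Call) ? 0x15 : 0x25;
    if (avail >= 6) {
        p.site_bytes = {0xFF, modrm};
        put_disp32(p.site_bytes, static_cast<int64_t>(thunk_rva) - static_cast<int64_t>(site_rva + 6));
        return p;
    }
    // Not enough room: inject "jmp [rip+disp32]" to the thunk in the extended section
    // and reach it with a 5-byte relative call (E8) or jmp (E9) from the original site.
    p.uses_trampoline = true;
    p.trampoline_bytes = {0xFF, 0x25};
    put_disp32(p.trampoline_bytes, static_cast<int64_t>(thunk_rva) - static_cast<int64_t>(tramp_rva + 6));
    p.site_bytes.push_back(kind == StubKind::Call ? 0xE8 : 0xE9);
    put_disp32(p.site_bytes, static_cast<int64_t>(tramp_rva) - static_cast<int64_t>(site_rva + 5));
    return p;
}
```

Because a call to the trampoline pushes the return address and the trampoline only jumps, the imported function still returns to the instruction after the original site.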
Building

Building in VS is as simple as changing the include/library directories to VTIL-NativeLifters/VTIL-Core/Keystone/Capstone in the vcxproj.

The project requires C++20.
Issues and Limitations

Because code sections are scanned linearly, some import stub calls can be missed and thus not resolved, especially in heavily mutated and obfuscated code. However, VMPDump includes workarounds for the majority of VMProtect mutation inconsistencies, so it should produce decent results even in heavily mutated code.

If you encounter this, please create an issue with the relevant information and I will take a look at it.
License

Licensed under the GPL-3.0 License. No warranty is provided of any kind.
https://github.com/0xnobody/vmpdump
The post VMPDump – A dynamic VMP dumper and import fixer, powered by VTIL. appeared first on Hakin9 – IT Security Magazine.