yuno
@blackrine
2 posts

Bypassing VMProtect/Themida VM checks in VMware

If you have ever tried reverse-engineering a random malware sample or a game cheat, chances are you have worked with binaries obfuscated by VMProtect or Themida. Both tools offer anti-VM protection. However, these protections are not very complex: they check only basic things, such as whether the hypervisor bit is set in the result of CPUID and whether the SMBIOS strings name a virtual platform. Both can be spoofed from outside the guest, without loading anything into the guest OS; these are the same checks the VmwareHardenedLoader project targets, for example.
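To make the two checks concrete, here is an added example (my code, not from the original post or from VMProtect/Themida): the hypervisor-bit and vendor-string checks from CPUID, and a substring scan over an SMBIOS string table. The SMBIOS byte strings and the register values in `main` are constructed for illustration; the helper names are my own.

```c
// Added example: the cheap anti-VM checks a protector typically performs.
// Pure helpers take register/SMBIOS values as input so the logic can be
// exercised on constructed data; main() runs the CPUID part live on x86.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* CPUID leaf 1: bit 31 of ECX is the "hypervisor present" bit. */
bool hypervisor_bit_set(uint32_t leaf1_ecx) {
    return ((leaf1_ecx >> 31) & 1u) != 0;
}

/* CPUID leaf 0x40000000: EBX, ECX, EDX hold a 12-byte hypervisor vendor ID. */
void hypervisor_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Vendor IDs published by common hypervisors (KVM pads its 9 bytes with NULs). */
static const char *const vm_vendors[] = {
    "VMwareVMware", "KVMKVMKVM", "Microsoft Hv",
    "VBoxVBoxVBox", "XenVMMXenVMM", "TCGTCGTCGTCG",
};

bool vendor_is_vm(const char *vendor) {
    for (size_t i = 0; i < sizeof vm_vendors / sizeof vm_vendors[0]; i++)
        if (strncmp(vendor, vm_vendors[i], strlen(vm_vendors[i])) == 0)
            return true;
    return false;
}

static int lower(int c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }

/* Case-insensitive search of a raw byte buffer (portable stand-in for memmem). */
static bool find_ci(const uint8_t *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || len < n) return false;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && lower(buf[i + j]) == lower((unsigned char)needle[j])) j++;
        if (j == n) return true;
    }
    return false;
}

/* Markers that show up in SMBIOS manufacturer/product/serial strings of VMs. */
bool smbios_has_vm_marker(const uint8_t *buf, size_t len) {
    static const char *const markers[] = { "VMware", "Virtual", "QEMU", "innotek", "Xen" };
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++)
        if (find_ci(buf, len, markers[i])) return true;
    return false;
}

/* Constructed SMBIOS Type 1 string tables (NUL-separated, as in the raw table). */
static const uint8_t vm_smbios_strings[] =
    "VMware, Inc.\0VMware Virtual Platform\0None\0VMware-56 4d 00 11\0";
static const uint8_t bare_metal_smbios_strings[] =
    "Dell Inc.\0Latitude 7400\0None\0ABC1234\0";

#if HAVE_CPUID
/* Live check: returns the hypervisor bit and fills the vendor string.
   Without a hypervisor, leaf 0x40000000 is reserved and the string is noise. */
bool live_hypervisor_present(char vendor[13]) {
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return false;
    bool bit = hypervisor_bit_set(ecx);
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    hypervisor_vendor(ebx, ecx, edx, vendor);
    return bit;
}
#endif

int main(void) {
    char vendor[13] = {0};
#if HAVE_CPUID
    bool present = live_hypervisor_present(vendor);
    printf("hypervisor bit: %d, vendor: \"%s\", known VM vendor: %d\n",
           present, vendor, vendor_is_vm(vendor));
#else
    puts("no CPUID on this architecture; skipping live check");
#endif
    printf("constructed VM SMBIOS flagged: %d\n",
           smbios_has_vm_marker(vm_smbios_strings, sizeof vm_smbios_strings));
    printf("constructed bare-metal SMBIOS flagged: %d\n",
           smbios_has_vm_marker(bare_metal_smbios_strings, sizeof bare_metal_smbios_strings));
    return 0;
}
```

Note that CPUID is an unprivileged instruction that always exits to the hypervisor, so nothing hooked inside the guest (Ring-3 or Ring-0) sees it before the VMM answers; that is why the spoof has to happen on the host side. The usual VMware knobs for exactly these two checks are `hypervisor.cpuid.v0 = "FALSE"` in the `.vmx` (clears the hypervisor bit) and `SMBIOS.reflectHost = "TRUE"` (passes the host's DMI strings through); confirm both against your VMware version.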

VMProtect

The main problem with walking through the protector's check functions is that it is done by hand, without automation. That slows down the analysis, and you end up repeating many of the same steps. I decided to write a small article because of this, to remind you that some of these points can be bypassed easily, and because it amuses me that people bypass Ring-3 anti-debug checks from Ring-0, i.e. they run over a cockroach with a tank for some reason. Today we will look under the hood of VMP and write a bypass for the SDK functions and the VMP loader functions (anti-debug, anti-VM, import listing, syscall-ID spoofing, etc.).