Test Environment: Windows 10 22H2 (19045.3324) x64
VMP Version: 3.8.4 Build 1754
Description
VMProtect started using Heaven's Gate to make it difficult to bypass its user-mode anti-debug checks.
VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check whether the running process is WoW64; if the value is 0, it concludes that it is running on a 32-bit operating system and executes the sysenter opcode directly.
An exception occurred when the WoW64 process ran the "sysenter" opcode, and I installed a VectorHandler to handle the exception.
Exception Handler Functions:
- Check that the exception location is the "sysenter" opcode.
- Check which Zw** API is being called (from the eax register).
- Load all the arguments recorded in ContextRecord and call the Zw** function as a proxy (the API with anti-debug bypass applied).
- Put the API's return value into eax and resume execution at the instruction following the "sysenter" opcode.
Through the above process, I was able to bypass the VMP Anti-Debug!
Fork URL: master...miketestz:ScyllaHide_VMPHeavensgateBypass:master