VMPImportFixer is a tool aimed to resolve import calls in a VMProtect'd (3.x) binary.

Overview

VMPImportFixer

Information

VMPImportFixer attempts to resolve all obfuscated API calls in a VMProtect'd binary. A binary protected with VMProtect's "Import Protection" option has its indirect import calls (the usual 6-byte call through the IAT, FF 15 disp32) replaced with a 5-byte near relative call (E8 rel32) into a VMProtect stub plus one extra byte (see ImportCallObfuscator for a similar method of obfuscating imports).

VMProtect uses two variants of the protected call, apparently chosen at random per call site when the binary is protected: push reg; call stub, and call stub; ret or call stub; int3 (the extra byte sits before the call in the first variant and after it in the second).

(Figures: the call/int3 variant and the push/call variant)

Following these calls leads into the VMProtect section, which is named .vmp0 by default (VMProtect allows the name to be changed). Each stub varies in size and complexity, but the idea is the same: a sequence of arithmetic computes the real import address, and the final operation usually writes that address to [rsp]/[esp] immediately before the stub's RET, so the RET transfers control to the import.

Depending on the variant (push reg; call stub or call stub; int3/ret), the stub may also increment the saved return address by one so that execution resumes past the trailing byte. The extra byte and the return-address increment exist to break decompilers: a decompiler that does not know the int3/ret after the call is skipped at run time treats it as a real instruction and misanalyzes the function (for example, as ending right after the call).
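As an added example (not code from VMPImportFixer), the following Python sketches the non-emulation half of the job described above: scan a .text section for E8 calls whose target lands in the VMP section, decide the variant from the return address the stub leaves behind (call+6 means the trailing int3/ret byte was skipped, call+5 means the extra byte was a push before the call), and overwrite the six bytes of push/call or call/int3 with an FF 15 call through an IAT slot. The section addresses, stub results and IAT slots are constructed, and the solve_stub callback is a stand-in for emulating the stub that returns what emulation would observe. It also shows the x86 encoding (absolute IAT address) next to the x64 RIP-relative one.

```python
"""Scan for VMProtect import-protection call sites and rewrite them as IAT calls.

Added example, not VMPImportFixer code. The layout, stub results and IAT
slots below are constructed so the script runs offline.
"""
import struct

TEXT_VA = 0x140001000          # assumed .text base
VMP_VA = 0x140010000           # assumed .vmp0 base
VMP_SIZE = 0x1000


def _rel32(buf, off):
    return struct.unpack_from("<i", buf, off)[0]


def find_vmp_calls(text, text_va, vmp_va, vmp_size):
    """Return (call_va, stub_va) for every E8 rel32 whose target is in the VMP section."""
    sites = []
    for off in range(len(text) - 4):
        if text[off] != 0xE8:
            continue
        call_va = text_va + off
        target = call_va + 5 + _rel32(text, off + 1)
        if vmp_va <= target < vmp_va + vmp_size:
            sites.append((call_va, target))
    return sites


def classify(call_va, ret_va):
    """Decide the variant from the return address the stub left on the stack.

    call_va + 6: the stub bumped the return address past a trailing int3/ret,
                 so the 6-byte patch starts at the E8 itself.
    call_va + 5: nothing was skipped, so the extra byte is the push reg before
                 the call and the patch starts one byte earlier.
    """
    if ret_va == call_va + 6:
        return "call/int3", call_va          # same shape for call/ret
    if ret_va == call_va + 5:
        return "push/call", call_va - 1
    raise ValueError(f"unexpected return address {ret_va:#x} for call at {call_va:#x}")


def encode_iat_call(site_va, iat_slot_va, x64=True):
    """FF 15 disp32: RIP-relative on x64, absolute slot address on x86 (6 bytes each)."""
    if x64:
        return b"\xFF\x15" + struct.pack("<i", iat_slot_va - (site_va + 6))
    return b"\xFF\x15" + struct.pack("<I", iat_slot_va)


def fix_text(text, text_va, vmp_va, vmp_size, solve_stub, iat_slots, x64=True):
    """Return (patched_text, report).

    solve_stub(stub_va, call_va) -> (import_va, ret_va) reports what the stub
    leaves behind at its final RET; in a real tool this is the emulator.
    """
    out = bytearray(text)
    report = []
    for call_va, stub_va in find_vmp_calls(text, text_va, vmp_va, vmp_size):
        import_va, ret_va = solve_stub(stub_va, call_va)
        variant, site_va = classify(call_va, ret_va)
        off = site_va - text_va
        out[off:off + 6] = encode_iat_call(site_va, iat_slots[import_va], x64)
        report.append((site_va, stub_va, variant, import_va))
    return bytes(out), report


# --- constructed sample data (hypothetical addresses) ------------------------
IMPORT_A, IMPORT_B = 0x7FF800001000, 0x7FF800002000
IAT_SLOTS = {IMPORT_A: 0x140003000, IMPORT_B: 0x140003008}
# stub_va -> (import it resolves to, whether it increments the return address)
STUBS = {VMP_VA + 0x100: (IMPORT_A, True), VMP_VA + 0x200: (IMPORT_B, False)}


def fake_solver(stub_va, call_va):
    """Stand-in for emulation: returns the import and the adjusted return address."""
    import_va, skips_byte = STUBS[stub_va]
    return import_va, call_va + 5 + (1 if skips_byte else 0)


def build_sample_text():
    text = bytearray(b"\x90" * 0x100)
    # 0x10: call stub_A ; int3          (call/int3 variant)
    text[0x10:0x16] = b"\xE8" + struct.pack("<i", VMP_VA + 0x100 - (TEXT_VA + 0x15)) + b"\xCC"
    # 0x40: push rax ; call stub_B      (push/call variant)
    text[0x40:0x46] = b"\x50\xE8" + struct.pack("<i", VMP_VA + 0x200 - (TEXT_VA + 0x46))
    # 0x80: ordinary intra-.text call, must be left untouched
    text[0x80:0x85] = b"\xE8" + struct.pack("<i", 0x10)
    return bytes(text)


if __name__ == "__main__":
    patched, report = fix_text(build_sample_text(), TEXT_VA, VMP_VA, VMP_SIZE,
                               fake_solver, IAT_SLOTS)
    for site_va, stub_va, variant, import_va in report:
        print(f"{site_va:#x}: {variant:9} stub {stub_va:#x} -> import {import_va:#x}")
```

Classifying purely from the bytes around the call is unreliable, because a genuine ret after a push/call site looks exactly like the call/ret variant; reading the return address the stub produces, as the emulator does, removes that ambiguity, which is why the example keys the decision on ret_va rather than on the neighbouring byte.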

With this in mind, I wrote a tool in a day that solves these calls. I was not happy with the public implementations for various reasons: one was closed-source and appeared to be tied to a debugger, and the other lifts the stubs into an IL, which seems impractical for this problem. I went the emulation route instead, since executing each stub trivially yields the import address and works for both x86 and x86-64.

VMPImportFixer is an all-in-one tool: a single build handles x86 processes even when run from an x64 context, so there is no need for architecture-dependent versions of the binary.

Usage

Usage:  VMPImportFixer
  -p            (required) process name/process id
  -mod:         (optional) name of module to dump.
  -section:     (optional) VMP section name to use if changed from default (VMP allows custom names)

Examples

Images
  • Before / After (example 1)
  • Before / After (example 2)

TODO

  • Add support for loading binaries off the disk into a state where it can be monitored at specific stages (such as unpacking) then fixed.
  • Add relocation handling on X86 binaries.
  • Kernel support.

Dependencies

Credits

mrexodia for his contribution to HookHunter regarding ReadMemory inside the Process class.

Issues
  • Multiple sections?

    I'm looking at a packed .DLL (not a packed .exe)

    [info] Using base address: 7FFBA6FE0000
    [info] Found .text section at virtual address 1000
    [info] Found .Rdf2 section at virtual address A11000
    [info] Found call to .Rdf2 in .text @ 7FFBA6FE1042 (call to 7FFBA7B0D92F)
    [info] Found call to .Rdf2 in .text @ 7FFBA6FEA1B0 (call to 7FFBA8462ABA)
    [info] Found call to .Rdf2 in .text @ 7FFBA6FF3068 (call to 7FFBA7DCB27C)
    [info] Found call to .Rdf2 in .text @ 7FFBA6FF48AE (call to 7FFBA7A6CAC2)
    [info] Found call to .Rdf2 in .text @ 7FFBA6FF4A82 (call to 7FFBA7E6CC96)
    [info] Found call to .Rdf2 in .text @ 7FFBA70061D3 (call to 7FFBA7A0E5E7)
    [info] Found call to .Rdf2 in .text @ 7FFBA7006DFF (call to 7FFBA800F213)
    [info] Found call to .Rdf2 in .text @ 7FFBA700B78D (call to 7FFBA84944DA)
    [info] Found call to .Rdf2 in .text @ 7FFBA700CF02 (call to 7FFBA7D0D226)
    [info] Found call to .Rdf2 in .text @ 7FFBA700CF23 (call to 7FFBA7D0D247)
    [error] Emulation failed with error: 6
    [error] Emulation failed with error: 10
    [error] Emulation failed with error: 6
    [error] Emulation failed with error: 10
    [error] Emulation failed with error: 10
    [error] Emulation failed with error: 6
    [error] Emulation failed with error: 10
    [error] Emulation failed with error: 6
    [error] Emulation failed with error: 10
    [error] Emulation failed with error: 6
    [info] Finished, writing to dumps/HaspEmul.dll.fixed
    
    opened by brandonros 0
  • [critical] Unable to find .text section!

    Tried to dump a vmprotected exe with the command: VMPImportFixer.exe -p 41772 -section .UPX0 .UPX1 .UPX2 (they renamed the sections)

    The output of this command is:

    [info] Pushing module J:\GSA Proxy Scraper 3_53\{app}\Proxy_Scraper2.exe located @ 0x400000
    [info] Pushing module C:\WINDOWS\SYSTEM32\ntdll.dll located @ 0x77230000
    [critical] Unable to read memory at 75A41000
    [critical] Unable to read memory at 75AB6000
    [critical] Unable to read memory at 75AEB000
    [critical] Unable to read memory at 75AF1000
    [critical] Unable to read memory at 75B01000
    [critical] Unable to read memory at 75B11000
    [critical] Unable to read memory at 75B25000
    [info] Pushing module C:\WINDOWS\System32\KERNEL32.DLL located @ 0x75A40000
    [info] Pushing module C:\WINDOWS\System32\KERNELBASE.dll located @ 0x76880000
    [info] Pushing module C:\WINDOWS\System32\user32.dll located @ 0x755A0000
    [info] Pushing module C:\WINDOWS\System32\win32u.dll located @ 0x75B40000
    [info] Pushing module C:\WINDOWS\System32\GDI32.dll located @ 0x76740000
    [info] Pushing module C:\WINDOWS\System32\gdi32full.dll located @ 0x76520000
    [info] Pushing module C:\WINDOWS\System32\msvcp_win.dll located @ 0x752C0000
    [info] Pushing module C:\WINDOWS\System32\ucrtbase.dll located @ 0x75400000
    [info] Pushing module C:\WINDOWS\System32\advapi32.dll located @ 0x75520000
    [info] Pushing module C:\WINDOWS\System32\msvcrt.dll located @ 0x750C0000
    [info] Pushing module C:\WINDOWS\System32\sechost.dll located @ 0x75040000
    [info] Pushing module C:\WINDOWS\System32\RPCRT4.dll located @ 0x75340000
    [info] Pushing module C:\WINDOWS\System32\oleaut32.dll located @ 0x75990000
    [info] Pushing module C:\WINDOWS\System32\combase.dll located @ 0x75CD0000
    [info] Pushing module C:\WINDOWS\System32\wintrust.dll located @ 0x75260000
    [info] Pushing module C:\WINDOWS\System32\ole32.dll located @ 0x757B0000
    [info] Pushing module C:\WINDOWS\SYSTEM32\version.dll located @ 0x73560000
    [info] Pushing module C:\WINDOWS\System32\shell32.dll located @ 0x76C10000
    [info] Pushing module C:\WINDOWS\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.22000.1_none_6ec7c6847ea94424\comctl32.dll located @ 0x697F0000
    [info] Pushing module C:\WINDOWS\System32\comdlg32.dll located @ 0x76B50000
    [info] Pushing module C:\WINDOWS\System32\shcore.dll located @ 0x75190000
    [info] Pushing module C:\WINDOWS\System32\SHLWAPI.dll located @ 0x76830000
    [info] Pushing module C:\WINDOWS\SYSTEM32\winspool.drv located @ 0x72F00000
    [info] Pushing module C:\WINDOWS\SYSTEM32\wsock32.dll located @ 0x64BF0000
    [info] Pushing module C:\WINDOWS\SYSTEM32\winmm.dll located @ 0x74F80000
    [info] Pushing module C:\WINDOWS\SYSTEM32\WS2_32.dll located @ 0x739A0000
    [info] Pushing module C:\WINDOWS\System32\IMM32.DLL located @ 0x76770000
    [info] Pushing module C:\WINDOWS\System32\CRYPT32.dll located @ 0x763A0000
    [info] Pushing module C:\WINDOWS\SYSTEM32\MSASN1.dll located @ 0x75030000
    [info] Pushing module C:\WINDOWS\system32\uxtheme.dll located @ 0x734B0000
    [info] Pushing module C:\WINDOWS\SYSTEM32\FaultRep.dll located @ 0x79570000
    [info] Pushing module C:\WINDOWS\SYSTEM32\ntmarta.dll located @ 0x75000000
    [info] Pushing module C:\WINDOWS\System32\MSCTF.dll located @ 0x76660000
    [info] Pushing module C:\WINDOWS\SYSTEM32\olepro32.dll located @ 0x53050000
    [info] Pushing module C:\WINDOWS\SYSTEM32\libcrypto-1_1.dll located @ 0x7B210000
    [info] Pushing module C:\WINDOWS\SYSTEM32\VCRUNTIME140.dll located @ 0x690B0000
    [info] Pushing module C:\WINDOWS\SYSTEM32\libssl-1_1.dll located @ 0x7B480000
    [info] Pushing module C:\WINDOWS\SYSTEM32\CRYPTSP.dll located @ 0x74B60000
    [info] Pushing module C:\WINDOWS\system32\rsaenh.dll located @ 0x74B30000
    [info] Pushing module C:\WINDOWS\SYSTEM32\CRYPTBASE.dll located @ 0x74B20000
    [info] Pushing module C:\WINDOWS\System32\bcryptPrimitives.dll located @ 0x76AE0000
    [info] Pushing module C:\WINDOWS\SYSTEM32\iphlpapi.dll located @ 0x73920000
    [info] Pushing module C:\WINDOWS\SYSTEM32\SspiCli.dll located @ 0x73810000
    [info] Pushing module C:\WINDOWS\SYSTEM32\kernel.appcore.dll located @ 0x74FE0000
    [info] Pushing module C:\WINDOWS\SYSTEM32\TextShaping.dll located @ 0x66F60000
    [info] Pushing module C:\WINDOWS\SYSTEM32\windows.storage.dll located @ 0x73D80000
    [info] Pushing module C:\WINDOWS\SYSTEM32\wintypes.dll located @ 0x73C90000
    [info] Pushing module C:\WINDOWS\SYSTEM32\CFGMGR32.dll located @ 0x74790000
    [info] Pushing module C:\WINDOWS\System32\clbcatq.dll located @ 0x75900000
    [info] Pushing module C:\WINDOWS\system32\propsys.dll located @ 0x6B800000
    [info] Pushing module C:\WINDOWS\SYSTEM32\profapi.dll located @ 0x74D70000
    [info] Pushing module C:\WINDOWS\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_e541a94fcce8ed6d\comctl32.DLL located @ 0x744B0000
    [info] Pushing module C:\WINDOWS\SYSTEM32\WindowsCodecs.dll located @ 0x52AA0000
    [info] Pushing module C:\WINDOWS\system32\dataexchange.dll located @ 0x52E00000
    [info] Pushing module C:\WINDOWS\system32\twinapi.appcore.dll located @ 0x52C00000
    [info] Pushing module C:\WINDOWS\System32\PSAPI.dll located @ 0x75A30000
    [info] Pushing module C:\WINDOWS\SYSTEM32\textinputframework.dll located @ 0x55ED0000
    [info] Pushing module C:\WINDOWS\SYSTEM32\DWMAPI.DLL located @ 0x72ED0000
    [info] Pushing module C:\WINDOWS\System32\mswsock.dll located @ 0x73950000
    [info] Pushing module C:\WINDOWS\SYSTEM32\DNSAPI.dll located @ 0x73760000
    [info] Pushing module C:\WINDOWS\System32\NSI.dll located @ 0x75B30000
    [info] Pushing module C:\WINDOWS\System32\fwpuclnt.dll located @ 0x62BC0000
    [info] Pushing module C:\Windows\System32\rasadhlp.dll located @ 0x73750000
    [info] Pushing module C:\WINDOWS\SYSTEM32\ntdll.dll located @ 0x7FFB494C0000
    [info] Pushing module C:\WINDOWS\System32\wow64.dll located @ 0x7FFB475D0000
    [info] Pushing module C:\WINDOWS\System32\wow64base.dll located @ 0x7FFB48F00000
    [info] Pushing module C:\WINDOWS\System32\wow64win.dll located @ 0x7FFB484D0000
    [info] Pushing module C:\WINDOWS\System32\wow64con.dll located @ 0x7FFB48160000
    [info] Pushing module C:\WINDOWS\System32\wow64cpu.dll located @ 0x77220000
    [info] Using base address: 400000
    [critical] Unable to find .text section!
    

    Is there any way to fix this? I don't think you can add your own sections since vmprotect can detect if it is modified.

    opened by Aholicknight 0
Owner: Mike