Samuel Chevet SecurityDay2015 Inside VMProtect .pdf

File information


Original filename: Samuel Chevet - SecurityDay2015 - Inside VMProtect.pdf
Title: Inside VMProtect
Author: Samuel Chevet

This PDF 1.5 document has been generated by LaTeX with Beamer class version 3.27 / pdfTeX-1.40.14, and has been sent on pdf-archive.com on 21/04/2018 at 09:08.
File size: 512 KB (57 pages).

Inside VMProtect
Samuel Chevet

16 January 2015

Outline: Introduction, Internal, Analysis, VM Logic, Conclusion

Samuel Chevet

Agenda

Describe what VMProtect is
Introduce code virtualization in software protection
Methods for circumvention
VM logic


Warning

Some assumptions are made in this presentation
Only a few binaries have been studied
Mostly 64-bit targets


Plan

1. Introduction

Software-based protection

Content of the executable’s sections is encrypted and/or compressed
Append new code for decrypting/decompressing the sections
Add all kinds of anti-debug, anti-VM, . . .
Executable’s entrypoint is redirected into this new code
Execution is transferred back to the original entrypoint after decryption/decompression


VMProtect

Memory protection
Allows protection of the file image in memory from any changes
Integrity is checked before giving execution to the original entry point


VMProtect

Import protection
All entries used by the original binary are removed from the Import Table
Append code redirection for API calls
Replace CALL DWORD PTR [@IAT] / CALL QWORD PTR [@IAT] (encoded on 6 bytes) by CALL VMProtect.section (encoded on 5 bytes)
1 byte left: two variations
Before: fake push (stack will be readjusted during redirection)
After: dead code (increment the return address during redirection)

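Added example, not code from the slides: a Python model of the 6-to-5-byte import redirection described above, together with the fix-up the redirection stub must perform for each variant. Assumptions: a 64-bit image at a constructed base address, one stub address in the protector's section, `push rax` as the fake push and a NOP as the dead byte; the protector's actual filler bytes and stub code are not given on the page.

```python
import struct

IMAGE_BASE = 0x140000000      # constructed sample image base, not from the slides
CALL_IAT = b"\xff\x15"        # FF 15 disp32 : CALL QWORD PTR [rip+disp32], 6 bytes
CALL_REL = 0xE8               # E8 rel32     : CALL rel32, 5 bytes
FAKE_PUSH = b"\x50"           # push rax: assumed 1-byte filler for the "before" variant
DEAD_BYTE = b"\x90"           # assumed filler for the "after" variant; never executed

def rewrite_iat_call(code: bytes, site: int, stub: int, variant: str) -> bytes:
    """Replace the 6-byte CALL [IAT] at file offset `site` with a 5-byte CALL to
    `stub` (a VA in the protector's section) plus one filler byte."""
    if code[site:site + 2] != CALL_IAT:
        raise ValueError("no CALL [rip+disp32] at site")
    if variant == "before":       # filler first, then the call
        call_va = IMAGE_BASE + site + 1
        patch = FAKE_PUSH + bytes([CALL_REL]) + struct.pack("<i", stub - (call_va + 5))
    elif variant == "after":      # call first, then the dead byte
        call_va = IMAGE_BASE + site
        patch = bytes([CALL_REL]) + struct.pack("<i", stub - (call_va + 5)) + DEAD_BYTE
    else:
        raise ValueError(variant)
    return code[:site] + patch + code[site + 6:]

def run_call_site(code: bytes, site: int, variant: str):
    """Minimal emulation of the rewritten site. Returns (stack, target): the qwords
    the site pushed (top last) and the VA the CALL transfers to."""
    stack, pc = [], site
    if variant == "before":       # push rax: the pushed value itself is irrelevant
        if code[pc:pc + 1] != FAKE_PUSH:
            raise ValueError("expected fake push")
        stack.append(0)
        pc += 1
    if code[pc] != CALL_REL:
        raise ValueError("expected CALL rel32")
    rel = struct.unpack("<i", code[pc + 1:pc + 5])[0]
    ret_va = IMAGE_BASE + pc + 5  # rel32 is relative to the end of the CALL
    stack.append(ret_va)
    return stack, ret_va + rel

def stub_fixup(stack: list, variant: str) -> list:
    """What the redirection stub has to do so the real API sees the frame the
    original 6-byte CALL [IAT] would have left (return address = site + 6)."""
    if variant == "before":
        return [stack[-1]]        # readjust the stack: drop the fake qword
    if variant == "after":
        return [stack[-1] + 1]    # increment the return address past the dead byte
    raise ValueError(variant)
```

For both variants the frame after the stub's fix-up is identical to the one the original call would have produced, which is what lets the API return straight into the protected code.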
VMProtect

Resource protection
Encrypt resources: except icons, manifest and some other system types
Hook: LoadStringA/W, LdrFindResource_U, LdrAccessResource

License manager
Track your sales online and manage serial numbers
I have never worked on it

