Samuel Chevet SecurityDay2015 Inside VMProtect (PDF)




File information


Title: Inside VMProtect
Author: Samuel Chevet

This PDF 1.5 document was generated by LaTeX with Beamer class version 3.27 / pdfTeX-1.40.14.
File size: 523.98 KB (57 pages).

File preview


Inside VMProtect
Samuel Chevet
16 January 2015

Sections: Introduction, Internal, Analysis, VM Logic, Conclusion

Agenda

Describe what VMProtect is
Introduce code virtualization in software protection
Methods for circumvention
VM logic

Warning

Some assumptions are made in this presentation
Only a few binaries have been studied
Mostly 64-bit targets

Introduction

Software-based protection

The content of the executable's sections is encrypted and/or compressed
New code for decrypting/decompressing the sections is appended
All kinds of anti-debug, anti-VM, ... checks are added
The executable's entry point is redirected into this new code
Execution is transferred back to the original entry point after decryption/decompression
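As an added example, not code from the slides or from VMProtect, the following Python script checks a PE image for exactly the traits listed above: the entry point moved into an appended section, sections whose content is encrypted or compressed (high byte entropy), and sections left writable and executable so the appended code can decrypt in place. The PE32+ image it scans is constructed inline; the section name `.stub`, the entropy threshold of 7.0 and the RWX layout are illustrative assumptions, not facts from the presentation.

```python
import hashlib
import math
import struct

# Section characteristic flags (PE/COFF specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits of entropy per byte: close to 8.0 for encrypted/compressed data, low for code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image):
    """Minimal PE32/PE32+ header walk: returns (entry_point_rva, sections)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    sections, off = [], opt + size_opt
    for _ in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", image, off)
        name, vsize, va, rawsize, rawptr, chars = fields[0], fields[1], fields[2], fields[3], fields[4], fields[9]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize,
                         "raw": image[rawptr:rawptr + rawsize],
                         "characteristics": chars})
        off += 40
    return entry_rva, sections


def packer_indicators(image, entropy_threshold=7.0):
    """Report the packer traits: section owning the entry point, whether it is
    the last (appended) section, high-entropy sections, and RWX sections."""
    entry_rva, sections = parse_pe(image)
    ep_section = None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["raw"])):
            ep_section = s
    rwx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return {
        "entry_section": ep_section["name"] if ep_section else None,
        "entry_in_last_section": ep_section is not None and ep_section is sections[-1],
        "high_entropy_sections": [s["name"] for s in sections
                                  if shannon_entropy(s["raw"]) > entropy_threshold],
        "writable_executable": [s["name"] for s in sections
                                if s["characteristics"] & rwx == rwx],
    }


def build_sample_image():
    """Constructed PE32+ image (assumption, not a real protected binary): a
    low-entropy .text and an appended RWX .stub that owns the entry point."""
    text = b"\x55\x48\x89\xe5\x48\x83\xec\x20" * 512      # repetitive prologue bytes
    stub, chunk = b"", b"seed"
    while len(stub) < 4096:                              # deterministic pseudo-random bytes
        chunk = hashlib.sha256(chunk).digest()
        stub += chunk
    headers = bytearray(0x200)
    headers[0:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x40)                       # e_lfanew
    headers[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", headers, 0x44, 0x8664, 2, 0, 0, 0, 0xF0, 0x22)  # COFF header
    opt = 0x44 + 20
    struct.pack_into("<H", headers, opt, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", headers, opt + 16, 0x2010)                 # entry point inside .stub
    sec = opt + 0xF0
    struct.pack_into("<8sIIIIIIHHI", headers, sec, b".text", len(text), 0x1000,
                     len(text), 0x200, 0, 0, 0, 0,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    struct.pack_into("<8sIIIIIIHHI", headers, sec + 40, b".stub", len(stub), 0x2000,
                     len(stub), 0x200 + len(text), 0, 0, 0, 0,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return bytes(headers) + text + stub


if __name__ == "__main__":
    print(packer_indicators(build_sample_image()))
```

None of these indicators proves a binary is protected on its own (a legitimate linker can emit an RWX section, and resource-heavy images have high-entropy sections), but an entry point sitting in the last section that is both RWX and near 8 bits/byte is the layout the slide describes.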

VMProtect

Memory protection
Protects the file image in memory from any changes
Integrity is checked before execution is handed to the original entry point

VMProtect

Import protection
All entries used by the original binary are removed from the Import Table
Code redirection for API calls is appended
CALL DWORD PTR [@IAT] / CALL QWORD PTR [@IAT] (encoded in 6 bytes) is replaced by CALL VMProtect.section (encoded in 5 bytes)
1 byte left: two variations
Before: fake push (the stack is readjusted during redirection)
After: dead code (the return address is incremented during redirection)
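As an added example, not code from the slides or from VMProtect, this Python snippet works through the byte-level arithmetic of the import-protection slide on x64: it rewrites a 6-byte RIP-relative `CALL QWORD PTR [rip+disp32]` (FF 15 disp32) into the two "5-byte CALL plus one spare byte" shapes, classifies a 6-byte window back into "untouched IAT call", "fake push before" or "dead byte after", and models what the redirection stub must do to the stack so the API eventually returns to the instruction following the original call. The call-site and stub addresses, the choice of `push rax` (0x50) as the fake push and `nop` (0x90) as the dead byte are assumptions for illustration; the presentation only states that the spare byte is filled in one of these two ways.

```python
import struct

# x64 one-byte PUSH r64 opcodes (push rax .. push rdi). push r8..r15 need a REX
# prefix and would not fit the single spare byte. Assumption: the fake push is one of these.
ONE_BYTE_PUSH = {0x50 + r for r in range(8)}


def encode_call_rel32(insn_addr, target):
    """E8 rel32: the displacement is relative to the end of the 5-byte instruction."""
    return b"\xE8" + struct.pack("<i", target - (insn_addr + 5))


def rewrite_iat_call(call_addr, stub_addr, variant, push_opcode=0x50, dead_byte=0x90):
    """Replace the 6-byte IAT call at call_addr with a 5-byte direct CALL into the
    protector's stub plus one spare byte: 'before' puts a 1-byte fake push first,
    'after' appends a dead byte that is never executed."""
    if variant == "before":
        return bytes([push_opcode]) + encode_call_rel32(call_addr + 1, stub_addr)
    if variant == "after":
        return encode_call_rel32(call_addr, stub_addr) + bytes([dead_byte])
    raise ValueError(variant)


def classify_call_site(code, addr):
    """Decode the 6 bytes at addr. Returns (kind, target): 'iat' for an untouched
    RIP-relative import call (target is the IAT slot), 'before'/'after' for the
    two rewritten shapes (target is the stub), or None."""
    if code[:2] == b"\xFF\x15":
        disp = struct.unpack_from("<i", code, 2)[0]
        return "iat", addr + 6 + disp
    if code[0] == 0xE8:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "after", addr + 5 + rel
    if code[0] in ONE_BYTE_PUSH and code[1] == 0xE8:
        rel = struct.unpack_from("<i", code, 2)[0]
        return "before", addr + 1 + 5 + rel
    return None


def simulate_redirection(code, call_addr, pushed_reg_value=0xDEAD):
    """Model the CPU pushes and the stub's fix-up for a rewritten call site.
    Returns (return address after fix-up, stack slots the stub leaves behind)."""
    kind, _target = classify_call_site(code, call_addr)
    stack = []                               # top of stack is the end of the list
    if kind == "before":
        stack.append(pushed_reg_value)       # the 1-byte fake push
        stack.append(call_addr + 1 + 5)      # CALL pushes the address after itself
        ret = stack.pop()
        stack.pop()                          # stub readjusts the stack: drop the fake slot
        return ret, len(stack)
    if kind == "after":
        stack.append(call_addr + 5)          # CALL pushes the address of the dead byte
        ret = stack.pop() + 1                # stub increments the return address past it
        return ret, len(stack)
    raise ValueError("not a rewritten import call")


if __name__ == "__main__":
    call_addr, stub_addr = 0x140001000, 0x140050000   # constructed addresses
    for variant in ("before", "after"):
        code = rewrite_iat_call(call_addr, stub_addr, variant)
        print(variant, code.hex(), classify_call_site(code, call_addr),
              hex(simulate_redirection(code, call_addr)[0]))
```

Both variants end with the return address equal to `call_addr + 6`, which is why the rewrite is transparent to the caller. The 32-bit form `CALL DWORD PTR [imm32]` is also FF 15 followed by four bytes, but the operand is an absolute address rather than RIP-relative, so the `iat` branch above would need to return `imm32` directly on a 32-bit target. A linear-sweep disassembler will decode the dead byte of the "after" variant as the start of an instruction, which is part of the intended confusion.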

VMProtect

Resource protection
Resources are encrypted, except icons, the manifest and some other system types
Hooked functions:
LoadStringA/W
LdrFindResource_U
LdrAccessResource

License manager
Track your sales online and manage serial numbers
I have never worked on it





