This PDF 1.5 document has been generated by LaTeX with Beamer class version 3.27 / pdfTeX-1.40.14, and has been sent on pdf-archive.com on 21/04/2018 at 09:08, from IP address 24.251.x.x.
File size: 523.98 KB (57 pages).
Inside VMProtect
Introduction
Internal
Analysis
VM Logic
Conclusion
Inside VMProtect
Samuel Chevet
16 January 2015
Agenda
Describe what VMProtect is
Introduce code virtualization in software protection
Methods for circumvention
VM logic
Warning
Some assumptions are made in this presentation
Only a few binaries have been studied
Mostly 64-bit targets
Plan
1 Introduction
Software-based protection
Content of the executable's sections is encrypted and/or compressed
Append new code for decrypting/decompressing the sections
Add all kinds of anti-debug, anti-VM, ...
Executable's entrypoint is redirected into this new code
Execution is transferred back to the original entrypoint after decryption/decompression
VMProtect
Memory protection
Allows protection of the file image in memory from any changes
Integrity is checked before giving execution to the original entry point
Import protection
All entries used by the original binary are removed from the Import Table
Append code redirection for API calls
Replace CALL DWORD PTR [@IAT] / CALL QWORD PTR [@IAT] (encoded on 6 bytes)
By CALL VMProtect.section (encoded on 5 bytes)
1 byte left: two variations
Before: Fake push (stack will be readjusted during redirection)
After: Dead code (the return address is incremented during redirection)
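Added example (not from the original slides): a byte scan that lists the 5-byte E8 calls landing in a protector section and guesses which of the two one-byte variations fills the old 6-byte slot. The image base, the section bounds, the sample bytes and the reading of the fake push as a one-byte PUSH reg opcode (0x50-0x57) are assumptions made for illustration.

```python
import struct

PUSH_REG = range(0x50, 0x58)  # assumption: the fake push is a one-byte PUSH reg

def find_redirected_calls(code, base, sec_lo, sec_hi):
    """Linear byte scan (not a disassembler): list E8 calls landing in [sec_lo, sec_hi).

    Returns (call_va, target_va, variant, resume_va) tuples.
    """
    hits, i = [], 0
    while i + 5 <= len(code):
        if code[i:i + 2] == b"\xff\x15" and i + 6 <= len(code):
            i += 6  # untouched 6-byte CALL [IAT]; skip the whole instruction
            continue
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = base + i + 5 + rel  # rel32 is relative to the next instruction
            if sec_lo <= target < sec_hi:
                # Heuristic guess: a push opcode right before the call suggests "before".
                before = i > 0 and code[i - 1] in PUSH_REG
                variant = "push-before" if before else "filler-after"
                # Either way execution resumes at the end of the original 6-byte slot.
                resume = base + i + (5 if before else 6)
                hits.append((base + i, target, variant, resume))
                i += 5 if before else 6
                continue
        i += 1
    return hits

def _call(at_va, target):
    """Encode E8 rel32 placed at at_va and calling target."""
    return b"\xe8" + struct.pack("<i", target - (at_va + 5))

# Constructed sample: image base and protector section bounds are made up.
BASE, VMP_LO, VMP_HI = 0x401000, 0x480000, 0x4A0000
SAMPLE = (
    b"\x50" + _call(BASE + 1, 0x481000)      # fake push, then 5-byte call
    + _call(BASE + 6, 0x482000) + b"\xa5"    # 5-byte call, then one dead byte
    + b"\xff\x15\x00\x20\x40\x00"            # unpatched CALL [IAT]
    + _call(BASE + 18, 0x401100)             # ordinary local call, outside the section
)

if __name__ == "__main__":
    for call_va, target, variant, resume in find_redirected_calls(SAMPLE, BASE, VMP_LO, VMP_HI):
        print(f"{call_va:#x} -> {target:#x}  {variant}  resumes at {resume:#x}")
```

The variant label is only a hint, since a genuine push can precede a call of the second kind; confirm it against the redirection stub.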
Resource protection
Encrypt resources: except icons, manifest and some other system types
Hook:
LoadStringA/W
LdrFindResource_U
LdrAccessResource
License manager
Track your sales online and manage serial numbers
I have never worked on it
Samuel Chevet - SecurityDay2015 - Inside VMProtect.pdf (PDF, 523.98 KB)