AntiDebug Cleanup

Author: void-stack

VMUP/VMUnprotect.Core/Engine.cs

@@ -14,6 +14,10 @@ public Engine(Context context) {
         internal static Context Ctx { get; private set; } = null!;
         public static ILogger Logger { get; private set; } = new EmptyLogger();
 
+
+        /// <summary>
+        ///     Prepare assembly to launch
+        /// </summary>
         public void Start() {
             var fileEntryPoint = Ctx.VmpAssembly.EntryPoint;
             var moduleHandle = Ctx.VmpAssembly.ManifestModule.ModuleHandle;
@@ -34,15 +38,22 @@ public void Start() {
             Logger.Info("--- Invoking assembly.\n");
             fileEntryPoint.Invoke(null, parameters.Length == 0 ? null : new object[] {new[] {string.Empty}}); // parse arguments from commandlineoptions
         }
+
+        /// <summary>
+        ///     Apply Harmony Patches
+        /// </summary>
         private static void ApplyHooks() {
             try {
                 HooksManager.HooksApply(Ctx);
             }
             catch (Exception ex) {
-                Logger.Error("Failed to apply Harmony patches: {0}", ex.StackTrace);
+                Logger.Error("Failed to apply Harmony patches: {0}", ex);
             }
         }
 
+        /// <summary>
+        ///     Search for VMProtect Function Handler, etc...
+        /// </summary>
         private void AnalyzeStructure() {
             try {
                 VmAnalyzer.Run(Ctx);

VMUP/VMUnprotect.Core/Hooks/HooksManager.cs

@@ -1,6 +1,5 @@
 using HarmonyLib;
 using System;
-using System.Reflection;
 using VMUnprotect.Core.Abstraction;
 using VMUnprotect.Core.Hooks.Methods;
 
@@ -37,12 +36,18 @@ internal static void HooksApply(Context ctx) {
 
                     // Apply transpiler to the function handler (This is old method not recommended)
                     ctx.Harmony.Patch(resolvedVmpHandler, transpiler: new HarmonyMethod(transpiler));
-                }
-                    break;
+                } break;
                 case false: {
+                    var runtimeMethodInfoType = AccessTools.TypeByName("System.Reflection.RuntimeMethodInfo");
+
+                    if (runtimeMethodInfoType is null)
+                        throw new Exception("Failed to find System.Reflection.RuntimeMethodInfo");
+
                     // Get method for patch
-                    var invokeMethod = typeof(object).Assembly.GetType("System.Reflection.RuntimeMethodInfo")
-                        .GetMethod("UnsafeInvokeInternal", BindingFlags.NonPublic | BindingFlags.Instance);
+                    var invokeMethod = AccessTools.DeclaredMethod(runtimeMethodInfoType, "UnsafeInvokeInternal");
+
+                    if (invokeMethod is null)
+                        throw new Exception($"Failed to find {nameof(runtimeMethodInfoType)}.UnsafeInvokeInternal");
 
                     // Prepare prefix and postfix
                     var prefix = typeof(VmProtectDumperUnsafeInvoke).GetMethod(nameof(VmProtectDumperUnsafeInvoke.InvokePrefix));
@@ -51,8 +56,7 @@ internal static void HooksApply(Context ctx) {
                     // Patch
                     ctx.Harmony.Patch(invokeMethod, new HarmonyMethod(prefix));
                     ctx.Harmony.Patch(invokeMethod, postfix: new HarmonyMethod(postfix));
-                }
-                    break;
+                } break;
             }
         }
     }

VMUP/VMUnprotect.Core/Hooks/Methods/DebugIsAttachedPatch.cs

@@ -0,0 +1,26 @@
+using HarmonyLib;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Linq;
+using System.Reflection.Emit;
+using VMUnprotect.Core.Abstraction;
+
+namespace VMUnprotect.Core.Hooks.Methods {
+    [HarmonyPatch(typeof(Debugger), "get_IsAttached")]
+    public class DebugIsAttachedPatch {
+        private static ILogger CtxLogger => Engine.Ctx.Logger;
+
+        /// <summary>
+        ///     Transpiler overwrites body so we can't just return
+        /// </summary>
+        public static IEnumerable<CodeInstruction> Transpiler(IEnumerable<CodeInstruction> instructions) {
+            var codes = new List<CodeInstruction>(instructions) {
+                new(OpCodes.Ldc_I4_0),
+                new(OpCodes.Ret)
+            };
+
+            //MessageBox.Show("IsAttached returned false", "IsAttached");
+            return codes.AsEnumerable();
+        }
+    }
+}

VMUP/VMUnprotect.Core/Hooks/Methods/DebugIsLoggingPatch.cs

@@ -0,0 +1,26 @@
+using HarmonyLib;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Linq;
+using System.Reflection.Emit;
+using VMUnprotect.Core.Abstraction;
+
+namespace VMUnprotect.Core.Hooks.Methods {
+    [HarmonyPatch(typeof(Debugger), nameof(Debugger.IsLogging))]
+    public class DebugIsLoggingPatch {
+        private static ILogger CtxLogger => Engine.Ctx.Logger;
+
+        /// <summary>
+        ///     Transpiler overwrites body so we can't just return
+        /// </summary>
+        public static IEnumerable<CodeInstruction> Transpiler(IEnumerable<CodeInstruction> instructions) {
+            var codes = new List<CodeInstruction>(instructions) {
+                new(OpCodes.Ldc_I4_0),
+                new(OpCodes.Ret)
+            };
+
+            //MessageBox.Show("IsAttached returned false", "IsAttached");
+            return codes.AsEnumerable();
+        }
+    }
+}

VMUP/VMUnprotect.Core/Hooks/Methods/GetCallingAssemblyPatch.cs

@@ -0,0 +1,20 @@
+using HarmonyLib;
+using System.Reflection;
+using VMUnprotect.Core.Abstraction;
+
+namespace VMUnprotect.Core.Hooks.Methods {
+    /// <summary>
+    ///     Harmony Patch for GetCallingAssembly
+    /// </summary>
+    [HarmonyPatch(typeof(Assembly), nameof(Assembly.GetCallingAssembly))]
+    public class GetCallingAssemblyPatch {
+        private static ILogger CtxLogger => Engine.Ctx.Logger;
+        public static void Postfix(ref Assembly __result) {
+            if (__result != typeof(string).Assembly)
+                return;
+
+            //MessageBox.Show($"Swapped {__result.FullName} | GetCallingAssembly", "GetCallingAssembly");
+            __result = Engine.Ctx.VmpAssembly;
+        }
+    }
+}

VMUP/VMUnprotect.Core/Hooks/Methods/GetEntryAssemblyPatch.cs

@@ -0,0 +1,21 @@
+using HarmonyLib;
+using System.Reflection;
+using VMUnprotect.Core.Abstraction;
+
+namespace VMUnprotect.Core.Hooks.Methods {
+    /// <summary>
+    ///     Harmony Patch for GetEntryAssembly
+    /// </summary>
+    [HarmonyPatch(typeof(Assembly), nameof(Assembly.GetEntryAssembly))]
+    public class GetEntryAssemblyPatch {
+        private static ILogger CtxLogger => Engine.Ctx.Logger;
+
+        public static void Postfix(ref Assembly __result) {
+            if (__result != typeof(string).Assembly)
+                return;
+
+            //MessageBox.Show($"Swapped {__result.FullName} | GetEntryAssembly", "GetEntryAssembly");
+            __result = Engine.Ctx.VmpAssembly;
+        }
+    }
+}

VMUP/VMUnprotect.Core/Hooks/Methods/GetExecutingAssemblyPatch.cs

@@ -0,0 +1,21 @@
+using HarmonyLib;
+using System.Reflection;
+using VMUnprotect.Core.Abstraction;
+
+namespace VMUnprotect.Core.Hooks.Methods {
+    /// <summary>
+    ///     Harmony Patch for GetExecutingAssembly
+    /// </summary>
+    [HarmonyPatch(typeof(Assembly), nameof(Assembly.GetExecutingAssembly))]
+    public class GetExecutingAssemblyPatch {
+        private static ILogger CtxLogger => Engine.Ctx.Logger;
+
+        public static void Postfix(ref Assembly __result) {
+            if (__result != typeof(string).Assembly)
+                return;
+
+            //MessageBox.Show($"Swapped {__result.FullName} | GetExecutingAssembly", "GetExecutingAssembly");
+            __result = Engine.Ctx.VmpAssembly;
+        }
+    }
+}

VMUP/VMUnprotect.Core/Hooks/Methods/NtQueryInformationProcessPatch.cs

@@ -0,0 +1,38 @@
+using System;
+using System.Linq;
+
+namespace VMUnprotect.Core.Hooks.Methods {
+    public static class NtQueryInformationProcessPatch {
+        private static IntPtr _ntQueryInformationProcessPtr = new(0x0);
+        private static Delegate? NtQueryInformationProcessDelegate { get; set; }
+
+        public static void OverwriteProcessInformation(object obj, ref object[] arguments) {
+            if (!Engine.Ctx.Options.BypassAntiDebug)
+                return;
+
+            /*__kernel_entry NTSTATUS NtQueryInformationProcess(
+                [in]            HANDLE           ProcessHandle,
+                [in]            PROCESSINFOCLASS ProcessInformationClass,
+                [out]           PVOID            ProcessInformation,
+                [in]            ULONG            ProcessInformationLength,
+                [out, optional] PULONG           ReturnLength
+            );*/
+
+            if (obj is not null && obj.Equals(NtQueryInformationProcessDelegate))
+                arguments[2] = (IntPtr) 0x0; // [out] PVOID ProcessInformation = 0x0
+        }
+
+        public static void GetDelegateForFunctionPointer(object __result, object[] parameters) {
+            if (!Engine.Ctx.Options.BypassAntiDebug)
+                return;
+
+            // Steal IntPtr 
+            if (parameters.Any(x => x.Equals("NtQueryInformationProcess")))
+                _ntQueryInformationProcessPtr = (IntPtr) __result;
+
+            // Steal Delegate
+            if (parameters.Any(x => x.Equals(_ntQueryInformationProcessPtr)))
+                NtQueryInformationProcessDelegate = (Delegate) __result;
+        }
+    }
+}

VMUP/VMUnprotect.Core/Hooks/Methods/VmProtectBypassAntiDebug.cs

@@ -1,5 +1,4 @@
 using System.Diagnostics;
-using System.Reflection;
 using VMUnprotect.Core.Abstraction;
 using VMUnprotect.Core.MiddleMan;
 
@@ -22,18 +21,14 @@ public static bool InvokePrefix(ref object __result, ref object __instance, ref
             if (!isVmpFunction)
                 return true;
 
-            var methodInfo = (MethodInfo) __instance;
-
-            // Skip debugging functions
-            if (!VmProtectBypassAntiDebug.Filter(out __result, obj, arguments, methodInfo))
-                return false;
+            // Bypass NtQueryInformationProcess Anti Debug Feature
+            NtQueryInformationProcessPatch.OverwriteProcessInformation(obj, ref arguments);
 
             CtxLogger.Info("VmProtectDumperUnsafeInvoke Prefix:");
             CtxLogger.Warn("{");
             return UnsafeInvokeMiddleMan.Prefix(ref __result, ref __instance, ref obj, ref parameters, ref arguments);
         }
 
-
         /// <summary>
         ///     Postfix of UnsafeInvoke, this runs after.
         /// </summary>
@@ -45,8 +40,8 @@ public static void InvokePostfix(ref object __instance, ref object __result, ref
             if (!isVmpFunction)
                 return;
 
-            // Find NtQueryInformationProcessDelegate
-            VmProtectBypassAntiDebug.FindNtQueryInformationProcessDelegate(__result, parameters);
+            // Steal delegate for NtQueryInformationProcess
+            NtQueryInformationProcessPatch.GetDelegateForFunctionPointer(__result, parameters);
 
             // Log it
             CtxLogger.Info("VmProtectDumperUnsafeInvoke Result:");