Added VMProtect Anti Debug Bypass

Author: void-stack

README.md

@@ -19,23 +19,24 @@
 VMUnprotect.exe 
   -f, --file             Required. Path to file.
   --usetranspiler        (Default: false) Use an older method that makes use of Transpiler (not recommended).
-  --enableharmonylogs    (Default: true) Enable logs from Harmony.
+  --enableharmonylogs    (Default: false) Disable or Enable logs from Harmony.
+  --bypassantidebug      (Default: false) Bypass VMProtect Anti Debug.
   --help                 Display this help screen.
   --version              Display version information.
 ```
 
 # Supported Protections
 Note: ***All Supported Protections are working combined***
 
-Protection Name | Is supported | 
-------------- | :----: 
-Memory Protection | Yes 
-Import Protection | Yes 
-Resource Protection | Yes 
-Debugger Detection | Yes 
-Virtualization Tools | Yes 
-Strip Debug Information | Yes 
-Pack the Output File | No
+Protection Name         | Is supported 
+------------------------|-------------- 
+Memory Protection       | ✓  
+Import Protection       | ✓  
+Resource Protection     | ✓  
+Debugger Detection      | ✓  
+Virtualization Tools    | ✓ 
+Strip Debug Information | ✓  
+Pack the Output File    | ✓ 
 
 # Usage can be found in ```MiddleMan```
 ```csharp
@@ -91,11 +92,13 @@ namespace VMUnprotect.Core.MiddleMan {
 ## Current Features
 - Tracing invokes in virtualized methods.
 - Manipulating parameters and return values.
+- Bypass NtQueryInformationProcess, IsLogging, get_IsAttached
+
 
 ## Todo
 - Change this to support more VM's
 - VMP Stack tracing
-- Bypass VMP Debugger Detection
+- Bypass VMP Debugger Detection ✓
 - Bypass VMP CRC Check
 - Nice WPF GUI
 

VMUP/VMUnprotect.Core/CommandLineOptions.cs

@@ -8,7 +8,10 @@ public class CommandLineOptions {
         [Option(Default = false, HelpText = "Use an older method that makes use of Transpiler (not recommended).", Required = false)]
         public bool UseTranspiler { get; set; }
 
-        [Option(Default = true, HelpText = "Enable logs from Harmony.", Required = false)]
+        [Option(Default = false, HelpText = "Disable or Enable logs from Harmony.", Required = false)]
         public bool EnableHarmonyLogs { get; set; }
+
+        [Option(Default = false, HelpText = "Bypass VMProtect Anti Debug.", Required = false)]
+        public bool BypassAntiDebug { get; set; }
     }
 }

VMUP/VMUnprotect.Core/Context.cs

@@ -9,7 +9,7 @@ namespace VMUnprotect.Core {
     public class Context {
         public Context(ILogger logger, string vmpAssembly, CommandLineOptions options) {
             Harmony.DEBUG = options.EnableHarmonyLogs;
-            
+
             Logger = logger ?? throw new ArgumentNullException(nameof(logger));
             Options = options ?? throw new ArgumentNullException(nameof(options));
 

VMUP/VMUnprotect.Core/Engine.cs

@@ -11,17 +11,8 @@ public Engine(Context context) {
             Ctx = context;
             Logger = context.Logger;
         }
-        internal static Context Ctx
-            {
-                get;
-                private set;
-            } = null!;
-
-        public static ILogger Logger
-            {
-                get;
-                private set;
-            } = new EmptyLogger();
+        internal static Context Ctx { get; private set; } = null!;
+        public static ILogger Logger { get; private set; } = new EmptyLogger();
 
         public void Start() {
             var fileEntryPoint = Ctx.VmpAssembly.EntryPoint;
@@ -41,7 +32,7 @@ public void Start() {
             RuntimeHelpers.RunModuleConstructor(moduleHandle);
 
             Logger.Info("--- Invoking assembly.\n");
-            fileEntryPoint.Invoke(null, parameters.Length == 0 ? null : new object[] {null!});
+            fileEntryPoint.Invoke(null, parameters.Length == 0 ? null : new object[] {new[] {string.Empty}}); // parse arguments from commandlineoptions
         }
         private static void ApplyHooks() {
             try {

VMUP/VMUnprotect.Core/Helpers/Formatter.cs

@@ -13,7 +13,7 @@ public static string FormatObject(object obj) {
                     null                   => "null",
                     string x               => $"\"{x}\"",
                     IEnumerable enumerable => $"{obj.GetType().Name} {{{string.Join(", ", enumerable.Cast<object>().Select(FormatObject))}}}",
-                    _                      => obj.ToString()
+                    var _                  => obj.ToString()
                 };
             }
             catch (Exception) {

VMUP/VMUnprotect.Core/Hooks/Methods/GetCallingAssemblyPatch.cs

@@ -0,0 +1,79 @@
+using HarmonyLib;
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Linq;
+using System.Reflection;
+
+namespace VMUnprotect.Core.Hooks.Methods {
+    /// <summary>
+    ///     Honestly, I Don't know about this, need better Idea
+    /// </summary>
+    public static class VmProtectBypassAntiDebug {
+        public static bool Filter(out object __result, object obj, IList<object> arguments, MethodInfo? methodInfo) {
+            if (!Engine.Ctx.Options.BypassAntiDebug) {
+                __result = true; // dont skip original function
+                return true;
+            }
+
+            // GetExecutingAssembly.Get_Location() check 
+            if (methodInfo == GetExecutingAssembly) {
+                __result = Engine.Ctx.VmpAssembly;
+                return false;
+            }
+
+            // Bypass IsLogging
+            if (methodInfo == IsLogging) {
+                __result = false;
+                return false; // skip function and set __result to false
+            }
+
+            // Bypass GetIsAttached
+            if (methodInfo == GetIsAttached) {
+                __result = false;
+                return false; // skip function and set __result to false
+            }
+
+            // Bypass NtQueryInformationProcess
+            /*__kernel_entry NTSTATUS NtQueryInformationProcess(
+                [in]            HANDLE           ProcessHandle,
+                [in]            PROCESSINFOCLASS ProcessInformationClass,
+                [out]           PVOID            ProcessInformation,
+                [in]            ULONG            ProcessInformationLength,
+                [out, optional] PULONG           ReturnLength
+            );*/
+
+            // ReSharper disable once ConditionIsAlwaysTrueOrFalse
+            if (obj is not null && obj.Equals(NtQueryInformationProcessDelegate))
+                arguments[2] = (IntPtr) 0x0; // [out] PVOID ProcessInformation = 0x0
+
+            __result = true; // dont skip original function
+            return true;
+        }
+
+        /// <summary>
+        ///     There's a function that takes "NtQueryInformationProcess" and converts it into IntPtr for
+        ///     GetDelegateForFunctionPointer.
+        /// </summary>
+        public static void FindNtQueryInformationProcessDelegate(object __result, object[] parameters) {
+            if (!Engine.Ctx.Options.BypassAntiDebug)
+                return;
+
+            // Steal IntPtr
+            if (parameters.Any(x => x.Equals("NtQueryInformationProcess")))
+                _ntQueryInformationProcessPtr = (IntPtr) __result;
+
+            // Steal Delegate
+            if (parameters.Any(x => x.Equals(_ntQueryInformationProcessPtr)))
+                NtQueryInformationProcessDelegate = (Delegate) __result;
+        }
+
+        #region VMP_ANTIDEBUG_FUNCTIONS
+        private static IntPtr _ntQueryInformationProcessPtr = new(0x0);
+        private static Delegate? NtQueryInformationProcessDelegate { get; set; }
+        private static MethodInfo? GetExecutingAssembly => AccessTools.Method(typeof(Assembly), nameof(Assembly.GetExecutingAssembly));
+        private static MethodInfo? GetIsAttached => AccessTools.Method(typeof(Debugger), "get_IsAttached");
+        private static MethodInfo? IsLogging => AccessTools.Method(typeof(Debugger), "IsLogging");
+        #endregion
+    }
+}

VMUP/VMUnprotect.Core/Hooks/Methods/GetEntryAssemblyPatch.cs

@@ -12,7 +12,6 @@ namespace VMUnprotect.Core.Hooks.Methods {
     internal class Targets {
         private static readonly ILogger Logger = Engine.Logger;
 
-
         /// <summary>
         ///     This function is used by current VMProtect version.
         /// </summary>
@@ -114,7 +113,6 @@ public object HookedInvokeOld(object obj, object[] parameters, MethodBase method
     public static class VmProtectDumperTranspiler {
         private static readonly ILogger Logger = Engine.Logger;
 
-
         /// <summary>A transpiler that replaces all occurrences of a given method with another with additional Ldarg_1 instruction</summary>
         /// <param name="instructions">The enumeration of <see cref="T:HarmonyLib.CodeInstruction" /> to act on</param>
         /// <param name="from">Method to search for</param>

VMUP/VMUnprotect.Core/Hooks/Methods/VmProtectBypassAntiDebug.cs

@@ -1,4 +1,5 @@
 using System.Diagnostics;
+using System.Reflection;
 using VMUnprotect.Core.Abstraction;
 using VMUnprotect.Core.MiddleMan;
 
@@ -13,20 +14,26 @@ public static class VmProtectDumperUnsafeInvoke {
         /// <summary>
         ///     Prefix of UnsafeInvoke, this runs before.
         /// </summary>
-        public static void InvokePrefix(ref object __instance, ref object obj, ref object[] parameters, ref object[] arguments) {
+        public static bool InvokePrefix(ref object __result, ref object __instance, ref object obj, ref object[] parameters, ref object[] arguments) {
             // Check if this invoke is coming from VMP Handler
             var isVmpFunction = Engine.Ctx.RuntimeStructure?.FunctionHandler != null
                                 && Engine.Ctx.RuntimeStructure != null
                                 && new StackTrace().GetFrame(3).GetMethod().MetadataToken == Engine.Ctx.RuntimeStructure.FunctionHandler.MDToken.ToInt32();
-
             if (!isVmpFunction)
-                return;
+                return true;
+
+            var methodInfo = (MethodInfo) __instance;
+
+            // Skip debugging functions
+            if (!VmProtectBypassAntiDebug.Filter(out __result, obj, arguments, methodInfo))
+                return false;
 
             CtxLogger.Info("VmProtectDumperUnsafeInvoke Prefix:");
             CtxLogger.Warn("{");
-            UnsafeInvokeMiddleMan.Prefix(ref __instance, ref obj, ref parameters, ref arguments);
+            return UnsafeInvokeMiddleMan.Prefix(ref __result, ref __instance, ref obj, ref parameters, ref arguments);
         }
 
+
         /// <summary>
         ///     Postfix of UnsafeInvoke, this runs after.
         /// </summary>
@@ -35,10 +42,12 @@ public static void InvokePostfix(ref object __instance, ref object __result, ref
             var isVmpFunction = Engine.Ctx.RuntimeStructure?.FunctionHandler != null
                                 && Engine.Ctx.RuntimeStructure != null
                                 && new StackTrace().GetFrame(3).GetMethod().MetadataToken == Engine.Ctx.RuntimeStructure.FunctionHandler.MDToken.ToInt32();
-
             if (!isVmpFunction)
                 return;
 
+            // Find NtQueryInformationProcessDelegate
+            VmProtectBypassAntiDebug.FindNtQueryInformationProcessDelegate(__result, parameters);
+
             // Log it
             CtxLogger.Info("VmProtectDumperUnsafeInvoke Result:");
             UnsafeInvokeMiddleMan.Postfix(ref __instance, ref __result, ref obj, ref parameters, ref arguments);