Some PE modification questions.

Post by bangaladore »

I am trying to make a dll very secure from attacks, either dumping it from memory or from stealing through transport.

I already have methods to do this, but it seems that VMProtect keeps getting in my way.


I have been using the ultimate demo for testing and will be buying the professional edition very soon.


Let me prefix this with: I am not using the Windows PE loader! I have made my own loader (mapper) that does the exact same as LoadLibrary does. I have already tested it and it does work on VMProtected DLLs; they run and execute fine.

I would like to do a couple of things. Can I remove the PE header of a VMProtected file somehow without causing issues with anything? All I really need to be protected against patching is the .text + maybe .data sections. Because I am going to be mapping the DLL on my own, I already know how to manually deal with imports and relocations, so this will be done before removing the PE data. I do not want the PE header to be anywhere near the client computer. It seems that VMProtect relies on the PE header; is there any way to fix this? By PE header I mean that I want to remove the DOS Header, the MS-DOS Stub, the whole IMAGE_NT_HEADERS and all data inside the OPTIONAL_HEADER, and I would like to remove all import data except the IAT, as that gets referenced at runtime.


I would like to remove as much import data as I can if I cannot remove the stuff referenced in the above text. I would like to remove the Import Name Table, the Import Directory Table and the Import Hints/Names Table, as I will be manually resolving the IAT beforehand, so this shouldn't be an issue.

If you are not sure what I mean about these above tables, here is a picture of PEVIEW where I am looking at them.

https://gyazo.com/324d2fc1a58775627850203b8497649d

This is what I have tried:

Take test dll
VMProtect test dll, not setting options for Import Protection and disabling memory protection on the RDATA Section.
When mapping the dll manually, I am removing the names after I resolve each import
After mapping the dll properly, I execute it and get the error : File Corrupted!

This doesn't make much sense to me, as the char* I am clearing should be stored in the .rdata section. I also excluded all segments from the memory protection, with the same issue occurring.


Essentially, in the best-case scenario I would want to be able to erase the whole PE_Header + import data that is not needed if manually resolved.


But otherwise I would like to remove most unneeded import data that is not needed if manually resolved.




Thanks for your time.

Post by Admin »

VMProtect always checks CRC of the PE header, so you must not modify it.
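The kind of header integrity check the reply describes, as an added illustration that is not VMProtect's code and not part of the original thread. VMProtect's actual algorithm and the byte range it covers are not given on this page; CRC-32 over the first `SizeOfHeaders` bytes, the function names and the constructed sample image are assumptions.

```python
import struct
import zlib

E_LFANEW_OFF = 0x3C          # offset of e_lfanew in IMAGE_DOS_HEADER
SIZEOFHEADERS_OFF = 24 + 60  # from "PE\0\0": signature + file header, then optional-header field

def build_sample_image(size_of_headers=0x200, body=b"\xCC" * 0x100):
    """Constructed minimal PE-like buffer: headers followed by stand-in section bytes."""
    img = bytearray(size_of_headers)
    nt = 0x80
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFF, nt)
    img[nt:nt + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader 0xE0, DLL characteristics
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    struct.pack_into("<H", img, nt + 24, 0x10B)  # PE32 optional-header magic
    struct.pack_into("<I", img, nt + SIZEOFHEADERS_OFF, size_of_headers)
    return img + body

def header_length(image):
    """Return SizeOfHeaders after validating the MZ and PE signatures."""
    if len(image) < 0x40 or image[0:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", image, E_LFANEW_OFF)[0]
    if nt + SIZEOFHEADERS_OFF + 4 > len(image) or image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    size = struct.unpack_from("<I", image, nt + SIZEOFHEADERS_OFF)[0]
    if not 0 < size <= len(image):
        raise ValueError("SizeOfHeaders out of range")
    return size

def seal(image):
    """Protect-time step: record the header length and the CRC-32 of the header bytes."""
    n = header_length(image)
    return n, zlib.crc32(bytes(image[:n]))

def header_intact(mapped, sealed):
    """Run-time step: recompute the CRC over the recorded span and compare."""
    n, expected = sealed
    return len(mapped) >= n and zlib.crc32(bytes(mapped[:n])) == expected

if __name__ == "__main__":
    image = build_sample_image()
    sealed = seal(image)
    wiped = bytearray(image)
    wiped[:sealed[0]] = bytes(sealed[0])  # header zeroed after manual mapping
    print("intact:", header_intact(image, sealed), "wiped:", header_intact(wiped, sealed))
```

Because the span and expected value are recorded at protect time, the run-time check does not need to parse the header, so a mapped image with a zeroed header fails the comparison while a change confined to section bytes does not affect it.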