Detect It Easy Identification Problem


Post by fuzzing

This software can detect VMProtected files with this method:

kernel32.dll
PE.getImportFunctionName(x,x)=="GetSystemTimeAsFileTime"

user32.dll
PE.getImportFunctionName(x,x)=="CharUpperBuffW"

kernel32.dll
PE.getImportFunctionName(x,x)=="LocalAlloc"
PE.getImportFunctionName(x,x)=="LocalFree"
PE.getImportFunctionName(x,x)=="GetModuleFileNameW"
PE.getImportFunctionName(x,x)=="ExitProcess"
PE.getImportFunctionName(x,x)=="LoadLibraryA"
PE.getImportFunctionName(x,x)=="GetModuleHandleA"
PE.getImportFunctionName(x,x)=="GetProcAddress"

Can I suggest an implementation of GetProcAddress & LoadLibrary? So VMP can hide the IAT that is left in the file after protecting it! :D
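The import-name check the post describes, as an added example that is not part of the original post and is not Detect It Easy's own signature code: it reads a PE file's import directory and tests for the listed names. It assumes the three descriptors appear consecutively in the order listed (the post elides the indices as x,x); read_imports and matches_fingerprint are hypothetical names.

```python
import struct

# Import descriptors listed in the post, in order: (DLL, function names).
# Assumption: they sit next to each other in the import directory.
FINGERPRINT = [
    ("kernel32.dll", ["GetSystemTimeAsFileTime"]),
    ("user32.dll", ["CharUpperBuffW"]),
    ("kernel32.dll", ["LocalAlloc", "LocalFree", "GetModuleFileNameW", "ExitProcess",
                      "LoadLibraryA", "GetModuleHandleA", "GetProcAddress"]),
]

def _cstr(data, pos):
    return data[pos:data.index(b"\0", pos)].decode("ascii", "replace")

def read_imports(data):
    """Return [(dll_lowercase, [names])] in import-directory order."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    pe64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    imp_rva, = struct.unpack_from("<I", data, opt + (112 if pe64 else 96) + 8)
    # Section fields: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
            for i in range(nsec)]
    def off(rva):  # RVA -> file offset
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA outside all sections")
    size, fmt, ordinal = (8, "<Q", 1 << 63) if pe64 else (4, "<I", 1 << 31)
    out, d = [], off(imp_rva) if imp_rva else None
    while d is not None:
        oft, _, _, name, ft = struct.unpack_from("<5I", data, d)
        if not (name or ft):           # all-zero descriptor ends the table
            break
        names, t = [], off(oft or ft)  # fall back to the IAT if the ILT is zeroed
        while (v := struct.unpack_from(fmt, data, t)[0]):
            names.append("#%d" % (v & 0xFFFF) if v & ordinal
                         else _cstr(data, off(v) + 2))  # skip the 2-byte hint
            t += size
        out.append((_cstr(data, off(name)).lower(), names))
        d += 20
    return out

def matches_fingerprint(imports):
    """True if the fingerprint descriptors appear consecutively, in order."""
    n = len(FINGERPRINT)
    return any(imports[i:i + n] == FINGERPRINT for i in range(len(imports) - n + 1))
```

Run it as matches_fingerprint(read_imports(open(path, "rb").read())); a truncated or malformed file raises ValueError or struct.error rather than returning a result.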