Does VMProtect support native progream?

[navystone]

we have a special code need to running under native mode, just like chkdsk.exe, in this mode, only ntdll.dll is available, no Win32.
So if I use VMProtect to protect the native program, it will import kernel32.dll, then it will caused the native program can not run.

Does anyone know how to solve this problem?

Thanks in advanced.

[Admin]

Could you send us a native application example? chkdsk.exe from my Windows7-x64 imports APIs from kernel32.dll

[navystone]

I have send the native program by mail.
BTW, the native program I say chkdsk is not exactly right, it should be autochk.

[Admin]

What features of VMProtect are you going to use for your application?

[navystone]

I want to protect some key codes, so Mutation or Virtualization both OK for me.

[Admin]

I meant additional options "Import/Memory protection", "Packing", etc.

[navystone]

In Option Setting, Level I will select "Maximum speed", No Memory /Import protection, no pack output file. Other setting I will keep default.

[Admin]

No Memory /Import protection, no pack output file

In this case VMProtect doesn't add any imports.

P.S. Anyway, VMProtect doesn't add kernel32.dll into imports because it detects your application as a driver

[navystone]

(1) I use VMProtectSDK.pas in my project, and I add VMProtectBeginMutation/VMProtectEnd.
(2) Compile with Delphi to generate the win32 exe, because Delphi can not directly compile the subsystem = native program.
(3) then I remove the other import block, only keep ntdll.dll and VMProtectSDK32.dll
(4) In this time, Open the exe(native) in VMProtect, the Mark I had add before can not be found.

Here is the new problem.

[Admin]

I already know that you use Delphi for your application ) For example I found unused ".rsrc" section. I strongly recommend don't modify PE format of your application because it can be incorrect after modifications.

(4) In this time, Open the exe(native) in VMProtect, the Mark I had add before can not be found.

It seems that VMProtect didn't find references on APIs from SDK. Possible import/relocation directories were corrupted.

[navystone]

I maybe found the problem now:
if I use VMProtectSDK.pas and it will import kernel32.dll, when I change the program to native by wipe off un-used Import Blocked, only keep ntdll/VMProtectSDK32, it will can not found the Mark I add by VMProtectBeginXXX/VMProtectEnd.

if I keep ntdll/VMProtectSDK32/Kernel32 Import Block, remove other unused Import Block, VMProtect will detect the Mark, BUT, after compile, VMProtect can not consider this native program as sub-system = native, and it import user32.dll and kernel32.dll, not hal and ksornel.

So the only way is I can not add the mark in my code? in this way, I can not extactly decide which code range will be protect. and I can not build the program in the script.

[Admin]

1. VMProtect checks the type of application at loading:
IMAGE_SUBSYSTEM_NATIVE - detects as a driver
IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI: detects as DLL(if characterictics has IMAGE_FILE_DLL), otherwise as EXE
2. If VMProtect detected application as a driver - VMProtect is looking for VMProtectSDK.sys as SDK, otherwise VMProtectSDK.dll
3. If you change application type to native you must also change SDK name from VMProtectSDK.dll to VMProtectSDK.sys
4. You can use MAP file instead of code markers. In this case you don't need to use SDK.

[navystone]

1. VMProtect checks the type of application at loading:
IMAGE_SUBSYSTEM_NATIVE - detects as a driver
IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI: detects as DLL(if characterictics has IMAGE_FILE_DLL), otherwise as EXE
2. If VMProtect detected application as a driver - VMProtect is looking for VMProtectSDK.sys as SDK, otherwise VMProtectSDK.dll
3. If you change application type to native you must also change SDK name from VMProtectSDK.dll to VMProtectSDK.sys
4. You can use MAP file instead of code markers. In this case you don't need to use SDK.

Thank you very much. I will try to test 3 first.
I have try the map file before, it's ok for protect one procedure, but if I want to protect part of code in procedure, such as I maybe only want to protect some if/else cause, it will need to add my own mark, and every time I need un-asm first my program.

[navystone]

I change the VMProtectSDK32.dll to VMProtectDDK32.sys, but it still can not detect the mark.

I think I can try another way, that is my program directly compile with obj of VMProtectDDK32?? but I need OMF format lib or obj files, because Delphi only can use OMF format.

is it Ok? can you send me OMF format DDK32/64 lib or objs?

[navystone]

I change VMProtectSDK32.pas as following:
const
{$IFDEF WIN64}
//VMProtectDLLName = 'VMProtectSDK64.dll';
VMProtectDLLName = 'VMProtectDDK64.sys';
{$ELSE}
//VMProtectDLLName = 'VMProtectSDK32.dll';
VMProtectDLLName = 'VMProtectDDK32.sys';
{$ENDIF}

then compile with Delphi, and it's running OK, then I remove the ununsed import block, only keep ntdll and VMProtectDDK32, change subsystem to native, then open in VMProtect, but Mark still can not be found.

/*
1. VMProtect checks the type of application at loading:
IMAGE_SUBSYSTEM_NATIVE - detects as a driver [OK]
2. If VMProtect detected application as a driver - VMProtect is looking for VMProtectSDK.sys as SDK, otherwise VMProtectSDK.dll [OK]
*/

can you tell me how to continue for testing?