
Calling API Hookeds Problem

Posted: Sun Feb 12, 2023 7:51 am
by fuzzing
After protecting a file (an .EXE in this case), the .EXE calls MessageBoxA, and that API can be hooked to log or alter its params.
Is there any chance to make an API wrapper in VMProtect to avoid calling the original hooked API?

Re: Calling API Hookeds Problem

Posted: Sun Feb 12, 2023 1:10 pm
by Catharsis
For MessageBox you can use the same trick as VMProtect.
A simple example:

Code:

#include <windows.h>
#include <winternl.h>

#pragma comment(lib, "ntdll.lib")

// Undocumented ntdll export; the prototype is declared by hand because
// winternl.h does not expose it.
extern "C" NTSTATUS NTAPI ZwRaiseHardError(LONG ErrorStatus, ULONG NumberOfParameters, ULONG UnicodeStringParameterMask,
    PULONG_PTR Parameters, ULONG ValidResponseOptions, PULONG Response);

int main()
{
    UNICODE_STRING msgBody;
    UNICODE_STRING msgCaption;

    ULONG ErrorResponse;

    // Length is in bytes and excludes the terminating NUL.
    const wchar_t cBody[] = L"Some message";
    msgBody.Length = sizeof(cBody) - sizeof(wchar_t);
    msgBody.MaximumLength = msgBody.Length;
    msgBody.Buffer = (wchar_t*)cBody;

    const wchar_t cCaption[] = L"Caption";
    msgCaption.Length = sizeof(cCaption) - sizeof(wchar_t);
    msgCaption.MaximumLength = msgCaption.Length;
    msgCaption.Buffer = (wchar_t*)cCaption;

    // Parameters: body, caption, MessageBox style flags.
    // Mask 3 (binary 011) marks the first two entries as UNICODE_STRING pointers.
    const ULONG_PTR msgParams[] = {
        (ULONG_PTR)&msgBody,
        (ULONG_PTR)&msgCaption,
        (ULONG_PTR)(MB_OK | MB_ICONWARNING)
    };

    ZwRaiseHardError(0x50000018L, 0x00000003L, 3, (PULONG_PTR)msgParams, NULL, &ErrorResponse);
    return 0;
}
Under certain conditions this trick does not work correctly, but these conditions are so rare that you can ignore it.

Re: Calling API Hookeds Problem

Posted: Sun Feb 12, 2023 1:13 pm
by Catharsis
This example can be improved by performing a manual map of ntdll.

Re: Calling API Hookeds Problem

Posted: Sun Feb 12, 2023 3:27 pm
by Admin
Catharsis wrote: Under certain conditions this trick does not work correctly, but these conditions are so rare that you can ignore it.
Because your msgParams has the wrong structure. They must have 4 parameters (the last parameter specifies the timeout and usually equals INFINITE):

    const ULONG_PTR msgParams[] = {
        (ULONG_PTR)&msgBody,
        (ULONG_PTR)&msgCaption,
        (ULONG_PTR)(MB_OK | MB_ICONWARNING),
        INFINITE
    };
    ZwRaiseHardError(0x50000018L, 4, 3, (PULONG_PTR)msgParams, NULL, &ErrorResponse); // 0x50000018L = STATUS_SERVICE_NOTIFICATION | HARDERROR_OVERRIDE_ERRORMODE

Re: Calling API Hookeds Problem

Posted: Sun Feb 12, 2023 4:49 pm
by Catharsis
You may be right about the number of parameters, since the code is not mine but was taken from one of the forums; however, it also works with 3 parameters (apparently by a lucky coincidence).
By "rare condition" I meant configuring an ACL for the process. The window is displayed, but it is empty (without the expected text).
If needed, I can report it in a separate topic with a demo that reproduces the problem.

Re: Calling API Hookeds Problem

Posted: Sun Feb 12, 2023 5:08 pm
by Admin
Missing text is most likely a problem with the initialization of UNICODE_STRING, or with the argument array (for example, the array itself is not aligned to a 4/8-byte boundary).

Code:

#include <windows.h>
#include <winternl.h>
#include <wchar.h>

// Same layout as RtlInitUnicodeString: Length excludes the terminating NUL,
// MaximumLength includes it, and Buffer points at the caller's string.
__forceinline void InitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
{
	if (SourceString)
		DestinationString->MaximumLength = (DestinationString->Length = (USHORT)(wcslen(SourceString) * sizeof(WCHAR))) + sizeof(UNICODE_NULL);
	else
		DestinationString->MaximumLength = DestinationString->Length = 0;

	DestinationString->Buffer = (PWCH)SourceString;
}

Re: Calling API Hookeds Problem

Posted: Sun Feb 12, 2023 9:19 pm
by fuzzing
MessageBox was just an example; what can we do with other APIs?
Can VMP add API wrapping?

Re: Calling API Hookeds Problem

Posted: Mon Feb 13, 2023 10:23 am
by Catharsis
Admin wrote: Missing text is most likely a problem with the initialization of UNICODE_STRING, or with the argument array (for example, the array itself is not aligned to a 4/8-byte boundary).
This problem is also relevant for the implementation in VMP. I have sent a report to info@vmpsoft.com with a description and files for demonstration (email subject: "ZwRaiseHardError bug").

Re: Calling API Hookeds Problem

Posted: Wed Feb 15, 2023 4:26 am
by fuzzing
Any news or plans?

Re: Calling API Hookeds Problem

Posted: Wed Feb 15, 2023 1:15 pm
by Admin
VMProtect doesn't protect system DLLs against hooks.

Re: Calling API Hookeds Problem

Posted: Thu Feb 16, 2023 11:15 am
by fuzzing
Admin wrote:VMProtect doesn't protect system DLLs against hooks.
Is there any chance to add an API wrapper?

Re: Calling API Hookeds Problem

Posted: Thu Feb 16, 2023 11:23 am
by Catharsis
fuzzing wrote: Is there any chance to add an API wrapper?
What prevents you from implementing a check for the most common hooks yourself?

Re: Calling API Hookeds Problem

Posted: Sat Feb 18, 2023 12:08 pm
by fuzzing
Catharsis wrote:
fuzzing wrote: Is there any chance to add an API wrapper?
What prevents you from implementing a check for the most common hooks yourself?
Because there are too many ways of hooking an API.
Checking for 0xE9 or things like that can be bypassed just by changing the instruction hooking method.
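As an added illustration of the two posts above (Catharsis's suggestion of a check for the most common hooks, and fuzzing's objection that a check for 0xE9 is sidestepped by a different detour instruction), the following is example code written for this page; it is not code from the thread, from VMProtect or from Themida. It puts the pattern approach next to a byte-compare against a known-good copy of the function prologue, which is what makes the check independent of the instruction the hook uses. All sample bytes are constructed for the demonstration, not taken from a real ntdll or user32, and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROLOGUE_LEN 16

/* Hook styles the pattern check knows about. */
typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,    /* E9 rel32 */
    HOOK_JMP_IND,      /* FF 25 disp32: jmp [rip+disp32] (x64) / jmp [addr] (x86) */
    HOOK_PUSH_RET,     /* 68 imm32 C3 */
    HOOK_MOV_RAX_JMP   /* 48 B8 imm64 FF E0 */
} hook_kind;

/* Pattern check: what the thread calls "checking for 0xE9", extended to a few
   other common detours. Anything not in the list passes as clean. */
hook_kind classify_prologue(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_IND;
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HOOK_PUSH_RET;
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    return HOOK_NONE;
}

/* Reference check: byte-compare the live prologue with a known-good copy
   (in a real program that copy would come from the DLL image on disk or
   from a hash taken at build time). Returns the offset of the first differing
   byte, or -1 when the prologue is intact. Does not care which instruction
   the hook used. */
int compare_prologue(const uint8_t *live, const uint8_t *reference, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (live[i] != reference[i]) return (int)i;
    return -1;
}

/* Combined verdict: 1 if either check flags the prologue, else 0. */
int prologue_tampered(const uint8_t *live, const uint8_t *reference, size_t n)
{
    return classify_prologue(live, n) != HOOK_NONE ||
           compare_prologue(live, reference, n) >= 0;
}

/* Constructed sample data (made up for this example, not real DLL bytes):
   a plausible x64 prologue and the same bytes after three detour styles. */
const uint8_t clean_prologue[PROLOGUE_LEN] = {
    0x48, 0x89, 0x5C, 0x24, 0x08,   /* mov [rsp+8], rbx */
    0x57,                           /* push rdi */
    0x48, 0x83, 0xEC, 0x20,         /* sub rsp, 20h */
    0x48, 0x8B, 0xF9,               /* mov rdi, rcx */
    0x48, 0x8B, 0xDA                /* mov rbx, rdx */
};
/* 5-byte detour: first instruction replaced by jmp rel32. */
const uint8_t hooked_jmp_rel32[PROLOGUE_LEN] = {
    0xE9, 0x11, 0x22, 0x33, 0x44,
    0x57, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0xF9, 0x48, 0x8B, 0xDA
};
/* 12-byte detour: mov rax, imm64 ; jmp rax. */
const uint8_t hooked_mov_rax_jmp[PROLOGUE_LEN] = {
    0x48, 0xB8, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xE0,
    0xF9, 0x48, 0x8B, 0xDA
};
/* 7-byte detour the pattern list does not know: mov eax, imm32 ; jmp eax. */
const uint8_t hooked_mov_eax_jmp[PROLOGUE_LEN] = {
    0xB8, 0x78, 0x56, 0x34, 0x12, 0xFF, 0xE0,
    0x83, 0xEC, 0x20, 0x48, 0x8B, 0xF9, 0x48, 0x8B, 0xDA
};

int main(void)
{
    const uint8_t *samples[] = { clean_prologue, hooked_jmp_rel32,
                                 hooked_mov_rax_jmp, hooked_mov_eax_jmp };
    const char *names[] = { "clean", "jmp rel32", "mov rax/jmp rax", "mov eax/jmp eax" };
    for (size_t i = 0; i < 4; i++)
        printf("%-16s pattern=%d  first-diff=%d\n", names[i],
               (int)classify_prologue(samples[i], PROLOGUE_LEN),
               compare_prologue(samples[i], clean_prologue, PROLOGUE_LEN));
    return 0;
}
```

The "mov eax/jmp eax" sample is the case fuzzing describes: the pattern check returns HOOK_NONE, while the byte-compare reports a difference at offset 0. The reference copy is the part that costs effort in a real build (reading and relocating the export from the on-disk image), which is also why the thread's alternative of mapping ntdll manually comes up.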

Re: Calling API Hookeds Problem

Posted: Sun Feb 19, 2023 2:36 pm
by Catharsis
fuzzing wrote: Because there are too many ways of hooking an API.
You have now answered your own question.

Re: Calling API Hookeds Problem

Posted: Sun Feb 19, 2023 9:59 pm
by fuzzing
Catharsis wrote:
fuzzing wrote: Because there are too many ways of hooking an API.
You have now answered your own question.
Nope, patching the first bytes of an API can be avoided by making some kind of API wrapper like Themida does, but honestly I don't like Themida, I don't use it and I will not use it; I'm on the VMProtect way, and it would be nice if it could add some kind of API wrapper too!