Detect It Easy Identification Problem
Posted: Thu Feb 09, 2023 11:53 pm
This software can detect VMProtected files with this method:
kernel32.dll
PE.getImportFunctionName(x,x)=="GetSystemTimeAsFileTime"
user32.dll
PE.getImportFunctionName(x,x)=="CharUpperBuffW"
kernel32.dll
PE.getImportFunctionName(x,x)=="LocalAlloc"
PE.getImportFunctionName(x,x)=="LocalFree"
PE.getImportFunctionName(x,x)=="GetModuleFileNameW"
PE.getImportFunctionName(x,x)=="ExitProcess"
PE.getImportFunctionName(x,x)=="LoadLibraryA"
PE.getImportFunctionName(x,x)=="GetModuleHandleA"
PE.getImportFunctionName(x,x)=="GetProcAddress"
Can I suggest an implementation of GetProcAddress & LoadLibrary? So VMP can hide the IAT that is left in the file after protecting it!