How To Unpack VMProtect Malware - Part 1 (Patreon)
Overview of Unpacking vs. Devirtualization
This is the first part in our three-part tutorial series on unpacking VMProtect malware. When approaching a VMProtect malware sample it is important to understand the concept of a packer vs. a virtualizer. VMProtect offers both the option to pack files, and the option to virtualize individual functions. Depending on what options are selected by the malware developer it may be possible to trivially recover the protected payload.
Packing
The VMProtect packing functionality simply protects the payload at rest. When the packed sample is executed, the payload is unpacked into memory and executed. The concept is similar to other, better-understood packers like UPX, though with added protections that make unpacking more difficult.
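A payload that is protected "at rest" shows up statically as a section that is dense (high entropy), carries a packer-specific name, or is mapped writable and executable so the stub can unpack into it. The following script is an added example, not code from the original post or from VMProtect; it parses PE section headers without third-party libraries and flags sections by those three heuristics. The section names `.vmp0`/`.vmp1`/`.vmp2` and the 7.0 bits-per-byte threshold are assumptions to verify against your own build, and the two PE images it inspects are constructed in the script itself (header-only, not loadable, not real malware).

```python
import hashlib
import math
import struct

# Added example (not from the original post): static triage of PE sections to
# spot a payload stored packed at rest. The section names and the entropy
# threshold below are assumptions; verify them against your own VMProtect build.
SUSPICIOUS_SECTION_NAMES = {".vmp0", ".vmp1", ".vmp2"}  # assumed default names
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data approaches 8.0

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant run, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (name, raw_pointer, raw_size, characteristics) per section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4  # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", pe, file_header + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, file_header + 16)[0]
    table = file_header + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, raw_ptr, raw_size, characteristics))
    return sections


def triage(pe: bytes):
    """Per section: (name, entropy, list of reasons it looks packed)."""
    findings = []
    for name, raw_ptr, raw_size, chars in parse_sections(pe):
        data = pe[raw_ptr:raw_ptr + raw_size]
        entropy = shannon_entropy(data)
        reasons = []
        if name in SUSPICIOUS_SECTION_NAMES:
            reasons.append("VMProtect-style section name")
        if data and entropy >= HIGH_ENTROPY:
            reasons.append(f"high entropy ({entropy:.2f})")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        findings.append((name, entropy, reasons))
    return findings


def looks_packed(pe: bytes) -> bool:
    return any(reasons for _, _, reasons in triage(pe))


def build_sample_pe(sections):
    """Construct a header-only PE (no optional header, not loadable) for offline
    testing; sections is a list of (name, data, characteristics)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    headers_end = e_lfanew + 4 + 20 + 40 * len(sections)
    first_raw = (headers_end + 0x1FF) & ~0x1FF  # FileAlignment of 0x200
    raw_ptr, table, body = first_raw, b"", b""
    for name, data, chars in sections:
        padded = data + b"\0" * (-len(data) % 0x200)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                             len(padded), raw_ptr, 0, 0, 0, 0, chars)
        body += padded
        raw_ptr += len(padded)
    headers = dos_header + b"PE\0\0" + file_header + table
    return headers + b"\0" * (first_raw - len(headers)) + body


# Constructed sample data, not taken from any real binary.
PLAIN_CODE = b"\x55\x48\x89\xe5" * 400 + b"\xc3" + b"\x90" * 300  # low entropy
RANDOM_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PLAIN_SAMPLE = build_sample_pe([
    (".text", PLAIN_CODE, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", b"Hello World\0" * 64, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
PACKED_SAMPLE = build_sample_pe([
    (".text", b"\0" * 512, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".vmp1", RANDOM_LIKE, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, "looks packed:", looks_packed(sample))
        for name, entropy, reasons in triage(sample):
            print(f"  {name:8s} entropy={entropy:.2f} {'; '.join(reasons)}")
```

To run it on a real file, replace the constructed samples with `open(path, "rb").read()`. The heuristics only say that a payload is stored protected at rest; they say nothing about whether individual functions were virtualized, which is why the later steps of this series still rely on inspecting the unpacked image in IDA Pro and x64dbg.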
Virtualization
The VMProtect virtualization protection is applied at the function level within the payload and transforms the function code into a series of virtual instructions that can only be interpreted by the VMProtect virtual machine. To attack this protection the virtualized instructions must be devirtualized using custom translation software, such as the suite of tools built around VTIL, which includes a fully working VMProtect 3 devirtualizer: NoVmp.
** Removing VMProtect virtualization is beyond the scope of this tutorial. We will only focus on unpacking.
Attacking Malware Developer Mistakes
Though we won't attempt to remove VMProtect virtualization there are two common mistakes that malware developers continuously make which may allow us to recover the full malware payload, even when virtualization has been "enabled".
Some malware developers lack a fundamental understanding of how VMProtect works and only use the packing functionality of VMProtect. This leaves all of the functions unprotected and allows us to simply dump the payload at runtime.
Other malware developers may attempt to protect their payload using VMProtect virtualization but misunderstand the VMProtect interface and succeed in only virtualizing their entry point. This leaves the rest of the functions unprotected and is the most common mistake we have observed when analyzing VMProtect malware samples.
Our tutorial series focuses on exploiting these mistakes to unpack VMProtect malware.
Self Study Examples
We cannot redistribute VMProtect or samples protected with the VMProtect Demo but you can re-create our lab examples in your own analysis environment. Attached to this post is the HelloWorld binary from our examples. A free demo version of VMProtect can be downloaded from the VMProtect website.
- Download the HelloWorld sample
- Download and install VMProtect in your lab virtual machine
- Load HelloWorld in VMProtect and pack the payload
- Familiarize yourself with the packed payload in IDA Pro and x64dbg
- Load HelloWorld in VMProtect and virtualize the entry point
- Familiarize yourself with the virtualized payload in IDA Pro and x64dbg