<Matti> I wonder what he does when he needs to debug a 64 bit program?
<Matti> maybe he just runs a 32 bit OS
<Matti> that would solve that issue
<TomieKawakami> I tried all the VMP3 builds leaked on the internet for educational purposes.. xD All of them were beaten by Scylla. Kinda strange when VMProtect says you can do user mode or kernel mode or both when doing anti-debug.. how do they do kernel mode? Do they need their own .sys for that? To happen. I don't know if usermode can detect kernel. Or maybe I misunderstand what it means.
<Matti> what they mean by that is that they provide detection of both user-mode and kernel-mode debuggers
<Matti> which is true, and you can choose which (if any) you want to enable detection for
<Matti> but it's not really very useful because (A) most people don't debug programs with a kernel debugger, and (B) if you have a kernel debugger attached you control the entire system, so 'defeating' VMProtect at that point isn't really an achievement, just a bit tedious
<Matti> what they also do though, and as far as I know they are the only commercial protector to do this, is protect kernel mode drivers
<Matti> meaning a .sys and not .dll/.exe
<Matti> there is also an anti debug for that mode, and it's a bit harder to defeat because VMP is now also running in kernel mode
<Matti> but overall it is still pretty easy to bypass
<TomieKawakami> That's interesting
<Matti> oh yea
<Matti> forgot to answer this
<Matti> > To happen. I don't know if usermode can detect kernel.
<Matti> you can detect a kernel debugger from user mode via a few ways
<Matti> but the most commonly used by far is NtQuerySystemInformation(SystemKernelDebuggerInformation)
<Matti> which basically just tells you if a kernel debugger is attached
<Matti> but - if you're attached with a kernel debugger, you can just edit that function to return a value that says there's no debugger
<Matti> so you can see how it's sort of pointless to try this from user mode
<Matti> when VMP is running in kernel mode too, it has access to a lot more of the information the kernel exports that it can use to do debugger detection
<Matti> plus of course the normal extra privileges you get in kernel mode compared to user
<Matti> but it doesn't really do a lot of interesting stuff with that, anti-debug-wise
<Matti> hypervisor detection though... that's different