
Add compatibility for VMProtect 3.6+ #148

Merged (2 commits), Feb 11, 2023

Conversation

@heck-gd (Contributor) commented Feb 3, 2023

This PR does the following changes in order to hide from VMProtect 3.6+:

  • PEB OsBuildNumber changed from increment (which breaks on recent Win 10 builds such as 19043/19044) to FAKE_VERSION define.
  • Consistency between what is set in PEB and what is written to NTDLL version resource.
  • Extract NTDLL resource patching logic to separate file.
  • Rewrite resource patching logic to NT API since it's required in HookLibrary.
  • Also patch the other 3 versions in the resource and not just FileVersion.
  • Add hooks to NtOpenFile/NtCreateSection/NtMapViewOfSection so we can patch the NTDLL image that VMProtect brings in from disk.

These measures successfully hide x32dbg on Windows 7 32-bit (newer 32-bit OSes should work as well). I tried to implement an x64 code path as well, but I didn't have an x64 sample to test with.
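The second bullet of the PR is the key point: the build number reported in the PEB and the version fields in NTDLL's version resource must agree, and the resource carries more than one version field (the FileVersion and ProductVersion pairs in VS_FIXEDFILEINFO, plus the string table). The following is an added example, not ScyllaHide or x64dbg code: it parses a VS_FIXEDFILEINFO blob using Microsoft's documented 13-DWORD layout (signature 0xFEEF04BD) and checks that both build fields match a given PEB OSBuildNumber. The byte buffers, the 10.0.<build>.1 version scheme and the `check_sample` helper are constructed for this demonstration; the build numbers 19043/19044 are the ones mentioned in the PR.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* VS_FIXEDFILEINFO is 13 little-endian DWORDs (52 bytes). Offsets follow the
 * documented layout: dwSignature, dwStrucVersion, dwFileVersionMS/LS,
 * dwProductVersionMS/LS, then flags/OS/type/date fields we do not need here. */
#define VS_FFI_SIGNATURE 0xFEEF04BDu
#define VS_FFI_SIZE      52
#define OFF_FILE_VER_MS   8
#define OFF_FILE_VER_LS  12
#define OFF_PROD_VER_MS  16
#define OFF_PROD_VER_LS  20

struct ver_info {
    uint16_t file_major, file_minor, file_build, file_revision;
    uint16_t prod_major, prod_minor, prod_build, prod_revision;
};

/* Portable little-endian helpers so the parser does not depend on host byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)((v >> 8) & 0xff);
    p[2] = (uint8_t)((v >> 16) & 0xff); p[3] = (uint8_t)((v >> 24) & 0xff);
}

/* Parse a VS_FIXEDFILEINFO blob. Returns 0 on success, -1 if too short or the signature is wrong.
 * Version DWORDs encode major.minor in the MS word pair and build.revision in the LS word pair. */
int parse_fixed_file_info(const uint8_t *buf, size_t len, struct ver_info *out) {
    if (len < VS_FFI_SIZE || rd32(buf) != VS_FFI_SIGNATURE) return -1;
    uint32_t fms = rd32(buf + OFF_FILE_VER_MS), fls = rd32(buf + OFF_FILE_VER_LS);
    uint32_t pms = rd32(buf + OFF_PROD_VER_MS), pls = rd32(buf + OFF_PROD_VER_LS);
    out->file_major = (uint16_t)(fms >> 16); out->file_minor = (uint16_t)(fms & 0xffff);
    out->file_build = (uint16_t)(fls >> 16); out->file_revision = (uint16_t)(fls & 0xffff);
    out->prod_major = (uint16_t)(pms >> 16); out->prod_minor = (uint16_t)(pms & 0xffff);
    out->prod_build = (uint16_t)(pls >> 16); out->prod_revision = (uint16_t)(pls & 0xffff);
    return 0;
}

/* Consistency check: FileVersion build, ProductVersion build and PEB OSBuildNumber must all agree.
 * Returns 1 when consistent, 0 when any field disagrees. */
int build_consistent(const struct ver_info *v, uint16_t peb_build) {
    return v->file_build == peb_build && v->prod_build == peb_build;
}

/* Constructed sample: build a 10.0.<build>.1 VS_FIXEDFILEINFO with independently chosen
 * File and Product build numbers, so the two patched/unpatched cases can be compared. */
void make_fixed_file_info(uint8_t *buf, uint16_t file_build, uint16_t prod_build) {
    memset(buf, 0, VS_FFI_SIZE);
    wr32(buf, VS_FFI_SIGNATURE);
    wr32(buf + 4, 0x00010000u);                  /* dwStrucVersion 1.0 */
    wr32(buf + OFF_FILE_VER_MS, 0x000A0000u);    /* FileVersion 10.0 */
    wr32(buf + OFF_FILE_VER_LS, ((uint32_t)file_build << 16) | 1u);
    wr32(buf + OFF_PROD_VER_MS, 0x000A0000u);    /* ProductVersion 10.0 */
    wr32(buf + OFF_PROD_VER_LS, ((uint32_t)prod_build << 16) | 1u);
}

/* Hypothetical helper: build a sample, parse it, and report consistency (-1 on parse failure). */
int check_sample(uint16_t file_build, uint16_t prod_build, uint16_t peb_build) {
    uint8_t buf[VS_FFI_SIZE];
    struct ver_info v;
    make_fixed_file_info(buf, file_build, prod_build);
    if (parse_fixed_file_info(buf, sizeof buf, &v) != 0) return -1;
    return build_consistent(&v, peb_build);
}

int main(void) {
    /* Only FileVersion changed to 19044 while ProductVersion still says 19043: inconsistent. */
    printf("FileVersion only patched: consistent=%d\n", check_sample(19044, 19043, 19044));
    /* Both resource fields and the PEB agree on 19044: consistent. */
    printf("all fields patched:       consistent=%d\n", check_sample(19044, 19044, 19044));
    return 0;
}
```

The first case is exactly the mismatch the PR closes: with only FileVersion rewritten, the ProductVersion pair still exposes the original build, so a single comparison against the PEB is enough to notice that the two sources disagree. A real resource also carries the string-table "FileVersion"/"ProductVersion" entries, which this example does not model.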

@mrexodia mrexodia merged commit cee6c0a into x64dbg:master Feb 11, 2023
@mrexodia (Member)

Thanks a lot!

@vmpsoft commented Feb 11, 2023

Thank you for new bugs :))

1.

```c
dll = CreateFile("ntdll.dll");
CloseHandle(dll);
if (CreateFileMapping(dll) != INVALID_HANDLE_VALUE)
  printf("ScyllaHide detected");
```

2.

```c
WORD *ptr = (WORD *)GetProcAddress(copy_ntdll, "NtSetInformationProcess");
if (*ptr == 0x0B0F) // NtSetInformationProcess usually begins with UD2 on computers in "G DATA Advanced Analytics"
  printf("ScyllaHide detected");
```

@mrexodia (Member)

Great times, will take a look after my vacation… 😴

@heck-gd (Contributor, Author) commented Feb 13, 2023

@vmpsoft

  1. Yeah feel free to implement that into your packer, that's not how the hooks work. Original API is always called first, and if you close the handle it will get an unsuccessful status.
  2. Sure, we can continue this cat and mouse game ad infinitum.

@vmpsoft commented Feb 13, 2023

> Sure, we can continue this cat and mouse game ad infinitum.

It seems you still don't understand the purpose of my comment. I just showed to mrexodia the "quality" of your code. My PoCs (and many other variants with DuplicateHandle, etc.) can be used for easy detection of ScyllaHide. Anyway, I don't care about your commits in the future because you have already lost this game like ScyllaHide many years ago.

@AxDSan commented Feb 18, 2023

Wonderful article on VMProtect defense mechanisms on malware! It's a shame that even though Ivan's software's main purpose is to "protect" intellectual property, we can surely all agree on the statement that possibly 80% of its revenue comes from malicious actors and that the integrity of the software, unfortunately, has been truly compromised for malicious activities more than anything else, and even though our race seems to be against malware itself, his point of view while trying to defend the main purpose of his software is rather a bit, in colloquial English, "salty" and unwelcoming, rather than one that is compliant with the actual research made by reversers.

On topic, thanks for submitting to PR the hard work on your research!


4 participants