Reverse Engineering Anti-VM Detections in Malware - Subscriber Request Part 2

Views: 18,618

OALabs

A day ago

Comments
@taedopalleb1373 5 years ago
Man, this is fascinating. I'm still getting my feet wet with malware analysis and this channel is a godsend for noobs like me. I'm curious, before these VM detection methods became well-known how does one find out about those VM only instructions?
@OALABS 5 years ago
Hey, thanks, glad to hear you are enjoying the vids! So most of these VM detections are actually the work of a lot of researchers. When hypervisors were first becoming popular there was a gold rush to try and find detections like these. Probably the most famous is the "Red Pill" research from Joanna Rutkowska (a super interesting read) web.archive.org/web/20070911024318/invisiblethings.org/papers/redpill.html but over the years there have been many discoveries like these. Once the work is published the detections are quickly adopted by malware authors for use in their code.
@Dead4Light 7 years ago
Thanks for Uploading! :)
@mlonfx2410 A year ago
Amazing video! Thank you very much!
@jasonwick9449 5 years ago
I run into this on occasion, but it's always so heavily obfuscated in the surrounding areas. It's often the case that I hook something like shutdown, but the code has intentionally mangled EBP so I can't just step back through the stack to find out where the vm-detection was found (and nor does EBP need to be valid, since the malware expects a shutdown to occur and doesn't expect a ret to ever take place). Combine that with dynamically resolved APIs that appear to be passed through rundll32 checks against the target process to have a third-party detect the hooks in the first-party and I feel like I can't reach the VM detection (or whatever other anti-anti debug method) from either direction -- neither forward (by following logical code execution) nor backward (by hooking the final payload and stepping back through ret's). I wish I understood more of your universal approach, at a high level. It's easy for you to say "Well, I know what I'm doing and what to expect, so this is what I do." I think what might be great is if you made a flow chart of your approach. What order do you do things, and what indicators make you set certain hooks? How would you handle something that's seriously packed, for example, through something like Themida? I know that Themida isn't a common use-case for packed malware, but I have seen it twice since 2016 and basically gave up before I even began. Understanding how you tackle some really tough malware and all the various approaches you took, what worked and what didn't, and how you deduced the correct path in a sea of incorrect paths.. that would be incredible. I hope you read this and consider it for a future video some day. Have fun at Defcon, Sergei! Maybe I'll see you there!
@OALABS 5 years ago
Hey Jason, you raise a really good point, and probably something that a lot of folks have thought at some point or another while trying to take what we talk about on this channel and then apply it in the wild to new malware samples. So unfortunately the tl;dr is that there is no simple solution, and certainly no generic approach that will work for all packed samples. But, the good news is we can get pretty far with what we show on the channel. We tend to break this down into three categories when thinking about unpacking. Basic packers: So the majority of malware we see day-to-day can be unpacked in a few seconds using the simple breakpoint techniques we show in our tutorials. No need to hide the VM and no need to even hide the debugger. We have been working on a comprehensive course that covers all these techniques in a set of progressive steps to make the learning easier but, if you just want the raw techniques, we have covered most of them already in our videos. Basic packers with anti-analysis: When you run into one of these, the approach we show in this tutorial may work, and it's less expensive than other approaches. In our experience there will just be one or two anti-analysis check functions that can be skipped over and then you can proceed with the unpacking. However, as you have noted, this isn't always the case. If the binary contains heavy evasion (especially what you have described, opaque predicates, call stack manipulation, etc.) this approach can quickly fail. Unfortunately though, this is also the limit of what we are comfortable demonstrating on YouTube. Advanced packers, obfuscation, virtual machines: This is the category of "packers" that I think you are describing, especially if you are talking about Themida etc. So, if you have the misfortune to encounter something like this you are now talking about the 1% of malware. Rarely will a generic approach help you in these situations.
Usually there are specific tailored solutions for each packer, and these take a lot of time and resources to develop. We aren't comfortable sharing these specific techniques publicly for two reasons. First, they are unique to the packer and thus the packer developers could simply alter their code and void a lot of our work. Second, most of the seriously difficult packers are dual-use for both commercial software and malware. You need only look at the comments on our videos to see how many people want an easy solution to breaking these protections so they can pirate software. We don't want to be a part of that. However, the special project we are working on may be able to help a bit with this... In the meantime, if you ever run into something like this we are always happy to take a look if you post the sample to VT and send us the hash. I know this is probably not the answer you were looking for, but I hope I have explained the reasoning behind it. All the best, Sergei
@jasonwick9449 5 years ago
@OALABS I appreciate the extremely thorough reply, Sergei! Would you ever consider putting out some ideas for how people (like yourself) have developed these custom solutions to unpacking the "very hard" packers? I'm not necessarily looking for something like "Well, if your yara rules match abc, then go ahead and run this script from my github." I'm thinking more like "When I'm confronted with a VeryHardPacker as mentioned, I first hook APIs in a debugger, look for details, create a lot of individual x64dbg scripts to ultimately dump the core stuff to a file, and then blah blah." A super generic "high level approach" to how one builds a custom unpacker would be helpful. I just feel like that's where I will learn the most and improve the most in my reversing abilities. That said, I'm looking forward to the super secret project you've been working on!
@OALABS 5 years ago
For sure! This was sort of the idea behind developing our unpacking course ... providing a methodology for attacking some of the more difficult problems step-by-step. But as I noted in many cases this quickly turns into just full-on reverse engineering instead of a set of steps that you can follow. If you send us some samples (VT hashes only please) I can take a look and see if there is a good example to use to explain how I would approach this.
@jasonwick9449 5 years ago
@OALABS Awesome. Thanks Sergei! I tend to run into something like this every 2-3 months, and I might have a leftover VM of Shame from a failed attempt where I can find an older one and grab a VT hash of it. Appreciate the help!
@typedeaf 3 years ago
Thanks! FYI IDA is showing you the on-disk offset right next to the in-memory offset, at the bottom of your code window.
@carlosribeiro1866 6 years ago
Awesome channel ;)
@TheBekabe 7 years ago
Amazing. But I did not find the scene where the virus is running?
@OALABS 7 years ago
Sorry, I forgot to provide a link to the patched sample that will run in the sandbox. You can download it from Malshare here (you will need to register for a free account): malshare.com/sample.php?action=detail&hash=9c8e3500e013982a4cbe2ba6fea801f4 We didn't show running the sample after it is patched, but you can try it yourself or check out the Hybrid Analysis here: www.hybrid-analysis.com/sample/589da12984e7d4a85ed714e74ff7ff86c4f7083966fd105d44ab15202beb1454?environmentId=100
@ahmedbellil5161 4 years ago
very smart man
@Luffy.9757 4 years ago
That VM detection is in Xenos 64.
@mallikarjunfp23 6 years ago
Hi, can you please analyse a full malware sample from start to end of its activity? It will help to see the tricks you follow and the steps you take. Hope to see it soon. Thanks for your wonderful tutorial.
@OALABS 6 years ago
We are working on something like that... it takes time though : )
@mallikarjunfp23 6 years ago
OALabs we all are waiting for the same
@XJacksonvilleX 5 years ago
But what is an AntiVM?
@robinhood3841 4 years ago
It is a technique used by malware authors to keep their malware from running under a virtual machine.