I would like to understand the code virtualization concept.
While researching I found 2 use cases:
a) hide code and avoid knowledge extraction
b) avoid manipulation
Use case A is plausible, because a VM is a aggravating barrier.
My question goes towards use case B.
In my example the program shall not continue, if the virtualized IsUsageAllowed was negative.
[Virtualize]
bool IsUsageAllowed()
{
return .... ;
}
void Main()
{
if (!IsUsageAllowed()) //detour call
return;
// do something
}
In the case of external manipulation, IsUsageAllowed() would be a difficult target, because we would have to attack the VM of the function. But that's not neccessary, because we can hook functions. For that we detour the call of IsUsageAllowed by a jump instruction to something what always delivers true. = protection removed.
Is there a better way to use virtualized functions to avoid that ?
thank you in advance
To solve that problem, virtualize the whole chain:
[Virtualize]
bool IsUsageAllowed()
{
return .... ;
}
[Virtualize]
void Main()
{
if (!IsUsageAllowed()) //detour call
return;
// do something
}
In the case of a particular obfuscator, it may use a special mechanism (aka int-call) which specifically targets that scenario making the whole chain resistant to detouring.
Int-call is just a short nickname of a VM internal call. It allows to avoid the unnecessary transitions between CLR and VM domains.
Disclaimer: I work on Eazfuscator.NET obfuscator and it does support int-calls.