1ronman101/VMP_Hunter

🕵️ VMP_Hunter

A Frida-based dynamic instrumentation tool for Windows binaries — designed to intercept crypto operations and network traffic, and to bypass anti-debug protections, in VMProtect-packed or otherwise obfuscated executables.


📖 Overview

VMP_Hunter is a Python + Frida instrumentation framework that spawns a target Windows process and injects a comprehensive JavaScript hook engine at runtime. It is designed to aid in reverse engineering, malware analysis, and protocol research by intercepting encryption/decryption calls, network API calls, and dynamic DLL loading — all without needing to unpack or statically analyse the target.


✨ Features

🔐 Cryptography Interception

| API | Library | What's Captured |
|---|---|---|
| BCryptEncrypt / BCryptDecrypt | bcrypt.dll | Plaintext, ciphertext, key size |
| BCryptGenerateSymmetricKey | bcrypt.dll | Raw key material |
| BCryptOpenAlgorithmProvider | bcrypt.dll | Algorithm name |
| BCryptHash | bcrypt.dll | Input data + hash output |
| CryptProtectData / CryptUnprotectData | crypt32.dll | DPAPI blobs, decrypted data |
| SystemFunction032 | advapi32.dll / cryptbase.dll | RC4 key + plaintext/ciphertext |
| CryptEncrypt / CryptDecrypt | advapi32.dll | Legacy CryptoAPI data |
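The following is an added example, not VMP_Hunter's own hook code: a Frida script that hooks `bcrypt.dll!BCryptEncrypt`, captures the plaintext buffer on entry and the ciphertext on return, and renders both as hex + ASCII in the style of the sample output further down. The renderer is a pure function so it can be exercised outside Frida; `MAX_DUMP` and the `send()` record shape are assumptions of this example. The hook is only installed when Frida's `Interceptor` global is present.

```javascript
// Added example (not VMP_Hunter's own code): BCryptEncrypt capture with a
// hex/ASCII renderer. Frida-specific code runs only inside a Frida session.

const MAX_DUMP = 64;   // bytes shown per buffer (assumption; keeps logs readable)

// Render bytes as "48 65 6c 6c 6f" and "Hello"; non-printables become '.'.
// totalSize is the real buffer length when `bytes` is a capped read.
function renderBuffer(bytes, totalSize = bytes.length, limit = MAX_DUMP) {
  const shown = Array.from(bytes).slice(0, limit);
  const hex = shown.map(b => b.toString(16).padStart(2, '0')).join(' ');
  const ascii = shown
    .map(b => (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : '.')
    .join('');
  const truncated = totalSize > shown.length;
  return {
    size: totalSize,
    hex: truncated ? hex + ' ...' : hex,
    ascii: truncated ? ascii + '...' : ascii,
  };
}

// Constructed sample input standing in for a captured pbInput buffer ("Hello, world").
const SAMPLE_PLAINTEXT = [0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x2c, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64];

function installBCryptEncryptHook() {
  // NTSTATUS BCryptEncrypt(hKey, pbInput, cbInput, pPaddingInfo, pbIV, cbIV,
  //                        pbOutput, cbOutput, pcbResult, dwFlags)
  const target = Process.getModuleByName('bcrypt.dll').getExportByName('BCryptEncrypt');
  Interceptor.attach(target, {
    onEnter(args) {
      const cbInput = args[2].toUInt32();
      this.inputSize = cbInput;
      // Read at most MAX_DUMP bytes; the renderer reports the full size separately.
      this.input = args[1].isNull()
        ? []
        : new Uint8Array(args[1].readByteArray(Math.min(cbInput, MAX_DUMP)));
      this.pbOutput = args[6];
      this.pcbResult = args[8];
    },
    onLeave(retval) {
      const status = retval.toUInt32();
      const rec = {
        type: 'bcrypt-encrypt',
        status,
        input: renderBuffer(this.input, this.inputSize),
      };
      // A call with pbOutput == NULL is only a size query: nothing to dump yet.
      if (status === 0 && !this.pbOutput.isNull()) {
        const n = this.pcbResult.readU32();   // bytes actually written
        const out = new Uint8Array(this.pbOutput.readByteArray(Math.min(n, MAX_DUMP)));
        rec.output = renderBuffer(out, n);
      }
      send(rec);   // delivered to the Python host's on_message handler
    },
  });
}

// Only wire the hook up inside Frida; under plain Node this file just exposes renderBuffer.
if (typeof Interceptor !== 'undefined') installBCryptEncryptHook();
```

Reading `pbOutput` in `onLeave` rather than `onEnter` matters because callers are allowed to pass the same buffer for input and output; by return time it holds ciphertext, and `*pcbResult` tells you how much of it is valid.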

🌐 Network Interception

| API | What's Captured |
|---|---|
| send / recv | Raw socket data (hex + ASCII) |
| WSASend / WSARecv | Winsock2 async data |
| connect | Target IP:port + success/failure |
| socket | Socket family and type |
| getaddrinfo / gethostbyname | DNS hostname resolution + resolved IPs |
| DnsQuery_A | DNS query type and name |
| NtDeviceIoControlFile | Low-level AFD_SEND / AFD_RECV / AFD_CONNECT |
| InternetConnectW | WinINet / WinHTTP server + port |
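As an added example (not VMP_Hunter's own code), here is the `connect` row of that table worked through: a Frida hook on `ws2_32.dll!connect` that decodes the `sockaddr` argument into `ip:port` and reports the return value as SUCCESS or FAIL. The `sockaddr` parser is a pure function handling both `AF_INET` and `AF_INET6` (23 on Windows), and the sample bytes are constructed to match the `192.168.1.1:443` line in the sample output. The record shape passed to `send()` is an assumption.

```javascript
// Added example (not VMP_Hunter's own code): ws2_32!connect hook with a
// sockaddr parser. Frida-specific code runs only inside a Frida session.

const AF_INET = 2;
const AF_INET6 = 23;   // Windows value (Linux uses 10)

// Decode a sockaddr from a byte array. Layout: family (u16 little-endian),
// port (u16 big-endian), then the address (IPv6 has a 4-byte flowinfo first).
function parseSockaddr(bytes) {
  if (bytes.length < 2) return null;
  const family = bytes[0] | (bytes[1] << 8);
  if (family === AF_INET) {
    if (bytes.length < 8) return null;
    const port = (bytes[2] << 8) | bytes[3];
    const ip = Array.from(bytes).slice(4, 8).join('.');
    return { family: 'AF_INET', ip, port };
  }
  if (family === AF_INET6) {
    if (bytes.length < 24) return null;   // 2 + 2 + 4 (flowinfo) + 16
    const port = (bytes[2] << 8) | bytes[3];
    const groups = [];
    for (let i = 8; i < 24; i += 2) {
      groups.push(((bytes[i] << 8) | bytes[i + 1]).toString(16));
    }
    return { family: 'AF_INET6', ip: groups.join(':'), port };   // no :: compression
  }
  return { family: 'AF_' + family, ip: null, port: null };       // e.g. AF_UNIX
}

function formatEndpoint(sa) {
  if (sa === null || sa.ip === null) return '<unparsed>';
  return sa.family === 'AF_INET6' ? `[${sa.ip}]:${sa.port}` : `${sa.ip}:${sa.port}`;
}

// Constructed sample: AF_INET, port 443 (0x01BB), address 192.168.1.1.
const SAMPLE_SOCKADDR_IN = [2, 0, 0x01, 0xbb, 192, 168, 1, 1];

function installConnectHook() {
  // int WSAAPI connect(SOCKET s, const sockaddr *name, int namelen)
  const target = Process.getModuleByName('ws2_32.dll').getExportByName('connect');
  Interceptor.attach(target, {
    onEnter(args) {
      // namelen comes from the target; cap it so a bogus value cannot over-read.
      const len = Math.max(0, Math.min(args[2].toInt32(), 128));
      const raw = args[1].isNull() ? [] : new Uint8Array(args[1].readByteArray(len));
      this.endpoint = formatEndpoint(parseSockaddr(raw));
    },
    onLeave(retval) {
      // 0 on success, SOCKET_ERROR (-1) otherwise. A non-blocking socket reports
      // -1 with WSAEWOULDBLOCK even when the connection later succeeds.
      const ok = retval.toInt32() === 0;
      send({ type: 'net-connect', endpoint: this.endpoint, result: ok ? 'SUCCESS' : 'FAIL' });
    },
  });
}

// Only wire the hook up inside Frida; under plain Node this file just exposes the parser.
if (typeof Interceptor !== 'undefined') installConnectHook();
```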

🛡️ Anti-Debug Bypass

  • Patches IsDebuggerPresent → always returns 0
  • Hooks NtQueryInformationProcess and nulls out debug port, debug object handle, and debug flags (classes 7, 30, 31)
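The two bullets above, worked through as an added example that is not VMP_Hunter's own engine: `IsDebuggerPresent` is replaced wholesale with a `NativeCallback` returning 0, and `NtQueryInformationProcess` is hooked so that, after a successful call for classes 7, 30 or 31, the output buffer is rewritten to what an undebugged process would see. One detail worth knowing when writing this kind of hook: for class 31 (`ProcessDebugFlags`) the "not being debugged" value is 1 (`NoDebugInherit`), not 0, and for class 30 a clean process gets `STATUS_PORT_NOT_SET` rather than success, so the example sets those accordingly. The rewrite logic is a pure function taking any object with `writeU32`/`writeU64`, so it runs against a fake buffer under plain Node; the fake buffer and the `send()` record shape are assumptions of this example.

```javascript
// Added example (not VMP_Hunter's own code): anti-debug query scrubbing.
// Frida-specific code runs only inside a Frida session.

const STATUS_SUCCESS = 0;
const STATUS_PORT_NOT_SET = 0xC0000353;   // returned for class 30 when no debugger is attached

// NtQueryInformationProcess information classes (documented values).
const ProcessDebugPort = 7;
const ProcessDebugObjectHandle = 30;
const ProcessDebugFlags = 31;

function writePointerSized(buf, value, pointerSize) {
  if (pointerSize === 8) buf.writeU64(value); else buf.writeU32(value);
}

// Rewrite the output buffer of a completed NtQueryInformationProcess call so it
// matches an undebugged process. `buf` is a NativePointer in Frida, or any
// object with writeU32/writeU64. Returns the NTSTATUS the call should report.
function scrubDebugQuery(infoClass, ntstatus, buf, pointerSize) {
  if (ntstatus !== STATUS_SUCCESS) return ntstatus;   // buffer is undefined on failure
  switch (infoClass) {
    case ProcessDebugPort:            // DWORD_PTR: 0 = no debug port
      writePointerSized(buf, 0, pointerSize);
      return STATUS_SUCCESS;
    case ProcessDebugObjectHandle:    // HANDLE: clean process gets NULL + STATUS_PORT_NOT_SET
      writePointerSized(buf, 0, pointerSize);
      return STATUS_PORT_NOT_SET;
    case ProcessDebugFlags:           // ULONG: 1 (NoDebugInherit) = not debugged
      buf.writeU32(1);
      return STATUS_SUCCESS;
    default:
      return ntstatus;                // leave every other class alone
  }
}

// Fake buffer for use outside Frida (assumption of this example): records the last write.
function makeFakeBuffer() {
  const state = { value: null, width: 0 };
  return {
    state,
    writeU32(v) { state.value = v; state.width = 32; return this; },
    writeU64(v) { state.value = v; state.width = 64; return this; },
  };
}

function installAntiDebugBypass() {
  const k32 = Process.getModuleByName('kernel32.dll');
  const ntdll = Process.getModuleByName('ntdll.dll');

  // BOOL IsDebuggerPresent(void) -> always FALSE
  Interceptor.replace(k32.getExportByName('IsDebuggerPresent'),
    new NativeCallback(() => 0, 'int', []));

  // NTSTATUS NtQueryInformationProcess(ProcessHandle, ProcessInformationClass,
  //                                    ProcessInformation, Length, ReturnLength)
  Interceptor.attach(ntdll.getExportByName('NtQueryInformationProcess'), {
    onEnter(args) {
      this.infoClass = args[1].toInt32();
      this.info = args[2];
    },
    onLeave(retval) {
      if (this.info.isNull()) return;
      const status = retval.toUInt32();
      const newStatus = scrubDebugQuery(this.infoClass, status, this.info, Process.pointerSize);
      if (newStatus !== status) retval.replace(ptr(newStatus));
      if ([ProcessDebugPort, ProcessDebugObjectHandle, ProcessDebugFlags].includes(this.infoClass)) {
        send({ type: 'anti-debug', class: this.infoClass, status, newStatus });
      }
    },
  });
}

// Only wire the hooks up inside Frida; under plain Node this file just exposes scrubDebugQuery.
if (typeof Interceptor !== 'undefined') installAntiDebugBypass();
```

Logging every query for these three classes (not just the rewritten ones) is deliberate: the log line itself tells you the target is probing for a debugger, which is useful triage data even when nothing needed to be changed.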

📦 Dynamic DLL Hook Injection

  • Hooks LdrLoadDll to detect newly loaded modules at runtime
  • Automatically re-applies all hooks when a new DLL is loaded — ensuring nothing slips through late-loaded crypto or network libraries
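An added example of the re-application logic, not VMP_Hunter's own `hookDllLoader()`: a hook table keyed by module and export, a registry that remembers which targets are already attached so re-running the installer is idempotent (Frida will happily attach the same `Interceptor` twice and double-log), and an `LdrLoadDll` hook that re-runs the installer after each successful load. The registry and `applyHooks` are pure and run under plain Node with a stub attach function; `HOOK_TABLE`, its placeholder handlers and the `send()` record shape are assumptions of this example.

```javascript
// Added example (not VMP_Hunter's own code): idempotent hook re-application
// driven by LdrLoadDll. Frida-specific code runs only inside a Frida session.

// Constructed hook table. Handlers are placeholders; the real ones would be the
// crypto/network handlers the README describes.
const HOOK_TABLE = [
  { module: 'bcrypt.dll', symbol: 'BCryptEncrypt',
    handler: { onEnter(args) { send({ type: 'bcrypt-encrypt', cbInput: args[2].toUInt32() }); } } },
  { module: 'ws2_32.dll', symbol: 'send',
    handler: { onEnter(args) { send({ type: 'net-send', len: args[2].toInt32() }); } } },
];

// Remembers which "module!symbol" targets already have an Interceptor attached.
class HookRegistry {
  constructor() { this.installed = new Set(); }
  key(t) { return `${t.module.toLowerCase()}!${t.symbol}`; }
  isInstalled(t) { return this.installed.has(this.key(t)); }
  markInstalled(t) { this.installed.add(this.key(t)); }
  // Table entries whose module is currently loaded and which are not yet hooked.
  pending(table, loadedModules) {
    const loaded = new Set(loadedModules.map(m => m.toLowerCase()));
    return table.filter(t => loaded.has(t.module.toLowerCase()) && !this.isInstalled(t));
  }
}

// Attach every pending hook via `attach(target)`; returns the keys newly installed.
function applyHooks(registry, table, loadedModules, attach) {
  const todo = registry.pending(table, loadedModules);
  for (const t of todo) {
    attach(t);
    registry.markInstalled(t);
  }
  return todo.map(t => registry.key(t));
}

// --- Frida side -------------------------------------------------------------

function fridaAttach(t) {
  const addr = Process.getModuleByName(t.module).findExportByName(t.symbol);
  if (addr === null) return;   // export missing on this Windows build
  Interceptor.attach(addr, t.handler);
}

function loadedModuleNames() {
  return Process.enumerateModules().map(m => m.name);
}

function installDllLoaderHook(registry) {
  // NTSTATUS LdrLoadDll(PWSTR PathToFile, ULONG Flags,
  //                     PUNICODE_STRING ModuleFileName, PHANDLE ModuleHandle)
  const target = Process.getModuleByName('ntdll.dll').getExportByName('LdrLoadDll');
  Interceptor.attach(target, {
    onEnter(args) {
      // UNICODE_STRING: Length (u16, bytes), MaximumLength (u16), Buffer (PWSTR) at pointer-size offset
      const us = args[2];
      const chars = us.readU16() / 2;
      this.name = us.add(Process.pointerSize).readPointer().readUtf16String(chars);
    },
    onLeave(retval) {
      if (retval.toInt32() !== 0) return;   // load failed, nothing new to hook
      const added = applyHooks(registry, HOOK_TABLE, loadedModuleNames(), fridaAttach);
      send({ type: 'dll-load', name: this.name, hooksAdded: added });
    },
  });
}

// Inside Frida: hook what is already loaded, then let LdrLoadDll pick up the rest.
if (typeof Interceptor !== 'undefined') {
  const registry = new HookRegistry();
  applyHooks(registry, HOOK_TABLE, loadedModuleNames(), fridaAttach);
  installDllLoaderHook(registry);
}
```

Re-applying on `LdrLoadDll` rather than polling `Process.enumerateModules()` means a crypto DLL that a packer loads seconds into execution is hooked before its first export is called, since `onLeave` runs before `LdrLoadDll` returns to the caller.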

👶 Child Process Gating

  • Automatically attaches to any child processes spawned by the target
  • Injects the full hook engine into each child — useful for packed binaries that unpack into a child

🗂️ Project Structure

VMP_Hunter.py
├── FRIDA_SCRIPT          # Embedded JS instrumentation engine
│   ├── hookBCrypt()      # Modern Windows crypto hooks
│   ├── hookLegacyCrypto()# DPAPI, RC4, CryptoAPI hooks
│   ├── hookNetworking()  # WS2_32, DNS, WinINet hooks
│   ├── hookDllLoader()   # LdrLoadDll dynamic hook injection
│   ├── bypassAntiDebug() # IsDebuggerPresent / NtQueryInformationProcess patches
│   └── applyAllHooks()   # Master initializer
└── RobustHunter (Python)
    ├── spawn + attach     # Process launch and Frida session management
    ├── on_child_added()   # Child process gating
    ├── on_message()       # Frida message + error handler
    └── cleanup()          # Session teardown

⚙️ Requirements

  • Python 3.7+
  • Frida Python bindings:

pip install frida frida-tools

⚠️ Must be run with Administrator privileges on Windows for process injection.


🚀 Usage

python VMP_Hunter.py <target.exe>

Example:

python VMP_Hunter.py suspicious_packed_binary.exe

If no argument is provided, it defaults to YourFile.exe in the current directory.


📟 Sample Output

============================================================
  FRIDA INSTRUMENTATION ENGINE - Enhanced Edition
  Tracking: Encryption, Decryption, Network APIs
============================================================
[*] Spawning target.exe...
[*] Process spawned with PID: 4821
[12:34:01.042] [+] Hooked: bcrypt.dll!BCryptEncrypt @ 0x7ffb12340000
[12:34:01.043] [+] Hooked: ws2_32.dll!connect @ 0x7ffb09ab1234

[12:34:02.187] [NET-CONNECT] connect() -> 192.168.1.1:443 [SUCCESS]
    [STACK TRACE]:
      -> connect (ws2_32.dll)
      -> [SHELLCODE] 0x1a2b3c4d

[12:34:02.210] [BCRYPT-ENCRYPT] BCryptEncrypt called
    [Input Size]: 48 bytes
    [Plaintext Hex]: 48 65 6c 6c 6f ...
    [Plaintext ASCII]: Hello...

🔍 Use Cases

  • Malware analysis — Intercept C2 communications and decrypt traffic in-flight
  • Protocol reverse engineering — Capture plaintext before encryption and after decryption
  • VMProtect / packed binary analysis — Hook APIs that survive packing without needing to unpack first
  • CTF / crackme challenges — Observe crypto and network behaviour dynamically

⚠️ Disclaimer

This tool is intended for educational purposes, authorized security research, and malware analysis in isolated lab environments only. Do not use against software or systems you do not own or have explicit permission to test.


👤 Author

@1ronman101 — Python Engineer · Security Researcher · Reverse Engineering Enthusiast
