Bypass Record

Tamper-Protection Bypass × Oreans Technologies Themida 3.x.x

A publicly reported instance of a Tamper-Protection Bypass against Oreans Technologies Themida 3.x.x, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Oreans Technologies Themida 3.x.x
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2023-07-10
Config / version noted: Not stated

Provenance

Reported as

Proof-of-Concept Bypass for Themida 3.x.x CRC Integrity Check via WinAPI Hooking

Mechanism

The PoC monitors VirtualAlloc calls whose requested size matches the .text section size, which signals that Themida is about to calculate the CRC. It then copies the original memory into the allocated block and marks that block read-only, so the 'repe movsb' copy raises an access violation. A vectored exception handler modifies RIP to skip the copy, leaving the CRC check to compare against unmodified memory, thus bypassing integrity verification.

Detection & mitigation

Monitor for suspicious use of vectored exception handlers (AddVectoredExceptionHandler) and VirtualAlloc hooks in processes protected by Themida; deploy application whitelisting and integrity monitoring to detect unauthorized modifications to protected binaries.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.