Microsoft has had a very recent and unpleasant encounter with kernel-mode rootkits, where there turned out to be a plethora of Microsoft signed rootkits out in the wild. A lot of these drivers were protected with a variety of modern software obfuscations, the most prominent one being VMProtect, which prompted an initiative against these advanced forms of protections and their use in malware.

Our research will underline, in full, how this specific protector works, which in turn will shed light onto how all of them work in principle. We will also showcase a novel way of defeating this protector that, to the best of our knowledge, hasn't been demonstrated publicly yet. We plan to demonstrate how to leverage certain interfaces to, in a very real sense, break the entirety of the protection. We also plan to release a tool that can comprehensively unpack all latest versions of the protection and hopefully bring more attention to software protection as a whole and shed some much needed light on the mystery that enshrouds it. As a bonus, we will showcase, using essentially the same mechanisms, how to break a component a certain vendor has dubbed as "unbreakable" by leveraging these same techniques.

Got a question about this presentation? During the live broadcast post your question in the #q-and-a channel on Discord or, to get in touch with the speakers later, find them on Discord under the nickname DART_GB#6730.