vmpstatic
Static PE triage tool for VMProtect-protected binaries. It reads a Windows executable as raw bytes, parses the PE headers and structures, extracts a limited set of static indicators (section names and entropy, imports, data directories, TLS callbacks, overlay data, strings) and emits a heuristic report with a score and a classification.
It does not load or execute the sample, emulate instructions, unpack sections, devirtualise VM handlers or reconstruct the original control-flow graph. Everything in the report is derived from the file on disk, so a packer that hides its indicators behind renamed sections or resolves imports at run time will lower the score without being any less protected.
Example report:

```text
file: samples/bigdick.exe
format: PE32
machine: 0x014c
timestamp: 0x65f1a2c9
image base: 0x00400000
entry point RVA: 0x00007120
sections:
  .text  rva=0x00001000 raw=0x00000400 size=0x00005c00 entropy=6.18
  .rdata rva=0x00007000 raw=0x00006000 size=0x00001200 entropy=4.73
  .data  rva=0x00009000 raw=0x00007400 size=0x00000600 entropy=2.91
  .vmp0  rva=0x0000a000 raw=0x00007a00 size=0x00018800 entropy=7.86
  .rsrc  rva=0x00023000 raw=0x00020200 size=0x00001e00 entropy=5.12
imports:
  kernel32.dll
    VirtualAlloc
    VirtualProtect
    LoadLibraryA
    GetProcAddress
    IsDebuggerPresent
  user32.dll
    MessageBoxA
directories:
  resource: present
  basereloc: absent
  debug: absent
  TLS: present
TLS callbacks:
  0x0000a410
overlay:
  offset=0x00022000 size=0x00003480
score: 91
classification: likely VMProtect-protected
findings:
  info:   entry point is in section '.vmp0'
  high:   entry point is inside a VMProtect-named section
  high:   section '.vmp0' matches VMProtect naming patterns
  medium: section '.vmp0' has high entropy (7.86)
  medium: TLS directory present with 1 callback(s)
  medium: overlay data present at file offset 0x00022000 (13440 bytes)
  medium: anti-debug import found: kernel32.dll!IsDebuggerPresent
  low:    loader-related import found: kernel32.dll!VirtualProtect
strings:
  ascii   0x00008319 vmprotect  VMProtect
  ascii   0x00008402 loader-api VirtualAlloc
  utf16le 0x00009140 anti-debug IsDebuggerPresent
```
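As an added example (not the vmpstatic source), the following C program implements the static pass the description lists, run over a constructed PE32 image: it parses the DOS, COFF and optional headers and the section table from raw bytes with bounds checks on every read, computes per-section Shannon entropy, locates the section containing the entry point, detects an overlay after the last section's raw data, and turns those indicators into a score. The fixture bytes, the `.vmp` name-prefix check and the scoring weights (high 30, medium 15, capped at 100) are assumptions for illustration, not the tool's scheme; import and TLS directory parsing, which the report above also covers, is left out to keep the example short.

```c
/* Added example, not the vmpstatic source: a minimal PE32 static pass (headers,
 * sections, entry-point section, per-section entropy, overlay). Field offsets
 * follow the PE/COFF spec; the scoring weights are assumed, not the tool's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_SECS 16
#define SAMPLE_LEN 0xC40

struct pe_sec { char name[9]; uint32_t va, vsize, raw, rawsize; double entropy; };
struct pe_info { uint32_t machine, entry_rva, image_base; int nsecs;
                 struct pe_sec secs[MAX_SECS]; size_t overlay_off, overlay_size; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* log2 for x in (0, 1], done locally so the example needs no libm. */
static double log2_unit(double x) {
    int e = 0; while (x < 0.5) { x *= 2.0; e--; }        /* x = m * 2^e, m in [0.5, 1] */
    double t = (x - 1.0) / (x + 1.0), t2 = t * t, term = t, sum = 0.0;
    for (int k = 1; k < 60; k += 2) { sum += term / k; term *= t2; }   /* atanh series for ln(m) */
    return 2.0 * sum / 0.6931471805599453 + e;           /* ln(m)/ln(2) + e */
}

/* Shannon entropy in bits per byte (0.0 for an empty buffer). */
double shannon_entropy(const uint8_t *p, size_t n) {
    size_t hist[256] = {0}; double h = 0.0;
    for (size_t i = 0; i < n; i++) hist[p[i]]++;
    for (int i = 0; i < 256; i++)
        if (hist[i]) { double f = (double)hist[i] / (double)n; h -= f * log2_unit(f); }
    return h;
}

/* Parse a PE32 file image. Every read is bounds-checked so a truncated or
 * hostile file returns -1 instead of reading out of range. */
int parse_pe32(const uint8_t *buf, size_t len, struct pe_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3c);                       /* e_lfanew */
    if (pe > len - 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = buf + pe + 4, *opt = coff + 20;
    out->machine = rd16(coff); out->nsecs = rd16(coff + 2); uint16_t opt_size = rd16(coff + 16);
    if (out->nsecs > MAX_SECS || opt_size < 0x60 || (size_t)(opt - buf) + opt_size > len) return -1;
    if (rd16(opt) != 0x10b) return -1;                    /* PE32 only; 0x20b is PE32+ */
    out->entry_rva = rd32(opt + 16); out->image_base = rd32(opt + 28);
    const uint8_t *sh = opt + opt_size;                   /* first IMAGE_SECTION_HEADER */
    if ((size_t)(sh - buf) + (size_t)out->nsecs * 40 > len) return -1;
    size_t end = 0;
    for (int i = 0; i < out->nsecs; i++, sh += 40) {
        struct pe_sec *s = &out->secs[i]; memcpy(s->name, sh, 8); s->name[8] = 0;
        s->vsize = rd32(sh + 8); s->va = rd32(sh + 12); s->rawsize = rd32(sh + 16); s->raw = rd32(sh + 20);
        if (s->rawsize > len || s->raw > len - s->rawsize) return -1;  /* raw data past EOF */
        s->entropy = shannon_entropy(buf + s->raw, s->rawsize);
        if ((size_t)s->raw + s->rawsize > end) end = (size_t)s->raw + s->rawsize;
    }
    if (end < len) { out->overlay_off = end; out->overlay_size = len - end; }  /* trailing bytes */
    return 0;
}

/* Index of the section containing rva, or -1 (e.g. an EP inside the headers). */
int section_for_rva(const struct pe_info *pe, uint32_t rva) {
    for (int i = 0; i < pe->nsecs; i++) {
        const struct pe_sec *s = &pe->secs[i];
        uint32_t span = s->vsize > s->rawsize ? s->vsize : s->rawsize;
        if (rva >= s->va && rva - s->va < span) return i;
    }
    return -1;
}

/* VMProtect's default section names are .vmp0, .vmp1, ... */
int is_vmp_section_name(const char *name) { return strncmp(name, ".vmp", 4) == 0; }

/* Assumed weights: high = 30, medium = 15, capped at 100. */
int heuristic_score(const struct pe_info *pe) {
    int score = 0, ep = section_for_rva(pe, pe->entry_rva);
    if (ep >= 0 && is_vmp_section_name(pe->secs[ep].name)) score += 30;
    for (int i = 0; i < pe->nsecs; i++) {
        if (is_vmp_section_name(pe->secs[i].name)) score += 30;
        if (pe->secs[i].entropy > 7.0) score += 15;
    }
    if (pe->overlay_size) score += 15;
    return score > 100 ? 100 : score;
}

/* Constructed fixture, not a real sample: .text of NOPs, a .vmp0 section of
 * LCG noise standing in for packed code, EP inside .vmp0, 64-byte overlay. */
size_t build_sample(uint8_t *buf) {
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3c] = 0x40; memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = 0x4c; buf[0x45] = 0x01; buf[0x46] = 2; buf[0x54] = 0xE0;   /* i386, 2 sections, opt size */
    uint8_t *opt = buf + 0x58, *sh = opt + 0xE0;
    opt[0] = 0x0b; opt[1] = 0x01; opt[16] = 0x10; opt[17] = 0x20; opt[30] = 0x40; /* PE32, EP 0x2010, base 0x400000 */
    memcpy(sh, ".text", 5); sh[9] = 0x02; sh[13] = 0x10; sh[17] = 0x02; sh[21] = 0x02;  /* vsize, va, rawsize, raw */
    memset(buf + 0x200, 0x90, 0x200);
    memcpy(sh += 40, ".vmp0", 5); sh[9] = 0x08; sh[13] = 0x20; sh[17] = 0x08; sh[21] = 0x04;
    for (uint32_t i = 0, x = 0x12345678; i < 0x800; i++) { x = x * 1103515245u + 12345u; buf[0x400 + i] = (uint8_t)(x >> 16); }
    memset(buf + 0xC00, 0xAA, 0x40);                      /* overlay after the last section */
    return SAMPLE_LEN;
}

int main(void) {
    uint8_t buf[SAMPLE_LEN]; struct pe_info pe;
    if (parse_pe32(buf, build_sample(buf), &pe) != 0) { fputs("not a PE32 file\n", stderr); return 1; }
    int ep = section_for_rva(&pe, pe.entry_rva);
    printf("entry point RVA: 0x%08x in %s\n", pe.entry_rva, ep >= 0 ? pe.secs[ep].name : "headers");
    for (int i = 0; i < pe.nsecs; i++) printf("%-8s rva=0x%08x raw=0x%08x size=0x%08x entropy=%.2f\n",
        pe.secs[i].name, pe.secs[i].va, pe.secs[i].raw, pe.secs[i].rawsize, pe.secs[i].entropy);
    if (pe.overlay_size) printf("overlay: offset=0x%08zx size=%zu\n", pe.overlay_off, pe.overlay_size);
    printf("score: %d\n", heuristic_score(&pe));
    return 0;
}
```

Two details matter for a tool that is pointed at hostile input: every header offset and every section's raw range is checked against the file length before it is dereferenced, and the entry point is resolved against the larger of VirtualSize and SizeOfRawData so an EP in a section that is mostly zero-filled in the file is still attributed correctly. The overlay is simply whatever lies past the highest raw-data end, which is also where a packed binary's appended payload or certificate table shows up.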