From 29b8ec40725bc6bc033e023f8a8244fd0af0945f Mon Sep 17 00:00:00 2001
From: thejanit0r
Date: Sun, 4 Jan 2026 09:33:54 +0100
Subject: [PATCH] Added additional vmp compatibility

---
 src/windows-emulator/memory_utils.hpp | 4 +++
 src/windows-emulator/syscalls/object.cpp | 4 ++-
 src/windows-emulator/syscalls/process.cpp | 31 ++++++++++++++++++++++++-
 src/windows-emulator/syscalls/thread.cpp | 2 ++
 4 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/windows-emulator/memory_utils.hpp b/src/windows-emulator/memory_utils.hpp
index 632979c6..0349806a 100644
--- a/src/windows-emulator/memory_utils.hpp
+++ b/src/windows-emulator/memory_utils.hpp
@@ -31,6 +31,10 @@ inline std::optional try_map_nt_to_emulator_protection(uin
         ext = memory_permission_ext::guard;
     }
 
+    // Remove the highest nibble since we are not currently handling those memory protection constants
+    // https://github.com/winsiderss/phnt/blob/master/ntmmapi.h#L26
+    nt_protection &= ~0xF0000000;
+
     memory_permission common = memory_permission::none;
     switch (nt_protection)
     {
diff --git a/src/windows-emulator/syscalls/object.cpp b/src/windows-emulator/syscalls/object.cpp
index 1d474ffe..afd1a53a 100644
--- a/src/windows-emulator/syscalls/object.cpp
+++ b/src/windows-emulator/syscalls/object.cpp
@@ -8,8 +8,10 @@ namespace syscalls
     {
         const auto value = h.value;
 
-        if (h.h == 0xDEADC0DE)
+        if (h.h == 0xDEADC0DE || h.h == 0xDEADBEEF)
         {
+            c.win_emu.callbacks.on_suspicious_activity("Anti-debug check with invalid handle");
+
             return STATUS_INVALID_HANDLE;
         }
 
diff --git a/src/windows-emulator/syscalls/process.cpp b/src/windows-emulator/syscalls/process.cpp
index 7f8c78bd..3c7a9bd2 100644
--- a/src/windows-emulator/syscalls/process.cpp
+++ b/src/windows-emulator/syscalls/process.cpp
@@ -15,6 +15,8 @@ namespace syscalls
             return STATUS_NOT_SUPPORTED;
         }
 
+        const auto return_length_info = c.win_emu.memory.get_region_info(return_length.value());
+
         switch (info_class)
         {
         case ProcessExecuteFlags:
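Review bot: `nt_protection &= ~0xF0000000;` silently accepts any request that carries bits in the top nibble and maps it to the plain permission, so a caller that set those modifiers gets the same answer as one that did not, and nothing records that they were dropped. Since the function is a `try_map_*` returning `std::optional`, the stricter alternative is to let a non-zero nibble fall through to whatever the `switch` does for unknown values (presumably `std::nullopt`; the default branch is outside the hunk), or at least to name the constants being discarded in the comment instead of only linking to the header. Either way the literal deserves a name, e.g. `constexpr std::uint32_t unhandled_protection_bits = 0xF0000000;` followed by `nt_protection &= ~unhandled_protection_bits;`. The rest of try_map_nt_to_emulator_protection starts and ends outside the hunk.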
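Review bot: Hardcoding `0xDEADC0DE` and `0xDEADBEEF` as the only values that trigger the suspicious-activity report leaves every other invalid-handle probe unreported, and the list will grow with each new sample. If the lookup that follows the hunk already fails for handles that are not in the process's handle tables (the rest of the function is outside the hunk), raising `on_suspicious_activity` on that generic not-found path would cover every such probe instead of two known constants. If the explicit list is kept, a comment above the `if` should say why these values are special-cased, e.g. `// Well-known bogus handle values used by anti-debug probes; reported, then rejected with STATUS_INVALID_HANDLE`.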
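Review bot: `return_length_info` is computed from `return_length.value()` before the `switch`, for every `info_class`, although the second process.cpp hunk (`@@ -62,6 +64,24 @@`) is the only place that reads it, and that hunk checks `return_length.value() == 0` only after this lookup has already run with a null address. Unless `get_region_info(0)` is known to be harmless (I cannot tell from the hunk), the lookup should move into the `ProcessDebugObjectHandle` case after the null check, i.e. `const auto return_length_info = c.win_emu.memory.get_region_info(return_length.value());` placed directly before `if (!return_length_info.is_reserved)`. That also avoids paying for a region lookup on every other query class. The enclosing function begins outside the hunk.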
@@ -62,6 +64,24 @@ namespace syscalls
             });
 
         case ProcessDebugObjectHandle:
+
+            c.win_emu.callbacks.on_suspicious_activity("Anti-debug check with ProcessDebugObjectHandle");
+
+            if ((process_information & 3) != 0)
+            {
+                return STATUS_DATATYPE_MISALIGNMENT;
+            }
+
+            if (return_length.value() == 0)
+            {
+                return STATUS_PORT_NOT_SET;
+            }
+
+            if (!return_length_info.is_reserved)
+            {
+                return STATUS_ACCESS_VIOLATION;
+            }
+
             return handle_query(c.emu, process_information, process_information_length, return_length, [](handle& h) {
                 h = NULL_HANDLE;
                 return STATUS_PORT_NOT_SET;
@@ -75,6 +95,13 @@ namespace syscalls
             });
 
         case ProcessDebugPort:
+            c.win_emu.callbacks.on_suspicious_activity("Anti-debug check with ProcessDebugPort");
+
+            return handle_query::PVOID>(c.emu, process_information, process_information_length, return_length,
+                                        [](EmulatorTraits::PVOID& ptr) {
+                                            ptr = 0; //
+                                        });
+
         case ProcessDeviceMap:
             return handle_query::PVOID>(c.emu, process_information, process_information_length, return_length,
                                         [](EmulatorTraits::PVOID& ptr) {
@@ -202,7 +229,8 @@ namespace syscalls
             || info_class == ProcessDynamicFunctionTableInformation //
             || info_class == ProcessPriorityBoost //
             || info_class == ProcessPriorityClassEx //
-            || info_class == ProcessPriorityClass)
+            || info_class == ProcessPriorityClass
+            || info_class == ProcessAffinityMask)
         {
             return STATUS_SUCCESS;
         }
@@ -333,6 +361,7 @@ namespace syscalls
         PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION info;
         c.emu.read_memory(process_information, &info, sizeof(PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION));
+        c.win_emu.callbacks.on_suspicious_activity("Setting ProcessInstrumentationCallback");
         c.proc.instrumentation_callback = info.Callback;
diff --git a/src/windows-emulator/syscalls/thread.cpp b/src/windows-emulator/syscalls/thread.cpp
index 81caa575..e53aaf29 100644
--- a/src/windows-emulator/syscalls/thread.cpp
+++ b/src/windows-emulator/syscalls/thread.cpp
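Review bot: The early `return STATUS_PORT_NOT_SET;` for `return_length.value() == 0` exits before `handle_query` runs, so in that case the output buffer is never written with `NULL_HANDLE`, whereas the path below does write it; a probe that pre-fills the buffer and inspects it afterwards would see a different result depending on whether it passed a ReturnLength pointer. Unless this asymmetry was observed on a real kernel, the null-pointer case should either go through `handle_query` as well (if it tolerates a null `return_length`) or be documented, e.g. `// ReturnLength is optional here: only the status is reported, the handle is not written` above that branch. The suspicious-activity report is raised before the argument checks, which is reasonable for detection but worth a one-line comment so it is not read as an ordering mistake.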
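Review bot: The trailing `//` after `ptr = 0;` in the new ProcessDebugPort handler is an empty comment that reads as a leftover; either drop it or say what the zero stands for, e.g. `ptr = 0; // no debug port: report the process as not being debugged`. The lambda appears to have the same shape as the ProcessDeviceMap one below it (its body is outside the hunk), so if more classes need a zero PVOID answer a small shared helper would avoid repeating the template call.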
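Review bot: Adding `ProcessAffinityMask` to the list of classes answered with `STATUS_SUCCESS` without touching any state means a set-affinity call is acknowledged but has no effect, so a later query of the affinity mask (answered elsewhere, outside this hunk) will not reflect it and a sample can notice the inconsistency. If accepting it blindly is intentional for compatibility, a trailing comment in the style of the neighbouring entries, e.g. `|| info_class == ProcessAffinityMask // accepted but not stored`, would make the trade-off visible; otherwise the value should be stored so the query side can return it.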
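Review bot: `on_suspicious_activity("Setting ProcessInstrumentationCallback")` is raised after `c.emu.read_memory(...)`, so if the read fails (I cannot tell from the hunk how `read_memory` reports a bad pointer) the attempt to install an instrumentation callback is never recorded, although the attempt itself is the event worth logging. Moving the call to just before the `read_memory` line records it regardless of whether the buffer is valid. If `on_suspicious_activity` accepts formatted text, including `info.Callback` in the message would let a reader correlate the event with the region it points at. The enclosing function starts and ends outside the hunk.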
@@ -309,6 +309,8 @@ namespace syscalls
         const emulator_object info{c.emu, thread_information};
         info.write(cur_emulator_thread.debugger_hide);
 
+        c.win_emu.callbacks.on_suspicious_activity("Checking if the thread is hidden from the debugger");
+
         return STATUS_SUCCESS;
     }