Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Detect VirtualPC or VMWARE [ASM] (https://forum.exetools.com/showthread.php?t=5955)

taos 12-05-2004 23:48

Detect VirtualPC or VMWARE [ASM]
[NASM compiler]
push ebp
mov ecx, offset @@exception_handler
mov ebp, esp
push ebx
push ecx
push dword ptr fs:[0]
mov dword ptr fs:[0], esp
mov ebx, 0 ; flag
mov eax, 1 ; VPC function number
; call VPC
db 00Fh, 03Fh, 007h, 00Bh
mov eax, dword ptr ss:[esp]
mov dword ptr fs:[0], eax
add esp, 8
test ebx, ebx
setz al
lea esp, dword ptr ss:[ebp-4]
mov ebx, dword ptr ss:[esp]
mov ebp, dword ptr ss:[esp+4]
add esp, 8
jmp @@ret
mov ecx, [esp+0Ch]
mov dword ptr [ecx+0A4h], -1 ; EBX = -1 -> not running, ebx = 0 -> running
add dword ptr [ecx+0B8h], 4 ; -> skip past the detection code
xor eax, eax ; exception is handled

mov eax, 564D5868h
mov ebx, 00000000h
mov ecx, 0000000Ah
mov edx, 00005658h
in eax, dx
cmp ebx, 564D5868h
jne @@exit
mov Result, True

[email protected] 12-06-2004 01:35


Originally Posted by taos
mov eax, 564D5868h
mov ebx, 00000000h
mov ecx, 0000000Ah
mov edx, 00005658h
in eax, dx
cmp ebx, 564D5868h
jne @@exit
mov Result, True

Try to add following to VMX file

isolation.tools.getVersion.disable = "TRUE"

You will be surprised ;)

taos 12-06-2004 09:53

Hi! [email protected]:

VMware registry keys are
HKLM\Software\VMware, Inc.\VMware for Windows NT -- real
HKLM\Software\VMWare, Inc.\VMware Tools\ -- virtual
VMware executables directory is
C:\Program Files\VMware -- both real and virtual

There can be many different methods to detect if you're under virtual
OS, such as incorrectly emulated ports, predetermined hardware info,
special drivers and other things.

There's another code to know if we're under a VMM or under a real environment.
int swallow_redpill () {
unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
*((unsigned*)&rpill[3]) = (unsigned)m;
return (m[5]>0xd0) ? 1 : 0;

The heart of this code is...

Hardware info:
Detecting VMware hardware even with Kostyra's modifications is to look at the IDE CD-Rom or Hard drive on the system. To do this, we can use hdparm with the -I argument:
[[email protected]]# hdparm -I /dev/hda
ATAPI CD-ROM, with removable media
Model Number: VMware Virtual IDE CDROM Drive
Serial Number: 00000000000000000001
Firmware Revision: 00000001
Likely used CD-ROM ATAPI-1
DRQ response: 50us.
Packet size: 12 bytes
LBA, IORDY(can be disabled)
Buffer size: 32.0kB
DMA: sdma0 sdma1 sdma2 mdma0 mdma1 mdma2 udma0 *udma1 udma2
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Enabled Supported:
* NOP cmd
* PACKET command feature set
* Power Management feature set
Now, go look at the output on a regular cdrom drive running on your
system. Lets go over the differences.

Also, in this page you've all commands:

You can use any of them that returns values to check VMWARE or not.


bart 12-07-2004 09:01

redpill uses sidt to detect relocated IDT table, i heard it doesnt work on newer VMWares, VirtualPC detection method sux, lock cmpxchg8b ;), from my observation it hangs up pentium cpu's and even SEH frame wont help you (hmm but not this one, it doesnt use cmpxchg8b... i must be not high enough)

Dr.Golova 12-07-2004 19:31


Originally Posted by bart
redpill uses sidt to detect relocated IDT table

Also redpill execute code on stack. This program will be immediately terminated under 64-bit enwironment by date execution prevention technology in Windows XP :(

upb 12-08-2004 07:29

running code from the stack is not important there, it's just done so you could compile the program with many c compilers (no inline asm)

All times are GMT +8. The time now is 22:14.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX