#1
Detect VirtualPC or VMWARE [ASM]
[NASM compiler]
VirtualPC:

    push ebp
    mov ecx, offset @@exception_handler
    mov ebp, esp
    push ebx
    push ecx
    push dword ptr fs:[0]
    mov dword ptr fs:[0], esp        ; install the SEH frame built on the stack
    mov ebx, 0                       ; flag
    mov eax, 1                       ; VPC function number
    ; call VPC
    db 00Fh, 03Fh, 007h, 00Bh        ; invalid opcode on a real CPU -> exception
    mov eax, dword ptr ss:[esp]
    mov dword ptr fs:[0], eax        ; restore the previous handler
    add esp, 8
    test ebx, ebx
    setz al
    lea esp, dword ptr ss:[ebp-4]
    mov ebx, dword ptr ss:[esp]
    mov ebp, dword ptr ss:[esp+4]
    add esp, 8
    jmp @@ret
@@exception_handler:
    mov ecx, [esp+0Ch]               ; CONTEXT record passed to the handler
    mov dword ptr [ecx+0A4h], -1     ; EBX = -1 -> not running, ebx = 0 -> running
    add dword ptr [ecx+0B8h], 4      ; -> skip past the detection code
    xor eax, eax                     ; exception is handled
    ret
@@ret:

VMWare:

    mov eax, 564D5868h               ; 'VMXh' magic value
    mov ebx, 00000000h
    mov ecx, 0000000Ah               ; backdoor command: get version
    mov edx, 00005658h               ; 'VX' backdoor I/O port
    in eax, dx
    cmp ebx, 564D5868h               ; under VMware, ebx echoes the magic value
    jne @@exit
    mov Result, True
@@exit:
#2
Quote:
    isolation.tools.getVersion.disable = "TRUE"

You will be surprised ;)
#3
Hi! Nikita@Work:
VMware registry keys:

    HKLM\Software\VMware, Inc.\VMware for Windows NT    -- real
    HKLM\Software\VMWare, Inc.\VMware Tools\            -- virtual

VMware executables directory:

    C:\Program Files\VMware                             -- both real and virtual

There can be many different methods to detect if you're under a virtual OS, such as incorrectly emulated ports, predetermined hardware info, special drivers and other things.

Here is another piece of code to tell whether we're under a VMM or in a real environment:

    int swallow_redpill () {
      /* m receives the 6-byte IDTR (2-byte limit, 4-byte base) written by SIDT */
      unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3"; /* sidt [imm32]; ret */
      *((unsigned*)&rpill[3]) = (unsigned)m;  /* patch the operand address to point at m */
      ((void(*)())&rpill)();                  /* execute the patched stub */
      return (m[5]>0xd0) ? 1 : 0;             /* high byte of the IDT base: relocated under a VMM */
    }

The heart of this code is... hXXp://addict3d.org/index.php?page=viewarticle&type=security&ID=2594

Hardware info:

One way of detecting VMware hardware, even with Kostyra's modifications, is to look at the IDE CD-ROM or hard drive on the system. To do this, we can use hdparm with the -I argument:

    [root@localhost]# hdparm -I /dev/hda

    /dev/hda:

    ATAPI CD-ROM, with removable media
            Model Number:       VMware Virtual IDE CDROM Drive
            Serial Number:      00000000000000000001
            Firmware Revision:  00000001
    Standards:
            Likely used CD-ROM ATAPI-1
    Configuration:
            DRQ response: 50us.
            Packet size: 12 bytes
    Capabilities:
            LBA, IORDY(can be disabled)
            Buffer size: 32.0kB
            DMA: sdma0 sdma1 sdma2 mdma0 mdma1 mdma2 udma0 *udma1 udma2
                 Cycle time: min=120ns recommended=120ns
            PIO: pio0 pio1 pio2 pio3 pio4
                 Cycle time: no flow control=120ns  IORDY flow control=120ns
    Commands/features:
            Enabled Supported:
               *    NOP cmd
               *    DEVICE RESET cmd
               *    PACKET command feature set
               *    Power Management feature set

Now, go look at the output of a regular CD-ROM drive running on your system. Let's go over the differences.

Also, this page lists all the commands: hXXp://chitchat.at.infoseek.co.jp/vmware/backdoor.html#top

You can use any of them that returns values to check whether it's VMware or not.

Regards.
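As an added example (not code from this thread), a small Python parser that pulls the identification fields out of `hdparm -I` output like the dump above and reports the VMware fingerprint the post points at, the way a sandbox operator might audit what a guest exposes. The physical-drive sample and the marker tuple are constructed assumptions.

```python
import re

# Constructed sample: the identification block of the hdparm -I output in the post
# (the remaining capability lines do not affect the parser).
HDPARM_VMWARE = """\
/dev/hda:

ATAPI CD-ROM, with removable media
\tModel Number:       VMware Virtual IDE CDROM Drive
\tSerial Number:      00000000000000000001
\tFirmware Revision:  00000001
Standards:
\tLikely used CD-ROM ATAPI-1
"""

# Constructed sample of a physical drive, for comparison (not from the post).
HDPARM_PHYSICAL = """\
/dev/hdc:

ATAPI CD-ROM, with removable media
\tModel Number:       LITE-ON DVDRW SOHW-1633S
\tSerial Number:      2004112207154
\tFirmware Revision:  BS0S
"""

# Identification fields as hdparm -I prints them ("<name>:<spaces><value>").
_FIELD_RE = re.compile(
    r"^\s*(Model Number|Serial Number|Firmware Revision):\s*(.*?)\s*$", re.M)

# Model-string markers of an emulated device; only the VMware one from the post
# is included, other vendors' strings are an assumption left to the reader.
VIRTUAL_MARKERS = ("VMware Virtual",)


def parse_hdparm_identify(text):
    """Return {field name: value} for the identification fields in one dump."""
    return {name: value for name, value in _FIELD_RE.findall(text)}


def classify_drive(text):
    """Return (is_virtual, reasons) for one hdparm -I dump.

    The verdict rests on the model string; a placeholder serial number (all
    zeros apart from the last digit, as in the post) is listed as supporting
    evidence but does not decide the verdict on its own.
    """
    fields = parse_hdparm_identify(text)
    model = fields.get("Model Number", "")
    serial = fields.get("Serial Number", "")
    hits = [m for m in VIRTUAL_MARKERS if m.lower() in model.lower()]
    reasons = ["model string contains %r" % m for m in hits]
    if serial and re.fullmatch(r"0*[01]", serial):
        reasons.append("placeholder serial number %s" % serial)
    return (bool(hits), reasons)
```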
#4
redpill uses sidt to detect a relocated IDT table; I heard it doesn't work on newer VMwares. The VirtualPC detection method sux: lock cmpxchg8b, from my observation, hangs up Pentium CPUs and even an SEH frame won't help you (hmm, but not this one, it doesn't use cmpxchg8b... I must be not high enough).
Last edited by bart; 12-07-2004 at 09:07.
#5
Quote:
#6
Running code from the stack is not important there; it's just done so you could compile the program with many C compilers (no inline asm).