判断程序的执行环境是VM

最新推荐文章于 2024-10-23 15:24:51 发布

原创最新推荐文章于 2024-10-23 15:24:51 发布 · 565 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#vmware #exception #output #function #虚拟机 #cmd

vcbcbdelphi的window编程同时被 2 个专栏收录

551 篇文章

订阅专栏

病毒汇编和调试逆向技术加脱壳

506 篇文章

订阅专栏

老V的代码很古老的
抗VM分析
mov ecx, 0Ah ; CX=function# (0Ah=get_version)
mov eax, 'VMXh' ; EAX=magic
mov dx, 'VX' ; DX=magic
in eax, dx ; specially processed io cmd
; output: EAX/EBX/ECX = data
cmp ebx, 'VMXh' ; also eax/ecx modified (maybe vmw/os ver?)
je under_VMware

bool IsInsideVMWare()
{
bool rc = true;

__try
{
__asm
{
push edx
push ecx
push ebx

mov eax, 'VMXh'
mov ebx, 0 // any value but not the MAGIC VALUE
mov ecx, 10 // get VMWare version
mov edx, 'VX' // port number

in eax, dx // read port
// on return EAX returns the VERSION
cmp ebx, 'VMXh' // is it a reply from VMWare?
setz [rc] // set return value

pop ebx
pop ecx
pop edx
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
rc = false;
}

return rc;
}

bool IsInsideVPC()
{
bool rc = false;

__try
{
_asm push ebx
_asm mov ebx, 0 // Flag
_asm mov eax, 1 // VPC function number

// call VPC
_asm __emit 0Fh
_asm __emit 3Fh
_asm __emit 07h
_asm __emit 0Bh

_asm test ebx, ebx
_asm setz [rc]
_asm pop ebx
}
// The except block shouldn't get triggered if VPC is running!!
__except(IsInsideVPC_exceptionFilter(GetExceptionInformation()))
{
}

return rc;
}

给个通用判断的方法，不管VMWare或VirtuaPC都有效

int DCVM ()
{
unsigned char m[2+4], rpill[] = "/x0f/x01/x0d/x00/x00/x00/x00/xc3";
*((unsigned*)&rpill[3]) = (unsigned)m;
((void(*)())&rpill)();

printf ("idt base: %#x/n", *((unsigned*)&m[2]));
if (m[5]>0xd0) printf ("虚拟机/r/n", m[5]);
else printf ("真实机器/r/n");
return 0;
}