Author Topic: Assembler methods for Virtual Machine Detection  (Read 637 times)

Jovanna

  • Regular Member
  • *
  • Posts: 16
Assembler methods for Virtual Machine Detection
« on: July 10, 2019, 01:13:40 AM »
Dear Assembler Masters,

I created this topic mainly for sharing code, functions, methods, ideas and approaches for how to wisely and smartly detect that your app is running on a virtual machine.

I understand that detecting it is quite a difficult issue, as described by Stéphane Charette in the article:
 http://charette.no-ip.com:81/programming/2009-12-30_Virtualization/index.html
(my favorite article, even if it seems quite hopeless)
Stéphane Charette was kind enough to provide a code example:
http://charette.no-ip.com:81/programming/2009-12-30_Virtualization/2009-12-30_Virtualization.c
I pasted it into Code::Blocks as a C console app, and there are some errors:
Line 40: Error: width of ‘base’ exceeds its type
Line 114: Error: unknown type name ‘cpu_set_t’
Maybe the compiler GNU GCC is not the proper one? Would you please help?
Thanks.

Kind regards

TimoVJL

  • Member
  • ***
  • Posts: 413
Re: Assembler methods for Virtual Machine Detection
« Reply #1 on: July 10, 2019, 02:21:20 AM »
Linux specific code?

Fake include?
Code:
/* Minimal stand-in for the glibc definitions behind cpu_set_t, so the
   Linux-only <sched.h> types can be compiled on another platform.
   __SQUAD_TYPE / __UQUAD_TYPE are defined here as well, otherwise the
   X32 branch below would reference undefined macros. */
#define __SQUAD_TYPE            long long int
#define __UQUAD_TYPE            unsigned long long int
#define __SLONGWORD_TYPE        long int
#define __ULONGWORD_TYPE        unsigned long int

/* X32 kernel interface is 64-bit.  */
#if defined __x86_64__ && defined __ILP32__
# define __SYSCALL_SLONG_TYPE        __SQUAD_TYPE
# define __SYSCALL_ULONG_TYPE        __UQUAD_TYPE
#else
# define __SYSCALL_SLONG_TYPE        __SLONGWORD_TYPE
# define __SYSCALL_ULONG_TYPE        __ULONGWORD_TYPE
#endif

//cpu-set.h

/* Size definition for CPU sets.  */
#define __CPU_SETSIZE        1024
#define __NCPUBITS        (8 * sizeof (__cpu_mask))

#define __CPU_MASK_TYPE         __SYSCALL_ULONG_TYPE

/* Type for array elements in 'cpu_set_t'.  */
typedef __CPU_MASK_TYPE __cpu_mask;

/* Data structure to describe CPU mask.  */
typedef struct
{
  __cpu_mask __bits[__CPU_SETSIZE / __NCPUBITS];
} cpu_set_t;
May the source be with you

fearless

  • Member
  • ***
  • Posts: 458
    • LetTheLightIn
Re: Assembler methods for Virtual Machine Detection
« Reply #2 on: July 10, 2019, 02:22:42 AM »
https://github.com/LordNoteworthy/al-khaser
has a lot of info on detecting VMs
fearless

CM690II Case, HX1000 PSU, Asus Z97, Intel i7-4790K, Seidon 120v Cooler, 16GB DDR3, MSI GTX 980TI

My Github  Twitter

AW

  • Member
  • *****
  • Posts: 2243
  • Let's Make ASM Great Again!
Re: Assembler methods for Virtual Machine Detection
« Reply #3 on: July 10, 2019, 03:13:32 AM »
This method will tell you which VM you are in (or not in).
Of course, kernel mode malware can subvert it, and in general can subvert any other method.

Edit: I removed the attachment because it contains a bug. It will be fixed later.
« Last Edit: July 10, 2019, 03:06:54 PM by AW »

AW

  • Member
  • *****
  • Posts: 2243
  • Let's Make ASM Great Again!
Re: Assembler methods for Virtual Machine Detection
« Reply #4 on: July 11, 2019, 12:21:50 AM »
There was a small bug in the code, which is now fixed.
It was also tested in VBox in addition to VMWare. I don't expect problems on other Virtual Machines, but I have no current installs of them to confirm.


Jovanna

  • Regular Member
  • *
  • Posts: 16
Re: Assembler methods for Virtual Machine Detection
« Reply #5 on: July 26, 2019, 01:19:04 AM »
Dear All,
Thank you for your help.

TimoVJL: thanks for the code. I included it. I also downloaded and installed the MinGW64 compiler in Code::Blocks, but there is still an error: line 83: width of ‘base’ exceeds its type.
Line 83 is: unsigned long base : 64;
Here is the code: https://pastebin.com/aHedC1GJ
Maybe there is something I am missing.

I tried to install MASM, Microsoft Macro Assembler, which additionally required installing Microsoft Visual C++ 2005 Express Edition, but strangely this program seems not to want to install.

Fearless: thanks for the site information, a really good one. By experiment I have found “Scsi Port 2”. I knew about “Scsi Port 0” in the address, but didn’t know there is another option: “Scsi Port 1”.
There is really a lot of code in al-khaser’s GitHub. Thanks.

AW: many thanks for the code provided. I started the exe to test it on a virtual machine, but the console closes quickly with no possibility of reading what is written on it. How could I do something like Console.ReadKey() in Assembler?

Would you please give me some advice on what IDE to install to compile and create an exe from Assembler code? I’ll copy your code there and will learn step by step; I really need this.

Thanks a lot, Assembler Masters!

Kind regards & Be Happy!!

TimoVJL

  • Member
  • ***
  • Posts: 413
Re: Assembler methods for Virtual Machine Detection
« Reply #6 on: July 26, 2019, 02:15:23 AM »
Is this any better?
Code:
typedef struct
{
/* Win64 is LLP64, so unsigned long stays 32 bits there; X32 is ILP32 on an
   x86-64 kernel. Both need a 64-bit type for the base. */
#if defined _WIN64 || (defined __x86_64__ && defined __ILP32__)
    unsigned short limit;
    unsigned long long base;
#else
    unsigned short limit;
    unsigned long base;
#endif
} __attribute__((packed)) dt;
Check this too:
https://docs.oracle.com/cd/E19620-01/805-3024/lp64-1/index.html
May the source be with you
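The compile error in this thread comes from the data model: on Win64 (LLP64) `unsigned long` is 32 bits, so a 64-bit bit-field of that type cannot exist, whereas on Linux x86-64 (LP64) it is 64 bits. The following is an added example, not code from the thread or from Charette's program, showing the layout that the 64-bit SIDT/SGDT image has (a 16-bit limit followed by a 64-bit base, 10 bytes with no padding) written with fixed-width types so that it is identical under both data models, plus a byte-wise decoder for such an image. It does not execute the instruction itself; the sample image, the `dt_*` function names and the `0xFFFFF80012345000` base are constructed for the example.

```c
/* Added example: portable layout and decoder for a 64-bit SIDT/SGDT image.
 * Not taken from the thread or from Charette's code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Descriptor table register image: 16-bit limit, then 64-bit linear base,
 * no padding. uint16_t/uint64_t give the same 10-byte layout under LP64
 * (Linux) and LLP64 (Win64); `unsigned long base : 64` would not. */
#if defined(_MSC_VER)
#pragma pack(push, 1)
typedef struct { uint16_t limit; uint64_t base; } dt;
#pragma pack(pop)
#else
typedef struct { uint16_t limit; uint64_t base; } __attribute__((packed)) dt;
#endif

#define DT_IMAGE_SIZE 10

/* Constructed sample image (not captured from a real machine):
 * limit 0x0FFF (256 gates * 16 bytes - 1), base 0xFFFFF80012345000,
 * both stored little-endian as the CPU would store them. */
const unsigned char dt_sample_image[DT_IMAGE_SIZE] = {
    0xFF, 0x0F,
    0x00, 0x50, 0x34, 0x12, 0x00, 0xF8, 0xFF, 0xFF
};

/* Decode a raw 10-byte little-endian image into a dt. Done byte by byte so
 * the result does not depend on host endianness or on the struct layout.
 * Returns 0 on success, -1 on a short or missing buffer. */
int dt_parse(const unsigned char *buf, size_t len, dt *out) {
    if (buf == NULL || out == NULL || len < DT_IMAGE_SIZE) return -1;
    out->limit = (uint16_t)(buf[0] | ((uint16_t)buf[1] << 8));
    out->base = 0;
    for (int i = 0; i < 8; i++) out->base |= (uint64_t)buf[2 + i] << (8 * i);
    return 0;
}

/* Convenience accessors that return a single value (0 on failure). */
uint64_t dt_base_of(const unsigned char *buf, size_t len) {
    dt r;
    return dt_parse(buf, len, &r) == 0 ? r.base : 0;
}
unsigned dt_limit_of(const unsigned char *buf, size_t len) {
    dt r;
    return dt_parse(buf, len, &r) == 0 ? r.limit : 0;
}

/* sizeof(dt) as the compiler lays it out: 10 means the packing and the
 * fixed-width types are right; 16 would mean padding crept in. */
size_t dt_struct_size(void) { return sizeof(dt); }

/* Number of descriptors in a 64-bit-mode IDT: limit is (size - 1) and each
 * gate is 16 bytes. Returns 0 for a limit that is not a whole gate count. */
unsigned dt_idt_entries(uint16_t limit) {
    if ((limit + 1u) % 16u != 0u) return 0;
    return (limit + 1u) / 16u;
}

int main(void) {
    dt r;
    if (dt_parse(dt_sample_image, sizeof dt_sample_image, &r) != 0) return 1;
    printf("sizeof(dt)=%zu limit=0x%04X base=0x%016llX entries=%u\n",
           dt_struct_size(), r.limit, (unsigned long long)r.base,
           dt_idt_entries(r.limit));
    return 0;
}
```

The struct is the same shape as the `dt` in the post above; the difference is only that the field widths are fixed by `<stdint.h>` instead of by whatever `unsigned long` happens to be on the target, which is exactly what the MinGW64 error was about.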

AW

  • Member
  • *****
  • Posts: 2243
  • Let's Make ASM Great Again!
Re: Assembler methods for Virtual Machine Detection
« Reply #7 on: July 26, 2019, 04:38:27 PM »
Jovanna,

I understand, it is difficult for a human eye to capture the information provided by the program in such a short time interval.
You have 2 alternatives:
1) Open a command prompt in the console, navigate to the folder where the program is and launch it from there.
2) Make a batch file like the following, save it in the folder where the program is and double click on it to launch:
Code:
isvm.exe
pause

To change the program itself to wait for input, you may, for example, use one of the msvcrt functions that wait for keyboard input, like getchar or getch/_getch.
If you manage to install the Masm32 SDK, they have a cute macro for that called inkey (which produces a message and calls _getch in the end).

Finally, you can edit your ASM code in any plain text editor, including Notepad. Some people have more sophisticated preferences, but the editor is not fundamental to produce better code. Visual Studio is also a good alternative if you mostly produce ASM code to be integrated with other programming languages and, in addition, the VS integrated debugger is top notch.


TimoVJL

  • Member
  • ***
  • Posts: 413
Re: Assembler methods for Virtual Machine Detection
« Reply #8 on: July 26, 2019, 04:59:10 PM »
I use this helper for Explorer to open an exe.
"Open With cmd" is inserted into the context menu.
Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\*\shell\Open With cmd\command]
@="\"cmd.exe\" \"/k \"%1\"\""
May the source be with you

HSE

  • Member
  • *****
  • Posts: 1081
  • <AMD>< 7-32>
Re: Assembler methods for Virtual Machine Detection
« Reply #9 on: July 28, 2019, 06:05:14 AM »

sinsi

  • Member
  • *****
  • Posts: 1177
Re: Assembler methods for Virtual Machine Detection
« Reply #10 on: July 28, 2019, 11:07:45 AM »
If you use qeditor, ctrl+D opens a command prompt in the source directory.
I can walk on water but stagger on beer bourbon.

HSE

  • Member
  • *****
  • Posts: 1081
  • <AMD>< 7-32>
Re: Assembler methods for Virtual Machine Detection
« Reply #11 on: July 28, 2019, 12:26:55 PM »
If you use qeditor, ctrl+D opens a command prompt in the source directory.
That is the usual way, but using the black window icon (because ctrl+D opens Olly in RadAsm). :biggrin: :biggrin: