Dear Friends,
Thanks to Carlos Garcia and his publication; he provided this assembler code (used to detect a VMware virtual machine):
__asm
{
    mov eax, 0x564D5868   ; ascii: VMXh
    mov edx, 0x5658       ; ascii: VX (port)
    in eax, dx            ; input from port
    cmp ebx, 0x564D5868   ; ascii: VMXh
    setz ecx              ; if successful -> flag = 0
    mov vmflag, ecx
    ret
}
I need to translate it to AT&T syntax, because Code::Blocks requires it, and this is difficult for me. Would you please help me correct my attempt:
int RetInt1 ()
{
    unsigned int vm_flag = 1;
    try
    {
        asm volatile(
            "movl $0x564d5868, %eax\n\t"
            "cpuid\n\t"
            "movl $0x5658, (%edx)\n\t"
            "cpuid\n\t"
            "in (%dx), %eax\n\t"
            "cmp $0x564d5868, %ebx\n\t"
            "setz %ecx\n\t"
            "movl (%ecx), vm_flag\n\t"
        );
        if (vm_flag == 0)
        {
            asm ("movl $1, %eax\n\t");
        }
        else
        {
            asm ("movl $0, %eax\n\t");
        }
    }
    catch (int e)
    {
        asm ("movl $0, %eax\n\t");
    }
}
Thank you in advance.
Kind regards!!
I am rather inexperienced in asm, but I do from time to time write small inline asm procedures.
The two codes look different to me: there's no cpuid in the top snippet; also, the parentheses around the operands look wrong to me.
This is another egg of Columbus.
One way to do it is to disassemble with GDB, because by default its disassembly-flavor is att.
Hi Jack,
thanks for the answer.
I am an absolute beginner in assembler but need to inline some asm functions in C++ code.
I needed the AT&T syntax because the Code::Blocks IDE requires it (it was one of my 73 app versions before discovering the existence of The Great Microsoft Visual C++ 2015 Redistributable Update 3 RC (thanks to AW and TimoVJL); see my topic here: http://masm32.com/board/index.php?topic=7854.15)
btw: the dll made by Code::Blocks was an OK solution - it runs OK on a virtual machine (no need to add MSVS redistributables), but I needed VS for the dll too
Anyway, I solved this problem with Visual Studio and I go on with the Intel asm syntax.
Kind regards
AW: interesting, but I don't have an idea how to do it...
Quote from: Jovanna on July 05, 2019, 07:43:45 PM
Hi Jack,
thanks for the answer.
I am an absolute beginner in assembler but need to inline some asm functions in C++ code.
I needed the AT&T syntax because the Code::Blocks IDE requires it (it was one of my 73 app versions before discovering the existence of The Great Microsoft Visual C++ 2015 Redistributable Update 3 RC (thanks to AW and TimoVJL); see my topic here: http://masm32.com/board/index.php?topic=7854.15)
btw: the dll made by Code::Blocks was an OK solution - it runs OK on a virtual machine (no need to add MSVS redistributables), but I needed VS for the dll too
Anyway, I solved this problem with Visual Studio and I go on with the Intel asm syntax.
Kind regards
Hi Jovanna,
maybe this technique will help you - https://stackoverflow.com/questions/199966/how-do-you-use-gcc-to-generate-assembly-code-in-intel-syntax ; for this you need to install the Msys2 package https://www.msys2.org/
Using GDB is difficult, so if you have objdump in your Windows (may be installed with mingw), proceed like this:
1)
Assemble with MASM or with VS inline this :
(courtesy of the JWASM samples)
VMwareInstalled proc
mov eax, 0564D5868h
mov ebx, 08685D465h
mov ecx, 10
mov dx, 05658h
in eax, dx
cmp ebx, 564D5868h
setz al
movzx eax,al
ret
VMwareInstalled endp
2) Then run objdump -d test.exe
401000: b8 68 58 4d 56 mov $0x564d5868,%eax
401005: bb 65 d4 85 86 mov $0x8685d465,%ebx
40100a: b9 0a 00 00 00 mov $0xa,%ecx
40100f: 66 ba 58 56 mov $0x5658,%dx
401013: ed in (%dx),%eax
401014: 81 fb 68 58 4d 56 cmp $0x564d5868,%ebx
40101a: 0f 94 c0 sete %al
40101d: 0f b6 c0 movzbl %al,%eax
401020: c3 ret
That's it. :thumbsup:
As you noticed, the "carlos garcia" code is wrong, or incorrectly copied.
I did not like the output look, so I cooked a batch file to leave it better:
@echo off
"objdump.exe" -d test.exe > dumpin.txt
powershell -command "(Get-Content 'dumpin.txt') | Foreach-Object {$_ -replace '^\w.*','' -replace '^.*:\s*([0-9,a-f,A-F]{2}\s){1,9}\s{1,50}', ''} | Set-Content 'dumpout.txt'"
This is the end result:
mov $0x564d5868,%eax
mov $0x8685d465,%ebx
mov $0xa,%ecx
mov $0x5658,%dx
in (%dx),%eax
cmp $0x564d5868,%ebx
sete %al
movzbl %al,%eax
ret
As you can see, I could not figure out the way to remove the top blank lines in spite of various regex attempts. Any Regex expert here? :sad:
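The same check as the listing above, but written the way the first post's try/catch was aiming for: GCC extended inline assembly in AT&T syntax with register constraints, plus a fault handler, because IN from ring 3 raises #GP (delivered on Linux as SIGSEGV) when no VMware backdoor is present, and a C++ try/catch never sees that. This is an added example, not code from the thread or from Carlos Garcia; it assumes a Linux/GCC build on x86 and returns 0 on other targets.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <string.h>
/* Constants from the thread: magic "VMXh", port "VX", backdoor command 10 (get version). */
#define VMWARE_MAGIC          0x564D5868u
#define VMWARE_PORT           0x5658u
#define VMWARE_CMD_GETVERSION 10u
static sigjmp_buf fault_jump;
/* Outside VMware, IN from user mode raises #GP, delivered on Linux as SIGSEGV. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jump, 1);
}
/* Returns 1 when the VMware backdoor answers with the magic in EBX, 0 otherwise
 * (including when the port access faults or the target is not x86; assumption: Linux/GCC). */
int vmware_backdoor_present(void)
{
#if defined(__i386__) || defined(__x86_64__)
    struct sigaction sa, old;
    volatile int present = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_jump, 1) == 0) {
        unsigned int eax = VMWARE_MAGIC;
        unsigned int ebx = 0;  /* any value other than the magic */
        unsigned int ecx = VMWARE_CMD_GETVERSION;
        unsigned int edx = VMWARE_PORT;
        /* Intel "in eax, dx" is AT&T "inl %dx, %eax". The hypervisor rewrites
         * EAX/EBX/ECX, so the registers are bound as in/out operands ("+a" etc.)
         * instead of being loaded by hand-written movl lines. */
        __asm__ volatile("inl %%dx, %%eax"
                         : "+a"(eax), "+b"(ebx), "+c"(ecx), "+d"(edx)
                         :
                         : "memory");
        present = (ebx == VMWARE_MAGIC);
    }
    sigaction(SIGSEGV, &old, NULL);
    return present;
#else
    return 0;  /* assumption: only x86 is covered here */
#endif
}
```

On a physical machine or under another hypervisor the function returns 0 through the signal path instead of crashing; on Windows the equivalent protection is an SEH __try/__except block around the same instruction.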
Intel2GAS (https://github.com/skywind3000/Intel2GAS)
EDIT: an old intel2gas.cc converted to C.
EDIT: It was for Python 2, so some fixes for Python 3. Also, MASM to GAS is not supported.
Got it (it needed another pipe):
@echo off
"objdump.exe" -d test.exe > dumpin.txt
powershell -command "(Get-Content 'dumpin.txt') | Foreach-Object {$_ -replace '^\w.*','' -replace '^.*:\s*([0-9,a-f,A-F]{2}\s){1,9}\s{1,50}', '' | select-string -pattern '^\w.*'} | Set-Content 'dumpout.txt'"
Output:
mov $0x564d5868,%eax
mov $0x8685d465,%ebx
mov $0xa,%ecx
mov $0x5658,%dx
in (%dx),%eax
cmp $0x564d5868,%ebx
sete %al
movzbl %al,%eax
ret
Quote from: TimoVJL on July 06, 2019, 10:16:02 AM
Intel2GAS (https://github.com/skywind3000/Intel2GAS)
Will have a look. :thumbsup:
Dear AW, TimoVJL, LiaoMi and Jack,
Dear Friends,
Thanks a lot for your help!! I hadn't even supposed that such converting tools (Intel to GAS) exist, awesome! :angelic:
Btw, here is the original code of Carlos; I tried it and it is working: https://brundlelab.wordpress.com/2012/10/21/detecting-vmware/
But detecting VMWare only :sad:
I dream of being experienced enough in assembler to be able to write if-else cascade code and realize the RedPill technique for virtual machine detection, by segmentation faults with SIDT ("Red Pill") and SGDT ("No Pill")
(from the link below: Red Pill and No Pill actually had one or both of the following problems:
The SIDT and SGDT CPU instructions expect to write some data into a memory location. A large amount of the sample code I found allocated 2 bytes on the stack, typically with char[2]. The problem is that, at the very least, when running in i386, both of these CPU instructions require 6 bytes, not 2 bytes. The lower 2 bytes are the table limit, while the upper 4 are the base IDTR or GDTR address.
The SIDT and SGDT CPU instructions need 6 bytes in i386 mode, but in my case I'm running in AMD64. Looking up these instructions in AMD's documents [1, 2, pages 299-300] you'll note that in AMD64 you need 10 bytes of memory, not 6 bytes. So at the very least, your code will need some sort of #if statements to detect at compile-time how to allocate or interpret the results of SIDT and SGDT.)
http://charette.no-ip.com:81/programming/2009-12-30_Virtualization/index.html
Because of the problems mentioned in the article, I wonder if this is possible. Is it possible to cover all CPU options by if-else and the corresponding array length?
Thanks a lot again
& have a nice day!!