Assembler methods for Virtual Machine Detection

Started by Jovanna, July 10, 2019, 01:13:40 AM


Jovanna

Dear Assembler Masters,

I created this topic mainly for sharing code, functions, methods, ideas and approaches for detecting wisely and smartly that your app is running on a virtual machine.

I understand detecting it is quite a difficult issue, as described by Stéphane Charette in the article:
http://charette.no-ip.com:81/programming/2009-12-30_Virtualization/index.html
(my favorite article even if it seems quite hopeless)
Stéphane Charette was kind enough to provide a code example:
http://charette.no-ip.com:81/programming/2009-12-30_Virtualization/2009-12-30_Virtualization.c
I pasted it into Code::Blocks (C console app) and there are some errors:
Line 40: Error: width of 'base' exceeds its type
Line 114: Error: unknown type name 'cpu_set_t'
Maybe the compiler GNU GCC is not the proper one? Would you please help?
Thanks.

Kind regards

TimoVJL

Linux-specific code?

Fake include?
/* The two quad types referenced below are missing from the fragment;
   they are glibc's 64-bit integer types. */
#define __SQUAD_TYPE            long long int
#define __UQUAD_TYPE            unsigned long long int

#define __SLONGWORD_TYPE        long int
#define __ULONGWORD_TYPE        unsigned long int

/* X32 kernel interface is 64-bit.  */
#if defined __x86_64__ && defined __ILP32__
# define __SYSCALL_SLONG_TYPE        __SQUAD_TYPE
# define __SYSCALL_ULONG_TYPE        __UQUAD_TYPE
#else
# define __SYSCALL_SLONG_TYPE        __SLONGWORD_TYPE
# define __SYSCALL_ULONG_TYPE        __ULONGWORD_TYPE
#endif

//cpu-set.h

/* Size definition for CPU sets.  */
#define __CPU_SETSIZE        1024
#define __NCPUBITS        (8 * sizeof (__cpu_mask))

#define __CPU_MASK_TYPE         __SYSCALL_ULONG_TYPE

/* Type for array elements in 'cpu_set_t'.  */
typedef __CPU_MASK_TYPE __cpu_mask;

/* Data structure to describe CPU mask (one bit per logical CPU).  */
typedef struct
{
  __cpu_mask __bits[__CPU_SETSIZE / __NCPUBITS];
} cpu_set_t;
May the source be with you

fearless

https://github.com/LordNoteworthy/al-khaser
has a lot of info on detecting vm's

aw27

This method will tell you which VM you are in (or not in).
Of course, kernel mode malware can subvert it, and in general can subvert any other method.

Edit: I removed the attachment because it contains a bug. It will be fixed later.
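The most direct way to ask "which VM am I in (or not in)" on x86 is the CPUID instruction: leaf 1 sets ECX bit 31 when a hypervisor is present, and leaf 0x40000000 returns a 12-byte vendor signature in EBX, ECX, EDX. The following C program is an added example, not aw27's attachment or any code from this thread; the decoding functions are pure so they can be checked with constructed register values, and the runtime query uses GCC's `<cpuid.h>` (or MSVC's `<intrin.h>`) only when built for x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Raw CPUID output for one leaf (added example; register layout per the Intel/AMD manuals). */
typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs;

/* CPUID.1:ECX bit 31 is reserved as "hypervisor present".
 * A hypervisor may leave it clear, so 0 does not prove bare metal. */
int hv_present_bit(const cpuid_regs *leaf1)
{
    return (leaf1->ecx >> 31) & 1u;
}

/* Leaf 0x40000000 returns the vendor signature as 12 ASCII bytes in
 * EBX, ECX, EDX, in that order, little-endian within each register. */
void hv_vendor_string(const cpuid_regs *leaf, char out[13])
{
    memcpy(out,     &leaf->ebx, 4);
    memcpy(out + 4, &leaf->ecx, 4);
    memcpy(out + 8, &leaf->edx, 4);
    out[12] = '\0';
}

/* Map a signature to a readable name; "unknown" when not in the table. */
const char *hv_name(const char *sig)
{
    static const struct { const char *sig; const char *name; } known[] = {
        { "VMwareVMware", "VMware" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "Microsoft Hv", "Hyper-V" },
        { "KVMKVMKVM",    "KVM" },          /* KVM pads with NUL bytes */
        { "XenVMMXenVMM", "Xen" },
        { "TCGTCGTCGTCG", "QEMU (TCG)" },
        { "bhyve bhyve ", "bhyve" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strncmp(sig, known[i].sig, 12) == 0)
            return known[i].name;
    return "unknown";
}

/* Execute CPUID for one leaf. Returns 0 when the build target cannot run it. */
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
static int query_leaf(uint32_t leaf, cpuid_regs *r)
{
    unsigned a, b, c, d;
    __cpuid(leaf, a, b, c, d);   /* unchecked macro: 0x40000000 is above the basic max leaf */
    r->eax = a; r->ebx = b; r->ecx = c; r->edx = d;
    return 1;
}
#elif defined(_MSC_VER)
#include <intrin.h>
static int query_leaf(uint32_t leaf, cpuid_regs *r)
{
    int info[4];                 /* eax, ebx, ecx, edx */
    __cpuid(info, (int)leaf);
    r->eax = (uint32_t)info[0]; r->ebx = (uint32_t)info[1];
    r->ecx = (uint32_t)info[2]; r->edx = (uint32_t)info[3];
    return 1;
}
#else
static int query_leaf(uint32_t leaf, cpuid_regs *r)
{
    (void)leaf; (void)r;
    return 0;                    /* not an x86 build */
}
#endif

/* 1 = hypervisor reported (sig/name filled), 0 = bit clear, -1 = CPUID unavailable. */
int detect_hypervisor(char sig[13], const char **name)
{
    cpuid_regs r;
    if (!query_leaf(1, &r)) return -1;
    if (!hv_present_bit(&r)) { sig[0] = '\0'; *name = "none reported"; return 0; }
    if (!query_leaf(0x40000000u, &r)) return -1;
    hv_vendor_string(&r, sig);
    *name = hv_name(sig);
    return 1;
}

int main(void)
{
    char sig[13];
    const char *name;
    int rc = detect_hypervisor(sig, &name);
    if (rc < 0)       puts("CPUID not available on this build target");
    else if (rc == 0) puts("hypervisor bit clear: no hypervisor reported (not proof of bare metal)");
    else              printf("hypervisor bit set, signature \"%s\" -> %s\n", sig, name);
    return 0;
}
```

Two caveats match aw27's remark that any method can be subverted: the hypervisor controls what CPUID returns, so both the bit and the signature can be cleared or spoofed, and a Windows host with Hyper-V features enabled (for example for virtualization-based security) reports "Microsoft Hv" itself, so this check alone cannot distinguish such a host from a guest.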

aw27

There was a small bug in the code, which is now fixed.
It was also tested in VBox in addition to VMWare. I don't expect problems on other Virtual Machines, but I have no current installs of them to confirm.


Jovanna

Dear All,
Thank you for your help.

TimoVJL: thanks for the code. I included it. I also downloaded and installed the MinGW64 compiler in Code::Blocks, but there is still an error: line 83: width of 'base' exceeds its type.
Line 83 is:    unsigned long   base  : 64;
Here is the code: https://pastebin.com/aHedC1GJ
Maybe there is something that I miss.

I tried to install MASM, Microsoft Macro Assembler, which required installing Microsoft Visual C++ 2005 Express Edition in addition, but strangely this program does not seem to want to install.

Fearless: thanks for the site information, really a good one. I have experimentally found "Scsi Port 2". I knew about "Scsi Port 0" in the address, but didn't know there is another option: "Scsi Port 1".
Really a lot of code in al-khaser's GitHub. Thanks.

AW: many thanks for the code provided. I started the exe to test it on a virtual machine, but the console quickly closes without any possibility to read what is written on it. How could I do something like Console.ReadKey() in Assembler?

Would you please give me some advice on what IDE to install to compile and create an exe from Assembler code? I'll copy your code there and will learn step by step, I really need this.

Thanks a lot, Assembler Masters!

Kind regards & Be Happy!!

TimoVJL

Is this any better?
typedef struct
{
    unsigned short limit;
#if defined __x86_64__
    /* any 64-bit x86 target (Linux LP64, Windows LLP64, x32): the base is 8 bytes;
       unsigned long is only 4 bytes on Windows, so use long long here */
    unsigned long long base;
#else
    unsigned long base;      /* 32-bit target: 4-byte base */
#endif
} __attribute__((packed)) dt;
check this too:
https://docs.oracle.com/cd/E19620-01/805-3024/lp64-1/index.html
May the source be with you
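The "width of 'base' exceeds its type" error comes from the data-model difference the Oracle link above describes: `unsigned long` is 64 bits on LP64 Linux but 32 bits on LLP64 Windows, so a 64-bit bit-field on it cannot compile with MinGW64. The following C program is an added example, not Charette's code or TimoVJL's, showing the descriptor-table image sized by pointer width with fixed-width types, a self-check of its size, and an IDTR read that is compiled only on x86 GCC/Clang builds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Memory image written by SGDT/SIDT: a 16-bit limit followed by the base
 * address. The base is 32 bits in 32-bit mode and 64 bits in 64-bit mode,
 * so the field must be sized by the target, not by `unsigned long`, and the
 * struct must be packed so no padding is inserted after the limit. */
#if UINTPTR_MAX > 0xFFFFFFFFu || defined(__x86_64__)   /* __x86_64__ also covers the x32 ABI */
typedef uint64_t dt_base_t;
#else
typedef uint32_t dt_base_t;
#endif

#if defined(_MSC_VER)
#pragma pack(push, 1)
typedef struct { uint16_t limit; dt_base_t base; } dt;
#pragma pack(pop)
#else
typedef struct { uint16_t limit; dt_base_t base; } __attribute__((packed)) dt;
#endif

/* Size of the descriptor-table register image on this build: 6 on 32-bit, 10 on 64-bit. */
size_t dt_image_size(void) { return sizeof(dt); }

/* Expected image size for a given pointer width, so a build can verify its layout. */
size_t dt_expected_size(int bits_per_pointer) { return 2 + (size_t)bits_per_pointer / 8; }

/* Read IDTR into *out. Returns 0 when the build target cannot execute SIDT. */
int read_idtr(dt *out)
{
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    __asm__ volatile ("sidt %0" : "=m" (*out));
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    dt d;
    printf("descriptor image is %zu bytes on this target (expected %zu)\n",
           dt_image_size(), dt_expected_size((int)(sizeof(void *) * 8)));
    if (read_idtr(&d))
        printf("IDTR limit=0x%x base=0x%llx\n", d.limit, (unsigned long long)d.base);
    else
        puts("SIDT not available on this build target");
    return 0;
}
```

On modern CPUs with UMIP enabled the kernel may trap user-mode SIDT/SGDT and return a fixed value instead of the real register (Linux does this), which is one more reason the descriptor-table comparison Charette's article describes is no longer a reliable VM indicator.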

aw27

Jovanna,

I understand, it is difficult for a human eye to capture the information provided by the program in such a short time interval.
You have 2 alternatives:
1) Open a command prompt in the console, navigate to the folder where the program is and launch it from there.
2) Make a batch file like the following, save it in the folder where the program is and double click on it to launch:

isvm.exe
pause


To change the program itself to wait for input, you may, for example, use one of the msvcrt functions that wait for keyboard input, like getchar or getch/_getch.
If you manage to install the Masm32 SDK, they have a cute macro for that called inkey (which produces a message and calls _getch in the end).

Finally, you can edit your ASM code in any plain text editor, including Notepad. Some people have more sophisticated preferences, but the editor is not fundamental to produce better code. Visual Studio is also a good alternative if you mostly produce ASM code to be integrated with other programming languages and, in addition, the VS integrated debugger is top notch.


TimoVJL

I use this helper for Explorer to open an exe.
"Open With cmd" is inserted into the context menu.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\*\shell\Open With cmd\command]
@="\"cmd.exe\" \"/k \"%1\"\""
May the source be with you

HSE

Equations in Assembly: SmplMath

sinsi

If you use qeditor, ctrl+D opens a command prompt in the source directory.
😁

HSE

Quote from: sinsi on July 28, 2019, 11:07:45 AM
If you use qeditor, ctrl+D opens a command prompt in the source directory.
That is the usual way, but using the black window icon (because ctrl+D opens Olly in RadAsm). :biggrin: :biggrin:
Equations in Assembly: SmplMath