Can someone test this?
Thanks.
; Det_VmWare.asm  Detect if running specifically under VMware
;
; SiegeWorks 2013 - Present A.P.K.
;
;
; by Prof4
;
include \masm32\include\masm32rt.inc

.data
WaterMark db "SiegeWorks 2013 - Present ð__ð"
%Date db " &@Date " ; Compile date
%time db " &@Time"

.data?

.code
assume fs:nothing

start:
    ; Setting a new Structured Exception Handling
    xor eax, eax                ; zero out eax register
    push offset SEH_handler     ; push the address of the new handler
    push dword ptr fs:[eax]     ; push the address of the old handler
    mov fs:[eax], esp           ; register new SEH-handler
    mov eax, 564d5868h ;'VMXh'mov ecx, 0ah ;get VMware version
    mov dx, 5658h               ;'VX'
    in eax, dx
    cmp ebx, 564d5868h          ;'VMXh'
    je detect
    jmp short final

SEH_handler:
    mov esi, [esp+0ch]          ; context pointer register
    assume esi: PTR CONTEXT
    mov [esi].regEip, offset detect
    jmp short final

detect:
    invoke MessageBox, NULL, chr$("VMware detected !"), chr$(" "), MB_OK

final:
    invoke ExitProcess,0

end start
Hi Andy,
I've tested it, but no output. On the other hand, I don't have VMware installed, only VirtualPC by MS.
Gunther
As my comments in the code state, it specifically checks for VmWare.
An earlier post of mine should detect VirtualPC.
Andy
Andy,
Quote from: Magnum on April 12, 2013, 07:01:18 AM
As my comments in the code state, it specifically checks for VmWare.
An earlier post of mine should detect VirtualPC.
Andy
could you provide the link, please? Thank you.
Gunther
http://masm32.com/board/index.php?topic=1524.msg15758#msg15758
Tested in Win2000 under VMware Player 5, no output
I guess there are some differences in the versions.
Bad news for RE and malware authors. :t
Code is working on VMware 8 by x64Core
mov eax, 564d5868h ;'VMXh'mov ecx, 0ah ;get VMware version
mov eax, 564d5868h ;'VMXh'
mov ecx, 0ah ;get VMware version
Now it works.
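
For triaging a binary that carries this check, the following Python scanner (an added example, not part of the thread or of the posted program) searches raw 32-bit code bytes for the instruction sequence in the listing and reports whether ECX is loaded with a command before the port read, which is the difference between the posted and the corrected version. The function name, the 32-byte search window and the sample byte strings are assumptions constructed for illustration.

```python
import struct

# Byte patterns for 32-bit x86, matching the instructions in the listing above.
VMX_MAGIC = struct.pack("<I", 0x564D5868)       # 'VMXh', little-endian imm32
MOV_EAX_MAGIC = b"\xB8" + VMX_MAGIC             # mov eax, 564d5868h
PORT_READ = b"\x66\xBA\x58\x56\xED"             # mov dx, 5658h / in eax, dx
CMP_EBX_MAGIC = b"\x81\xFB" + VMX_MAGIC         # cmp ebx, 564d5868h
WINDOW = 32  # assumption: port read occurs within 32 bytes of the magic load


def find_backdoor_probes(code: bytes) -> list:
    """Locate 'mov eax, VMXh ... mov dx, 5658h / in eax, dx' sequences."""
    hits = []
    pos = code.find(MOV_EAX_MAGIC)
    while pos != -1:
        after = pos + len(MOV_EAX_MAGIC)
        rel = code.find(PORT_READ, after, after + WINDOW)
        if rel != -1:
            between = code[after:rel]
            command = None
            i = between.find(b"\xB9")           # mov ecx, imm32
            if i != -1 and i + 5 <= len(between):
                command = struct.unpack_from("<I", between, i + 1)[0]
            tail = code[rel + len(PORT_READ): rel + len(PORT_READ) + 16]
            hits.append({
                "offset": pos,
                "command": command,             # None: ECX never loaded
                "checks_ebx": CMP_EBX_MAGIC in tail,
            })
        pos = code.find(MOV_EAX_MAGIC, after)
    return hits


# Constructed samples: hand-assembled bytes, not taken from a real binary.
AS_POSTED = MOV_EAX_MAGIC + PORT_READ + CMP_EBX_MAGIC
CORRECTED = MOV_EAX_MAGIC + b"\xB9\x0A\x00\x00\x00" + PORT_READ + CMP_EBX_MAGIC

if __name__ == "__main__":
    for name, blob in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for hit in find_backdoor_probes(b"\x90" * 4 + blob):
            print(name, hit)
```

A hit with `command` set to `None` corresponds to the line where `mov ecx, 0ah` ended up inside the comment.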