Detect VMware

Started by Magnum, April 11, 2013, 08:33:50 AM


Magnum

Can someone test this ?

Thanks.


;  Det_VmWare.asm   Detect if running specifically under VMware
;                   
;  SiegeWorks 2013 - Present A.P.K.

;
; by Prof4
;
include \masm32\include\masm32rt.inc   

.data

WaterMark   db  "SiegeWorks 2013 - Present ð__ð"
%Date       db  " &@Date " ; Compile date
%time       db  " &@Time"

.data?

.code

assume fs:nothing


start:

; Set up a new Structured Exception Handling (SEH) frame

xor eax, eax              ; zero out eax register
push offset SEH_handler   ; address of the new handler
push dword ptr fs: [eax]  ; pointer to the previous SEH record
mov fs: [eax], esp        ; register the new SEH record

mov eax, 564d5868h ;'VMXh'mov ecx, 0ah ;get VMware version
mov dx, 5658h ;'VX'
in eax, dx
cmp ebx, 564d5868h ;'VMXh'
je detect
jmp short final

SEH_handler:

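mov esi, [esp + 0ch]      ; esi = pointer to the CONTEXT record

assume esi: PTR CONTEXT
mov [esi].regEip, offset detect

jmp short final           ; exits via ExitProcess from inside the handler, so the regEip write above is never used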

detect:

invoke MessageBox, NULL, chr$("VMware detected !"), chr$(" "), MB_OK

final:

invoke ExitProcess,0

end     start

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Gunther

Hi Andy,

I've tested it, but no output. On the other hand, I don't have VMware installed, only VirtualPC by MS.

Gunther
You have to know the facts before you can distort them.

Magnum

As my comments in the code state, it specifically checks for VMware.

An earlier post of mine should detect VirtualPC.

Andy

Gunther

Andy,

Quote from: Magnum on April 12, 2013, 07:01:18 AM
As my comments in the code state, it specifically checks for VMware.

An earlier post of mine should detect VirtualPC.

Andy

could you provide the link, please? Thank you.

Gunther

Magnum

http://masm32.com/board/index.php?topic=1524.msg15758#msg15758

sinsi

Tested in Win2000 under VMware Player 5, no output

Magnum

I guess there are some differences in the versions.

Bad news for RE and malware authors.  :t

Code is working on VMware 8 by x64Core

sinsi

mov eax, 564d5868h ;'VMXh'mov ecx, 0ah ;get VMware version

mov eax, 564d5868h ;'VMXh'
mov ecx, 0ah ;get VMware version

Now it works.
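
Added example, not code from any poster in this thread: a byte-pattern scan an analyst could run over a code section to spot the VMware backdoor-port probe discussed above, and to tell the listing as first posted (the `mov ecx` is lost in a comment, so no command is loaded) from the corrected one. The 32-byte window, the function name and the sample byte strings are assumptions constructed for the example; the opcodes are the standard 32-bit encodings of the instructions in the post.

```python
import struct

MAGIC = 0x564D5868  # 'VMXh', value from the post
PORT = 0x5658       # 'VX', value from the post
MOV_EAX_MAGIC = b"\xB8" + struct.pack("<I", MAGIC)   # mov eax, 564d5868h
MOV_DX_PORT = b"\x66\xBA" + struct.pack("<H", PORT)  # mov dx, 5658h (32-bit code)
MOV_ECX_IMM = b"\xB9"                                # mov ecx, imm32
IN_EAX_DX = b"\xED"                                  # in eax, dx
WINDOW = 32  # assumption: the port load and IN follow the magic within 32 bytes

# Constructed samples: the listing as first posted (the mov ecx is lost in a
# comment) and the corrected one, each followed by cmp ebx, 564d5868h.
CMP_EBX_MAGIC = b"\x81\xFB" + struct.pack("<I", MAGIC)
SAMPLE_ORIGINAL = MOV_EAX_MAGIC + MOV_DX_PORT + IN_EAX_DX + CMP_EBX_MAGIC
SAMPLE_FIXED = (MOV_EAX_MAGIC + MOV_ECX_IMM + struct.pack("<I", 0x0A)
                + MOV_DX_PORT + IN_EAX_DX + CMP_EBX_MAGIC)


def find_backdoor_probes(code: bytes) -> list:
    """Heuristic byte scan (not a disassembler) for the backdoor-port probe.

    Returns one dict per hit: offset of the magic load and the ECX command
    number, or None when no mov ecx, imm32 precedes the IN instruction.
    """
    hits = []
    pos = code.find(MOV_EAX_MAGIC)
    while pos != -1:
        window = code[pos + len(MOV_EAX_MAGIC):][:WINDOW]
        dx = window.find(MOV_DX_PORT)
        io = window.find(IN_EAX_DX, dx + len(MOV_DX_PORT)) if dx != -1 else -1
        if io != -1:
            setup = window[:io]
            ecx = setup.find(MOV_ECX_IMM)
            command = None
            if ecx != -1 and ecx + 5 <= len(setup):
                command = struct.unpack_from("<I", setup, ecx + 1)[0]
            hits.append({"offset": pos, "command": command})
        pos = code.find(MOV_EAX_MAGIC, pos + 1)
    return hits


if __name__ == "__main__":
    for name, blob in (("original", SAMPLE_ORIGINAL), ("fixed", SAMPLE_FIXED)):
        for hit in find_backdoor_probes(blob):
            cmd = "missing" if hit["command"] is None else hex(hit["command"])
            print(f"{name}: probe at +{hit['offset']:#x}, ECX command {cmd}")
```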