Masm32 SDK description, downloads and other helpful links

Main Menu

Assembler methods for Virtual Machine Detection

Started by Jovanna, July 10, 2019, 01:13:40 AM

Previous topic - Next topic


Dear Assembler Masters,

I created this topic mainly for sharing code/functions/methods&Ideas/approach how wisely&smartly to detect that your app is running on a virtual machine.

I understand detecting it is quite a difficult issue, as described by Stéphane Charette in article:
(my favorite article even if it seems quite hopeless)
Stéphane Charette was kind to provide a code-example
I pasted it in Code::Blocks, C Console App and there are some errors:
Line 40: Error: width of 'base' exceeds its type
Line 114: Error: unknown type name 'cpu_set_t'
Maybe the compiler GNU GCC is not the proper one? Would you please help?

Kind regards


linux specific code ?

fake include ?
#define __SLONGWORD_TYPE        long int
#define __ULONGWORD_TYPE        unsigned long int

/* X32 kernel interface is 64-bit.  */
#if defined __x86_64__ && defined __ILP32__


/* Size definition for CPU sets.  */
#define __CPU_SETSIZE        1024
#define __NCPUBITS        (8 * sizeof (__cpu_mask))


/* Type for array elements in 'cpu_set_t'.  */
typedef __CPU_MASK_TYPE __cpu_mask;

/* Data structure to describe CPU mask.  */
typedef struct
  __cpu_mask __bits[__CPU_SETSIZE / __NCPUBITS];
} cpu_set_t;
May the source be with you


This method will tell you which VM you are in (or not in).
Of course, kernel mode malware can subvert it, and in general can subvert any other method.

Edit: I removed the attachment because it contains a bug. It will be fixed later.


There was a small bug in the code, which is now fixed.
It was also tested in VBox in addition to VMWare. I don't expect problems on other Virtual Machines, but I have no current installs of them to confirm.


Dear All,
Thank you for your help.

TimoVJL: thanks for code. I included it. Also downloaded and installed compiler MinGW64 in Code::Blocks, but there is still an error: line 83: width of 'base' exceeds its type.
Line 83 is:    unsigned long   base  : 64;
Here is the code:
May be something that I miss..

I tried to install MASM, Microsoft Macro Assembler, which required  to install in addition Microsoft Visual C++ 2005 Express Edition, but strange – this program seems don't want to  install.

Fearless: thanks for site information, really good one. I experimentally have found "Scsi Port 2" . I've knew about  "Scsi Port 0" in the address, but didn't know there is an another option: "Scsi Port 1"
Really a lot of code in  al-khaser's GitHub. Thanks.

AW: many thanks for code provided. I started the exe to test it on a virtual machine but console quickly closes without possibilities to read what's on it written. How could do something like Console.ReadKey() in Assembler?

Would you please give me some advices what IDE to install to compile and create exe from Assembler code?  I'll copy there your code and will learn step by step, I really need this.

Thanks a lot, Assembler Masters!

Kind regards & Be Happy!!


is this any better ?typedef struct
#if defined __x86_64__ && defined __ILP32__
    unsigned short limit;
    unsigned long long base;
    unsigned short limit;
    unsigned long base;
} __attribute__((packed)) dt;
check this too:
May the source be with you



I understand, it is difficult for an human eye to capture the information provided by the program in such a short time interval.
You have 2 alternatives:
1) Open a command prompt in the console, navigate to the folder where the program is and launch it from there.
2) Make a batch file like the following, save it in the folder where the program is and double click on it to launch:


To change the program itself to wait for input, you may, for example, use one of the msvcrt functions that wait for keyboard input, like getchar or getch/_getch.
If you manage to install the Masm32 SDK, they have a cute macro for that called inkey (which produces a message and calls _getch in the end).

Finally, you can edit your ASM code in any plain text editor, including Notepad. Some people have more sophisticated preferences, but the editor is not fundamental to produce better code. Visual Studio is also a good alternative if you mostly produce ASM code to be integrated with other programming languages and, in addition, the VS integrated debugger is top notch.


I use this helper for explorer to open exe.
Open With cmd is inserted to context menu.
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\*\shell\Open With cmd\command]
@="\"cmd.exe\" \"/k \"%1\"\""
May the source be with you


Equations in Assembly: SmplMath


If you use qeditor, ctrl+D opens a command prompt in the sourece directory.


Quote from: sinsi on July 28, 2019, 11:07:45 AM
If you use qeditor, ctrl+D opens a command prompt in the sourece directory.
That is the  usual way, but using the black window icon (because ctrl+D open  Olly in RadAsm ). :biggrin: :biggrin:
Equations in Assembly: SmplMath