How to detect virtualization in 64bit?

[togikan]

Hi,

I'm working on a small project that checks this program runs on VMWare or not. Plenty of solutions can be found using inline assembler. However, these solutions work only for 32 bit because in 64 bit inline assembly is no more available. When I asked before, best way for me is to seperate inline assembler function into another cpp file and compile it into assembler. I tried that but it didn't work for me too. I got "error A2085:instruction or register not accepted in current CPU mode" error for every line. Any idea how can that code work for 64bit architecture.

Code Select Expand

bool IsVMWare()
{
  unsigned long _EBX;
  __try
  {
    __asm
    {
      // Execute the magic code sequence
      push ebx
      mov eax, 0x564D5868
      mov ebx, 0x8685D465 // Ensure 0x564D5868 isn't in EBX :)
      mov ecx, 10         // The command for obtaining VMWare version information
      mov dx, 0x5658
      in eax, dx
      mov _EBX, ebx
      pop ebx
    };
  }
  __except(1)
  {
    // An exception occured, we ain't in VMWare
    return false;
  }

  // The code was executed successfuly, check for the magic value
  return _EBX == 0x564D5868;
}

[hutch--]

The code you posted is 32 bit, it may not work correctly in 64 bit, was this attempt to built done with VC 64 bit ?

[togikan]

No this code works for 32 bit but i need to convert or modify it in to 64 bit structure.

[Ghandi]

Once you convert the registers and such over to 64 bit, assemble the code separately as an asm file with ML64 or GoAsm, then use a batch file to compile your C/C++ program and include the obj/lib file you made. The Intel compiler still offers inline assembler for 64 bit afik. Have you confirmed whether or not the 'magic' code is still valid for 64 bit VMWare? Finally, why are you trying to detect virtualization? It is for a legitimate reason and not some skiddie rubbish isn't it?

HR,
Ghandi

[Geryon]

http://invisiblethings.org/papers/redpill.html

[ecube]

SEH is a lot different in 64bit, C++ compilers compile in the necessary stuff fine, but for ASM it's a lot harder, i've included a x64bit GoASM version I just wrote up that has a, exe, static lib and source. It uses vectorexceptions which is called before SEH's are, but only works on xp+. It also passes on any exceptions that aren't caused by the vmware test code on to other SEH or whatever handlers. If you're using this for malicious purposes do the forum a favor and just leave.

[japheth]

Hello,

the Win64 SEH in assembly should look somewhat like this:

Code Select Expand


.code

;--- proc3: proc with FRAME:exception_handler

exc_proc proc pRecord:ptr, ulframe:qword, pContext:ptr, x4:ptr

;--- adjust RIP (assumed at offset 31*8 in CONTEXT)

mov rax, pContext
add qword ptr [rax+31*8], 1 ;size of "in EAX, DX" opcode

mov eax, 0 ;0=continue execution?
ret
exc_proc endp

proc3 proc FRAME:exc_proc
    push rbx
    .pushreg rbx
    .endprolog

    mov eax, 0564D5868h
    mov ebx, 08685D465h
    mov ecx, 10
    mov dx, 05658h
    in eax, dx
    cmp ebx, 564D5868h
    setz al
    movzx eax,al

    pop rbx
    ret
proc3 endp

    END


Please note that I don't have a Win64 OS available. So this code wasn't tested, especially the offset of register Rip in the 64-bit CONTEXT structure might be wrong. Also, I'm not quite sure if the parameters of the exception handler proc are correct, you'll have to verify this.

[togikan]

Thanks all for these information, especially japheth,

Now my project has a cpp, header and asm file. When compiled that code i got errors but I'm not sure I compiled it correctly. Chose Masm to compile, chose x64 as platform but masm's path seems "ml.exe" not "ml64.exe"(but there is no ml64 for intel i guess in visual studio, i found ml64.exe in the "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\amd64" directory) here asm file's property pages.


I got these errors when I compile with that properties. I guess it originates because not to compile with ml64 because in 64bit .model isn't relevant any more as I know.

[ecube]

japheth gave you a assembler specific(jwasm) 64bit example using SEH.  I gave you a language neutral example thats easier than SEH, more efficient and a static lib that you can just link with your C++ project. So especially thank japheth, that's fine.

[japheth]

japheth gave you a assembler specific(jwasm) 64bit example using SEH. 

No. The code sample is accepted by both ML64 and JWasm.

So especially thank japheth, that's fine.

You're welcome, my friend.

concerning the VC errors: you must add a ".rules" file for ML64 to your VC sub-directory "VCProjectDefaults". Then you can assign ML64 to your assembly source.


Btw, the code sample which I posted has a bug:

Code Select Expand


  mov rax, pContext
  add qword ptr [rax+31*8], 1 ;size of "in EAX, DX" opcode


This should be changed to:

Code Select Expand


  add qword ptr [r8+31*8], 1 ;size of "in EAX, DX" opcode


because in the Win64 calling convention, the procedure's parameter symbols are NOT the true parameters.

[togikan]

If you're using this for malicious purposes do the forum a favor and just leave.

lol i see it now  :bg  I'm using this just for good purposes, just want to create this solution for our project.



Thanks all of you for these informations.

[asmfan]

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458

[dedndave]

"Is something unknown: no"

well, i like your attitude, but we have to leave room for exploration
otherwise, us R&D guys would be out of work   :P