Hi,
I'm working on a small project that checks whether this program runs on VMWare or not. Plenty of solutions can be found using inline assembler. However, these solutions work only for 32-bit, because in 64-bit inline assembly is no longer available. When I asked before, the best way for me was to separate the inline assembler function into another cpp file and compile it as assembler. I tried that, but it didn't work for me either. I got "error A2085: instruction or register not accepted in current CPU mode" for every line. Any idea how that code can work for the 64-bit architecture?
    #include <windows.h>   // __try/__except and EXCEPTION_EXECUTE_HANDLER

    bool IsVMWare()
    {
        unsigned long _EBX;
        __try
        {
            __asm
            {
                // Execute the magic code sequence
                push ebx
                mov eax, 0x564D5868     // 'VMXh' magic value expected back in EBX
                mov ebx, 0x8685D465     // Ensure 0x564D5868 isn't in EBX :)
                mov ecx, 10             // The command for obtaining VMWare version information
                mov dx, 0x5658          // 'VX' backdoor I/O port
                in eax, dx              // Privileged on real hardware -> exception
                mov _EBX, ebx
                pop ebx
            };
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            // An exception occurred, we ain't in VMWare
            return false;
        }
        // The code was executed successfully, check for the magic value
        return _EBX == 0x564D5868;
    }
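A detection-side companion, added here and not part of the thread: a byte scanner that flags the instruction pattern the IsVMWare() sequence above compiles to (mov eax, 'VMXh' followed shortly by in eax, dx), so a defender can spot this probe in a binary. The function names, the 32-byte window and the two constructed samples are my assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example (not from the thread). Looks for "mov eax, 0x564D5868"
 * (B8 imm32, 'VMXh' little-endian) followed within a short window by
 * "in eax, dx" (opcode ED). Window size is a constructed heuristic. */
#define VMWARE_MAGIC 0x564D5868u   /* 'VMXh' */
#define SCAN_WINDOW  32            /* max bytes between the mov and the IN */

/* Returns the offset of the "mov eax, VMXh" opcode, or -1 if no probe is found. */
long find_vmware_backdoor_probe(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i + 5 <= len; i++) {
        if (buf[i] != 0xB8) continue;                 /* mov eax, imm32 */
        uint32_t imm = (uint32_t)buf[i + 1] | ((uint32_t)buf[i + 2] << 8) |
                       ((uint32_t)buf[i + 3] << 16) | ((uint32_t)buf[i + 4] << 24);
        if (imm != VMWARE_MAGIC) continue;
        size_t end = i + 5 + SCAN_WINDOW;
        if (end > len) end = len;
        for (size_t j = i + 5; j < end; j++) {
            if (buf[j] == 0xED) return (long)i;       /* in eax, dx */
        }
    }
    return -1;
}

/* Constructed sample: the body of the __asm block above as the compiler encodes it. */
static const uint8_t probe_bytes[] = {
    0x53,                          /* push ebx */
    0xB8, 0x68, 0x58, 0x4D, 0x56,  /* mov eax, 0x564D5868 */
    0xBB, 0x65, 0xD4, 0x85, 0x86,  /* mov ebx, 0x8685D465 */
    0xB9, 0x0A, 0x00, 0x00, 0x00,  /* mov ecx, 10 */
    0x66, 0xBA, 0x58, 0x56,        /* mov dx, 0x5658 */
    0xED,                          /* in eax, dx */
    0x89, 0x5D, 0xFC,              /* mov [ebp-4], ebx */
    0x5B                           /* pop ebx */
};

/* Constructed benign sample: the same constant loaded but no IN executed. */
static const uint8_t benign_bytes[] = { 0xB8, 0x68, 0x58, 0x4D, 0x56, 0xC3 }; /* mov eax, VMXh ; ret */

long scan_probe_sample(void)  { return find_vmware_backdoor_probe(probe_bytes, sizeof probe_bytes); }
long scan_benign_sample(void) { return find_vmware_backdoor_probe(benign_bytes, sizeof benign_bytes); }
```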
The code you posted is 32-bit; it may not work correctly in 64-bit. Was this build attempt done with VC 64-bit?
No, this code works for 32-bit, but I need to convert or modify it into a 64-bit structure.
Once you convert the registers and such over to 64-bit, assemble the code separately as an asm file with ML64 or GoAsm, then use a batch file to compile your C/C++ program and include the obj/lib file you made. The Intel compiler still offers inline assembler for 64-bit, AFAIK. Have you confirmed whether or not the 'magic' code is still valid for 64-bit VMWare? Finally, why are you trying to detect virtualization? It is for a legitimate reason and not some skiddie rubbish, isn't it?
HR,
Ghandi
http://invisiblethings.org/papers/redpill.html
SEH is a lot different in 64-bit. C++ compilers compile in the necessary stuff fine, but for ASM it's a lot harder. I've included an x64 GoASM version I just wrote up that has an exe, static lib and source. It uses vectored exceptions, which are called before SEH handlers are, but only works on XP+. It also passes any exceptions that aren't caused by the VMWare test code on to other SEH or whatever handlers. If you're using this for malicious purposes, do the forum a favor and just leave.
Hello,
the Win64 SEH in assembly should look somewhat like this:

    .code
    ;--- exc_proc: exception handler for proc3 (declared via FRAME:exc_proc)
    exc_proc proc pRecord:ptr, ulframe:qword, pContext:ptr, x4:ptr
    ;--- adjust RIP (assumed at offset 31*8 in CONTEXT)
        mov rax, pContext
        add qword ptr [rax+31*8], 1   ;size of "in EAX, DX" opcode
        mov eax, 0                    ;0=continue execution?
        ret
    exc_proc endp

    proc3 proc FRAME:exc_proc
        push rbx
        .pushreg rbx
        .endprolog
        mov eax, 0564D5868h
        mov ebx, 08685D465h
        mov ecx, 10
        mov dx, 05658h
        in eax, dx
        cmp ebx, 564D5868h
        setz al
        movzx eax, al
        pop rbx
        ret
    proc3 endp
    END
Please note that I don't have a Win64 OS available, so this code wasn't tested; especially the offset of register Rip in the 64-bit CONTEXT structure might be wrong. Also, I'm not quite sure whether the parameters of the exception handler proc are correct; you'll have to verify this.
Thanks all for this information, especially japheth.
Now my project has a cpp, header and asm file. When I compiled that code I got errors, but I'm not sure I compiled it correctly. I chose MASM to compile and chose x64 as platform, but MASM's path seems to be "ml.exe", not "ml64.exe" (but there is no ml64 for Intel, I guess, in Visual Studio; I found ml64.exe in the "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\amd64" directory). Here are the asm file's property pages.
(http://img37.imageshack.us/img37/184/hostdetmasmforum.jpg)
I got these errors when I compile with those properties. I guess it originates from not compiling with ml64, because in 64-bit .model isn't relevant any more, as far as I know.
(http://img22.imageshack.us/img22/6645/hostdeterror1.jpg)
japheth gave you an assembler-specific (JWasm) 64-bit example using SEH. I gave you a language-neutral example that's easier than SEH, more efficient, and a static lib that you can just link with your C++ project. So especially thank japheth, that's fine.
Quote from: E^cube on August 04, 2010, 09:57:45 AM
japheth gave you a assembler specific(jwasm) 64bit example using SEH.
No. The code sample is accepted by both ML64 and JWasm.
Quote
So especially thank japheth, that's fine.
You're welcome, my friend.
Concerning the VC errors: you must add a ".rules" file for ML64 to your VC sub-directory "VCProjectDefaults". Then you can assign ML64 to your assembly source.
Btw, the code sample which I posted has a bug:

    mov rax, pContext
    add qword ptr [rax+31*8], 1   ;size of "in EAX, DX" opcode

This should be changed to:

    add qword ptr [r8+31*8], 1    ;size of "in EAX, DX" opcode

because in the Win64 calling convention, the procedure's parameter symbols are NOT the true parameters.
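To check the two untested assumptions in that handler (Rip at offset 31*8, and the third argument in r8 being the CONTEXT record), here is an added C rendering that is not part of the thread: a struct mirroring the first members of the documented x64 CONTEXT record, and the handler's skip-the-IN logic written as a C function. The struct and function names (x64_context_head, rip_offset_in_context, skip_faulting_in_instruction, resume_address_after_in) are my own and are not SDK identifiers.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example (not from the thread). The leading part of the x64 CONTEXT
 * record as laid out in winnt.h (P1Home .. Rip), reproduced as a plain struct
 * so the "31*8" assumption can be checked on any host. Members after Rip are
 * omitted: offsetof() depends only on the members that precede Rip. */
typedef struct {
    uint64_t P1Home, P2Home, P3Home, P4Home, P5Home, P6Home;
    uint32_t ContextFlags;
    uint32_t MxCsr;
    uint16_t SegCs, SegDs, SegEs, SegFs, SegGs, SegSs;
    uint32_t EFlags;
    uint64_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;
    uint64_t Rax, Rcx, Rdx, Rbx, Rsp, Rbp, Rsi, Rdi;
    uint64_t R8, R9, R10, R11, R12, R13, R14, R15;
    uint64_t Rip;
} x64_context_head;   /* hypothetical name, not the SDK's CONTEXT */

/* Offset the corrected handler patches: "add qword ptr [r8+31*8], 1". */
size_t rip_offset_in_context(void) { return offsetof(x64_context_head, Rip); }

#define EXCEPTION_CONTINUE_EXECUTION_DISPOSITION 0  /* ExceptionContinueExecution */
#define IN_EAX_DX_LENGTH 1                          /* "in eax, dx" is the single byte 0EDh */

/* C rendering of exc_proc's logic. Win64 passes the four arguments in
 * rcx, rdx, r8, r9, so the CONTEXT pointer is the third one (r8); a MASM
 * parameter symbol like pContext names a stack slot that was never filled. */
int skip_faulting_in_instruction(void *exception_record, void *establisher_frame,
                                 x64_context_head *ctx, void *dispatcher_context) {
    (void)exception_record; (void)establisher_frame; (void)dispatcher_context;
    ctx->Rip += IN_EAX_DX_LENGTH;                   /* resume right after the IN */
    return EXCEPTION_CONTINUE_EXECUTION_DISPOSITION;
}

/* Drives the handler on a constructed CONTEXT whose Rip points at the faulting
 * IN; returns the address execution would resume at (0 if the handler declined). */
uint64_t resume_address_after_in(uint64_t faulting_rip) {
    x64_context_head ctx = {0};
    ctx.Rip = faulting_rip;
    if (skip_faulting_in_instruction(NULL, NULL, &ctx, NULL) != 0) return 0;
    return ctx.Rip;
}
```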
Quote from: E^cube on August 02, 2010, 03:24:14 PM
If you're using this for malicious purposes do the forum a favor and just leave.
lol I see it now :bg I'm using this just for good purposes; I just want to create this solution for our project.
(http://img594.imageshack.us/img594/9312/asdfbvb.jpg)
Thanks all of you for this information.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458
"Is something unknown: no"
Well, I like your attitude, but we have to leave room for exploration;
otherwise, us R&D guys would be out of work :P