原创判断程序的执行环境是VM收藏

本文链接：https://blog.csdn.net/StudyFromEveryOne/article/details/2623086

原创 判断程序的执行环境是VM收藏

老V的代码  很古老的

抗VM分析

  mov    ecx, 0Ah        ; CX=function# (0Ah=get_version)

      mov    eax, 'VMXh'  ; EAX=magic

      mov    dx, 'VX'          ; DX=magic

      in      eax, dx              ; specially processed io cmd

    ; output: EAX/EBX/ECX = data

      cmp    ebx, 'VMXh'  ; also eax/ecx modified (maybe vmw/os ver?)

      je      under_VMware

bool IsInsideVMWare()

{

  bool rc = true;



  __try

  {

    __asm

    {

      push  edx

      push  ecx

      push  ebx



      mov    eax, 'VMXh'

      mov    ebx, 0 // any value but not the MAGIC VALUE

      mov    ecx, 10 // get VMWare version

      mov    edx, 'VX' // port number



      in    eax, dx // read port

                    // on return EAX returns the VERSION

      cmp    ebx, 'VMXh' // is it a reply from VMWare?

      setz  [rc] // set return value



      pop    ebx

      pop    ecx

      pop    edx

    }

  }

  __except(EXCEPTION_EXECUTE_HANDLER)

  {

    rc = false;

  }



  return rc;

}





bool IsInsideVPC()

{

  bool rc = false;



  __try

  {

    _asm push ebx

    _asm mov  ebx, 0 // Flag

    _asm mov  eax, 1 // VPC function number



    // call VPC

    _asm __emit 0Fh

    _asm __emit 3Fh

    _asm __emit 07h

    _asm __emit 0Bh



    _asm test ebx, ebx

    _asm setz [rc]

    _asm pop ebx

  }

  // The except block shouldn't get triggered if VPC is running!!

  __except(IsInsideVPC_exceptionFilter(GetExceptionInformation()))

  {

  }



  return rc;

}

给个通用判断的方法，不管VMWare或VirtuaPC都有效



int  DCVM ()

{

  unsigned char m[2+4], rpill[] = "/x0f/x01/x0d/x00/x00/x00/x00/xc3";

  *((unsigned*)&rpill[3]) = (unsigned)m;

  ((void(*)())&rpill)();



  printf ("idt base: %#x/n", *((unsigned*)&m[2]));

  if (m[5]>0xd0) printf ("虚拟机/r/n", m[5]);

  else printf ("真实机器/r/n");

  return 0;

}