al-khaser

Anti-VM: in instruction (VMWare)

Open recvfrom opened this issue 4 years ago • 2 comments

Reference: https://shasaurabh.blogspot.com/2017/07/virtual-machine-detection-techniques.html
Example: https://github.com/lyzsea/WPM/blob/421f82372e71feb8690b45cd59e33fb4467aa75d/NewGdp/AntiVm/VMDetect.cpp#L80-L110

recvfrom Mar 05 '21 20:03

Can you please try this on a VMWare VM and confirm that it works? The x86 IN instruction is privileged, so either VMWare overrides the IOPL check to allow its use from unprivileged ring3 code, or this check only works when performed from a kernel driver. I suspect from the source code you linked that it may well be performing the override, but I'd like to see it confirmed before including an implementation here.

gsuberland Mar 05 '21 22:03

@gsuberland I confirmed that this works, using isVMWare from the GitHub link above and VMWare Fusion 12.1.0:

// Requires the 32-bit MSVC compiler: __asm blocks are not available in x64 builds.
#include <iostream>
#include <windows.h>

bool IsVMWare()
{
	bool res = true;

	__try {
		__asm
		{
			push   edx
			push   ecx
			push   ebx

			mov    eax, 'VMXh'   // backdoor magic 0x564D5868
			mov    ebx, 0        // any value but not the MAGIC VALUE
			mov    ecx, 10       // command 10: get VMWare version
			mov    edx, 'VX'     // backdoor I/O port 0x5658

			in     eax, dx       // read port; if no hypervisor intercepts it, the
			                     // privileged IN raises #GP and control lands in __except
			                     // on return EAX holds the VERSION
			cmp    ebx, 'VMXh'   // the backdoor echoes the magic in EBX: a reply from VMWare?
			setz   [res]         // set return value

			pop    ebx
			pop    ecx
			pop    edx
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER) {
		res = false;         // IN faulted: nothing answered on the backdoor port
	}

	return res;
}

int main()
{
	if (IsVMWare()) {
		std::cout << "VMWare detected\n";
	}
}

recvfrom Mar 06 '21 17:03
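The same probe as an added example for GCC on Linux/x86, written here to illustrate the thread and not taken from the issue, from al-khaser or from the linked repository. It answers gsuberland's question operationally: a privileged IN executed in ring 3 with IOPL 0 raises #GP, which Linux delivers as SIGSEGV, so the example catches that with sigsetjmp/siglongjmp in place of MSVC's __try/__except; when VMware intercepts port 0x5658 the instruction completes and EBX comes back holding the magic. A sandbox operator can run it inside a guest to check whether the backdoor is reachable from unprivileged code. All function and constant names are my own; the magic, port and command values are those used by the code above.

```c
/* Added example, not from the al-khaser issue or the linked repository:
 * VMware backdoor probe for GCC on Linux/x86, catching the ring-3 #GP as a signal. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BDOOR_MAGIC          0x564D5868u /* "VMXh" in EAX selects the backdoor */
#define BDOOR_PORT           0x5658u     /* "VX": the I/O port VMware traps */
#define BDOOR_CMD_GETVERSION 10u         /* command 10 = get VMware version */

static sigjmp_buf probe_env;

/* SIGSEGV (from #GP) or SIGILL lands here when nothing intercepts the port. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);
}

/* The backdoor echoes the magic back in EBX on a GETVERSION call; anything
 * else, including the untouched input value, means no VMware answered. */
int vmware_backdoor_reply_ok(uint32_t ebx_after)
{
    return ebx_after == BDOOR_MAGIC;
}

/* Returns 1 if ring-3 code received a VMware backdoor reply, 0 if the IN
 * faulted or the reply was not VMware's, -1 on a non-x86 build. */
int vmware_backdoor_reachable_from_ring3(void)
{
#if defined(__i386__) || defined(__x86_64__)
    struct sigaction sa, old_segv, old_ill;
    volatile int answered = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);

    /* savesigs=1 so siglongjmp restores the mask the handler left blocked. */
    if (sigsetjmp(probe_env, 1) == 0) {
        uint32_t eax = BDOOR_MAGIC;
        uint32_t ebx = ~BDOOR_MAGIC;          /* any value except the magic */
        uint32_t ecx = BDOOR_CMD_GETVERSION;
        uint32_t edx = BDOOR_PORT;
        /* IN is privileged: with IOPL 0 and no hypervisor trap this raises #GP. */
        __asm__ volatile("inl %%dx, %%eax"
                         : "+a"(eax), "+b"(ebx), "+c"(ecx), "+d"(edx)
                         :
                         : "memory");
        (void)eax; (void)ecx; (void)edx;      /* version/product type not needed here */
        answered = vmware_backdoor_reply_ok(ebx);
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return answered;
#else
    return -1;
#endif
}

int main(void)
{
    int r = vmware_backdoor_reachable_from_ring3();
    if (r == 1)
        puts("VMware backdoor answered from ring 3: the guest is identifiable this way");
    else if (r == 0)
        puts("IN faulted or no VMware reply: backdoor not reachable from ring 3");
    else
        puts("not an x86 build; probe skipped");
    return 0;
}
```

Build with plain `gcc probe.c -o probe` on x86-64 Linux. On bare metal or under a hypervisor that does not implement the VMware backdoor the program reports the fault path; inside a VMware guest it reports the reply. For hardening, VMware offers a .vmx option that confines the backdoor to privileged code (`monitor_control.restrict_backdoor`, to my recollection of the option name); rerunning this probe after enabling it is the check that the restriction took effect.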