Option Explicit
'---------------------------------------------------------------------------------------
' Module : mAntiVMWare
' Author : Karcrack
' Now$ : 020810
' Used for? : Know if being virtualized inside VMWARE
' Original C source:
' bool IsVMWare()
' {
' unsigned long _EBX;
' __try
' {
' __asm
' {
' // Run the magic code sequence
' push ebx
' mov eax, 0x564D5868
' mov ebx, 0x8685D465 // Ensure EBX doesn't contain 0x564D5868 :)
' mov ecx, 10 // The command for obtaining VMWare version information
' mov dx, 0x5658
' in eax, dx
' mov _EBX, ebx
' pop ebx
' };
' }
' __except(1)
' {
' // An exception occured, we ain't in VMWare
' return false;
' }
' // The code was executed successfuly, check for the magic value
' return _EBX == 0x564D5868;
' }
'---------------------------------------------------------------------------------------
'KERNEL32
' Installs (and later restores) the process-wide top-level exception filter, so a fault
' raised by the probe in IsVMWare is routed to ExceptionHandler instead of killing the process.
Private Declare Function SetUnhandledExceptionFilter Lib "KERNEL32" (ByVal lpTopLevelExceptionFilter As Long) As Long
'USER32
' Used here purely as a "call this address" primitive: IsVMWare passes VarPtr(cCode(0)),
' the address of raw machine code, as lpPrevWndFunc - not a real window procedure.
Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
' Set to True just before the probe runs; ExceptionHandler clears it if the probe faults.
Private m_bFlag As Boolean
Public Function IsVMWare() As Boolean
    ' Returns True when the VMware "backdoor" I/O port answers with the magic value.
    ' cCode holds, as three Currency literals, the x86 bytes of the C routine in the
    ' module header (IN EAX,DX on port &H5658 with EAX = &H564D5868, ECX = 10);
    ' CallWindowProcW is used only to jump to VarPtr(cCode(0)). Outside VMware the
    ' privileged IN raises an exception, ExceptionHandler clears m_bFlag and the
    ' function returns False. Inside VMware the thunk returns normally and lRet (the
    ' thunk's EAX) is compared with the magic value.
    ' NOTE(review): the probe executes machine code from a writable data buffer, so it
    ' is presumably blocked by DEP/NX; the unhandled-exception filter is process-wide
    ' and, per the API's documentation, is not invoked while a debugger is attached,
    ' so a fault then terminates the process rather than returning False. 32-bit x86 only.
    On Error Resume Next    ' absorbs the VB runtime error ExceptionHandler raises to get back here
    Dim cCode(2) As Currency
    Dim lOldSEH As Long
    Dim lRet As Long
    ' Refuse to run under the IDE (LogMode 0): only meaningful in a compiled executable.
    If App.LogMode = 0 Then MsgBox "Test only compiled": Exit Function
    m_bFlag = True
    lOldSEH = SetUnhandledExceptionFilter(AddressOf ExceptionHandler)
    cCode(0) = 733054770867134.2675@
    cCode(1) = 4606227.4004@
    cCode(2) = 661819130486985.3798@
    lRet = CallWindowProcW(VarPtr(cCode(0)), 0&, 0&, 0&, 0&)
    Call SetUnhandledExceptionFilter(lOldSEH)   ' always put the previous filter back
    If m_bFlag = True Then IsVMWare = (lRet = &H564D5868)
End Function
Public Function ExceptionHandler(ByRef uException As Long) As Long
    ' Top-level exception filter installed by IsVMWare (uException points at the
    ' exception information and is not used). Marks the probe as failed, then raises a
    ' VB runtime error on purpose (Mid$ with a start of 0 is an invalid procedure call)
    ' so that control unwinds into the caller's On Error Resume Next instead of
    ' returning to the system dispatcher; the -1 return value is presumably never consumed.
    m_bFlag = False: ExceptionHandler = -1
    ' VB Will process our error :P
    Call Mid$(vbNullString, 0)
End Function
This source can detect whether our program is running in a VM by reading the BIOS data. Currently it supports only VirtualBox, but any other vendor can be added by simply editing the ‘Select Case’.
'---------------------------------------------------------------------------------------
' Module : mSMBIOS_VMDetect
' DateTime : 10/26/2009 22:31
' Author : Cobein
' Mail : cobein27@hotmail.com
' WebPage : http://www.advancevb.com.ar
' Purpose : Simple BIOS VM dettection
' Usage : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
' applications, but you may not reproduce
' or publish this code on any web site,
' online service, or distribute as source
' on any media without express permission.
'
' Reference : http://msdn.microsoft.com/en-us/library/ms724259(VS.85).aspx
'
' Notes : The select case can be expanded to add more detections; read the
' documentation to make sure this API is available on your system, otherwise
' you may want to use some OS version detection routine.
'
' History : 10/26/2009 First Cut....................................................
'---------------------------------------------------------------------------------------
Option Explicit
Private Declare Function GetSystemFirmwareTable Lib "kernel32" ( _
ByVal FirmwareTableProviderSignature As Long, _
ByVal FirmwareTableID As Long, _
ByVal pFirmwareTableBuffer As Long, _
ByVal BufferSize As Long) As Long
Public Function IsVMPresent() As Boolean
    ' Detects a VM guest by looking for a vendor string in the firmware image returned
    ' by GetSystemFirmwareTable ('FIRM' provider, table id &HC0000 - the legacy BIOS
    ' ROM region; see the MSDN reference in the module header). Returns False when the
    ' API is unavailable, reports no data, fails on the second call, or the string is absent.
    Const FIRM_PROVIDER As Long = &H4649524D
    Const BIOS_ROM_TABLE As Long = &HC0000
    Dim lNeeded As Long
    Dim bvImage() As Byte
    Dim sImage As String

    ' First call with a null buffer only reports the required size (0 = not available).
    lNeeded = GetSystemFirmwareTable(FIRM_PROVIDER, BIOS_ROM_TABLE, 0, 0)
    If lNeeded = 0 Then Exit Function

    ReDim bvImage(lNeeded - 1)
    If GetSystemFirmwareTable(FIRM_PROVIDER, BIOS_ROM_TABLE, VarPtr(bvImage(0)), lNeeded) = 0 Then Exit Function

    ' Widen the raw ANSI bytes to a VB string and compare case-insensitively.
    sImage = UCase$(StrConv(bvImage, vbUnicode))
    '// Add further vendor patterns here to detect other VM products
    If sImage Like "*VIRTUALBOX*" Then IsVMPresent = True
End Function
Works fine with Sandboxie and Anubis
Option Explicit
'NTDLL
Private Declare Function RtlGetCurrentPeb Lib "NTDLL" () As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal ProcessHandle As Long, ByVal BaseAddress As Long, ByVal pBuffer As Long, ByVal NumberOfBytesToWrite As Long, ByRef NumberOfBytesWritten As Long) As Long
'---------------------------------------------------------------------------------------
' Procedure : ImSandBoxed
' Author : Karcrack
' Date : 23/09/2009
' Purpose : Know if being SandBoxed... Anubis & Sandboxie
' Credits : Cobein, He made the 1st version...
'---------------------------------------------------------------------------------------
'
Public Function ImSandBoxed() As Boolean
    ' Heuristic sandbox check: reads PEB->ProcessParameters (PEB + &H10) and then
    ' RTL_USER_PROCESS_PARAMETERS.WindowFlags (+ &H68), and treats a value of 0 or 1 as
    ' "sandboxed" (per the author's observation: 0 under Anubis, 1 under Sandboxie).
    ' NOTE(review): both offsets are hard-coded 32-bit structure layouts. Any launcher
    ' that starts the process with a minimal STARTUPINFO would presumably produce the
    ' same small WindowFlags value, so expect false positives outside a normal shell launch.
    Dim lUPP As Long 'RTL_USER_PROCESS_PARAMETERS
    Dim lWndFlags As Long 'RTL_USER_PROCESS_PARAMETERS.WindowFlags
    lUPP = GetMemLng(RtlGetCurrentPeb + (&H4 * 4))      ' PEB + &H10
    lWndFlags = GetMemLng(lUPP + (&H4 * 26))            ' ProcessParameters + &H68
    ImSandBoxed = (lWndFlags <= 1) 'WindowFlags;0 Anubis;1 Sandboxie
End Function
Private Function GetMemLng(ByVal lAddr As Long) As Long
    ' Reads the 32-bit value at lAddr into this function's return slot by asking the
    ' kernel to copy it (NtWriteVirtualMemory on the current process, pseudo-handle -1,
    ' length 4) instead of dereferencing a raw pointer from VB. NumberOfBytesWritten is
    ' passed as a null pointer (ByVal 0&) and the NTSTATUS is discarded, so an invalid
    ' address presumably yields 0 rather than a fault.
    Call NtWriteVirtualMemory(-1, VarPtr(GetMemLng), lAddr, &H4, ByVal 0&)
End Function
Based on Cobein’s Anti:
Private Function IsSandboxed() As Boolean
    ' Cobein's earlier variant of the same heuristic: fills a 17-Long (68-byte) buffer
    ' laid out like STARTUPINFOW via GetStartupInfoW and inspects Long index 11
    ' (dwFlags), treating 0 (Anubis) or 1 (Sandboxie) as sandboxed. The Declare for
    ' GetStartupInfoW is not shown on this page. Same false-positive caveat as
    ' ImSandBoxed: any launcher supplying a minimal STARTUPINFO would trip it.
    Dim lvData(16) As Long
    Call GetStartupInfoW(lvData(0))
    IsSandboxed = (lvData(11) <= 1) 'dwFlags '0 anubis '1 sandboxie
End Function
Option Explicit
'---------------------------------------------------------------------------------------
' Module : mVirtualized
' Author : Karcrack
' Date : 09/09/09
' Used for? : Detect Virtualized Machines... like VMWare/V.PC/QEmu...
' Tested On :
' - Virtual PC 2007, 1.0 (Tested by: KIASH!)
' - VMWare ,6.5.3.185404 (Tested by: SkyWeb!)
'
' Reference :
' :http://www.cs.nps.navy.mil/people/faculty/irvine/publications/2000/VMM-usenix00-0611.pdf
' :http://invisiblethings.org/papers/redpill.html
' :http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html
' :http://blog.assarbad.net/wp-content/uploads/2006/11/redpill_getting_colorless.pdf
'---------------------------------------------------------------------------------------
'USER32
Private Declare Function CallThunk8 Lib "USER32" Alias "CallWindowProcW" (ByRef cThunk As Currency, Optional ByVal Param1 As Long, Optional ByVal Param2 As Long, Optional ByVal Param3 As Long, Optional ByVal Param4 As Long) As Long
Public Function ImVirtualized() As Boolean
    ' "Red pill" VMM check (see the references in the module header): runs the
    ' three-instruction thunk packed into the Currency literal (mov ecx,[esp+4] /
    ' sidt [ecx] / retn) via CallThunk8, which stores the 32-bit IDTR (2-byte limit +
    ' 4-byte base) into tIDT, then reports a VMM when the most significant byte of the
    ' base, tIDT(5), is above &HD0.
    ' NOTE(review): 32-bit guests only (the buffer is sized for a 6-byte IDTR). The
    ' later references in the header (redpill_getting_colorless) discuss why this
    ' threshold is unreliable - the IDT base can differ between cores on multiprocessor
    ' hosts and hardware-assisted hypervisors need not relocate it - so expect both
    ' false positives and false negatives.
    Dim tIDT(2 + 4) As Byte     ' 7 bytes; a 32-bit SIDT stores 6
    ' mov ecx, [esp+4]\
    ' sidt [ecx] |->; -439297879751758.3221@
    ' retn /
    Call CallThunk8(-439297879751758.3221@, ByVal VarPtr(tIDT(0)))
    ImVirtualized = (tIDT(5) > &HD0)
End Function
For more info about the INTERRUPT_DESCRIPTOR_TABLE, see the links in the commented section…
Option Explicit
'---------------------------------------------------------------------------------------
' Module : mAntiVirtualPC
' Author : Karcrack
' Now$ : 06/09/2009 17:35
' Used for? : Know if being virtualized inside M$ Virtual PC
' Thanks : Kiash > He tested on Virtual PC
' Original C source:
' BOOL IsVirtualPC(void){
' __try{
' __asm{
' mov eax, 1
' _emit 0x0F
' _emit 0x3F
' _emit 0x07
' _emit 0x0B
' _emit 0xC7
' _emit 0x45
' _emit 0xFC
' _emit 0xFF
' _emit 0xFF
' _emit 0xFF
' _emit 0xFF
' }
' }__except(1){
' return FALSE;
' }
' return TRUE;
' }
'---------------------------------------------------------------------------------------
'KERNEL32
' Installs (and later restores) the process-wide top-level exception filter so the
' faulting opcode in IsVirtualPC is routed to ExceptionHandler.
Private Declare Function SetUnhandledExceptionFilter Lib "KERNEL32" (ByVal lpTopLevelExceptionFilter As Long) As Long
'USER32
' Used purely as a "call this address" primitive: IsVirtualPC passes VarPtr(bvASM(0)),
' the address of the assembled opcode bytes, as lpPrevWndFunc.
Private Declare Function CallWindowProc Lib "USER32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'MSVBVM60
' VB runtime helper; presumably copies the 8 bytes of the Currency inSrc to inDst
' (used below to lay the two thunk halves into bvASM at offsets 0 and 8).
Private Declare Sub PutMem8 Lib "MSVBVM60" (inDst As Any, ByVal inSrc As Currency)
' The eleven opcode bytes from the C source in the module header, followed by a RET and
' four NOPs, packed into two 8-byte Currency constants (see the db comments).
Private Const THUNK_ANTI1 As Currency = -104917872100.9905@ 'db 0x0F, 0x3F,0x07,0x0B,0xC7,0x45,0xFC,0xFF
Private Const THUNK_ANTI2 As Currency = -802975918416356.9665@ 'db 0xFF,0xFF,0xFF + RET + NOP + NOP + NOP + NOP
' True before the thunk runs; ExceptionHandler clears it when the opcode faults.
Private m_bFlag As Boolean
Public Function IsVirtualPC() As Boolean
    ' Executes the Virtual PC guest-extension instruction sequence from the C source in
    ' the module header (the _emit bytes, assembled into THUNK_ANTI1/THUNK_ANTI2 plus a
    ' RET and NOP padding) from a 16-byte local byte array. On real hardware the
    ' undefined opcode faults, ExceptionHandler clears m_bFlag and the result is False;
    ' if the sequence completes without a fault the result is True.
    ' NOTE(review): same mechanism and caveats as mAntiVMWare - code runs from a
    ' writable data buffer (presumably blocked by DEP/NX), the unhandled-exception
    ' filter is process-wide and not invoked while a debugger is attached, and the
    ' probe is 32-bit x86 only. mAntiVMWare also declares a Public ExceptionHandler;
    ' with both modules in one project the unqualified AddressOf target may be ambiguous.
    On Error Resume Next    ' absorbs the VB runtime error ExceptionHandler raises to get back here
    Dim bvASM(&HF) As Byte
    Dim lOldSEH As Long
    m_bFlag = True
    lOldSEH = SetUnhandledExceptionFilter(AddressOf ExceptionHandler)
    ' Lay the 16 thunk bytes into bvASM: first 8 at offset 0, remaining 8 at offset 8.
    Call PutMem8(ByVal VarPtr(bvASM(0)), THUNK_ANTI1)
    Call PutMem8(ByVal VarPtr(bvASM(0)) + 8, THUNK_ANTI2)
    Call CallWindowProc(VarPtr(bvASM(0)), 0&, 0&, 0&, 0&)
    Call SetUnhandledExceptionFilter(lOldSEH)   ' always put the previous filter back
    IsVirtualPC = m_bFlag
End Function
Public Function ExceptionHandler(ByRef uException As Long) As Long
    ' Top-level exception filter installed by IsVirtualPC (uException points at the
    ' exception information and is not used). Marks the probe as failed, then raises a
    ' VB runtime error on purpose (Mid$ with a start of 0 is an invalid procedure call)
    ' so that control unwinds into the caller's On Error Resume Next instead of
    ' returning to the system dispatcher; the -1 return value is presumably never consumed.
    m_bFlag = False: ExceptionHandler = -1
    ' VB Will process our error :P
    Call Mid$(vbNullString, 0)
End Function
'---------------------------------------------------------------------------------------
' Module : mBeingDebugged
' Author : Karcrack
' Now$ : 23/08/2009 18:42
' Used for? : Know if being debugged
' Reference :
' http://www.codeproject.com/KB/security/AntiReverseEngineering.aspx
' Tested On :
' - OllyDbg 1/2
'---------------------------------------------------------------------------------------
Option Explicit
'NTDLL
Private Declare Function NtQueryInformationProcess Lib "ntdll.dll" (ByVal hProcess As Long, ByVal ProcessInformationClass As Long, ProcessInformation As Any, ByVal ProcessInformationLength As Long, ReturnLength As Long) As Long
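Public Function ImBeingDebugged() As Boolean
    ' Asks the kernel for the ProcessDebugObjectHandle (information class &H1E) of the
    ' current process (pseudo-handle -1); a non-zero handle means a debugger has the
    ' process open.
    ' Fix: the original passed the 2-byte Boolean return slot as the 4-byte output
    ' buffer (ProcessInformationLength = 4), overrunning it by two bytes and leaving a
    ' non-canonical Boolean. Receive into a Long and convert explicitly.
    ' NOTE(review): when no debugger is present the call reportedly fails with an
    ' error NTSTATUS and leaves the buffer untouched, so the status is checked too.
    ' On success the returned handle should be closed; there is no CloseHandle Declare
    ' in this module, so it is still leaked here, as it was before.
    Dim hDebugObject As Long    ' VB zero-initialises locals, so "no handle" is 0
    Dim lStatus As Long
    lStatus = NtQueryInformationProcess(-1, &H1E, hDebugObject, ByVal 4, ByVal 0&)
    ' NT_SUCCESS: non-negative NTSTATUS.
    If lStatus >= 0 Then ImBeingDebugged = (hDebugObject <> 0)
End Function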
Enjoy it =D
I was reading an interesting book and decided to write one of the examples discussed in the Self-Protection chapter: the trick is to set an exception handler and then raise an exception to transfer execution to the main part of our code. Since debuggers (without plugins) and AV emulators can't handle this, execution will terminate without reaching our main function.
SEH Execution
Another debugger detection routine, this time using ASM to read CPU cycles and attempt to guess whether we are being debugged. Due to the kind of check we are doing we will get some false positives sometimes, mostly when running under VMs, but in a normal environment it should be pretty accurate.
Note: this code can be modified (adding a simple Sleep call) to detect AV emulators ;)
Timed Debug
This code is mainly based on an article by ReWolf that I found on rootkit.com
Article: http://www.rootkit.com/newsread.php?newsid=669
Part of the article.
; Int 2Dh debugger detection and code obfuscation – ReWolf^HTB
;
; Date: 14.III.2007
;
;
; I. BACKGROUND
;
; Possibly new method of debugger detection, and nice way for code
; obfuscation.
;
;
; II. DESCRIPTION
;
; Int 2Dh is used by ntoskrnl.exe to play with DebugServices (ref1),
; but we can use it also in ring3 mode. If we try to use it in normal
; (not debugged) application, we will get exception. However if we will
; attach debugger, there will be no exception.
The VB code was difficult to write and test since it produces a GPF when it is not being debugged, but after a few tests everything works perfectly.
Int 2D
Virtual machine detection using the registry: the trick of this code is to scan certain registry keys and try to find predefined patterns added by different VM software vendors. It supports VirtualBox, VMWare and Virtual PC.
VM Detection