10-18-2011, 03:43 AM
The virtual machine system VMware uses a “backdoor communication port” to be able to pass data between the host and the guest operating system. This communication port is used to read and write clipboard information, drag and drop between host and guest operating system, and allow file sharing between the two running systems. Communication on this port occurs by using two privileged x86 instructions, “IN” and “OUT”. These two instructions cannot normally be run from an unprivileged vantage point and would generate an exception; however, when running under VMware, the emulation layer has implemented these particular instructions differently, allowing them to be executed from an unprivileged vantage point. As such we can use these methods to detect if we are in a VMware virtual environment.

In the inline assembly below we set up a call to the “IN” instruction by pushing a number of static values onto the stack. The first parameter of interest is the static string ‘VMXh’. This string is the “magic” value that must be present for the virtual machine to know that the request is legitimate. The value 10 is the particular VMware backdoor function that we wish to execute, while the value ‘VX’ is the default port that the VMware backdoor IO listens for. Finally we execute the “IN” call and analyze the return value. If the return value is zero, and we have reached our exception handler, we know that we are not running in a virtual session. If the return value is nonzero and we do not reach our exception handler, we are running inside of VMware.
Code:
function AntiVMware: Boolean;
begin
  try
    asm
      push edx;
      push ecx;
      push ebx;
      mov eax, 'VMXh';   // Magic value expected by the backdoor
      mov ebx, 0;        // This can be any value except MAGIC
      mov ecx, 10;       // "CODE" to get the VMware Version
      mov edx, 'VX';     // Port Number
      in eax, dx;        // Read port
      // On return EAX returns the VERSION
      cmp ebx, 'VMXh';   // is it VMware
      setz Result;       // Set flag state
      pop ebx;
      pop ecx;
      pop edx;
    end;
  except
    // Outside VMware the privileged IN raises an exception
    Result := False;
  end;
end;

Code:
if AntiVMware then
  MessageBox(0, 'VMware Instance Detected', 'VMware Detected', MB_OK + MB_ICONINFORMATION)
else
  MessageBox(0, 'No VMware Instance Detected', 'No VMware Detected', MB_OK + MB_ICONINFORMATION);
With the source above you can prevent the program from running in a VM environment.
It has also been tested on this version and it worked:
VM WARE 7.1.0
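From the analyst's side, the probe described in this post leaves a recognizable byte pattern in a binary. The following is an added example, not part of the original post: a heuristic static scan for the 'VMXh' magic immediate followed closely by the 'VX' port and an `in eax, dx` opcode. The function name, the 32-byte window and the sample bytes (a hand-assembled encoding of the instruction sequence above, with `setz al` standing in for `setz Result`) are assumptions made for the illustration.

```python
import struct

VMWARE_MAGIC = 0x564D5868  # 'VMXh', the magic value named in the post
VMWARE_PORT = 0x5658       # 'VX', the backdoor port named in the post
IN_EAX_DX = b"\xED"        # one-byte x86 opcode for `in eax, dx`
WINDOW = 32                # assumed max distance (bytes) from magic to IN


def find_vmware_backdoor_probes(code: bytes, window: int = WINDOW):
    """Return (magic_offset, in_offset) pairs for likely backdoor probes.

    A hit needs the little-endian magic immediate, then the port immediate,
    then an IN EAX,DX opcode, all within `window` bytes after the magic.
    This is a heuristic: it can miss obfuscated code and can false-positive
    on data that happens to contain the same bytes.
    """
    magic = struct.pack("<I", VMWARE_MAGIC)
    port = struct.pack("<H", VMWARE_PORT)
    hits = []
    pos = code.find(magic)
    while pos != -1:
        tail_start = pos + len(magic)
        tail = code[tail_start:tail_start + window]
        port_at = tail.find(port)
        if port_at != -1:
            in_at = tail.find(IN_EAX_DX, port_at + len(port))
            if in_at != -1:
                hits.append((pos, tail_start + in_at))
        pos = code.find(magic, pos + 1)
    return hits


# Constructed sample: hand-assembled bytes for the sequence in the post.
SAMPLE_PROBE = bytes.fromhex(
    "52 51 53 "           # push edx / push ecx / push ebx
    "B8 68 58 4D 56 "     # mov eax, 0x564D5868
    "BB 00 00 00 00 "     # mov ebx, 0
    "B9 0A 00 00 00 "     # mov ecx, 10
    "BA 58 56 00 00 "     # mov edx, 0x5658
    "ED "                 # in eax, dx
    "81 FB 68 58 4D 56 "  # cmp ebx, 0x564D5868
    "0F 94 C0 "           # setz al
    "5B 59 5A"            # pop ebx / pop ecx / pop edx
)
# Constructed benign sample: magic immediate present, but no port or IN.
SAMPLE_BENIGN = bytes.fromhex("B8 68 58 4D 56 C3")

if __name__ == "__main__":
    for name, blob in (("probe", SAMPLE_PROBE), ("benign", SAMPLE_BENIGN)):
        print(name, find_vmware_backdoor_probes(blob))
```
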