
Thread: VM Detection

  1. #1

    Thread Starter
    New Member
    Join Date
    Feb 2016
    Posts
    7

    VM Detection

    Hi, I found some good C++ code that will help to detect a VM.
    It works well in all VMs (returns 1 if the app runs in a VM and 0 on a real machine).
    Just help me change it to VB6 if it is possible..
    Thanks

    Code:
    int swallow_redpill() {
    	/* rpill = sidt [imm32] ; ret  -- stores the 6-byte IDTR (limit:16, base:32) into m */
    	unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    	*((unsigned*)&rpill[3]) = (unsigned)m;   /* patch the address of m into the stub (32-bit build only) */
    	((void(*)())&rpill)();                   /* run the stub from the stack: needs an executable stack (no DEP) */
    	return (m[5]>0xd0) ? 1 : 0;              /* high byte of the IDT base; a relocated IDT is taken as "VM" */
    }

  3. #3
    Fanatic Member namrekka's Avatar
    Join Date
    Feb 2005
    Location
    Netherlands
    Posts
    639

    Re: VM Detection

    Hmmm.......

  4. #4

    Thread Starter
    New Member
    Join Date
    Feb 2016
    Posts
    7

    Re: VM Detection

    Quote Originally Posted by The trick View Post
    This is the SIDT assembly instruction.
    You can use either dynamic machine code or an inline assembler.
    You just have to put the address of a 6-byte array in place of "\x00\x00\x00\x00".
    Thank you a lot, trick.

    I am not too pro, so you mean that it cannot be converted to VB6 code, right?
    I will not compile it as a DLL with a C++ compiler and call it from a VB6 EXE.
    Is there another way to compile this function inside a VB6 EXE file?

  5. #5
    Frenzied Member
    Join Date
    Feb 2015
    Posts
    1,584

    Re: VM Detection

    As I said, you can use either dynamic assembly code like this:
    Code:
    Option Explicit
    
    Private Declare Function VirtualAlloc _
                             Lib "kernel32" ( _
                             ByVal lpAddress As Long, _
                             ByVal dwSize As Long, _
                             ByVal flAllocationType As Long, _
                             ByVal flProtect As Long) As Long
    Private Declare Function VirtualFree _
                             Lib "kernel32" ( _
                             ByVal lpAddress As Long, _
                             ByVal dwSize As Long, _
                             ByVal dwFreeType As Long) As Long
    Private Declare Function GetMem8 _
                             Lib "msvbvm60" ( _
                             ByRef src As Any, _
                             ByRef dst As Any) As Long
    Private Declare Function DispCallFunc _
                             Lib "oleaut32" ( _
                             ByVal pvInstance As Any, _
                             ByVal oVft As Long, _
                             ByVal cc As Integer, _
                             ByVal vtReturn As Integer, _
                             ByVal cActuals As Long, _
                             ByRef prgvt As Any, _
                             ByRef prgpvarg As Any, _
                             ByRef pvargResult As Variant) As Long
                             
    Private Const MEM_COMMIT                As Long = &H1000&
    Private Const MEM_RESERVE               As Long = &H2000&
    Private Const MEM_RELEASE               As Long = &H8000&
    Private Const PAGE_EXECUTE_READWRITE    As Long = &H40&
    Private Const CC_STDCALL                As Long = 4
    
    Private Function swallow_redpill() As Boolean
        Dim lpCode  As Long
        Dim curCode As Currency
        Dim ret(5)  As Byte     ' 6-byte buffer SIDT writes to: limit (2 bytes) + base (4 bytes)
        
        ' Executable page for the 8-byte stub 0F 01 0D <addr> C3 = sidt [addr] ; ret
        lpCode = VirtualAlloc(0, &H100, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        If lpCode Then
            ' Currency is a 64-bit integer scaled by 10000: 1677.7216@ is 2^24, which moves
            ' VarPtr(ret(0)) into bytes 3..6; the constant supplies 0F 01 0D and C3.
            curCode = VarPtr(ret(0)) * 1677.7216@ - 439551323631275.1857@
            GetMem8 curCode, ByVal lpCode      ' copy the 8 stub bytes into the page
            ' DispCallFunc with pvInstance = 0 calls the absolute address passed as oVft
            DispCallFunc ByVal 0&, lpCode, CC_STDCALL, vbEmpty, 0, ByVal 0&, ByVal 0&, Empty
            swallow_redpill = ret(5) > &HD0    ' high byte of the IDT base: the Red Pill test
            VirtualFree lpCode, 0, MEM_RELEASE
        End If
        
    End Function
    
    Private Sub Form_Load()
        swallow_redpill
    End Sub
    , or use an inline assembler and write the code there.
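
The Currency arithmetic in the post above is just a compact way of writing the eight stub bytes 0F 01 0D <address> C3 (sidt [imm32] ; ret) as one signed 64-bit integer: Currency is an int64 scaled by 10000, so 1677.7216@ is 2^24 (it shifts VarPtr(ret(0)) into bytes 3..6) and -439551323631275.1857@ is 0xC3<<56 | 0x0D010F wrapped to a negative value. The C program below is an added example, not code from the post or from The trick: it builds the same stub byte by byte, exposes the integer behind the Currency constant so it can be checked, and runs the stub from an executable page the way the VB6 code does (VirtualAlloc on Windows, mmap elsewhere). The 64-bit variant (mov rax, imm64 ; sidt [rax] ; ret) is my addition, because in long mode the 0F 01 0D disp32 encoding is RIP-relative rather than absolute; the function names are mine and a little-endian host is assumed throughout.

```c
/* redpill_stub.c: the Red Pill stub, built the way the VB6 post does it.
 *   0F 01 0D <imm32>   sidt [imm32]   ; store IDTR (limit:16, base:32) at imm32
 *   C3                 ret
 * Assumes a little-endian host, exactly as the VB6 Currency arithmetic does. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux x86 value; glibc hides it under a strict -std= */
#endif
#endif

/* 32-bit stub: the exact bytes the VB6 code copies with GetMem8. */
size_t build_redpill32(uint8_t out[8], uint32_t target)
{
    out[0] = 0x0F; out[1] = 0x01; out[2] = 0x0D;  /* sidt [disp32] */
    memcpy(&out[3], &target, 4);                  /* address of the 6-byte buffer, little-endian */
    out[7] = 0xC3;                                /* ret */
    return 8;
}

/* The int64 behind "VarPtr(ret(0)) * 1677.7216@ - 439551323631275.1857@".
 * Currency is a signed 64-bit integer scaled by 10000: 1677.7216@ is 2^24
 * (it shifts the address into bytes 3..6) and -439551323631275.1857@ is
 * 0xC3<<56 | 0x0D010F wrapped to a negative value. This result divided by
 * 10000 is the Currency value the VB6 code stores in curCode. */
int64_t redpill32_as_currency_units(uint32_t target)
{
    uint8_t b[8];
    int64_t v;
    build_redpill32(b, target);
    memcpy(&v, b, 8);           /* bytes 0..7, little-endian, are the integer */
    return v;
}

/* 64-bit variant (added here): in long mode "0F 01 0D disp32" is RIP-relative,
 * so the address goes through a register:  mov rax, imm64 ; sidt [rax] ; ret */
size_t build_redpill64(uint8_t out[14], uint64_t target)
{
    out[0] = 0x48; out[1] = 0xB8;                   /* REX.W mov rax, imm64 */
    memcpy(&out[2], &target, 8);
    out[10] = 0x0F; out[11] = 0x01; out[12] = 0x08; /* sidt [rax] */
    out[13] = 0xC3;                                 /* ret */
    return 14;
}

/* Put the stub in an executable page and call it, like VirtualAlloc + DispCallFunc
 * in the VB6 code. idtr receives 6 bytes on x86, 10 on x86-64. Returns 1 on
 * success, 0 off x86 or if the allocation fails. */
int run_redpill(uint8_t idtr[10])
{
#if defined(__x86_64__) || defined(__i386__)
    uint8_t stub[14];
    size_t n;
    memset(idtr, 0, 10);
#if defined(__x86_64__)
    n = build_redpill64(stub, (uint64_t)(uintptr_t)idtr);
#else
    n = build_redpill32(stub, (uint32_t)(uintptr_t)idtr);
#endif
#ifdef _WIN32
    void *code = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!code) return 0;
#else
    void *code = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED) return 0;
#endif
    memcpy(code, stub, n);
    ((void (*)(void))code)();   /* SIDT is unprivileged on x86 unless the OS enables UMIP */
#ifdef _WIN32
    VirtualFree(code, 0, MEM_RELEASE);
#else
    munmap(code, 4096);
#endif
    return 1;
#else
    (void)idtr;
    return 0;
#endif
}

int main(void)
{
    uint8_t idtr[10];
    uintptr_t base = 0;
    printf("curCode * 10000 for address 0: %lld\n",
           (long long)redpill32_as_currency_units(0));
    if (run_redpill(idtr)) {
        memcpy(&base, &idtr[2], sizeof base);
        printf("IDTR limit=0x%04x base=0x%lx  redpill(m[5] > 0xD0) = %d\n",
               (unsigned)(idtr[0] | (idtr[1] << 8)), (unsigned long)base, idtr[5] > 0xD0);
    }
    return 0;
}
```

Two caveats a practitioner should keep in mind before relying on the verdict this prints. The m[5] > 0xD0 threshold was tuned for 32-bit hosts, where the IDT base of a VMware guest sat near the top of the address space; on 64-bit systems byte 5 of the buffer is just the middle of an 8-byte base and means nothing. And each CPU has its own IDT, so on a multi-core machine the base, and therefore the verdict, can change with the core the thread happens to be scheduled on, which is one known reason a Red Pill check flips between runs; with UMIP enabled by the OS, user-mode SIDT faults instead (Linux emulates it and returns a fixed dummy base), and the probe distinguishes nothing at all.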

  6. #6

    Thread Starter
    New Member
    Join Date
    Feb 2016
    Posts
    7

    Re: VM Detection

    It is everything that I want.
    Thank you a lot, trick, you are my lord.
    You are a grand programmer.
    Last edited by javadkhaldar; Feb 13th, 2016 at 09:20 AM.

  7. #7
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    34,918

    Re: VM Detection

    I'm curious as to what this is useful for? Does it really matter whether the app is on physical or virtual all that much?
    My usual boring signature: Nothing

  8. #8
    PowerPoster
    Join Date
    Feb 2006
    Posts
    20,969

    Re: VM Detection

    In any case there is no one test that can determine whether you are running in a VM. Different VM technologies have different fingerprints.

  9. #9

    Thread Starter
    New Member
    Join Date
    Feb 2016
    Posts
    7

    Re: VM Detection

    Quote Originally Posted by Shaggy Hiker View Post
    I'm curious as to what this is useful for? Does it really matter whether the app is on physical or virtual all that much?
    This is useful for software developers whose software lock is a hardware ID; as you know, in a VM all things are unreal and can be changed easily.

    Quote Originally Posted by dilettante View Post
    In any case there is no one test that can determine whether you are running in a VM. Different VM technologies have different fingerprints.
    I tested it in all VMs and it worked; it is a good technique.

  10. #10
    PowerPoster
    Join Date
    Feb 2006
    Posts
    20,969

    Re: VM Detection

    Hmm....

    On the Cutting Edge: Thwarting Virtual Machine Detection

    Given the rising use of VMEs, computer attackers are very interested in detecting the presence of VMEs, both locally on a potential VME and across the network. Beyond simply their increased use, however, there are some specific uses of VME technology that are driving the computer underground toward deploying techniques for virtual machine detection. We’ll explore some of these uses in-depth in the next two slides.

    Because so many security researchers rely on VMEs to analyze malicious code, malware developers are actively trying to foil such analysis by detecting VMEs. If malicious code detects a VME, it can shut off some of its more powerful malicious functionality so that researchers cannot observe it and devise defenses. Given the malicious code’s altered functionality in light of a VME, some researchers may not notice its deeper and more insidious functionality.

    We are seeing an increasing number of malicious programs carrying code to detect the presence of virtual environments.

    In November 2004, a researcher named Joanna Rutkowska introduced code that implements this IDT-checking concept. Her code, called "The Red Pill", runs a single machine language instruction, called SIDT. This instruction stores the contents of the Interrupt Descriptor Table Register (the IDTR which points to the IDT) in a processor register, where it is analyzed.
    Virus Bulletin: Not old enough to be forgotten: the new chic of Visual Basic 6

    Visual Basic 6 has been the bane of analysts’ lives since the first pieces of VB6 malware reached epidemic levels at the beginning of the 2000s. Visual Basic is widely considered to produce the most hated binaries in the history of reverse engineering – indeed, on mentioning this topic to some reverse engineers, they didn’t know whether to laugh or to cry (and most of them did both).
    Somehow I'm pretty suspicious.

    I'm sure this site doesn't want the liability of harboring malware authors and allowing them to share techniques here.
    Last edited by dilettante; Feb 13th, 2016 at 05:06 PM.
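
Post #8 makes the practical point, and the SANS slides quoted above make the historical one: hypervisors have different fingerprints, and a single probe such as the Red Pill is neither decisive nor stable. The C program below is an added example, my own rather than anything posted in the thread, and it reads the one fingerprint that the CPU vendors and every mainstream hypervisor actually document: CPUID leaf 1 returns ECX bit 31 clear on bare metal and set under a hypervisor, and leaf 0x40000000 then carries a 12-byte vendor signature in EBX:ECX:EDX ("VMwareVMware", "KVMKVMKVM", "Microsoft Hv", "VBoxVBoxVBox", "XenVMMXenVMM", "TCGTCGTCGTCG"). It uses the GCC/Clang <cpuid.h> helpers, compiles to a harmless no-op off x86, and the function names are mine.

```c
/* hv_fingerprint.c: a second VM fingerprint, independent of the Red Pill.
 * CPUID leaf 1: ECX bit 31 is reserved-zero on bare metal; hypervisors set it
 * and then answer leaf 0x40000000 with a 12-byte vendor signature. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* 1 if the hypervisor-present bit is set, 0 if clear, -1 when not an x86 build. */
int hypervisor_bit(void)
{
#if HAVE_X86
    unsigned eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return (int)((ecx >> 31) & 1u);
#else
    return -1;
#endif
}

/* Copies the vendor signature (up to 12 bytes, NUL-terminated) into out and
 * returns its length. Leaf 0x40000000 is only defined while the hypervisor
 * bit is set, so it is never read blindly: without the bit, out is empty. */
int hypervisor_vendor(char out[13])
{
    memset(out, 0, 13);
#if HAVE_X86
    if (hypervisor_bit() == 1) {
        unsigned eax, ebx, ecx, edx;
        __cpuid(0x40000000u, eax, ebx, ecx, edx);
        memcpy(out, &ebx, 4);
        memcpy(out + 4, &ecx, 4);
        memcpy(out + 8, &edx, 4);
    }
#endif
    return (int)strlen(out);
}

/* Well-known signatures, compared as prefixes because KVM pads its 9 bytes with NULs. */
const char *vendor_name(const char *sig)
{
    static const struct { const char *sig; const char *name; } table[] = {
        { "VMwareVMware", "VMware" },
        { "KVMKVMKVM",    "KVM" },
        { "Microsoft Hv", "Hyper-V" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "XenVMMXenVMM", "Xen" },
        { "TCGTCGTCGTCG", "QEMU (TCG)" },
    };
    if (sig[0] == '\0')
        return "none";
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strncmp(sig, table[i].sig, strlen(table[i].sig)) == 0)
            return table[i].name;
    return "unknown";
}

int main(void)
{
    char sig[13];
    int bit = hypervisor_bit();
    hypervisor_vendor(sig);
    printf("hypervisor bit: %d  signature: \"%s\"  -> %s\n", bit, sig, vendor_name(sig));
    return 0;
}
```

Read the result as a hint, not a verdict, which is the thread's real lesson. The bit and the signature are under the hypervisor's control, so a VM built for malware analysis can clear them; conversely a Windows host with the Hyper-V role, WSL 2 or virtualization-based security (Credential Guard) enabled is itself a root partition under Microsoft's hypervisor and reports "Microsoft Hv" on physical hardware. A hardware-ID licence check that refuses to run whenever either probe fires will therefore lock out real customers on perfectly real machines.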

  12. #12
    Frenzied Member some1uk03's Avatar
    Join Date
    Jun 2006
    Location
    London, UK
    Posts
    1,504

    Re: VM Detection

    2 weeks ago, I posted a similar post: Detect-if-Running-in-a-Virtual-Machine

    This can be just another layer on top.

    Although the swallow_redpill example above works in an empty VB project,

    it's showing my normal PC as a VM 9/10 times!! with my existing project.

    Something doesn't seem foolproof? What could be interfering?



  13. #13
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,531

    Re: VM Detection

    Quote Originally Posted by javadkhaldar View Post
    This is useful for software developers whose software lock is a hardware ID; as you know, in a VM all things are unreal and can be changed easily.
    That sounds like bad practice to me. Why would you want different behaviour in a VM to a real machine? Why not just have it run consistently wherever it's deployed?

    If you're concerned about protecting your assets there are better ways than turning an entire class of customer away. Especially given that, as Dil's article points out, this is a trick that VM developers are explicitly trying to lock down, so you can pretty much guarantee it won't work in the future.
    Last edited by FunkyDexter; Feb 15th, 2016 at 09:04 AM.
    You can depend upon the Americans to do the right thing. But only after they have exhausted every other possibility - Winston Churchill

    Hadoop actually sounds more like the way they greet each other in Yorkshire - Inferrd

  14. #14

    Thread Starter
    New Member
    Join Date
    Feb 2016
    Posts
    7

    Re: VM Detection

    Quote Originally Posted by FunkyDexter View Post
    there are better ways than turning an entire class of customer away
    which way?

  15. #15
    PowerPoster
    Join Date
    Jun 2015
    Posts
    2,224

    Re: VM Detection

    Quote Originally Posted by javadkhaldar View Post
    which way?
    Which way? The way is to not treat VM's any differently. That would be the best way.

  16. #16
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,531

    Re: VM Detection

    Well that wasn't the most helpful answer.

    There is no simple answer to the question. A lot of it depends on your licencing model, the nature of your product and your intended user base. Here are a few good articles though:-
    https://zenlicensemanager.com/how-to...your-software/
    http://stackoverflow.com/questions/5...que-do-you-use
    http://stackoverflow.com/questions/3...va-application

    Personally my preferred solution would be to stand up a validation server.

  17. #17
    Fanatic Member
    Join Date
    Apr 2015
    Location
    Finland
    Posts
    672

    Re: VM Detection

    Quote Originally Posted by dilettante View Post
    Hmm....
    Yes, hmmm - indeed. There is absolutely no need to detect a VM 'just' for the hardware-lock purpose. Technically a non-viable method to distinguish one machine from another, and a simple XOR renders this method useless.

    Cockroaches use these techniques to defeat debugging/reversing of packed/encrypted code - nothing more.
    Last edited by Tech99; Feb 18th, 2016 at 08:05 PM.

  18. #18
    Frenzied Member gibra's Avatar
    Join Date
    Oct 2009
    Location
    ITALY
    Posts
    1,694

    Re: VM Detection

    I agree with Dilettante, Tech99, ...


    However, just for information, there is an environment variable that 'could help' you understand whether the environment you run in is a real or a virtual machine.
    But certainly it cannot be trusted for the hardware-lock purpose.

    I use this variable only to discover when code is run in a Virtual Machine/Terminal Server session, just to reduce some graphics effects that would have a bad impact on the user interface.
    But nothing else.


    This variable is called SESSIONNAME.

    On a real machine the value of SESSIONNAME is "Console".
    In a virtual machine, the SESSIONNAME variable is missing.

    You can use the Environ() function to get this value:
    Code:
    Dim bVirtualMachine As Boolean
    ' SESSIONNAME is "Console" for an interactive console logon; Environ() returns ""
    ' when the variable is missing, so that case falls through to the Else branch
    If Environ("SESSIONNAME") = "Console" Then
        bVirtualMachine = False
    Else
        bVirtualMachine = True
    End If

    Also, I'm not sure that this method always works well.
    Although I must say that until now I have had no problems.

  19. #19
    PowerPoster
    Join Date
    Jun 2015
    Posts
    2,224

    Re: VM Detection

    Quote Originally Posted by Tech99 View Post
    Yes, hmmm - indeed. There is absolutely no need to detect a VM 'just' for the hardware-lock purpose. Technically a non-viable method to distinguish one machine from another, and a simple XOR renders this method useless.

    Cockroaches use these techniques to defeat debugging/reversing of packed/encrypted code - nothing more.
    Agreed. While I definitely appreciate the technical aptitude to discuss these techniques - putting them to use in legit software, does incite quite a bit of negativity on my part. I can't discourage this enough.

    @gibra - SESSIONNAME is set to Console on my Virtualbox VM.

  20. #20
    Frenzied Member gibra's Avatar
    Join Date
    Oct 2009
    Location
    ITALY
    Posts
    1,694

    Re: VM Detection

    Quote Originally Posted by DEXWERX View Post
    @gibra - SESSIONNAME is set to Console on my Virtualbox VM.
    I've just tried in VirtualBox: you are right!

    I remember that worked well once, in Terminal Server.
    Then forget my post.
