-
Feb 12th, 2016, 12:01 PM
#1
Thread Starter
New Member
VM Detection
Hi, I found a good C++ code that will help to detect a VM.
It works well in all VMs (returns 1 if the app runs in a VM and 0 on a real machine).
Just help me change it to VB6 if it is possible..
Thx
Code:
/* Red Pill: run "sidt [m]; ret" from a stack buffer and inspect the top
   byte of the stored IDT base. Assumes 32-bit x86 code and an executable
   stack (the buffer rpill lives on the stack, so DEP must be off). */
int swallow_redpill() {
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch the disp32 with the address of m */
    ((void(*)())&rpill)();                   /* execute: sidt [m]; ret */
    return (m[5]>0xd0) ? 1 : 0;              /* m[5] = most significant byte of the IDT base */
}
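To make visible what the `m[5] > 0xd0` test (and `ret(5) > &HD0` in the VB6 port later in this thread) actually inspects, here is an added Python example; it is not code from the thread or from any poster. It lays out the 6-byte structure that a 32-bit SIDT stores (a 16-bit limit followed by a 32-bit linear base, little-endian), decodes it, and applies the posted threshold. The IDTR images are constructed for illustration and are not captured from any real machine or hypervisor; the threshold 0xD0 is the posted code's, not a measured value.

```python
import struct
from typing import Tuple

# 32-bit SIDT stores a 6-byte pseudo-descriptor: 16-bit limit, then 32-bit
# linear base, little-endian. m[5] in the C code (ret(5) in the VB6 port)
# is therefore the most significant byte of the IDT base.
IDTR_FORMAT = "<HI"
IDTR_SIZE = struct.calcsize(IDTR_FORMAT)  # 6
REDPILL_THRESHOLD = 0xD0                  # constant from swallow_redpill()


def decode_idtr(raw: bytes) -> Tuple[int, int]:
    """Split the bytes SIDT stored into (limit, base)."""
    if len(raw) != IDTR_SIZE:
        raise ValueError(f"expected {IDTR_SIZE} bytes, got {len(raw)}")
    limit, base = struct.unpack(IDTR_FORMAT, raw)
    return limit, base


def swallow_redpill(raw: bytes) -> int:
    """The posted decision rule: 1 if m[5] > 0xD0, else 0."""
    decode_idtr(raw)                      # validates the length
    return 1 if raw[5] > REDPILL_THRESHOLD else 0


def redpill_from_base(limit: int, base: int) -> int:
    """Build an IDTR image from its two fields and apply the rule."""
    return swallow_redpill(struct.pack(IDTR_FORMAT, limit, base & 0xFFFFFFFF))


# Constructed IDTR images (not captured from any real machine or hypervisor).
SAMPLES = {
    "base_0x80": struct.pack(IDTR_FORMAT, 0x7FF, 0x80B95400),  # m[5] = 0x80 -> 0
    "base_0xFF": struct.pack(IDTR_FORMAT, 0x7FF, 0xFFC18000),  # m[5] = 0xFF -> 1
    "base_0x6F": struct.pack(IDTR_FORMAT, 0xFFF, 0x6FB95000),  # m[5] = 111  -> 0
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        limit, base = decode_idtr(image)
        print(f"{name}: limit={limit:#06x} base={base:#010x} "
              f"m[5]={image[5]} -> {swallow_redpill(image)}")
```

The third image has 111 in its last byte, the value a later post in this thread reports for both a VMware guest and a physical PC; whatever its cause on a given machine, the rule returns 0 for it, which illustrates why a threshold on a single byte of one register is a weak VM signal and why the thread's later advice is not to rely on it.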
-
Feb 12th, 2016, 06:51 PM
#2
Re: VM Detection
This is the SIDT assembly instruction.
You can use either dynamic machine code or an inline assembler.
You just need to put the address of a 6-byte array in place of "\x00\x00\x00\x00".
-
Feb 13th, 2016, 06:19 AM
#3
-
Feb 13th, 2016, 06:36 AM
#4
Thread Starter
New Member
Re: VM Detection
Originally Posted by The trick
This is the SIDT assembly instruction.
You can use either dynamic machine code or an inline assembler.
You just need to put the address of a 6-byte array in place of "\x00\x00\x00\x00".
Thank you a lot, trick.
I am not too pro, so you mean that it cannot be converted to VB6 code, right?
I will not compile it as a DLL with a C++ compiler and call it from a VB6 exe.
Is there another way to compile this function inside a VB6 exe file?
-
Feb 13th, 2016, 07:50 AM
#5
Re: VM Detection
As I said, you can use either dynamic assembly code like this:
Code:
Option Explicit

' Executable memory for the 8-byte stub (a plain byte array is not executable when DEP is on).
Private Declare Function VirtualAlloc _
                         Lib "kernel32" ( _
                         ByVal lpAddress As Long, _
                         ByVal dwSize As Long, _
                         ByVal flAllocationType As Long, _
                         ByVal flProtect As Long) As Long
Private Declare Function VirtualFree _
                         Lib "kernel32" ( _
                         ByVal lpAddress As Long, _
                         ByVal dwSize As Long, _
                         ByVal dwFreeType As Long) As Long
' Copies 8 bytes (here: the Currency holding the machine code) to a raw address.
Private Declare Function GetMem8 _
                         Lib "msvbvm60" ( _
                         ByRef src As Any, _
                         ByRef dst As Any) As Long
' Calls an arbitrary address with a given calling convention.
Private Declare Function DispCallFunc _
                         Lib "oleaut32" ( _
                         ByVal pvInstance As Any, _
                         ByVal oVft As Long, _
                         ByVal cc As Integer, _
                         ByVal vtReturn As Integer, _
                         ByVal cActuals As Long, _
                         ByRef prgvt As Any, _
                         ByRef prgpvarg As Any, _
                         ByRef pvargResult As Variant) As Long

Private Const MEM_COMMIT As Long = &H1000&
Private Const MEM_RESERVE As Long = &H2000&
Private Const MEM_RELEASE As Long = &H8000&
Private Const PAGE_EXECUTE_READWRITE As Long = &H40&
Private Const CC_STDCALL As Long = 4

Private Function swallow_redpill() As Boolean
    Dim lpCode As Long
    Dim curCode As Currency
    Dim ret(5) As Byte      ' 6-byte IDTR image written by SIDT

    lpCode = VirtualAlloc(0, &H100, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    If lpCode Then
        ' Builds the bytes 0F 01 0D <VarPtr(ret(0))> C3, i.e. "sidt [ret]; ret", inside a Currency
        curCode = VarPtr(ret(0)) * 1677.7216@ - 439551323631275.1857@
        GetMem8 curCode, ByVal lpCode           ' copy the stub into the executable page
        DispCallFunc ByVal 0&, lpCode, CC_STDCALL, vbEmpty, 0, ByVal 0&, ByVal 0&, Empty   ' run it
        swallow_redpill = ret(5) > &HD0         ' most significant byte of the IDT base
        VirtualFree lpCode, 0, MEM_RELEASE
    End If
End Function

Private Sub Form_Load()
    swallow_redpill
End Sub
or use an inline assembler and write the code there.
-
Feb 13th, 2016, 08:34 AM
#6
Thread Starter
New Member
Re: VM Detection
It is everything that I want.
Thank you a lot, trick, you are my lord.
You are a grand programmer.
Last edited by javadkhaldar; Feb 13th, 2016 at 09:20 AM.
-
Feb 13th, 2016, 11:57 AM
#7
Re: VM Detection
I'm curious as to what this is useful for? Does it really matter whether the app is on physical or virtual all that much?
My usual boring signature: Nothing
-
Feb 13th, 2016, 12:06 PM
#8
Re: VM Detection
In any case there is no one test that can determine whether you are running in a VM. Different VM technologies have different fingerprints.
-
Feb 13th, 2016, 03:03 PM
#9
Thread Starter
New Member
Re: VM Detection
Originally Posted by Shaggy Hiker
I'm curious as to what this is useful for? Does it really matter whether the app is on physical or virtual all that much?
This is useful for software developers, when their software lock is a hardware ID; as you know, in a VM all things are unreal and can be changed easily.
In any case there is no one test that can determine whether you are running in a VM. Different VM technologies have different fingerprints
I tested it in all VMs and it worked; it is a good technique.
-
Feb 13th, 2016, 04:50 PM
#10
Re: VM Detection
Hmm....
On the Cutting Edge: Thwarting Virtual Machine Detection
Given the rising use of VMEs, computer attackers are very interested in detecting the presence of VMEs, both locally on a potential VME and across the network. Beyond simply their increased use, however, there are some specific uses of VME technology that are driving the computer underground toward deploying techniques for virtual machine detection. We’ll explore some of these uses in-depth in the next two slides.
Because so many security researchers rely on VMEs to analyze malicious code, malware developers are actively trying to foil such analysis by detecting VMEs. If malicious code detects a VME, it can shut off some of its more powerful malicious functionality so that researchers cannot observe it and devise defenses. Given the malicious code’s altered functionality in light of a VME, some researchers may not notice its deeper and more insidious functionality.
We are seeing an increasing number of malicious programs carrying code to detect the presence of virtual environments.
In November 2004, a researcher named Joanna Rutkowska introduced code that implements this IDT-checking concept. Her code, called "The Red Pill", runs a single machine language instruction, called SIDT. This instruction stores the contents of the Interrupt Descriptor Table Register (the IDTR which points to the IDT) in a processor register, where it is analyzed.
Virus Bulletin: Not old enough to be forgotten: the new chic of Visual Basic 6
Visual Basic 6 has been the bane of analysts’ lives since the first pieces of VB6 malware reached epidemic levels at the beginning of the 2000s. Visual Basic is widely considered to produce the most hated binaries in the history of reverse engineering – indeed, on mentioning this topic to some reverse engineers, they didn’t know whether to laugh or to cry (and most of them did both).
Somehow I'm pretty suspicious.
I'm sure this site doesn't want the liability of harboring malware authors and allowing them to share techniques here.
Last edited by dilettante; Feb 13th, 2016 at 05:06 PM.
-
Feb 13th, 2016, 04:56 PM
#11
-
Feb 14th, 2016, 06:51 AM
#12
Re: VM Detection
2 weeks ago, I posted a similar post: Detect-if-Running-in-a-Virtual-Machine
This can be just another layer on top.
Although the swallow_redpill example above works on an empty VB project,
it's showing my normal PC as a VM 9/10 times!! with my existing project.
Something doesn't seem solid-proof? What could be intersecting?
_____________________________________________________________________
----If this post has helped you. Please take time to Rate it.
----If you've solved your problem, then please mark it as RESOLVED from Thread Tools.
-
Feb 15th, 2016, 08:27 AM
#13
Re: VM Detection
this is useful for software developers, when their software lock is a hardware ID, as you know in a VM all things are unreal and can be changed easily
That sounds like bad practice to me. Why would you want different behaviour in a VM compared to a real machine? Why not just have it run consistently wherever it's deployed?
If you're concerned about protecting your assets there are better ways than turning an entire class of customer away. Especially given that, as Dil's article points out, this is a trick that VM developers are explicitly trying to lock down, so you can pretty much guarantee it won't work in the future.
Last edited by FunkyDexter; Feb 15th, 2016 at 09:04 AM.
The best argument against democracy is a five minute conversation with the average voter - Winston Churchill
Hadoop actually sounds more like the way they greet each other in Yorkshire - Inferrd
-
Feb 17th, 2016, 04:31 AM
#14
Thread Starter
New Member
Re: VM Detection
Originally Posted by FunkyDexter
there are better ways than turning an entire class of customer away
which way?
-
Feb 17th, 2016, 09:45 AM
#15
Re: VM Detection
Originally Posted by javadkhaldar
which way?
Which way? The way is to not treat VM's any differently. That would be the best way.
-
Feb 17th, 2016, 11:25 AM
#16
Re: VM Detection
Well that wasn't the most helpful answer.
There is no simple answer to the question. A lot of it depends on your licencing model, the nature of your product, and your intended user base. Here are a few good articles though:
https://zenlicensemanager.com/how-to...your-software/
http://stackoverflow.com/questions/5...que-do-you-use
http://stackoverflow.com/questions/3...va-application
Personally my preferred solution would be to stand up a validation server.
The best argument against democracy is a five minute conversation with the average voter - Winston Churchill
Hadoop actually sounds more like the way they greet each other in Yorkshire - Inferrd
-
Feb 18th, 2016, 07:59 PM
#17
Fanatic Member
Re: VM Detection
Originally Posted by dilettante
Hmm....
Yes, hmmm - indeed. There is absolutely no need to detect a VM 'just' for the hardware lock purpose. Technically a non-viable method to distinguish one machine from another, and a simple XOR renders this method useless.
Cockroaches use these techniques to defeat debugging/reversing of packed/encrypted code - nothing more.
Last edited by Tech99; Feb 18th, 2016 at 08:05 PM.
-
Feb 19th, 2016, 03:17 AM
#18
Re: VM Detection
I agree with Dilettante, Tech99, ...
However, just for information, there is an environment variable that 'could help' you understand whether the environment in which you run is a real or a virtual machine.
But certainly it cannot be trusted for the hardware lock purpose.
I use this variable only to discover when the code is run in a Virtual Machine/Terminal Server session, just to reduce some graphics effects that would have a bad impact on the user interface.
But nothing else.
This variable is called SESSIONNAME.
On a real machine the value of SESSIONNAME is "Console".
In a virtual machine, the SESSIONNAME variable is missing.
You can use the Environ() function to get this value:
Code:
Dim bVirtualMachine As Boolean
If Environ("SESSIONNAME") = "Console" Then
    bVirtualMachine = False
Else
    bVirtualMachine = True
End If
Also, I'm not sure that this method always works well.
Although I must say that until now I have had no problems.
-
Feb 19th, 2016, 08:49 AM
#19
Re: VM Detection
Originally Posted by Tech99
Yes, hmmm - indeed. There is absolutely no need to detect a VM 'just' for the hardware lock purpose. Technically a non-viable method to distinguish one machine from another, and a simple XOR renders this method useless.
Cockroaches use these techniques to defeat debugging/reversing of packed/encrypted code - nothing more.
Agreed. While I definitely appreciate the technical aptitude to discuss these techniques - putting them to use in legit software, does incite quite a bit of negativity on my part. I can't discourage this enough.
@gibra - SESSIONNAME is set to Console on my Virtualbox VM.
-
Feb 19th, 2016, 10:16 AM
#20
Re: VM Detection
Originally Posted by DEXWERX
@gibra - SESSIONNAME is set to Console on my Virtualbox VM.
I've just tried it in VirtualBox: you are right!
I remember that it worked well once, in Terminal Server.
So forget my post.
-
Sep 12th, 2023, 10:23 AM
#21
Re: VM Detection
Originally Posted by The trick
Code:
Private Function swallow_redpill() As Boolean
    Dim lpCode As Long
    Dim curCode As Currency
    Dim ret(5) As Byte
    lpCode = VirtualAlloc(0, &H100, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    If lpCode Then
        curCode = VarPtr(ret(0)) * 1677.7216@ - 439551323631275.1857@
        GetMem8 curCode, ByVal lpCode
        DispCallFunc ByVal 0&, lpCode, CC_STDCALL, vbEmpty, 0, ByVal 0&, ByVal 0&, Empty
        swallow_redpill = ret(5) > &HD0
        VirtualFree lpCode, 0, MEM_RELEASE
    End If
End Function
I gotta say, TheTrick, your code writing style is rather unique. Why would you write code like this: "curCode = VarPtr(ret(0)) * 1677.7216@ - 439551323631275.1857@"?
Is it for obfuscation purposes? I am ashamed to say, it took me half an hour to understand what was going on in there!
Also, I have to ask, is the "VirtualAlloc" function really needed here? I rewrote the function for easier understanding and this code seems to produce identical results without "VirtualAlloc":
Code:
' Declarations the function relies on (standard kernel32/oleaut32 signatures).
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function DispCallFunc Lib "oleaut32" (ByVal pvInstance As Long, ByVal oVft As Long, ByVal cc As Integer, ByVal vtReturn As Integer, ByVal cActuals As Long, ByRef prgvt As Any, ByRef prgpvarg As Any, ByRef pvargResult As Variant) As Long
Private Const CC_STDCALL As Long = 4

Private Function swallow_redpill() As Boolean
    Dim baCode(0 To 7) As Byte, ret(0 To 5) As Byte
    ' 0F 01 0D <disp32> C3 = "sidt [ret]; ret"; the address is patched in below.
    baCode(0) = &HF: baCode(1) = &H1: baCode(2) = &HD: baCode(7) = &HC3
    CopyMemory baCode(3), VarPtr(ret(0)), 4
    ' The stub runs from an ordinary byte array, not executable memory
    ' (as noted below in this thread, that crashes with 0xC0000005 when DEP is enabled).
    DispCallFunc 0&, VarPtr(baCode(0)), CC_STDCALL, vbEmpty, 0&, ByVal 0&, ByVal 0&, Empty
    swallow_redpill = ret(5) > &HD0
End Function
Either way, although this method may have worked at one time, it doesn't seem to be the case anymore. The "swallow_redpill" function returns "False" both in a VMWare virtual machine and on a real PC.
The value of "ret(5)" is "111" in both cases.
I wrote another function that seems to do the job correctly for the time being:
Code:
Private Function IsVirtualEnvironment() As Boolean
    IsVirtualEnvironment = GetObject("winmgmts:").InstancesOf("Win32_TemperatureProbe").Count = 0
End Function
Last edited by VanGoghGaming; Oct 13th, 2023 at 04:06 PM.
-
Sep 12th, 2023, 11:55 AM
#22
Re: VM Detection
Originally Posted by VanGoghGaming
I gotta say, TheTrick, your code writing style is rather unique. Why would you write code like this: "curCode = VarPtr(ret(0)) * 1677.7216@ - 439551323631275.1857@"?
Is it for obfuscation purposes? I am ashamed to say, it took me half an hour to understand what was going on in there!
This is smaller and faster. Multiplication by 1677.7216 is actually a shift by 24 bits, and then -439551323631275.1857 is actually OR'ing into the result, which gives the result 0xC3XXXXXXXX0D010F, where XXXXXXXX is VarPtr(ret(0)).
Originally Posted by VanGoghGaming
Also, I have to ask, is the "VirtualAlloc" function really needed here? I rewrote the function for easier understanding and this code seems to produce identical results without "VirtualAlloc":
This is required because you'll get the 0xc0000005 crash on systems with DEP enabled.
-
Sep 12th, 2023, 02:27 PM
#23
Re: VM Detection
Originally Posted by The trick
This is smaller and faster.
This is highly debatable but now I understand why you don't like to use "Split" and "Join", hahaha! Like Dilettante said, when is it "Good Enough"?
Multiplication to 1677.7216 is actually offset to 24 bits and then -439551323631275.1857 is actually OR'ing to the result which gives the result 0xC3XXXXXXXX0D010F, where XXXXXXXX is VarPtr(ret(0)).
Yes, the first part is pretty straightforward: 2^24=16777216, so that's a shift-left by 24 bits. However, I am still not clear how you figure that the subtraction of 439551323631275.1857 is actually OR'ing???
439551323631275.1857 is "F1 FE F2 FF FF FF FF 3C" in hex. How do you "OR" those bytes to get the final result? It's very confusing...
This is required because you'll get the crash 0xc0000005 in systems with DEP enabled.
Yes, I suspected it might have been related to the Data Execution Prevention. I always thought it was enabled by default since Windows XP or so.
Apparently it's enabled only for essential Windows programs... I doubt anyone would change that setting though, haha!
-
Sep 12th, 2023, 02:43 PM
#24
Re: VM Detection
Originally Posted by VanGoghGaming
This is highly debatable
It's faster and smaller when produced in binary code.
However I am still not clear how do you figure the subtraction of 439551323631275.1857 is actually OR'ing???
Subtraction of 439551323631275.1857 is actually addition of -439551323631275.1857. -439551323631275.1857 decimal is 0xC3000000000D010F in hexadecimal. So adding to zero bytes is the same as OR'ing.
Apparently it's enabled only for essential Windows programs... I doubt anyone would change that setting though, haha!
This option is enabled on my PC.
-
Sep 12th, 2023, 04:05 PM
#25
Re: VM Detection
Originally Posted by The trick
It's faster and smaller when produced in binary code.
Yes mate I understand, I was just joking about these micro-optimizations taken to the extreme. I'm sure you can see the humor!
For me it's much clearer to write "CopyMemory baCode(3), VarPtr(ret(0)), 4" because this doesn't require an additional comment so that I understand what I wrote when I revisit the code after a few months...
Subtraction of 439551323631275.1857 is actually addition of -439551323631275.1857. -439551323631275.1857 decimal is 0xC3000000000D010F in hexadecimal. So adding to zero bytes is the same as OR'ing.
Now it finally makes sense! Thanks for the detailed explanation, I really appreciate it.
This option is enabled on my PC.
Probably you manually enabled DEP for all programs yourself. I'm pretty sure this has a negative performance effect when running applications, otherwise it would have been enabled by default.
On the bright side, you are now safe from the "Buffer Overflow" exploit:
I like the way this guy explains stuff so everyone can understand!
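To check the Currency arithmetic explained in the last few posts against the byte-array version, here is an added Python example; it is not code from either poster. It models VB6's Currency type as a signed 64-bit integer holding the decimal value times 10,000, builds the 8-byte stub both ways, and decodes it back into `sidt [disp32]; ret`. The sample address is constructed. One thing the example also shows, which the thread does not discuss and which is my own reading of the arithmetic: when the VarPtr value has its sign bit set (a VB6 Long at or above &H80000000, which a normal 32-bit user-mode process does not see), the negative product carries into the top byte and the final byte becomes C2 (RET imm16) instead of C3; with the zeroed VirtualAlloc page that follows it, that is still a clean `ret 0`, but the byte-array version does not have this quirk.

```python
import struct

# VB6 Currency is a signed 64-bit integer holding value * 10000.
CURRENCY_SCALE = 10_000
SIDT_OPCODE = bytes.fromhex("0f010d")   # sidt m16&32, mod=00 rm=101 -> disp32 follows
RET_OPCODE = 0xC3


def currency_raw(value_str: str) -> int:
    """Raw int64 behind a Currency literal such as '1677.7216'."""
    whole, _, frac = value_str.partition(".")
    sign = -1 if whole.startswith("-") else 1
    whole = whole.lstrip("-")
    frac = (frac + "0000")[:4]          # Currency keeps exactly four decimals
    return sign * (int(whole) * CURRENCY_SCALE + int(frac))


def stub_via_currency(addr: int) -> bytes:
    """The trick's way: VarPtr(ret(0)) * 1677.7216@ - 439551323631275.1857@."""
    if addr >= 1 << 31:                 # VarPtr returns a signed 32-bit Long
        addr -= 1 << 32
    raw = addr * currency_raw("1677.7216") - currency_raw("439551323631275.1857")
    return struct.pack("<q", raw)       # GetMem8 copies these 8 bytes verbatim


def stub_via_bytes(addr: int) -> bytes:
    """VanGoghGaming's way: opcode bytes plus CopyMemory of the 4-byte address."""
    return SIDT_OPCODE + struct.pack("<I", addr & 0xFFFFFFFF) + bytes([RET_OPCODE])


def decode_stub(stub: bytes):
    """Return (disp32, final opcode) if the 8 bytes start with 'sidt [disp32]'."""
    if len(stub) != 8 or stub[:3] != SIDT_OPCODE:
        raise ValueError("not a sidt stub")
    (disp,) = struct.unpack("<I", stub[3:7])
    return disp, stub[7]


if __name__ == "__main__":
    sample_addr = 0x0019FF40            # constructed stack address, not from any machine
    a = stub_via_currency(sample_addr)
    b = stub_via_bytes(sample_addr)
    print(a.hex(), b.hex(), a == b)     # 0f010d40ff1900c3 twice, True
    print(hex(currency_raw("-439551323631275.1857") & 0xFFFFFFFFFFFFFFFF))  # 0xc3000000000d010f
    print(decode_stub(stub_via_currency(0x80001000)))  # (2147487744, 194): C2 instead of C3
```

`currency_raw("1677.7216")` is exactly 16777216 (2^24), so the multiplication is the 24-bit shift; the raw value of the subtracted literal is 0x3CFFFFFFFFF2FEF1, and subtracting it is the same as adding its two's-complement 0xC3000000000D010F, which only touches bytes that are zero after the shift. That is the equivalence the thread arrives at, with the values it quotes.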
-
Sep 12th, 2023, 05:04 PM
#26
Re: VM Detection
Also while we are on the topic of "VirtualAlloc", why did you allocate 256 bytes of memory when only 8 bytes were necessary? Is there a minimum amount required?
Last edited by VanGoghGaming; Oct 13th, 2023 at 04:08 PM.
-
Sep 13th, 2023, 12:30 PM
#27
Re: VM Detection
Originally Posted by VanGoghGaming
Also while we are on the topic of "VirtualAlloc", why did you allocate 256 bytes of memory when only 8 bytes were necessary? Is there a minimum amount required?
Just reserve more, anyway it allocates 4096 bytes.