
Thread: VM Detection

  1. #1

    Thread Starter
    New Member
    Join Date
    Feb 2016
    Posts
    7

    VM Detection

    Hi, I found a good C++ function that helps detect a VM.
    It works well in all VMs (returns 1 if the app runs in a VM and 0 on a real machine).
    Just help me convert it to VB6 if that is possible.
    Thanks

    Code:
    int swallow_redpill() {
    	/* "sidt [imm32] ; ret" encodes as 0F 01 0D <imm32> C3; m receives the 6-byte IDTR image (32-bit SIDT) */
    	unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    	*((unsigned*)&rpill[3]) = (unsigned)m;    /* patch the imm32 with the address of m (32-bit build only) */
    	((void(*)())&rpill)();                     /* runs from a stack buffer: needs an executable stack, faults under DEP/NX */
    	return (m[5]>0xd0) ? 1 : 0;                /* m[5] is the top byte of the IDT base */
    }

  3. #3
    Fanatic Member namrekka's Avatar
    Join Date
    Feb 2005
    Location
    Netherlands
    Posts
    639

    Re: VM Detection

    Hmmm.......

  4. #4

    Thread Starter
    New Member
    Join Date
    Feb 2016
    Posts
    7

    Re: VM Detection

    Quote Originally Posted by The trick View Post
    This is the SIDT assembly instruction.
    You can use either dynamic machine code or an inline assembler.
    You just need to put the address of a 6-byte array in place of "\x00\x00\x00\x00".
    Thank you a lot, trick.

    I am not too pro, so you mean that it can not be converted to VB6 code, right?
    I will not compile it as a DLL with a C++ compiler and call it from the VB6 exe.
    Is there another way to compile this function inside a VB6 exe file?

  5. #5
    PowerPoster
    Join Date
    Feb 2015
    Posts
    2,687

    Re: VM Detection

    As I said, you can use either dynamic assembly code like this:
    Code:
    Option Explicit
    
    Private Declare Function VirtualAlloc _
                             Lib "kernel32" ( _
                             ByVal lpAddress As Long, _
                             ByVal dwSize As Long, _
                             ByVal flAllocationType As Long, _
                             ByVal flProtect As Long) As Long
    Private Declare Function VirtualFree _
                             Lib "kernel32" ( _
                             ByVal lpAddress As Long, _
                             ByVal dwSize As Long, _
                             ByVal dwFreeType As Long) As Long
    Private Declare Function GetMem8 _
                             Lib "msvbvm60" ( _
                             ByRef src As Any, _
                             ByRef dst As Any) As Long
    Private Declare Function DispCallFunc _
                             Lib "oleaut32" ( _
                             ByVal pvInstance As Any, _
                             ByVal oVft As Long, _
                             ByVal cc As Integer, _
                             ByVal vtReturn As Integer, _
                             ByVal cActuals As Long, _
                             ByRef prgvt As Any, _
                             ByRef prgpvarg As Any, _
                             ByRef pvargResult As Variant) As Long
                             
    Private Const MEM_COMMIT                As Long = &H1000&
    Private Const MEM_RESERVE               As Long = &H2000&
    Private Const MEM_RELEASE               As Long = &H8000&
    Private Const PAGE_EXECUTE_READWRITE    As Long = &H40&
    Private Const CC_STDCALL                As Long = 4
    
    Private Function swallow_redpill() As Boolean
        Dim lpCode  As Long
        Dim curCode As Currency
        Dim ret(5)  As Byte     ' receives the 6-byte IDTR image written by SIDT
        
        ' Executable memory is needed: DEP faults a call into a plain Byte array.
        lpCode = VirtualAlloc(0, &H100, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        If lpCode Then
            ' Currency is an int64 scaled by 10000: * 1677.7216@ is a shift left by 24 bits,
            ' - 439551323631275.1857@ adds &HC3000000000D010F, giving the bytes
            ' 0F 01 0D <VarPtr(ret(0))> C3 = "sidt [addr] ; ret".
            curCode = VarPtr(ret(0)) * 1677.7216@ - 439551323631275.1857@
            GetMem8 curCode, ByVal lpCode                 ' copy the 8-byte stub into executable memory
            ' With pvInstance = 0, DispCallFunc treats oVft as the absolute address to call.
            DispCallFunc ByVal 0&, lpCode, CC_STDCALL, vbEmpty, 0, ByVal 0&, ByVal 0&, Empty
            swallow_redpill = ret(5) > &HD0               ' top byte of the IDT base (Red Pill rule)
            VirtualFree lpCode, 0, MEM_RELEASE
        End If
        
    End Function
    
    Private Sub Form_Load()
        swallow_redpill
    End Sub
    , or use an inline assembler and write the code there.
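The stub the VB6 code above assembles with Currency arithmetic, and the 6-byte IDTR image it reads back, worked through in C as an added example (this is not code from the thread or from The trick). It rebuilds the 8 bytes two ways and checks that they agree, decodes the IDTR image, applies the `> 0xD0` rule from the C function in post #1, and, on x86 builds, runs SIDT through inline assembly so that no writable-and-executable buffer is needed. The sample IDTR images and the stack address are constructed for illustration; the live result is whatever the host reports.

```c
/* Added example: Red Pill stub encoding and IDTR decoding (not code from the thread). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* VB6 Currency is an int64 holding value * 10000, so the two literals in the
 * VB6 post are really these integers: */
static const int64_t SCALED_SHIFT = 16777216LL;             /* 1677.7216 * 10000 = 1 << 24 */
static const int64_t SCALED_MASK  = -4395513236312751857LL; /* -439551323631275.1857 * 10000 = (int64)0xC3000000000D010F */

/* x86-32 machine code: 0F 01 0D <imm32> = sidt [imm32], C3 = ret */
static const uint8_t SIDT_ABS[3] = {0x0F, 0x01, 0x0D};
static const uint8_t RET = 0xC3;

/* Stub built the way the VB6 code does it: (addr << 24) + mask, stored little-endian.
 * The addition equals an OR because bits 24..55 (the address field) are zero in the mask. */
static void build_stub_currency(uint8_t out[8], uint32_t buf_addr) {
    uint64_t v = (uint64_t)((int64_t)buf_addr * SCALED_SHIFT + SCALED_MASK);
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* The same stub written byte by byte (what a CopyMemory-style version spells out). */
static void build_stub_explicit(uint8_t out[8], uint32_t buf_addr) {
    memcpy(out, SIDT_ABS, 3);
    for (int i = 0; i < 4; i++)
        out[3 + i] = (uint8_t)(buf_addr >> (8 * i));
    out[7] = RET;
}

/* 32-bit SIDT writes 6 bytes: a 16-bit limit, then the 32-bit linear base. */
struct idtr32 { uint16_t limit; uint32_t base; };

static struct idtr32 decode_idtr32(const uint8_t m[6]) {
    struct idtr32 r;
    r.limit = (uint16_t)(m[0] | (m[1] << 8));
    r.base  = (uint32_t)m[2] | ((uint32_t)m[3] << 8) |
              ((uint32_t)m[4] << 16) | ((uint32_t)m[5] << 24);
    return r;
}

/* The Red Pill test from post #1: m[5] is the top byte of the IDT base. */
static int redpill_says_vm(const uint8_t m[6]) {
    return m[5] > 0xD0;
}

#if defined(__i386__) || defined(__x86_64__)
/* Live SIDT through inline asm: nothing executes from a data buffer, so DEP is
 * not an issue. On x86-64 the image is 10 bytes (16-bit limit + 64-bit base). */
struct __attribute__((packed)) idtr_native { uint16_t limit; uintptr_t base; };

static int live_idt_base_high_byte(void) {
    struct idtr_native r;
    memset(&r, 0, sizeof r);
    __asm__ volatile("sidt %0" : "=m"(r));
    return (int)((r.base >> 24) & 0xFF);  /* the byte m[5] holds in the 32-bit layout */
}
#else
static int live_idt_base_high_byte(void) { return -1; } /* not an x86 build */
#endif

int main(void) {
    uint8_t stub[8];
    build_stub_currency(stub, 0x0012FF80u);   /* constructed 32-bit-style stack address */
    printf("stub:");
    for (int i = 0; i < 8; i++) printf(" %02X", stub[i]);
    printf("\n");

    /* Constructed IDTR images, not captured values:
     * a base of 0x8003F400 (top byte 0x80) is classified "real";
     * a base of 0xFF400400 (top byte 0xFF) is classified "VM" under the Red Pill rule. */
    const uint8_t real_img[6] = {0xFF, 0x07, 0x00, 0xF4, 0x03, 0x80};
    const uint8_t vm_img[6]   = {0xFF, 0x07, 0x00, 0x04, 0x40, 0xFF};
    printf("real-style image: base=%08X vm=%d\n", decode_idtr32(real_img).base, redpill_says_vm(real_img));
    printf("vm-style image:   base=%08X vm=%d\n", decode_idtr32(vm_img).base, redpill_says_vm(vm_img));

    int hb = live_idt_base_high_byte();
    if (hb >= 0)
        printf("live IDT base top byte: 0x%02X (Red Pill verdict %d)\n", hb, hb > 0xD0);
    return 0;
}
```

Two caveats a practitioner should keep in mind with the live result. The Red Pill threshold was tuned for binary-translating VMMs that relocated the guest IDT; with hardware-assisted virtualization the guest owns its own IDTR, so SIDT returns an ordinary guest value and the test stops separating VM from bare metal. And on recent Linux kernels with UMIP enabled, user-mode SIDT is trapped and emulated, so the value you read back is supplied by the kernel rather than the hardware.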

  6. #6

    Thread Starter
    New Member
    Join Date
    Feb 2016
    Posts
    7

    Re: VM Detection

    It is everything I wanted.
    Thank you a lot, trick, you are my lord.
    You are a grand programmer.
    Last edited by javadkhaldar; Feb 13th, 2016 at 09:20 AM.

  7. #7
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    39,047

    Re: VM Detection

    I'm curious as to what this is useful for? Does it really matter whether the app is on physical or virtual all that much?
    My usual boring signature: Nothing

  8. #8
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: VM Detection

    In any case there is no one test that can determine whether you are running in a VM. Different VM technologies have different fingerprints.

  9. #9

    Thread Starter
    New Member
    Join Date
    Feb 2016
    Posts
    7

    Re: VM Detection

    Quote Originally Posted by Shaggy Hiker View Post
    I'm curious as to what this is useful for? Does it really matter whether the app is on physical or virtual all that much?
    This is useful for software developers whose software lock is a hardware ID. As you know, in a VM all things are unreal and can be changed easily.

    In any case there is no one test that can determine whether you are running in a VM. Different VM technologies have different fingerprints
    I tested it in all VMs and it worked; it is a good technique.

  10. #10
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: VM Detection

    Hmm....

    On the Cutting Edge: Thwarting Virtual Machine Detection

    Given the rising use of VMEs, computer attackers are very interested in detecting the presence of VMEs, both locally on a potential VME and across the network. Beyond simply their increased use, however, there are some specific uses of VME technology that are driving the computer underground toward deploying techniques for virtual machine detection. We’ll explore some of these uses in-depth in the next two slides.

    Because so many security researchers rely on VMEs to analyze malicious code, malware developers are actively trying to foil such analysis by detecting VMEs. If malicious code detects a VME, it can shut off some of its more powerful malicious functionality so that researchers cannot observe it and devise defenses. Given the malicious code’s altered functionality in light of a VME, some researchers may not notice its deeper and more insidious functionality.

    We are seeing an increasing number of malicious programs carrying code to detect the presence of virtual environments.

    In November 2004, a researcher named Joanna Rutkowska introduced code that implements this IDT-checking concept. Her code, called "The Red Pill", runs a single machine language instruction, called SIDT. This instruction stores the contents of the Interrupt Descriptor Table Register (the IDTR which points to the IDT) in a processor register, where it is analyzed.
    Virus Bulletin: Not old enough to be forgotten: the new chic of Visual Basic 6

    Visual Basic 6 has been the bane of analysts’ lives since the first pieces of VB6 malware reached epidemic levels at the beginning of the 2000s. Visual Basic is widely considered to produce the most hated binaries in the history of reverse engineering – indeed, on mentioning this topic to some reverse engineers, they didn’t know whether to laugh or to cry (and most of them did both).
    Somehow I'm pretty suspicious.

    I'm sure this site doesn't want the liability of harboring malware authors and allowing them to share techniques here.
    Last edited by dilettante; Feb 13th, 2016 at 05:06 PM.

  12. #12
    Frenzied Member some1uk03's Avatar
    Join Date
    Jun 2006
    Location
    London, UK
    Posts
    1,664

    Re: VM Detection

    2 weeks ago, I posted a similar post: Detect-if-Running-in-a-Virtual-Machine

    This can be just another layer on top.

    The swallow_redpill example above works in an empty VB project.

    However, it's showing my normal PC as a VM 9/10 times!! with my existing project.

    Something doesn't seem solid-proof? What could be interfering?
    _____________________________________________________________________

    ----If this post has helped you. Please take time to Rate it.
    ----If you've solved your problem, then please mark it as RESOLVED from Thread Tools.



  13. #13
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,902

    Re: VM Detection

    This is useful for software developers whose software lock is a hardware ID. As you know, in a VM all things are unreal and can be changed easily.
    That sounds like bad practice to me. Why would you want different behaviour in a VM to a real machine? Why not just have it run consistently wherever it's deployed?

    If you're concerned about protecting your assets there are better ways than turning an entire class of customer away. Especially given that, as Dil's article points out, this is a trick that VM developers are explicitly trying to lock down, so you can pretty much guarantee it won't work in the future.
    Last edited by FunkyDexter; Feb 15th, 2016 at 09:04 AM.
    The best argument against democracy is a five minute conversation with the average voter - Winston Churchill

    Hadoop actually sounds more like the way they greet each other in Yorkshire - Inferrd

  14. #14

    Thread Starter
    New Member
    Join Date
    Feb 2016
    Posts
    7

    Re: VM Detection

    Quote Originally Posted by FunkyDexter View Post
    there are better ways than turning an entire class of customer away
    which way?

  15. #15
    PowerPoster
    Join Date
    Jun 2015
    Posts
    2,224

    Re: VM Detection

    Quote Originally Posted by javadkhaldar View Post
    which way?
    Which way? The way is to not treat VM's any differently. That would be the best way.

  16. #16
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,902

    Re: VM Detection

    Well that wasn't the most helpful answer.

    There is no simple answer to the question. A lot of it depends on your licencing model, the nature of your product, and your intended user base. Here are a few good articles though:-
    https://zenlicensemanager.com/how-to...your-software/
    http://stackoverflow.com/questions/5...que-do-you-use
    http://stackoverflow.com/questions/3...va-application

    Personally my preferred solution would be to stand up a validation server.

  17. #17
    Fanatic Member
    Join Date
    Apr 2015
    Location
    Finland
    Posts
    679

    Re: VM Detection

    Quote Originally Posted by dilettante View Post
    Hmm....
    Yes, hmmm - indeed. There is absolutely no need to detect a VM 'just' for the hardware lock purpose. Technically a non-viable method to distinguish one machine from another, and a simple XOR renders this method useless.

    Cockroaches use these techniques to defeat debugging/reversing of packed/encrypted code - nothing more.
    Last edited by Tech99; Feb 18th, 2016 at 08:05 PM.

  18. #18
    gibra
    Guest

    Re: VM Detection

    I agree with Dilettante, Tech99, ...


    However, just for information, there is an environment variable that 'could help' you understand whether the environment in which you run is a real or a virtual machine.
    But certainly it can not be trusted for the hardware lock purpose.

    I use this variable only to discover when code is run in a virtual machine / Terminal Server session, just to reduce some graphics effects that would have a bad impact on the user interface.
    But nothing else.


    This variable is called SESSIONNAME.

    On a real machine the value of SESSIONNAME is "Console".
    On a virtual machine, the SESSIONNAME variable is missing.

    You can use the Environ() function to get this value:
    Code:
    Dim bVirtualMachine As Boolean
    ' "Console" is the interactive console session; a Remote Desktop session gets a name like "RDP-Tcp#0"
    If Environ("SESSIONNAME") = "Console" Then
        bVirtualMachine = False
    Else
        bVirtualMachine = True
    End If

    Also, I'm not sure that this method always works well.
    Although I must say that until now I have had no problems.

  19. #19
    PowerPoster
    Join Date
    Jun 2015
    Posts
    2,224

    Re: VM Detection

    Quote Originally Posted by Tech99 View Post
    Yes, hmmm - indeed. There is absolutely no need to detect a VM 'just' for the hardware lock purpose. Technically a non-viable method to distinguish one machine from another, and a simple XOR renders this method useless.

    Cockroaches use these techniques to defeat debugging/reversing of packed/encrypted code - nothing more.
    Agreed. While I definitely appreciate the technical aptitude to discuss these techniques - putting them to use in legit software, does incite quite a bit of negativity on my part. I can't discourage this enough.

    @gibra - SESSIONNAME is set to Console on my Virtualbox VM.

  20. #20
    gibra
    Guest

    Re: VM Detection

    Quote Originally Posted by DEXWERX View Post
    @gibra - SESSIONNAME is set to Console on my Virtualbox VM.
    I've just tried in VirtualBox: you are right!

    I remember that worked well once, in Terminal Server.
    Then forget my post.

  21. #21
    Frenzied Member VanGoghGaming's Avatar
    Join Date
    Jan 2020
    Location
    Eve Online - Mining, Missions & Market Trading!
    Posts
    1,403

    Red face Re: VM Detection

    Quote Originally Posted by The trick View Post
    Code:
    Private Function swallow_redpill() As Boolean
        Dim lpCode  As Long
        Dim curCode As Currency
        Dim ret(5)  As Byte
        lpCode = VirtualAlloc(0, &H100, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        If lpCode Then
            curCode = VarPtr(ret(0)) * 1677.7216@ - 439551323631275.1857@
            GetMem8 curCode, ByVal lpCode
            DispCallFunc ByVal 0&, lpCode, CC_STDCALL, vbEmpty, 0, ByVal 0&, ByVal 0&, Empty
            swallow_redpill = ret(5) > &HD0
            VirtualFree lpCode, 0, MEM_RELEASE
        End If
    End Function
    I gotta say, TheTrick, your code writing style is rather unique. Why would you write code like this: "curCode = VarPtr(ret(0)) * 1677.7216@ - 439551323631275.1857@"?
    Is it for obfuscation purposes? I am ashamed to say, it took me half an hour to understand what was going on in there!

    Also, I have to ask, is the "VirtualAlloc" function really needed here? I rewrote the function for easier understanding and this code seems to produce identical results without "VirtualAlloc":

    Code:
    Private Function swallow_redpill() As Boolean
        ' Needs the DispCallFunc Declare from post #5 plus a CopyMemory Declare (kernel32 RtlMoveMemory).
        ' The stub lives in a Byte array, i.e. ordinary non-executable memory (see the DEP discussion below).
        Dim baCode(0 To 7) As Byte, ret(0 To 5) As Byte
        baCode(0) = &HF: baCode(1) = &H1: baCode(2) = &HD: baCode(7) = &HC3   ' sidt [imm32] ; ret
        CopyMemory baCode(3), VarPtr(ret(0)), 4                                ' patch imm32 with the address of ret
        DispCallFunc 0&, VarPtr(baCode(0)), CC_STDCALL, vbEmpty, 0&, ByVal 0&, ByVal 0&, Empty
        swallow_redpill = ret(5) > &HD0                                        ' top byte of the IDT base
    End Function
    Either way, although this method may have worked at one time, it doesn't seem to be the case anymore. The "swallow_redpill" function returns "False" both in a VMWare virtual machine and on a real PC.
    The value of "ret(5)" is "111" in both cases.

    I wrote another function that seems to do the job correctly for the time being:

    Code:
    Private Function IsVirtualEnvironment() As Boolean
        IsVirtualEnvironment = GetObject("winmgmts:").InstancesOf("Win32_TemperatureProbe").Count = 0
    End Function
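Post #8 makes the point that no single test is conclusive and that different VM technologies leave different fingerprints, and post #21 finds the Red Pill no longer separating VMware from bare metal. As an added example (not code from the thread or from any of its posters), here is a second, independent fingerprint in C: the CPUID "hypervisor present" bit (leaf 1, ECX bit 31) and the hypervisor vendor signature in leaf 0x40000000. The vendor table is limited to signatures I am sure of, the register values in the test are constructed rather than captured, and the live query only compiles to a real CPUID on x86 builds.

```c
/* Added example: CPUID-based hypervisor fingerprint (not code from the thread). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

#if defined(__i386__) || defined(__x86_64__)
static struct cpuid_regs cpuid_leaf(uint32_t leaf) {
    struct cpuid_regs r;
    __asm__ volatile("cpuid"
                     : "=a"(r.eax), "=b"(r.ebx), "=c"(r.ecx), "=d"(r.edx)
                     : "a"(leaf), "c"(0));
    return r;
}
#else
static struct cpuid_regs cpuid_leaf(uint32_t leaf) {  /* non-x86 build: nothing to query */
    (void)leaf;
    struct cpuid_regs r = {0, 0, 0, 0};
    return r;
}
#endif

/* Leaf 1, ECX bit 31 is reserved (0) on bare metal; hypervisors set it for guests. */
static int hypervisor_bit_set(const struct cpuid_regs *leaf1) {
    return (int)((leaf1->ecx >> 31) & 1u);
}

/* Leaf 0x40000000: EBX, ECX, EDX carry a 12-byte vendor signature, low byte first. */
static void vendor_signature(const struct cpuid_regs *hv, char out[13]) {
    const uint32_t regs[3] = {hv->ebx, hv->ecx, hv->edx};
    for (int i = 0; i < 12; i++)
        out[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xFF);
    out[12] = '\0';
}

/* Well-known signatures; anything else returns NULL. */
static const char *vendor_name(const char sig[13]) {
    static const struct { const char *sig; const char *name; } known[] = {
        {"VMwareVMware", "VMware"},
        {"KVMKVMKVM",    "KVM"},          /* padded with NUL bytes to 12 */
        {"Microsoft Hv", "Hyper-V"},
        {"VBoxVBoxVBox", "VirtualBox"},
        {"XenVMMXenVMM", "Xen"},
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strncmp(sig, known[i].sig, 12) == 0)
            return known[i].name;
    return NULL;
}

/* Combine both leaves into one verdict string. */
static const char *classify(const struct cpuid_regs *leaf1, const struct cpuid_regs *hv) {
    char sig[13];
    if (!hypervisor_bit_set(leaf1))
        return "no hypervisor reported";
    vendor_signature(hv, sig);
    const char *name = vendor_name(sig);
    return name ? name : "unknown hypervisor";
}

int main(void) {
    struct cpuid_regs l1 = cpuid_leaf(1);
    struct cpuid_regs hv = cpuid_leaf(0x40000000u);
    char sig[13];
    vendor_signature(&hv, sig);
    printf("hypervisor bit: %d, signature: \"%s\", verdict: %s\n",
           hypervisor_bit_set(&l1), sig, classify(&l1, &hv));
    return 0;
}
```

Treat this as one more signal, not a gate: a Windows host running with Hyper-V, VBS or Credential Guard enabled reports "Microsoft Hv" on physical hardware because the host OS itself runs under the hypervisor, and a hypervisor can hide the bit and the signature from a guest. That is the same reason the thread's licensing advice is to not treat VMs differently at all.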

  22. #22
    PowerPoster
    Join Date
    Feb 2015
    Posts
    2,687

    Re: VM Detection

    Quote Originally Posted by VanGoghGaming View Post
    I gotta say, TheTrick, your code writing style is rather unique. Why would you write code like this: "curCode = VarPtr(ret(0)) * 1677.7216@ - 439551323631275.1857@"?
    Is it for obfuscation purposes? I am ashamed to say, it took me half an hour to understand what was going on in there!
    This is smaller and faster. Multiplication by 1677.7216 is actually a shift by 24 bits, and then subtracting 439551323631275.1857 is actually OR'ing into the result, which gives the result 0xC3XXXXXXXX0D010F, where XXXXXXXX is VarPtr(ret(0)).

    Quote Originally Posted by VanGoghGaming View Post
    Also, I have to ask, is the "VirtualAlloc" function really needed here? I rewrote the function for easier understanding and this code seems to produce identical results without "VirtualAlloc":
    This is required because you'll get the crash 0xc0000005 on systems with DEP enabled.

  23. #23
    Frenzied Member VanGoghGaming's Avatar
    Join Date
    Jan 2020
    Location
    Eve Online - Mining, Missions & Market Trading!
    Posts
    1,403

    Talking Re: VM Detection

    Quote Originally Posted by The trick View Post
    This is smaller and faster.
    This is highly debatable but now I understand why you don't like to use "Split" and "Join", hahaha! Like Dilettante said, when is it "Good Enough"?

    Multiplication by 1677.7216 is actually a shift by 24 bits, and then subtracting 439551323631275.1857 is actually OR'ing into the result, which gives the result 0xC3XXXXXXXX0D010F, where XXXXXXXX is VarPtr(ret(0)).
    Yes, the first part is pretty straightforward: 2^24 = 16777216, so that's a shift-left by 24 bits. However, I am still not clear how you figure the subtraction of 439551323631275.1857 is actually OR'ing???
    439551323631275.1857 is "F1 FE F2 FF FF FF FF 3C" in hex. How do you "OR" those bytes to get the final result? It's very confusing...

    This is required because you'll get the crash 0xc0000005 in systems with DEP enabled.
    Yes, I suspected it might have been related to the Data Execution Prevention. I always thought it was enabled by default since Windows XP or so.

    [Attachment: DEP.png]

    Apparently it's enabled only for essential Windows programs... I doubt anyone would change that setting though, haha!

  24. #24
    PowerPoster
    Join Date
    Feb 2015
    Posts
    2,687

    Re: VM Detection

    Quote Originally Posted by VanGoghGaming View Post
    This is highly debatable
    It's faster and smaller when produced in binary code.

    However I am still not clear how do you figure the subtraction of 439551323631275.1857 is actually OR'ing???
    Subtraction of 439551323631275.1857 is actually addition of -439551323631275.1857. -439551323631275.1857 decimal is 0xC3000000000D010F in hexadecimal. So adding to zero bytes is the same as OR'ing.

    Apparently it's enabled only for essential Windows programs... I doubt anyone would change that setting though, haha!
    This option is enabled on my PC.

  25. #25
    Frenzied Member VanGoghGaming's Avatar
    Join Date
    Jan 2020
    Location
    Eve Online - Mining, Missions & Market Trading!
    Posts
    1,403

    Red face Re: VM Detection

    Quote Originally Posted by The trick View Post
    It's faster and smaller when produced in binary code.
    Yes mate I understand, I was just joking about these micro-optimizations taken to the extreme. I'm sure you can see the humor!

    For me it's much clearer to write "CopyMemory baCode(3), VarPtr(ret(0)), 4" because this doesn't require an additional comment so that I understand what I wrote when I revisit the code after a few months...

    Subtraction of 439551323631275.1857 is actually addition of -439551323631275.1857. -439551323631275.1857 decimal is 0xC3000000000D010F in hexadecimal. So adding to zero bytes is the same as OR'ing.
    Now it finally makes sense! Thanks for the detailed explanation, I really appreciate it.

    This option is enabled on my PC.
    Probably you manually enabled DEP for all programs yourself. I'm pretty sure this has a negative performance effect when running applications, otherwise it would have been enabled by default.

    On the bright side, you are now safe from the "Buffer Overflow" exploit:



    I like the way this guy explains stuff so everyone can understand!

  26. #26
    Frenzied Member VanGoghGaming's Avatar
    Join Date
    Jan 2020
    Location
    Eve Online - Mining, Missions & Market Trading!
    Posts
    1,403

    Question Re: VM Detection

    Also while we are on the topic of "VirtualAlloc", why did you allocate 256 bytes of memory when only 8 bytes were necessary? Is there a minimum amount required?
