waliedassar

VirtualBox CPUID-SEP Trick

Nov 5th, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //CPUID reports SYSENTER/SYSEXIT as supported even when they are not. This can be used to detect VirtualBox if Intel VT-x/AMD-V is disabled.
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
  7.  
//Hand-rolled mirror of the Win32 OSVERSIONINFOEX (ANSI) layout. main() sets
//dwOSVersionInfoSize to sizeof(OSI) and passes the struct to GetVersionEx via
//a cast to LPOSVERSIONINFO, so field order and sizes must match the SDK struct
//exactly.
//NOTE(review): presumably declared locally because the SDK headers in use did
//not expose OSVERSIONINFOEX — confirm; the SDK type would be preferable.
struct OSVERSIONINFOEx_
{
  unsigned long dwOSVersionInfoSize;   //must hold sizeof(this struct) before GetVersionEx
  unsigned long dwMajorVersion;        //main() tests for 5
  unsigned long dwMinorVersion;        //main() tests for 1 (5.1 = Windows XP)
  unsigned long dwBuildNumber;
  unsigned long dwPlatformId;
  unsigned char szCSDVersion[128];
  unsigned short wServicePackMajor;    //main() tests for 2 or 3
  unsigned short wServicePackMinor;
  unsigned short  wSuiteMask;
  unsigned char  wProductType;
  unsigned char  wReserved;
};
  22. //-----------------------------------------------
  23.  
//Returns true when the CPUID instruction is available on this CPU.
//Classic probe: EFLAGS bit 21 (mask 0x00200000, the ID flag) can only be
//toggled by software on processors that implement CPUID, so the function sets
//the bit and checks whether the write stuck.
//x86 MSVC inline asm only. pushad/popad preserve the general registers, but
//the original EFLAGS value is not restored: the function returns with the ID
//bit set if the write succeeded.
bool IsCPUID_Supported()
{
    unsigned long x=0;  //written from asm: 1 = CPUID present, 0 = absent
    __asm
    {
        pushad                 ;save general-purpose registers
        pushfd                 ;EFLAGS -> eax
        pop eax
        or eax,0x00200000      ;set bit 21 (ID flag)
        push eax
        popfd                  ;write it back ...
        pushfd                 ;... and read EFLAGS again
        pop eax
        and eax,0x00200000     ;did the bit stick?
        jz CPUID_NOT_SUPPORTED ;Are you still alive?
        mov x,1
        jmp bye
CPUID_NOT_SUPPORTED:
        mov x,0
bye:
        popad
    }
    return(x?true:false);
}
//Returns true when CPUID leaf 1 advertises SYSENTER/SYSEXIT (EDX bit 11,
//mask 0x800, the SEP feature flag). Returns false when CPUID itself is
//unavailable.
//Why it matters here: a hypervisor may advertise SEP while SYSENTER still
//faults in the guest; Handler() uses that mismatch as the VirtualBox tell
//described in the header comment.
bool CPUID_Sep()
{
    bool sep=false;
    if(IsCPUID_Supported())
    {
        __asm
        {
            xor eax,eax
            inc eax            ;eax = 1 -> basic feature information leaf
            cpuid
            test edx,0x800     ;EDX bit 11 = SEP
            jz No_Sysenter
            mov sep,1
            jmp end
No_Sysenter:
            mov sep,0
end:
            nop
        }
    }
    return sep;
}
  70.  
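//SEH frame handler installed by Test(). The signature follows the x86
//_except_handler convention: (record, establisher frame, context, dispatcher).
//Only STATUS_ILLEGAL_INSTRUCTION (0xC000001D) is handled: when it fires on the
//SYSENTER that Test() emits while CPUID still claims SEP support, the
//advertised and real CPU behaviour disagree, which is the VirtualBox tell the
//program is looking for. Any other exception is passed to the next frame
//instead of being blindly resumed two bytes further on.
//Returns ExceptionContinueExecution after skipping the two-byte SYSENTER
//opcode (0F 34), or ExceptionContinueSearch for unrelated exceptions.
int __cdecl Handler(EXCEPTION_RECORD* pRec,void*,unsigned char* pContext,void*)
{
    if(pRec->ExceptionCode!=0xC000001D) //Illegal instruction
        return ExceptionContinueSearch;  //not ours: let the next handler decide
    if(CPUID_Sep())
    {
        MessageBox(0,"VirtualBox detected!","waliedassar",0);
        ExitProcess(0);
    }
    //pContext is the x86 CONTEXT block; use the Eip field instead of the raw
    //offset 0xB8 so the resume address is not tied to a magic number.
    CONTEXT* ctx=(CONTEXT*)pContext;
    ctx->Eip+=2;                         //step over the 0F 34 SYSENTER bytes
    return ExceptionContinueExecution;
}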
  84.  
//Installs a raw x86 SEH frame that points at Handler() and then executes
//SYSENTER directly (emitted as the bytes 0F 34) with eax = service number and
//edx = esp, mirroring the register setup of ntdll's KiFastSystemCall stub.
//If SYSENTER really works, control comes back (presumably via the return
//address pushed by "call here") and the "Expected behavior" box is shown; if
//it raises an illegal-instruction fault instead, Handler() runs and compares
//that against CPUID.
//The SEH frame is never unlinked and the pushed arguments are never popped;
//both are tolerable only because the function always ends in ExitProcess.
//NOTE(review): the service number 0x3B and the four pushed arguments are tied
//to the XP SP2/SP3 builds that main() gates on — confirm before reusing on any
//other Windows version.
void Test()
{
    __asm
    {
        push offset Handler        ;EXCEPTION_REGISTRATION.Handler
        push dword ptr fs:[0x0]    ;EXCEPTION_REGISTRATION.Next = current head
        mov dword ptr fs:[0x0],esp ;install the new frame
        push 0
        push 0
        push esp
        push 0
        call A
        jmp end
A:
        mov eax,0x3B               ;system service number (XP SP2/SP3 specific)
        call here                  ;pushes the address of "jmp end" as return slot
        jmp end
here:
        mov edx,esp                ;kernel expects the user stack pointer in edx
        __emit 0x0F                ;SYSENTER opcode bytes: 0F 34
        __emit 0x34
end:
    }
    MessageBox(0,"Expected behavior","waliedassar",0);
    ExitProcess(0);
}
  111.  
  112.  
//Entry point. The author restricts the SYSENTER probe in Test() to Windows XP
//(version 5.1) with Service Pack 2 or 3; on any other version the process exits
//without testing. argc/argv are unused.
int main(int argc, char* argv[])
{
    OSVERSIONINFOEx_ OSI={sizeof(OSI)};   //size field must be filled in before the call
    GetVersionEx((LPOSVERSIONINFO)&OSI);

    const bool isXP=(OSI.dwMajorVersion==0x5 && OSI.dwMinorVersion==0x1);
    const bool isSP2orSP3=(OSI.wServicePackMajor==0x2 || OSI.wServicePackMajor==0x3); //SP2 or SP3
    if(isXP && isSP2orSP3)
    {
        Test();
    }
    return 0;
}