waliedassar

VirtualBox CPUID-SEP Trick

Nov 5th, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //CPUID reports SYSENTER/SYSEXIT as supported even when they are not. This can be used to detect VirtualBox when Intel VT-x/AMD-V is disabled.
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
  7.  
// Hand-rolled copy of the Win32 OSVERSIONINFOEXA layout so the code does not
// depend on the SDK typedef. main() fills it through GetVersionEx() after a
// cast to LPOSVERSIONINFO, so field order and sizes must match the SDK
// structure exactly (the first five fields form the OSVERSIONINFOA prefix).
struct OSVERSIONINFOEx_
{
  unsigned long dwOSVersionInfoSize;   // must hold sizeof(OSVERSIONINFOEx_) before the call
  unsigned long dwMajorVersion;        // 5 for Windows XP (main() checks 5.1)
  unsigned long dwMinorVersion;        // 1 for Windows XP (main() checks 5.1)
  unsigned long dwBuildNumber;
  unsigned long dwPlatformId;
  unsigned char szCSDVersion[128];     // service-pack description string
  unsigned short wServicePackMajor;    // main() accepts 2 or 3 (SP2/SP3)
  unsigned short wServicePackMinor;
  unsigned short  wSuiteMask;
  unsigned char  wProductType;
  unsigned char  wReserved;
};
  22. //-----------------------------------------------
  23.  
// Probes for CPUID support the classic way: bit 21 of EFLAGS (the ID flag)
// can only be modified by software on processors that implement CPUID. The
// flag is set, written back with POPFD and read again; if it stuck, CPUID
// exists. The modified EFLAGS is left in place (POPAD does not restore flags).
// 32-bit only: PUSHAD/POPAD and the MSVC __asm block do not exist on x64,
// where CPUID is always available anyway.
//
// Returns true when the ID flag could be set, false otherwise.
bool IsCPUID_Supported()
{
    unsigned long idFlag=0;
    __asm
    {
        pushad
        pushfd
        pop eax
        or eax,0x00200000   ; set EFLAGS.ID
        push eax
        popfd               ; try to write it back
        pushfd
        pop eax
        and eax,0x00200000  ; keep only the ID bit as read back
        mov idFlag,eax
        popad
    }
    return idFlag!=0;
}
// Asks CPUID leaf 1 whether the processor advertises SYSENTER/SYSEXIT
// (EDX bit 11, the SEP feature flag). Returns false when CPUID itself is not
// available. The file header notes that under VirtualBox without hardware
// virtualization this bit can read as set although SYSENTER then faults;
// Handler() compares the two.
bool CPUID_Sep()
{
    if(!IsCPUID_Supported())
        return false;
    unsigned long sepBit=0;
    __asm
    {
        mov eax,1           ; leaf 1: processor info and feature bits
        cpuid
        and edx,0x800       ; EDX[11] = SEP
        mov sepBit,edx
    }
    return sepBit!=0;
}
  70.  
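// Frame-based SEH handler installed by Test() (classic _except_handler
// parameter layout; only the record and the CONTEXT are used). It is reached
// when the SYSENTER probe in Test() faults. If the fault is an illegal
// instruction while CPUID claims SEP is supported, the two disagree, which the
// file header attributes to VirtualBox without VT-x/AMD-V: report and exit.
// An illegal instruction without that mismatch is consistent (the CPU simply
// lacks SEP), so the 2-byte SYSENTER opcode (0F 34) is skipped and execution
// resumes. Any other exception code is not ours and is passed to the next
// handler rather than having its EIP blindly advanced.
//
// pRec     - exception record; ExceptionCode is the NTSTATUS of the fault.
// pContext - thread CONTEXT at the fault. On 32-bit x86 Eip is at offset
//            0xB8, which the original raw byte offset encoded; the typed
//            access below is the same location.
// Returns an EXCEPTION_DISPOSITION value.
int __cdecl Handler(EXCEPTION_RECORD* pRec,void*,unsigned char* pContext,void*)
{
    if(pRec->ExceptionCode!=0xC000001D) //not STATUS_ILLEGAL_INSTRUCTION: not ours
        return ExceptionContinueSearch;
    if(CPUID_Sep())
    {
        MessageBox(0,"VirtualBox detected!","waliedassar",0);
        ExitProcess(0);
    }
    CONTEXT* ctx=(CONTEXT*)pContext;
    ctx->Eip+=2; //step over the 2-byte SYSENTER (0F 34) emitted in Test()
    return ExceptionContinueExecution;
}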
  84.  
// Installs a frame-based SEH handler by hand and then executes SYSENTER
// directly to see what happens. The function never returns: either Handler()
// decides what the fault means and calls ExitProcess(), or execution reaches
// the "Expected behavior" message below and exits. 32-bit only (fs:[0] SEH
// chain, MSVC __asm, __emit).
void Test()
{
    __asm
    {
        ; Build an EXCEPTION_REGISTRATION record {Next, Handler} on the stack
        ; and make it the head of the chain at fs:[0]. It is never unlinked,
        ; which is acceptable only because the function ends in ExitProcess.
        push offset Handler
        push dword ptr fs:[0x0]
        mov dword ptr fs:[0x0],esp
        ; Presumably the argument block for the service selected below;
        ; NOTE(review): verify against the XP SP2/SP3 service table.
        push 0
        push 0
        push esp
        push 0
        call A
        jmp end
A:
        mov eax,0x3B              ; EAX selects the system service (value looks XP-specific)
        call here                 ; pushes the address of the following "jmp end" onto the stack
        jmp end
here:
        mov edx,esp               ; SYSENTER convention: EDX = user stack pointer
        __emit 0x0F               ; SYSENTER as raw bytes (0F 34); if it is rejected,
        __emit 0x34               ; Handler() receives the fault and decides
end:
    }
    MessageBox(0,"Expected behavior","waliedassar",0);
    ExitProcess(0);
}
  111.  
  112.  
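// Entry point. The probe in Test() relies on 32-bit Windows XP details (the
// fixed CONTEXT.Eip offset used by Handler() and the service number 0x3B,
// which looks XP-specific), so it is only run on Windows XP (5.1) Service
// Pack 2 or 3; everywhere else the program exits silently. GetVersionEx() is
// checked: on failure the zero-initialised fields would not match anyway, but
// reading them as if the call had succeeded is misleading.
int main(int argc, char* argv[])
{
    OSVERSIONINFOEx_ OSI={sizeof(OSI)};
    if(!GetVersionEx((LPOSVERSIONINFO)&OSI))
        return 0;
    bool isXP=(OSI.dwMajorVersion==0x5 && OSI.dwMinorVersion==0x1);
    bool isSP2orSP3=(OSI.wServicePackMajor==0x2 || OSI.wServicePackMajor==0x3);
    if(isXP && isSP2orSP3)
        Test(); //does not return: ends in ExitProcess
    return 0;
}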