waliedassar

Detect XP In VirtualPC 2007 (Resume Flag Trick)

Oct 21st, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Use this code to detect if Windows XP is running inside Virtual PC 2007
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
  7.  
  /* Value Handler stores at offset 0 of the CONTEXT record (ContextFlags).
     0x1003F has every x86 context-flag bit set, debug registers included,
     so the Dr0-Dr7 values written by Handler are applied on resume. */
  #define CONTEXT_ALL 0x1003F

  /* Forward declaration: Handler takes dummy's address before dummy is defined. */
  int dummy(int);
  /* Number of EXCEPTION_SINGLE_STEP exceptions Handler has already counted. */
  unsigned long gf=0;
  /*
   * SEH handler that drives the two-stage debug-register / Resume Flag probe.
   *
   * pContext is used as a raw byte pointer to the 32-bit x86 CONTEXT record
   * and is patched at the fixed offsets named in the enum below.
   *
   * Stage 1, exception 0xC0000096 (privileged instruction, raised by the STI
   * in main): Dr0..Dr3 are pointed at dummy(), Dr6 is cleared, Dr7 is set to
   * 0x155 (L0-L3 plus LE, i.e. four execute breakpoints) and Eip is advanced
   * by one byte so execution resumes after the STI.
   *
   * Stage 2, EXCEPTION_SINGLE_STEP (presumably the breakpoint on dummy's
   * entry firing): the first occurrence is counted in gf and RF (bit 16) is
   * set in the saved EFlags; a second occurrence shows "Expected behavior
   * (XP)" and terminates the process.
   *
   * Returns ExceptionContinueExecution for the two handled codes and
   * ExceptionContinueSearch otherwise. est and disp are not used.
   *
   * Analyst note: when triaging a binary, the recognisable pattern is an SEH
   * handler that writes 0x155 to CONTEXT.Dr7 and later ORs 0x00010000 into
   * CONTEXT.EFlags; it indicates an environment check, not a payload.
   */
  int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
  {
      /* Byte offsets of the fields touched inside the x86 CONTEXT record. */
      enum {
          CTX_CONTEXT_FLAGS = 0x00,
          CTX_DR0           = 0x04,
          CTX_DR3           = 0x10,
          CTX_DR6           = 0x14,
          CTX_DR7           = 0x18,
          CTX_EIP           = 0xB8,
          CTX_EFLAGS        = 0xC0
      };
      unsigned int slot;

      switch(pRec->ExceptionCode)
      {
      case 0xC0000096:  /* privileged instruction */
          /* Ask for the whole context, debug registers included, to be restored. */
          *(unsigned long*)(pContext+CTX_CONTEXT_FLAGS)=CONTEXT_ALL;
          /* Dr0, Dr1, Dr2 and Dr3 all receive the address of dummy(). */
          for(slot=CTX_DR0;slot<=CTX_DR3;slot+=0x4)
          {
              *(unsigned long*)(pContext+slot)=(unsigned long)(&dummy);
          }
          *(unsigned long*)(pContext+CTX_DR6)=0;
          *(unsigned long*)(pContext+CTX_DR7)=0x155;  /* enable all four, on execute */
          /* Step the saved Eip past the faulting one-byte instruction. */
          *(unsigned long*)(pContext+CTX_EIP)+=1;
          return ExceptionContinueExecution;

      case EXCEPTION_SINGLE_STEP:
          if(gf==1)
          {
              /* Second single-step exception: the outcome the author labels as real XP. */
              MessageBox(0,"Expected behavior (XP)","waliedassar",0);
              ExitProcess(0);
          }
          gf+=1;
          /* Set RF (Resume Flag, bit 16) in the saved EFlags before resuming. */
          *(unsigned long*)(pContext+CTX_EFLAGS)|=0x00010000;
          return ExceptionContinueExecution;

      default:
          /* Not ours: let the next handler in the chain deal with it. */
          return ExceptionContinueSearch;
      }
  }
  41.  
  /*
   * Trivial function whose address Handler loads into Dr0..Dr3; it exists
   * only to give the execute breakpoints a target. Returns x + 0x100.
   */
  int dummy(int x)
  {
      return x+0x100;
  }
  47.  
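  /*
   * Entry point of the probe.
   *
   * Reads the OS version with GetVersion() (low byte = major, next byte =
   * minor) and runs the check only on 5.1 (Windows XP); on any other version
   * it returns without output. On XP it registers Handler as the head of the
   * SEH chain, executes STI to raise the privileged-instruction exception
   * that lets Handler arm the debug registers, and then calls dummy(). If
   * Handler sees a second single-step exception it exits the process itself;
   * if control comes back here instead, "Virtual PC 2007 detected (XP)" is
   * shown.
   *
   * NOTE(review): reaching the final message only proves that the second
   * single-step exception never arrived. Anything else that alters how debug
   * registers or RF are handled (for example a debugger owning the debug
   * registers) would presumably give the same result, so treat the verdict
   * as a heuristic - confirm before relying on it.
   *
   * The parameter is unused. Always returns 0.
   */
  int main(int shitArg)
  {
      unsigned long ver_=GetVersion();
      unsigned long major=ver_&0xFF;
      unsigned long minor=(ver_>>0x8)&0xFF;
      /* Logical AND: both comparisons must hold (the original used bitwise &). */
      if(major==0x05 && minor==0x01) //Windows XP
      {
          /* Build an SEH registration record on the stack (handler address,
             then the previous chain head) and make fs:[0] point at it. */
          __asm
          {
             push offset Handler
             push dword ptr fs:[0x0]
             mov dword ptr fs:[0x0],esp
             STI; Triggers an exception(privileged instruction)
          }
          /* Call the function whose address Handler placed in Dr0..Dr3. */
          dummy(0xFF);
          /* Unlink the record: restore the previous chain head, then discard
             the handler-address slot. */
          __asm
          {
              pop dword ptr fs:[0x0]
              pop ebx
          }
          MessageBox(0,"Virtual PC 2007 detected (XP)","waliedassar",0);
      }
      return 0;
  }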