waliedassar

Virtual PC 2007 DR7 Trick

Oct 29th, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Use this code to detect if Windows XP is running inside Virtual PC 2007
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
  /* ContextFlags value the handler stores so that every register group,
     debug registers included, is written back from the edited CONTEXT. */
  #define CONTEXT_ALL 0x1003F

  /* Probe target: hardware breakpoint 0 is armed on ARR[0]. */
  unsigned char ARR[4] = { 0, 0, 0, 0 };

  /* One value per probe; the handler places it in bits 8-15 of DR7. */
  unsigned char LIST[28] = {
      0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
      0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46,
      0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d,
      0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54
  };

  /* Index of the LIST entry being probed; written by main(), read by Handler(). */
  unsigned long current = 0UL;

  /* Number of single-step (hardware breakpoint) exceptions seen by Handler(). */
  unsigned long hits = 0UL;
  12.  
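  /*
   * Structured-exception handler that main() installs through fs:[0].
   *
   * It handles the two exceptions that make up one probe:
   *   - 0xC0000096 (STATUS_PRIVILEGED_INSTRUCTION), raised by the user-mode
   *     STI in main(): edit the saved thread context so that hardware
   *     breakpoint 0 watches ARR[0], place LIST[current] in bits 8-15 of DR7,
   *     and advance EIP past the one-byte STI.
   *   - EXCEPTION_SINGLE_STEP, the code Windows reports for a hardware
   *     breakpoint hit: count it in `hits`.
   *
   * pRec      exception record; only ExceptionCode is read.
   * est       establisher frame (unused).
   * pContext  saved thread context, accessed as raw bytes using the 32-bit
   *           x86 CONTEXT layout; this code is x86-only.
   * disp      dispatcher context (unused).
   *
   * Returns ExceptionContinueExecution for the two handled codes and
   * ExceptionContinueSearch for anything else.
   *
   * Note for analysts: the first branch overwrites Dr0-Dr3, Dr6 and Dr7 of the
   * running thread, so hardware breakpoints a debugger placed on this thread
   * are lost once the context is restored.
   */
  int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
  {
      /* Byte offsets of the fields used below inside the 32-bit x86 CONTEXT. */
      enum {
          CTX_CONTEXT_FLAGS = 0x00,
          CTX_DR0           = 0x04,
          CTX_DR1           = 0x08,
          CTX_DR2           = 0x0C,
          CTX_DR3           = 0x10,
          CTX_DR6           = 0x14,
          CTX_DR7           = 0x18,
          CTX_EIP           = 0xB8
      };

      (void)est;
      (void)disp;

      if(pRec->ExceptionCode==0xC0000096)  //Privileged instruction
      {
          unsigned long dr7;

          /* LIST is indexed by a global; refuse to read past its end. */
          if(current>=sizeof(LIST))
          {
              return ExceptionContinueSearch;
          }

          *(unsigned long*)(pContext+CTX_CONTEXT_FLAGS)=CONTEXT_ALL;
          *(unsigned long*)(pContext+CTX_DR0)=(unsigned long)(&ARR[0]);
          *(unsigned long*)(pContext+CTX_DR1)=0;
          *(unsigned long*)(pContext+CTX_DR2)=0;
          *(unsigned long*)(pContext+CTX_DR3)=0;
          *(unsigned long*)(pContext+CTX_DR6)=0;

          /* 0x050001: L0 set, RW0=01 (break on write), LEN0=01 (two bytes).
             Byte 1 of that constant is zero, so OR-ing the shifted LIST value
             gives the same DR7 as patching the byte in memory. */
          dr7=0x050001UL|((unsigned long)LIST[current]<<8);
          *(unsigned long*)(pContext+CTX_DR7)=dr7;

          /* STI is a one-byte opcode: resume at the instruction after it. */
          (*(unsigned long*)(pContext+CTX_EIP))++;
          return ExceptionContinueExecution;
      }
      if(pRec->ExceptionCode==EXCEPTION_SINGLE_STEP)
      {
          /* The write to ARR[0] in main() tripped breakpoint 0. */
          hits++;
          return ExceptionContinueExecution;
      }
      return ExceptionContinueSearch;
  }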
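  /*
   * Runs one probe per LIST entry and reports the outcome.
   *
   * Each probe installs Handler as the thread's SEH handler, executes STI
   * (privileged in user mode) so that Handler arms hardware breakpoint 0 on
   * ARR[0], then writes to ARR[0] and removes the handler again. Handler counts
   * the resulting single-step exceptions in `hits`. If any probe did not
   * produce a hit, the program reports Virtual PC 2007; per the listing's
   * header comment the check is intended for a Windows XP guest.
   *
   * x86 / MSVC inline assembly only. Always returns 0.
   */
  int main()
  {
      /* Derive the probe count from the table instead of repeating 28. */
      const unsigned long probes=(unsigned long)sizeof(LIST);

      for(current=0;current<probes;current++)
      {
          /* Build an exception registration record on the stack (handler,
             previous head), make it the head of the chain at fs:[0], then
             raise the privileged-instruction exception. */
          __asm
          {
             push offset Handler
             push dword ptr fs:[0x0]
             mov dword ptr fs:[0x0],esp
             STI; Triggers an exception(privileged instruction)
          }
          /* Write to ARR[0], the address Handler put in Dr0, then restore the
             previous fs:[0] head and pop the handler slot. The ecx/eax setup
             has no consumer in this listing; it is kept as published. */
          __asm
          {
              mov edi,offset ARR
              mov ecx,0x4
              xor eax,eax
              inc eax
              mov byte ptr[edi],0xCE
              pop dword ptr fs:[0x0]
              pop ebx
          }
      }
      if(hits!=probes)
      {
          printf("Virtual PC 2007 detected\r\n");
          /* The strings are narrow literals, so call the ANSI entry point
             explicitly; MessageBox resolves to MessageBoxW in UNICODE builds. */
          MessageBoxA(0,"Virtual PC 2007 detected\r\n","waliedassar",0);
      }
      else
      {
          MessageBoxA(0,"Expected behavior","waliedassar",0);
      }
      return 0;
  }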