Advertisement
waliedassar

Virtual PC 2007 DR7 Trick

Oct 29th, 2012
468
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Use this code to detect if Windows XP is running inside Virtual PC 2007
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
  7. #define CONTEXT_ALL 0x1003F
  8. unsigned char ARR[4]={0};
  9. unsigned char LIST[28]={0x39,0x3a,0x3b,0x3c,0x3d,0x3e,0x3f,0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f,0x50,0x51,0x52,0x53,0x54};
  10. unsigned long current=0;
  11. unsigned long hits=0;
  12.  
  13. int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
  14. {
  15.     if(pRec->ExceptionCode==0xC0000096)  //Privileged instruction
  16.     {
  17.         *(unsigned long*)(pContext)=CONTEXT_ALL;
  18.         *(unsigned long*)(pContext+0x4)=(unsigned long)(&ARR[0]);
  19.         *(unsigned long*)(pContext+0x8)=0;
  20.         *(unsigned long*)(pContext+0xC)=0;
  21.         *(unsigned long*)(pContext+0x10)=0;
  22.         *(unsigned long*)(pContext+0x14)=0;
  23.         unsigned long dr7_=0x050001;
  24.         unsigned char* pDr7_FLags=((unsigned char*)(&dr7_))+1;
  25.         *pDr7_FLags=LIST[current];
  26.         *(unsigned long*)(pContext+0x18)=dr7_;
  27.         (*(unsigned long*)(pContext+0xB8))++;
  28.         return ExceptionContinueExecution;
  29.     }
  30.     else if(pRec->ExceptionCode==EXCEPTION_SINGLE_STEP)
  31.     {
  32.         unsigned long dr77=*(unsigned long*)(pContext+0x18);
  33.         hits++;
  34.         return ExceptionContinueExecution;
  35.     }
  36.     return ExceptionContinueSearch;
  37. }
  38. int main()
  39. {
  40.     for(current=0;current<28;current++)
  41.     {
  42.         __asm
  43.         {
  44.            push offset Handler
  45.            push dword ptr fs:[0x0]
  46.            mov dword ptr fs:[0x0],esp
  47.            STI; Triggers an exception(privileged instruction)
  48.         }
  49.         __asm
  50.         {
  51.             mov edi,offset ARR
  52.             mov ecx,0x4
  53.             xor eax,eax
  54.             inc eax
  55.             mov byte ptr[edi],0xCE
  56.             pop dword ptr fs:[0x0]
  57.             pop ebx
  58.         }
  59.     }
  60.     if(hits!=28)
  61.     {
  62.         printf("Virtual PC 2007 detected\r\n");
  63.         MessageBox(0,"Virtual PC 2007 detected\r\n","waliedassar",0);
  64.     }
  65.     else
  66.     {
  67.         MessageBox(0,"Expected behavior","waliedassar",0);
  68.     }
  69.     return 0;
  70. }
Advertisement
Advertisement
Advertisement
RAW Paste Data Copied
Advertisement