
Virtual PC 2007 DR7 Trick

waliedassar Oct 29th, 2012 206 Never
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Use this code to detect if Windows XP is running inside Virtual PC 2007
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
  /* Value Handler stores into the ContextFlags field (offset 0) of the CONTEXT
   * record so that the debug registers it edits are included when the context
   * is restored.
   * NOTE(review): windows.h normally provides CONTEXT_ALL for x86 already;
   * confirm this redefinition does not produce a macro-redefinition warning. */
  #define CONTEXT_ALL 0x1003F

  /* Watched buffer: Handler loads its address into Dr0 and main() then writes
   * 0xCE to its first byte to trip the data breakpoint. */
  unsigned char ARR[4] = { 0 };

  /* Candidate values for byte 1 (bits 8-15) of DR7, 0x39 through 0x54.
   * Handler splices LIST[current] into DR7 on each probe. */
  unsigned char LIST[28] = {
          0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
          0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46,
          0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d,
          0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54
  };

  /* Index of the LIST entry under test; main() uses it as the loop counter and
   * Handler reads it. */
  unsigned long current = 0;

  /* Number of EXCEPTION_SINGLE_STEP exceptions Handler has seen so far. */
  unsigned long hits = 0;
  12.  
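  /*
   * SEH handler for the DR7 probe that main() runs once per LIST entry.
   *
   * Privileged-instruction fault (raised by the STI in main):
   *   arms a hardware data breakpoint by editing the thread CONTEXT that the
   *   OS restores when the handler returns ExceptionContinueExecution:
   *     - ContextFlags = CONTEXT_ALL
   *     - Dr0 = address of ARR, Dr1..Dr3 = 0, Dr6 = 0
   *     - Dr7 = 0x050001 with byte 1 (bits 8-15) set to LIST[current]
   *       (0x050001 = L0 enabled, R/W0 = 01b break-on-write, LEN0 = 01b)
   *     - Eip += 1, stepping over the one-byte STI
   *
   * Single-step exception (how Windows reports a hardware breakpoint hit):
   *   counts it in `hits` and resumes.
   *
   * Note for analysts: the debug registers are changed through the CONTEXT
   * handed back from the exception handler, not through SetThreadContext, so
   * monitoring that watches only that API will not observe the change.
   *
   * pRec      exception record; only ExceptionCode is read.
   * est       establisher frame, unused.
   * pContext  the thread's CONTEXT record (32-bit x86 layout), passed as raw
   *           bytes by this file's convention.
   * disp      dispatcher context, unused.
   *
   * Returns ExceptionContinueExecution for the two handled codes and
   * ExceptionContinueSearch for everything else.
   */
  int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
  {
          /* Use the real structure instead of hand-computed byte offsets; on
           * 32-bit x86 the fields below sit at 0x00, 0x04..0x18 and 0xB8. */
          CONTEXT* ctx=(CONTEXT*)pContext;

          (void)est;
          (void)disp;

          if(pRec->ExceptionCode==EXCEPTION_PRIV_INSTRUCTION)  /* 0xC0000096 */
          {
                  ctx->ContextFlags=CONTEXT_ALL;
                  ctx->Dr0=(unsigned long)(&ARR[0]);  /* 32-bit only: pointer fits in a DWORD */
                  ctx->Dr1=0;
                  ctx->Dr2=0;
                  ctx->Dr3=0;
                  ctx->Dr6=0;
                  /* Byte 1 of the base value is zero, so OR-ing the candidate
                   * in is the same as overwriting that byte. */
                  ctx->Dr7=0x050001UL|((unsigned long)LIST[current]<<8);
                  ctx->Eip++;  /* resume at the instruction after STI */
                  return ExceptionContinueExecution;
          }
          else if(pRec->ExceptionCode==EXCEPTION_SINGLE_STEP)
          {
                  /* The original also read Dr7 into an unused local here;
                   * that dead read has been dropped. */
                  hits++;
                  return ExceptionContinueExecution;
          }
          return ExceptionContinueSearch;
  }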
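  /*
   * Runs one breakpoint probe per LIST entry and reports the result.
   *
   * Each iteration installs Handler as the head of the thread's SEH chain,
   * executes STI so that Handler can arm a write breakpoint on ARR with the
   * current DR7 candidate, writes to ARR[0], and then unlinks the SEH frame.
   * Handler counts every resulting single-step exception in `hits`.
   *
   * Per the author's messages, one hit per probe is the expected behavior and
   * any other count is reported as Virtual PC 2007.
   *
   * 32-bit x86 / MSVC inline assembly only. Always returns 0.
   */
  int main()
  {
          /* Derive the probe count from LIST so Handler's LIST[current] read
           * can never run past the table if the table changes. */
          const unsigned long probes=sizeof(LIST)/sizeof(LIST[0]);

          for(current=0;current<probes;current++)
          {
                  __asm
                  {
                          // Build an SEH registration record on the stack and
                          // link it at fs:[0].
                          push offset Handler
                          push dword ptr fs:[0x0]
                          mov dword ptr fs:[0x0],esp
                          // Privileged in user mode: faults into Handler, which
                          // sets Dr0/Dr7 and skips this instruction.
                          STI
                  }
                  __asm
                  {
                          mov edi,offset ARR
                          // ecx/eax are set up but not used by the store below;
                          // kept exactly as in the original.
                          mov ecx,0x4
                          xor eax,eax
                          inc eax
                          // Write to the watched address; a working breakpoint
                          // raises EXCEPTION_SINGLE_STEP here.
                          mov byte ptr[edi],0xCE
                          // Unlink the SEH record and discard the handler slot.
                          pop dword ptr fs:[0x0]
                          pop ebx
                  }
          }
          if(hits!=probes)
          {
                  printf("Virtual PC 2007 detected\r\n");
                  /* MessageBoxA: the captions are narrow literals, so the
                   * TCHAR-generic MessageBox would not compile with UNICODE. */
                  MessageBoxA(NULL,"Virtual PC 2007 detected\r\n","waliedassar",0);
          }
          else
          {
                  MessageBoxA(NULL,"Expected behavior","waliedassar",0);
          }
          return 0;
  }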