//http://waleedassar.blogspot.com 
//http://www.twitter.com/waleedassar
//Use this code to detect if Windows XP is running inside Virtual PC 2007
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
#define CONTEXT_ALL 0x1003F
unsigned char ARR[4]={0};
unsigned char LIST[28]={0x39,0x3a,0x3b,0x3c,0x3d,0x3e,0x3f,0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f,0x50,0x51,0x52,0x53,0x54};
unsigned long current=0;
unsigned long hits=0;

int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
{
	if(pRec->ExceptionCode==0xC0000096)  //Privileged instruction
	{
		*(unsigned long*)(pContext)=CONTEXT_ALL;
		*(unsigned long*)(pContext+0x4)=(unsigned long)(&ARR[0]); 
		*(unsigned long*)(pContext+0x8)=0;
		*(unsigned long*)(pContext+0xC)=0;
		*(unsigned long*)(pContext+0x10)=0;
		*(unsigned long*)(pContext+0x14)=0;
		unsigned long dr7_=0x050001;
		unsigned char* pDr7_FLags=((unsigned char*)(&dr7_))+1;
		*pDr7_FLags=LIST[current];
		*(unsigned long*)(pContext+0x18)=dr7_;
		(*(unsigned long*)(pContext+0xB8))++;
		return ExceptionContinueExecution;
	}
	else if(pRec->ExceptionCode==EXCEPTION_SINGLE_STEP)
	{
		unsigned long dr77=*(unsigned long*)(pContext+0x18);
		hits++;
		return ExceptionContinueExecution;
	}
	return ExceptionContinueSearch;
}
int main()
{
	for(current=0;current<28;current++)
	{
	    __asm
		{
		   push offset Handler
		   push dword ptr fs:[0x0]
           mov dword ptr fs:[0x0],esp
		   STI; Triggers an exception(privileged instruction)
		}
		__asm
		{
			mov edi,offset ARR
			mov ecx,0x4
			xor eax,eax
			inc eax
			mov byte ptr[edi],0xCE
			pop dword ptr fs:[0x0]
			pop ebx
		}
	}
	if(hits!=28)
	{
		printf("Virtual PC 2007 detected\r\n");
		MessageBox(0,"Virtual PC 2007 detected\r\n","waliedassar",0);
	}
	else
	{
		MessageBox(0,"Expected behavior","waliedassar",0);
	}
    return 0;
}