visual-c++ - 64位Windows VMware检测

Question

我正在尝试开发一个应用程序，该程序可以检测程序是否在虚拟机中运行。

对于32位Windows，以下链接中已经介绍了方法:
http://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual

我正在尝试在64位Windows操作系统中修改有关Virtual PC和VMware检测的代码。对于VMware，该代码可以在Windows XP 64位OS中成功检测到。但是，当我在 native 系统(Windows 7 64位操作系统)中运行该程序时，该程序崩溃了。

我将代码放在.asm文件中，并使用ml64.exe文件定义自定义生成步骤。 64位Windows的asm代码为:

IsInsideVM proc

      push   rdx
      push   rcx
      push   rbx

      mov    rax, 'VMXh'
      mov    rbx, 0     ; any value but not the MAGIC VALUE
      mov    rcx, 10    ; get VMWare version
      mov    rdx, 'VX'  ; port number

      in     rax, dx    ; read port
                        ; on return EAX returns the VERSION
      cmp    rbx, 'VMXh'; is it a reply from VMWare?
      setz   al         ; set return value
      movzx rax,al

      pop    rbx
      pop    rcx
      pop    rdx

      ret
IsInsideVM endp

我在cpp文件中将此部分称为:

__try
{
returnValue = IsInsideVM();
}
__except(1)
{
    returnValue = false;
}

提前致谢。

Answer 1

来自Joanna的旧红色药丸可能起作用:random backup page of invisiblethings.org blog:

Swallowing the Red Pill is more or less equivalent to the following code (returns non zero when in Matrix):

 int swallow_redpill () {
   unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
   *((unsigned*)&rpill[3]) = (unsigned)m;
   ((void(*)())&rpill)();
   return (m[5]>0xd0) ? 1 : 0;
 }

The heart of this code is actually the SIDT instruction (encoded as 0F010D[addr]), which stores the contents of the interrupt descriptor table register (IDTR) in the destination operand, which is actually a memory location. What is special and interesting about SIDT instruction is that, it can be executed in non privileged mode (ring3) but it returns the contents of the sensitive register, used internally by operating system.

Because there is only one IDTR register, but there are at least two OS running concurrently (i.e. the host and the guest OS), VMM needs to relocate the guest's IDTR in a safe place, so that it will not conflict with a host's one. Unfortunately, VMM cannot know if (and when) the process running in guest OS executes SIDT instruction, since it is not privileged (and it doesn't generate exception). Thus the process gets the relocated address of IDT table. It was observed that on VMWare, the relocated address of IDT is at address 0xffXXXXXX, whereas on Virtual PC it is 0xe8XXXXXX. This was tested on VMWare Workstation 4 and Virtual PC 2004, both running on Windows XP host OS.

注意:我没有亲自测试过它，但是看起来它使用了一种无特权的方法。如果一开始对于x64不起作用，请进行一些调整。

另外，只是发现了一个内容可能对您有帮助的问题: Detecting VMM on linux