http://www.trapkit.de/research/vmm/scoopyng/index.html
Viene compilado en .exe, pero lo mejor de todo es que viene incluido el source code (lo que me motivó a hacer este pequeño post). Esto es de gran utilidad, ya que puede ser agregado a sus aplicaciones (no necesariamente todos los tests, y no necesariamente debe ser un programa en C: lo pueden portar):
Source Code ScoopyNG.c :
/* ScoopyNG - The VMware detection tool * Version v1.0 * * Tobias Klein, 2008 * www.trapkit.de */
/*
 * NOTE(review): this listing was pasted into the forum post with its line
 * breaks collapsed and every output statement stripped, so several if/else
 * branches below have no body and one string fragment survives on its own
 * (see test7_detect).  The code is reproduced here token for token, only
 * re-broken into lines and annotated; as shown it does not compile.
 *
 * Everything here is 32-bit MSVC-specific (inline `_asm`, SEH `__try`), so
 * it cannot be built or exercised on a standard C toolchain.  The probes
 * rely on descriptor-table and task-register contents (test1-test4), an
 * I/O-port interface (test5, test6) and code-segment descriptor handling
 * (test7); these same instruction sequences are what sandbox and
 * anti-evasion tooling looks for when classifying VM-aware samples.
 */
#include <windows.h>
#include <excpt.h>
#include <stdio.h>

#define DEBUG 0

/* Dereferences a fixed address in the shared user/kernel data page.
 * NOTE(review): presumably the highest user-mode address the kernel
 * publishes; the offset is Windows-version specific -- confirm before reuse. */
#define EndUserModeAddress (*(UINT_PTR*)0x7FFE02B4)

/* Prototype of the ntdll export resolved by name at runtime in test7. */
typedef LONG (NTAPI *NTSETLDTENTRIES)(DWORD, DWORD, DWORD, DWORD, DWORD, DWORD);

/* Returns the 32-bit IDT base address.
 * sidt stores a 6-byte IDTR image (16-bit limit, then 32-bit base);
 * the base is read from offset 2.  32-bit only. */
unsigned long get_idt_base (void)
{
    unsigned char idtr[6];
    unsigned long idt = 0;
    _asm sidt idtr
    idt = *((unsigned long *)&idtr[2]);
    return (idt);
}

/* Returns the LDT selector embedded in a marker word.
 * The buffer is pre-filled with the little-endian bytes of 0xdeadbeef;
 * sldt overwrites only the first two bytes, so a zero selector yields
 * 0xdead0000 -- the value test2 compares against. */
unsigned long get_ldtr_base (void)
{
    unsigned char ldtr[5] = "\xef\xbe\xad\xde";
    unsigned long ldt = 0;
    _asm sldt ldtr
    ldt = *((unsigned long *)&ldtr[0]);
    return (ldt);
}

/* Returns the 32-bit GDT base address; same register layout as get_idt_base. */
unsigned long get_gdt_base (void)
{
    unsigned char gdtr[6];
    unsigned long gdt = 0;
    _asm sgdt gdtr
    gdt = *((unsigned long *)&gdtr[2]);
    return (gdt);
}

/* Test 1: compares the top byte of the IDT base with 0xff.
 * Both branches just return because the report statements were lost in the paste. */
void test1 (void)
{
    unsigned int idt_base = 0;
    idt_base = get_idt_base ();
    if ((idt_base >> 24) == 0xff) {
        return;
    } else {
        return;
    }
}

/* Test 2: checks whether the LDT selector is zero (see get_ldtr_base).
 * Both branches just return because the report statements were lost in the paste. */
void test2 (void)
{
    unsigned int ldt_base = 0;
    ldt_base = get_ldtr_base ();
    if (ldt_base == 0xdead0000) {
        return;
    } else {
        return;
    }
}

/* Test 3: compares the top byte of the GDT base with 0xff.
 * Both branches just return because the report statements were lost in the paste. */
void test3 (void)
{
    unsigned int gdt_base = 0;
    gdt_base = get_gdt_base ();
    if ((gdt_base >> 24) == 0xff) {
        return;
    } else {
        return;
    }
}

// Alfredo Andrés Omella's (S21sec) STR technique
/* Test 4: task register.  str stores the 16-bit TR selector into mem[0..1];
 * the comparison looks for the selector 0x4000.
 * Both branches are empty here (output statements lost in the paste). */
void test4 (void)
{
    unsigned char mem[4] = {0, 0, 0, 0};
    __asm str mem;
    if ((mem[0] == 0x00) && (mem[1] == 0x40))
        /* output lost in paste */
    else
        /* output lost in paste */
}

/* Test 5: I/O-port "version" query.
 * NOTE(review): a and b have no initialiser.  When the `in` instruction
 * faults -- the case the empty __except handler is there to absorb --
 * nothing assigns them, and the comparisons below then read indeterminate
 * values (undefined behaviour).  Initialising both to 0, as test6 does
 * for a, closes this. */
void test5 (void)
{
    unsigned int a, b;
    __try {
        __asm {
            // save register values on the stack
            push eax
            push ebx
            push ecx
            push edx
            // perform fingerprint
            mov eax, 'VMXh'   // VMware magic value (0x564D5868)
            mov ecx, 0Ah      // special version cmd (0x0a)
            mov dx, 'VX'      // special VMware I/O port (0x5658)
            in eax, dx        // special I/O cmd
            mov a, ebx        // data
            mov b, ecx        // data (eax gets also modified but will not be evaluated)
            // restore register values from the stack
            pop edx
            pop ecx
            pop ebx
            pop eax
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {}
#if DEBUG == 1
    /* debug output lost in paste */
#endif
    if (a == 'VMXh') { // is the value equal to the VMware magic value?
        /* the b == 1..4 chain distinguishes four cases; the statements
           for each were lost in the paste, leaving empty branches */
        if (b == 1)
        else if (b == 2)
        else if (b == 3)
        else if (b == 4)
        else
    } else
}

/* Test 6: I/O-port "memory size" query.  a is initialised to 0, so a
 * swallowed fault leaves a == 0 and the `a > 0` check is well defined.
 * Both branches are empty here (output statements lost in the paste). */
void test6 (void)
{
    unsigned int a = 0;
    __try {
        __asm {
            // save register values on the stack
            push eax
            push ebx
            push ecx
            push edx
            // perform fingerprint
            mov eax, 'VMXh'   // VMware magic value (0x564D5868)
            mov ecx, 14h      // get memory size command (0x14)
            mov dx, 'VX'      // special VMware I/O port (0x5658)
            in eax, dx        // special I/O cmd
            mov a, eax        // data
            // restore register values from the stack
            pop edx
            pop ecx
            pop ebx
            pop eax
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {}
    if (a > 0)
        /* output lost in paste */
    else
        /* output lost in paste */
}

/* Test 7 exception filter: classifies the fault by whether the reported
 * exception address lies above EndUserModeAddress, then tells SEH to run
 * the (empty) handler.  The dangling string literal is the tail of a
 * report statement that the paste truncated. */
int test7_detect (LPEXCEPTION_POINTERS lpep)
{
    if ((UINT_PTR)(lpep->ExceptionRecord->ExceptionAddress) > EndUserModeAddress)
        /* output lost in paste */
    else
        /* output lost in paste; only the end of the string survived */
        " (enabled acceleration)\n\n");
    return (EXCEPTION_EXECUTE_HANDLER);
}

/* Far-returns to the caller's return address with CS = 0x000F, the LDT
 * code segment installed by test7.  __declspec(naked) means no prologue,
 * so the return address is still at the top of the stack on entry. */
void __declspec(naked) test7_switchcs ()
{
    __asm {
        pop eax
        push 0x000F
        push eax
        retf
    }
}

// Derek Soeder's (eEye Digital Security) VMware emulation test
/* Test 7: installs a code-segment descriptor in the LDT via ZwSetLdtEntries,
 * switches to it and executes a deliberately faulting jump to 0xffffffff;
 * test7_detect then inspects where the fault is reported.
 * NOTE(review): the GetProcAddress result is called without a NULL check,
 * the return value of ZwSetLdtEntries is ignored, and csdesc has no
 * initialiser, so every field other than LimitLow, Flags1 and Flags2 is
 * indeterminate when the descriptor is handed to the kernel -- TODO confirm
 * this is intended. */
void test7 (void)
{
    NTSETLDTENTRIES ZwSetLdtEntries;
    LDT_ENTRY csdesc;
    ZwSetLdtEntries = (NTSETLDTENTRIES)GetProcAddress (GetModuleHandle ("ntdll.dll"), "ZwSetLdtEntries");
    csdesc.LimitLow = (WORD)(EndUserModeAddress >> 12);
    csdesc.HighWord.Bytes.Flags1 = 0xFA;
    csdesc.HighWord.Bytes.Flags2 = 0xC0 | ((EndUserModeAddress >> 28) & 0x0F);
    /* the descriptor is passed as its two DWORD halves */
    ZwSetLdtEntries (0x000F, ((DWORD*)&csdesc)[0], ((DWORD*)&csdesc)[1], 0, 0, 0);
    __try {
        test7_switchcs();
        __asm {
            or eax, -1   // eax = 0xffffffff
            jmp eax      // fault on purpose; the filter decides what it means
        }
    }
    __except (test7_detect (GetExceptionInformation())) { }
}

/* Runs the seven probes in order; each was meant to report on its own
 * (the report statements were lost in the paste). */
int main (void)
{
    test1 ();
    test2 ();
    test3 ();
    test4 ();
    test5 ();
    test6 ();
    test7 ();
    return 0;
}
Créditos: www.trapkit.de