VirtualPC 2004 (build 528) detection (?)

Tue, 05 Sep 2006 10:48:34 -0700 

Hello ;>


Recently I've been working on a disassembler. When implementing the 
'REPE/REPNE' prefix, I've asked myself, how many prefixes 'REP' can there be ?

I tested it by creating an application with code like:

REP REP REP ... REP MOVSB

After a few tests (by me and ReWolf) we've found out that the CPU generates 
Illegal Instruction exception when there are at least 15*REP. The exception is 
not generated when there are "only" 14*REP or less. We have tested this on both 
Intel (P3, P4) CPUs and AMD (duron).

I have decided also to test this on virtual CPUs like VMWare, VirtualPC, and so 
on.


I found out that on VirtualPC 2004 (build 528) the exception is NOT generated 
(when there are 15 REP). 


This fact can be used to detect that an app is running on VirtualPC 2004 (build 
528). I have not tested in on other versions.


Proof of concept code follows.

(sorry for my bad english ;<)


gynvael.coldwind//vx

Team Vexillium



--proof of concept--

; masm32 

; research & code by gynvael.coldwind//vx

; special thx to ReWolf (even more research ;>) & vul7ur3 (testing)

.386

.model flat, stdcall

option casemap :none   ; case sensitive


include \masm32\include\windows.inc

include \masm32\include\user32.inc

include \masm32\include\kernel32.inc


includelib \masm32\lib\user32.lib

includelib \masm32\lib\kernel32.lib


.code


start:

  ; some strings

  jmp @F

    szDlgTitle    db "VirtualPC 2004 RedPill (by gynvael.coldwind//vx)",0

    szMsgOFF      db "VirtualPC was NOT detected",0

    szMsgON       db "VirtualPC DETECTED!",0

  @@:


  ; SEH

  xor eax, eax

  push offset detected

  db 064h ; FS

  push dword ptr [eax]

  db 064h ; FS

  mov dword ptr [eax], esp


  ; teh RedPill

  mov esi, esp

  mov edi, esp

  mov ecx, 1


  ; This is REP REP REP REP ... REP movsb

  ; 15 * REP generate 'Invalid Instruction' exception on real CPU (tested on 
both Intel and AMD)

  ; Microsoft Virtual PC 2004 does NOT generate this exception.

  db 0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h;

  movsb    


  ; was found!

  invoke MessageBox, 0, ADDR szMsgON, ADDR szDlgTitle, MB_OK

  invoke ExitProcess, 0


detected:

  invoke MessageBox, 0, ADDR szMsgOFF, ADDR szDlgTitle, MB_OK

  invoke ExitProcess, 0

  

end start

Reply via email to