VirtualBox CPUID-SEP Trick

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3. //CPUID detects a supported SYSENTER/SYSEXIT even if they are not. This can be used to detect VirtualBox if Intel-VTx/AMD-V is disabled.
4. #include "stdafx.h"
5. #include "windows.h"
6. #include "stdio.h"
7.  
8. struct OSVERSIONINFOEx_
9. {
10.   unsigned long dwOSVersionInfoSize;
11.   unsigned long dwMajorVersion;
12.   unsigned long dwMinorVersion;
13.   unsigned long dwBuildNumber;
14.   unsigned long dwPlatformId;
15.   unsigned char szCSDVersion[128];
16.   unsigned short wServicePackMajor;
17.   unsigned short wServicePackMinor;
18.   unsigned short  wSuiteMask;
19.   unsigned char  wProductType;
20.   unsigned char  wReserved;
21. };
22. //-----------------------------------------------
23.  
24. bool IsCPUID_Supported()
25. {
26.     unsigned long x=0;
27.     __asm
28.     {
29.         pushad
30.         pushfd
31.         pop eax
32.         or eax,0x00200000
33.         push eax
34.         popfd
35.         pushfd
36.         pop eax
37.         and eax,0x00200000
38.         jz CPUID_NOT_SUPPORTED ;Are you still alive?
39.         mov x,1
40.         jmp bye
41. CPUID_NOT_SUPPORTED:
42.         mov x,0
43. bye:
44.         popad
45.     }
46.     return(x?true:false);
47. }
48. bool CPUID_Sep()
49. {
50.     bool sep=false;
51.     if(IsCPUID_Supported())
52.     {
53.         __asm
54.         {
55.             xor eax,eax
56.             inc eax
57.             cpuid
58.             test edx,0x800
59.             jz No_Sysenter
60.             mov sep,1
61.             jmp end
62. No_Sysenter:
63.             mov sep,0
64. end:
65.             nop
66.         }
67.     }
68.     return sep;
69. }
70.  
71. int __cdecl Handler(EXCEPTION_RECORD* pRec,void*,unsigned char* pContext,void*)
72. {
73.     if(pRec->ExceptionCode==0xC000001D) //Illegal instruction
74.     {
75.         if(CPUID_Sep())
76.         {
77.                MessageBox(0,"VirtualBox detected!","waliedassar",0);
78.                ExitProcess(0);
79.         }
80.     }
81.     (*(unsigned long*)(pContext+0xB8))+=2;
82.     return ExceptionContinueExecution;
83. }
84.  
85. void Test()
86. {
87.     __asm
88.     {
89.         push offset Handler
90.         push dword ptr fs:[0x0]
91.         mov dword ptr fs:[0x0],esp
92.         push 0
93.         push 0
94.         push esp
95.         push 0
96.         call A
97.         jmp end
98. A:
99.         mov eax,0x3B
100.         call here
101.         jmp end
102. here:
103.         mov edx,esp
104.         __emit 0x0F
105.         __emit 0x34
106. end:
107.     }
108.     MessageBox(0,"Expected behavior","waliedassar",0);
109.     ExitProcess(0);
110. }
111.  
112.  
113. int main(int argc, char* argv[])
114. {
115.  
116.     OSVERSIONINFOEx_ OSI={sizeof(OSI)};
117.     GetVersionEx((LPOSVERSIONINFO)&OSI);
118.     if(OSI.dwMajorVersion==0x5 && OSI.dwMinorVersion==0x1)
119.     {
120.         if(OSI.wServicePackMajor==0x2 || OSI.wServicePackMajor==0x3) //SP2 or SP3
121.             Test();
122.     }
123.     return 0;
124. }