API tools faq
paste
Advertisement
waliedassar

Virtual PC 2007 DR7 Trick

waliedassar
Oct 29th, 2012
822
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 1.91 KB | None | 0 0
raw download clone embed print report
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Use this code to detect if Windows XP is running inside Virtual PC 2007
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
  7. #define CONTEXT_ALL 0x1003F
  8. unsigned char ARR[4]={0};
  9. unsigned char LIST[28]={0x39,0x3a,0x3b,0x3c,0x3d,0x3e,0x3f,0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f,0x50,0x51,0x52,0x53,0x54};
  10. unsigned long current=0;
  11. unsigned long hits=0;
  12.  
  13. int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
  14. {
  15.     if(pRec->ExceptionCode==0xC0000096)  //Privileged instruction
  16.     {
  17.         *(unsigned long*)(pContext)=CONTEXT_ALL;
  18.         *(unsigned long*)(pContext+0x4)=(unsigned long)(&ARR[0]);
  19.         *(unsigned long*)(pContext+0x8)=0;
  20.         *(unsigned long*)(pContext+0xC)=0;
  21.         *(unsigned long*)(pContext+0x10)=0;
  22.         *(unsigned long*)(pContext+0x14)=0;
  23.         unsigned long dr7_=0x050001;
  24.         unsigned char* pDr7_FLags=((unsigned char*)(&dr7_))+1;
  25.         *pDr7_FLags=LIST[current];
  26.         *(unsigned long*)(pContext+0x18)=dr7_;
  27.         (*(unsigned long*)(pContext+0xB8))++;
  28.         return ExceptionContinueExecution;
  29.     }
  30.     else if(pRec->ExceptionCode==EXCEPTION_SINGLE_STEP)
  31.     {
  32.         unsigned long dr77=*(unsigned long*)(pContext+0x18);
  33.         hits++;
  34.         return ExceptionContinueExecution;
  35.     }
  36.     return ExceptionContinueSearch;
  37. }
  38. int main()
  39. {
  40.     for(current=0;current<28;current++)
  41.     {
  42.         __asm
  43.         {
  44.            push offset Handler
  45.            push dword ptr fs:[0x0]
  46.            mov dword ptr fs:[0x0],esp
  47.            STI; Triggers an exception(privileged instruction)
  48.         }
  49.         __asm
  50.         {
  51.             mov edi,offset ARR
  52.             mov ecx,0x4
  53.             xor eax,eax
  54.             inc eax
  55.             mov byte ptr[edi],0xCE
  56.             pop dword ptr fs:[0x0]
  57.             pop ebx
  58.         }
  59.     }
  60.     if(hits!=28)
  61.     {
  62.         printf("Virtual PC 2007 detected\r\n");
  63.         MessageBox(0,"Virtual PC 2007 detected\r\n","waliedassar",0);
  64.     }
  65.     else
  66.     {
  67.         MessageBox(0,"Expected behavior","waliedassar",0);
  68.     }
  69.     return 0;
  70. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!