九色国产,午夜在线视频,新黄色网址,九九色综合,天天做夜夜做久久做狠狠,天天躁夜夜躁狠狠躁2021a,久久不卡一区二区三区

打開APP
userphoto
未登錄

開通VIP,暢享免費(fèi)電子書等14項(xiàng)超值服

開通VIP

首頁

好書

留言交流

下載APP

聯(lián)系客服
虛擬機(jī)檢測(cè)技術(shù)攻防

前言

在當(dāng)今信息安全領(lǐng)域,特別是惡意軟件分析中,經(jīng)常需要利用到虛擬機(jī)技術(shù),以提高病毒分析過程的安全性以及硬件資源的節(jié)約性,因此它在惡意軟件領(lǐng)域中是應(yīng)用越來越來廣泛。這里我們所謂的虛擬機(jī)(Virtual Machine)是指通過軟件模擬的具有完整硬件系統(tǒng)功能的、運(yùn)行在一個(gè)完全隔離環(huán)境中的完整計(jì)算機(jī)系統(tǒng)。通過虛擬機(jī)軟件(比如VMware,Virtual PC ,VirtualBox),你可以在一臺(tái)物理計(jì)算機(jī)上模擬出一臺(tái)或多臺(tái)虛擬的計(jì)算機(jī),這些虛擬機(jī)完全就像真正的計(jì)算機(jī)那樣進(jìn)行工作,例如你可以安裝操作系統(tǒng)、安裝應(yīng)用程序、訪問網(wǎng)絡(luò)資源等等。攻擊者為了提高惡意程序的隱蔽性以及破壞真實(shí)主機(jī)的成功率,他們都在惡意程序中加入檢測(cè)虛擬機(jī)的代碼,以判斷程序所處的運(yùn)行環(huán)境。當(dāng)發(fā)現(xiàn)程序處于虛擬機(jī)(特別是蜜罐系統(tǒng))中時(shí),它就會(huì)改變操作行為或者中斷執(zhí)行,以此提高反病毒人員分析惡意軟件行為的難度。本文主要針對(duì)基于Intel CPU的虛擬環(huán)境VMware中的Windows XP SP3系統(tǒng)進(jìn)行檢測(cè)分析,并列舉出當(dāng)前常見的幾種虛擬機(jī)檢測(cè)方法。

方法一:通過執(zhí)行特權(quán)指令來檢測(cè)虛擬機(jī)

Vmware為真主機(jī)與虛擬機(jī)之間提供了相互溝通的通訊機(jī)制,它使用“IN”指令來讀取特定端口的數(shù)據(jù)以進(jìn)行兩機(jī)通訊,但由于IN指令屬于特權(quán)指令,在處于保護(hù)模式下的真機(jī)上執(zhí)行此指令時(shí),除非權(quán)限允許,否則將會(huì)觸發(fā)類型為“EXCEPTION_PRIV_INSTRUCTION”的異常,而在虛擬機(jī)中并不會(huì)發(fā)生異常,在指定功能號(hào)0A(獲取VMware版本)的情況下,它會(huì)在EBX中返回其版本號(hào)“VMXH”;而當(dāng)功能號(hào)為0x14時(shí),可用于獲取VMware內(nèi)存大小,當(dāng)大于0時(shí)則說明處于虛擬機(jī)中。VMDetect正是利用前一種方法來檢測(cè)VMware的存在,其檢測(cè)代碼分析如下:
代碼:
bool IsInsideVMWare(){  bool rc = true;  __try  {    __asm    {      push   edx      push   ecx      push   ebx      mov    eax, 'VMXh'      mov    ebx, 0  // 將ebx設(shè)置為非幻數(shù)’VMXH’的其它值      mov    ecx, 10 // 指定功能號(hào),用于獲取VMWare版本,當(dāng)它為0x14時(shí)用于獲取VMware內(nèi)存大小      mov    edx, 'VX' // 端口號(hào)      in     eax, dx // 從端口dx讀取VMware版本到eax//若上面指定功能號(hào)為0x14時(shí),可通過判斷eax中的值是否大于0,若是則說明處于虛擬機(jī)中      cmp    ebx, 'VMXh' // 判斷ebx中是否包含VMware版本’VMXh’,若是則在虛擬機(jī)中      setz   [rc] // 設(shè)置返回值      pop    ebx      pop    ecx      pop    edx    }  }  __except(EXCEPTION_EXECUTE_HANDLER)  //如果未處于VMware中,則觸發(fā)此異常  {    rc = false;  }  return rc;}
測(cè)試結(jié)果:
 

                 圖1
如圖1所示,VMDetect成功檢測(cè)出VMWare的存在。

方法二:利用IDT基址檢測(cè)虛擬機(jī)

利用IDT基址檢測(cè)虛擬機(jī)的方法是一種通用方式,對(duì)VMware和Virtual PC均適用。中斷描述符表IDT(Interrupt Descriptor Table)用于查找處理中斷時(shí)所用的軟件函數(shù),它是一個(gè)由256項(xiàng)組成的數(shù)據(jù),其中每一中斷對(duì)應(yīng)一項(xiàng)函數(shù)。為了讀取IDT基址,我們需要通過SIDT指令來讀取IDTR(中斷描述符表寄存器,用于IDT在內(nèi)存中的基址),SIDT指令是以如下格式來存儲(chǔ)IDTR的內(nèi)容:
代碼:
typedef struct{    WORD IDTLimit;    // IDT的大小    WORD LowIDTbase;  // IDT的低位地址    WORD HiIDTbase;  // IDT的高位地址} IDTINFO;
由于只存在一個(gè)IDTR,但又存在兩個(gè)操作系統(tǒng),即虛擬機(jī)系統(tǒng)和真主機(jī)系統(tǒng)。為了防止發(fā)生沖突,VMM(虛擬機(jī)監(jiān)控器)必須更改虛擬機(jī)中的IDT地址,利用真主機(jī)與虛擬機(jī)環(huán)境中執(zhí)行sidt指令的差異即可用于檢測(cè)虛擬機(jī)是否存在。著名的“紅丸”(redpill)正是利用此原理來檢測(cè)VMware的。Redpill作者在VMware上發(fā)現(xiàn)虛擬機(jī)系統(tǒng)上的IDT地址通常位于0xFFXXXXXX,而Virtual PC通常位于0xE8XXXXXX,而在真實(shí)主機(jī)上正如圖2所示都位于0x80xxxxxx。Redpill僅僅是通過判斷執(zhí)行SIDT指令后返回的第一字節(jié)是否大于0xD0,若是則說明它處于虛擬機(jī),否則處于真實(shí)主機(jī)中。Redpill的源碼甚是精簡(jiǎn),源碼分析如下:
代碼:
#include <stdio.h>int main () {  unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";  //相當(dāng)于SIDT[adrr],其中addr用于保存IDT地址  *((unsigned*)&rpill[3]) = (unsigned)m;  //將sidt[addr]中的addr設(shè)為m的地址  ((void(*)())&rpill)();  //執(zhí)行SIDT指令,并將讀取后IDT地址保存在數(shù)組m中  printf ("idt base: %#x\n", *((unsigned*)&m[2]));   //由于前2字節(jié)為IDT大小,因此從m[2]開始即為IDT地址  if (m[5]>0xd0) printf ("Inside Matrix!\n", m[5]); //當(dāng)IDT基址大于0xd0xxxxxx時(shí)則說明程序處于VMware中  else printf ("Not in Matrix.\n");  return 0;}
測(cè)試結(jié)果如圖2所示:
 

                                     圖2
利用此IDT檢測(cè)的方法存在一個(gè)缺陷,由于IDT的值只針對(duì)處于正在運(yùn)行的處理器而言,在單CPU中它是個(gè)常量,但當(dāng)它處于多CPU時(shí)就可能會(huì)受到影響了,因?yàn)槊總€(gè)CPU都有其自己的IDT,這樣問題就自然而然的產(chǎn)生了。針對(duì)此問題,Offensive Computing組織成員提出了兩種應(yīng)對(duì)方法,其中一種方法就是利用Redpill反復(fù)地在系統(tǒng)上循環(huán)執(zhí)行任務(wù),以此構(gòu)造出一張當(dāng)前系統(tǒng)的IDT值變化統(tǒng)計(jì)圖,但這會(huì)增加CPU負(fù)擔(dān);另一種方法就是windows API函數(shù)SetThreadAffinityMask()將線程限制在單處理器上執(zhí)行,當(dāng)執(zhí)行此測(cè)試時(shí)只能準(zhǔn)確地將線程執(zhí)行環(huán)境限制在本地處理器,而對(duì)于將線程限制在VM處理器上就可能行不通了,因?yàn)閂M是計(jì)劃在各處理器上運(yùn)行的,VM線程在不同的處理器上執(zhí)行時(shí),IDT值將會(huì)發(fā)生變化,因此此方法也是很少被使用的。為此,有人提出了使用LDT的檢測(cè)方法,它在具有多個(gè)CPU的環(huán)境下檢測(cè)虛擬機(jī)明顯優(yōu)于IDT檢測(cè)方法,該方法具體內(nèi)容參見下節(jié)內(nèi)容。

方法三:利用LDT和GDT的檢測(cè)方法

在 《Intel? 64 and IA-32  Architecture Software Developer’s Manual Volume 3A: System Programming Guide》第二章的Vol.3 2-5 一頁(我的Intel開發(fā)手冊(cè)是2008版的)中對(duì)于LDT和GDT的描述如下(以下內(nèi)容為個(gè)人翻譯):
在保護(hù)模式下,所有的內(nèi)存訪問都要通過全局描述符表(GDT)或者本地描述符表(LDT)才能進(jìn)行。這些表包含有段描述符的調(diào)用入口。各個(gè)段描述符都包含有各段的基址,訪問權(quán)限,類型和使用信息,而且每個(gè)段描述符都擁有一個(gè)與之相匹配的段選擇子,各個(gè)段選擇子都為軟件程序提供一個(gè)GDT或LDT索引(與之相關(guān)聯(lián)的段描述符偏移量),一個(gè)全局/本地標(biāo)志(決定段選擇子是指向GDT還是LDT),以及訪問權(quán)限信息。
若想訪問段中的某一字節(jié),必須同時(shí)提供一個(gè)段選擇子和一個(gè)偏移量。段選擇子為段提供可訪問的段描述符地址(在GDT 或者LDT 中)。通過段描述符,處理器從中獲取段在線性地址空間里的基址,而偏移量用于確定字節(jié)地址相對(duì)基址的位置。假定處理器在當(dāng)前權(quán)限級(jí)別(CPL)可訪問這個(gè)段,那么通過這種機(jī)制就可以訪問在GDT 或LDT 中的各種有效代碼、數(shù)據(jù)或者堆棧段,這里的CPL是指當(dāng)前可執(zhí)行代碼段的保護(hù)級(jí)別。
……
GDT的線性基址被保存在GDT寄存器(GDTR)中,而LDT的線性基址被保存在LDT寄存器(LDTR)中。 

由于虛擬機(jī)與真實(shí)主機(jī)中的GDT和LDT并不能相同,這與使用IDT的檢測(cè)方法一樣,因此虛擬機(jī)必須為它們提供一個(gè)“復(fù)制體”。關(guān)于GDT和LDT的基址可通過SGDT和SLDT指令獲取。虛擬機(jī)檢測(cè)工具Scoopy suite的作者Tobias Klein經(jīng)測(cè)試發(fā)現(xiàn),當(dāng)LDT基址位于0x0000(只有兩字節(jié))時(shí)為真實(shí)主機(jī),否則為虛擬機(jī),而當(dāng)GDT基址位于0xFFXXXXXX時(shí)說明處于虛擬機(jī)中,否則為真實(shí)主機(jī)。具體實(shí)現(xiàn)代碼如下:
代碼:
#include <stdio.h>void LDTDetect(void){    unsigned short ldt_addr = 0;    unsigned char ldtr[2];    _asm sldt ldtr    ldt_addr = *((unsigned short *)&ldtr);    printf("LDT BaseAddr: 0x%x\n", ldt_addr);    if(ldt_addr == 0x0000)    {        printf("Native OS\n");    }    else        printf("Inside VMware\n");}void GDTDetect(void){    unsigned int gdt_addr = 0;    unsigned char gdtr[4];    _asm sgdt gdtr    gdt_addr = *((unsigned int *)&gdtr[2]);    printf("GDT BaseAddr:0x%x\n", gdt_addr);    if((gdt_addr >> 24) == 0xff)    {        printf("Inside VMware\n");    }    else        printf("Native OS\n");}int main(void){    LDTDetect();    GDTDetect();    return 0;}
測(cè)試結(jié)果如圖3所示:
 

                   圖3

方法四:基于STR的檢測(cè)方法

在保護(hù)模式下運(yùn)行的所有程序在切換任務(wù)時(shí),對(duì)于當(dāng)前任務(wù)中指向TSS的段選擇器將會(huì)被存儲(chǔ)在任務(wù)寄存器中,TSS中包含有當(dāng)前任務(wù)的可執(zhí)行環(huán)境狀態(tài),包括通用寄存器狀態(tài),段寄存器狀態(tài),標(biāo)志寄存器狀態(tài),EIP寄存器狀態(tài)等等,當(dāng)此項(xiàng)任務(wù)再次被執(zhí)行時(shí),處理器就會(huì)其原先保存的任務(wù)狀態(tài)。每項(xiàng)任務(wù)均有其自己的TSS,而我們可以通過STR指令來獲取指向當(dāng)前任務(wù)中TSS的段選擇器。這里STR(Store task register)指令是用于將任務(wù)寄存器 (TR) 中的段選擇器存儲(chǔ)到目標(biāo)操作數(shù),目標(biāo)操作數(shù)可以是通用寄存器或內(nèi)存位置,使用此指令存儲(chǔ)的段選擇器指向當(dāng)前正在運(yùn)行的任務(wù)的任務(wù)狀態(tài)段 (TSS)。在虛擬機(jī)和真實(shí)主機(jī)之中,通過STR讀取的地址是不同的,當(dāng)?shù)刂返扔?x0040xxxx時(shí),說明處于虛擬機(jī)中,否則為真實(shí)主機(jī)。實(shí)現(xiàn)代碼如下:
代碼:
#include <stdio.h>int main(void){    unsigned char mem[4] = {0};    int i;    __asm str mem;    printf (" STR base: 0x");    for (i=0; i<4; i++)    {        printf("%02x",mem[i]);    }    if ( (mem[0]==0x00) && (mem[1]==0x40))        printf("\n INSIDE MATRIX!!\n");    else        printf("\n Native OS!!\n");    return 0;}
測(cè)試結(jié)果如圖4所示:
 

                          圖4

方法五:基于注冊(cè)表檢測(cè)虛擬機(jī)

在windows虛擬機(jī)中常常安裝有VMware Tools以及其它的虛擬硬件(如網(wǎng)絡(luò)適配器、虛擬打印機(jī),USB集線器……),它們都會(huì)創(chuàng)建任何程序都可以讀取的windows注冊(cè)表項(xiàng),因此我們可以通過檢測(cè)注冊(cè)表中的一些關(guān)鍵字符來判斷程序是否處于虛擬機(jī)之中。關(guān)于這些注冊(cè)表的位置我們可以通過在注冊(cè)表中搜索關(guān)鍵詞“vmware”來獲取,下面是我在VMware下的WinXP中找到的一些注冊(cè)表項(xiàng):

項(xiàng)名:HKEY_CLASSES_ROOT\Applications\VMwareHostOpen.exe
項(xiàng)名:HKEY_CLASSES_ROOT\Installer\Products\C2A6F2EFE6910124C940B2B12CF170FE\ProductName
鍵值“VMware Tools”
項(xiàng)名:HKEY_CLASSES_ROOT\Installer\Products\C2A6F2EFE6910124C940B2B12CF170FE\SourceList\PackageName
鍵值:VMware Tools.msi
項(xiàng)名:HKEY_CURRENT_USER\Printers\DeviceOld
鍵值:_#VMwareVirtualPrinter,winspool,TPVM:
項(xiàng)名:HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
鍵值:VMware Virtual IDE Hard Drive
項(xiàng)名:HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
鍵值:NECVMWar VMware IDE CDR10
項(xiàng)名:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C2A6F2EFE6910124C940B2B12CF170FE\ProductName
鍵值:VMware Tools
項(xiàng)名:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C2A6F2EFE6910124C940B2B12CF170FE\InstallProperties\DisplayName
鍵值:VMware Tools
項(xiàng)名:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\0002\DeviceDesc
鍵值:VMware SVGA II
項(xiàng)名:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2\Description
鍵值:VMware Accelerated AMD PCNet Adapter
項(xiàng)名:HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
項(xiàng)名:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
鍵值:VMware SVGA II
項(xiàng)名:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-
08002BE10318}\0000\ProviderName
鍵值:VMware, Inc.
項(xiàng)名:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001\DriverDesc
鍵值:VMware Accelerated AMD PCNet Adapter
項(xiàng)名:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
鍵值:VMware SCSI Controller
項(xiàng)名:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ThinPrint Print Port Monitor for VMWare

補(bǔ)充另外一處 具體代碼如下:

  1. BOOL DetectVM() {  
  2.   
  3.     HKEY hKey;  
  4.   
  5.     char szBuffer[64];  
  6.   
  7.     unsigned long hSize= sizeof(szBuffer) - 1;  
  8.   
  9.     if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System\\BIOS\\", 0, KEY_READ, &hKey )==ERROR_SUCCESS ) {  
  10.   
  11.         RegQueryValueEx( hKey, "SystemManufacturer", NULL, NULL, (unsigned char *)szBuffer, &hSize );  
  12.   
  13.                 if( strstr( szBuffer, "VMWARE" )) {       
  14.   
  15.                     RegCloseKey( hKey );  
  16.   
  17.                     return TRUE;  
  18.   
  19.         }  
  20.   
  21.         RegCloseKey( hKey );  
  22.   
  23.     }  
  24.   
  25.     return FALSE;  
  26.   
  27. }  

除以上這些表項(xiàng)之外,還有很多地方可以檢測(cè),特別是虛擬機(jī)提供的虛擬化軟硬件、服務(wù)之類,比如文件共享服務(wù),VMware 物理磁盤助手服務(wù),VMware Ethernet Adapter Driver,VMware SCSI Controller等等的這些信息都可作為檢測(cè)虛擬機(jī)的手段。這里我們就以其中某表項(xiàng)為例編程舉例一下,其它表項(xiàng)檢測(cè)方法同理,具體代碼如下:

代碼:
.386.model flat, stdcalloption casemap:none   include  windows.inc   include  user32.inc   include  kernel32.inc   include  advapi32.inc   includelib  user32.lib   includelib  kernel32.lib   includelib  advapi32.lib.dataszCaption     db "VMware Detector ",0szInside         db "Inside VMware!",0szOutside              db "Native OS!",0szSubKey      db "software\VMWare, Inc.\VMware tools",0hKey              dd    ?.codestart:  invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE, addr szSubKey, 0,                 KEY_WRITE or KEY_READ, addr hKey  .if eax == ERROR_SUCCESS  invoke MessageBox, NULL,addr szInside, addr szCaption, MB_OK  .else  invoke MessageBox, NULL,addr szOutside, addr szCaption, MB_OK  .endif  invoke RegCloseKey,hKey  invoke ExitProcess,NULLend start
測(cè)試結(jié)果如圖5所示:
 

            圖5

方法六:基于時(shí)間差的檢測(cè)方式

本方法通過運(yùn)行一段特定代碼,然后比較這段代碼在虛擬機(jī)和真實(shí)主機(jī)之中的相對(duì)運(yùn)行時(shí)間,以此來判斷是否處于虛擬機(jī)之中。這段代碼我們可以通過RDTSC指令來實(shí)現(xiàn),RDTSC指令是用于將計(jì)算機(jī)啟動(dòng)以來的CPU運(yùn)行周期數(shù)存放到EDX:EAX里面,其中EDX是高位,而EAX是低位。下面我們以xchg    ecx,  eax 一句指令的運(yùn)行時(shí)間為例,這段指令在我的真實(shí)主機(jī)windows 7系統(tǒng)上的運(yùn)行時(shí)間為0000001E,如圖6所示:
 

              圖6
而該指令在虛擬機(jī)WinXP下的運(yùn)行時(shí)間為00000442,如圖7所示:
 

               圖7
兩者之間的運(yùn)行時(shí)間明顯差別很多,在虛擬機(jī)中的運(yùn)行速度遠(yuǎn)不如真實(shí)主機(jī)的,一般情況下,當(dāng)它的運(yùn)行時(shí)間大于0xFF時(shí),就可以確定它處于虛擬機(jī)之中了,因此不難寫出檢測(cè)程序,具體實(shí)現(xiàn)代碼如下:
代碼:
.586p.model flat, stdcalloption casemap:noneinclude      windows.incinclude       kernel32.incinclude      user32.incincludelib    kernel32.libincludelib    user32.lib      .dataszTitle      db  "VMDetect With RDTSC", 0hszInsideVM    db  "Inside VMware!", 0hszOutsideVM    db  "Native OS!", 0h.codestart:  RDTSC  xchg     ecx, eax  RDTSC    sub    eax, ecx  cmp    eax, 0FFh  jg    Detected    invoke  MessageBox, 0, offset szOutsideVM, offset szTitle, 0  ret  Detected:  invoke   MessageBox, 0, offset szInsideVM, offset szTitle, 0  retend start
測(cè)試結(jié)果如圖8所示:
 

              圖8

方法七:利用虛擬硬件指紋檢測(cè)虛擬機(jī)

利用虛擬硬件指紋也可用于檢測(cè)虛擬機(jī)的存在,比如VMware默認(rèn)的網(wǎng)卡MAC地址前綴為“00-05-69,00-0C-29或者00-50-56”,這前3節(jié)是由VMware分配的唯一標(biāo)識(shí)符OUI,以供它的虛擬化適配器使用。在我的VMWare WinXP下的MAC地址為00-0C-29-5B-D7-67,如圖9所示:
 

                                 圖9

但由于這些可經(jīng)過修改配置文件來繞過檢測(cè)。另外,還可通過檢測(cè)特定的硬件控制器,BIOS,USB控制器,顯卡,網(wǎng)卡等特征字符串進(jìn)行檢測(cè),這些在前面使用注冊(cè)表檢測(cè)方法中已有所涉及。

另外之前在看雪論壇上也有朋友提到通過檢測(cè)硬盤Model Number是否含有“vmware”或“virtual”等字樣來實(shí)現(xiàn)檢測(cè)虛擬機(jī)的功能,具體轉(zhuǎn)載如下:

  1. 小試 anti vmware  
  2.      今天偶然看到一款綠色版的硬盤專業(yè)工具,突然發(fā)現(xiàn)可以利用其中的一項(xiàng)功能來實(shí)現(xiàn)anti vmware。  
  3.   今日事今日畢,那就在今晚12:00之前把這個(gè)想法實(shí)現(xiàn)吧,let's go!  
  4.      我的想法就是檢測(cè)硬盤的modelnumber,具體什么是modelnumber自己網(wǎng)上搜吧,反正不是硬盤序列號(hào)。難點(diǎn)就是在多種操作系統(tǒng)下都要能起到anti vmware的效果。程序在xp、2k、2003下都可以檢測(cè)到vmware的運(yùn)行。  
  5.     直接貼代碼了,如果看不懂也沒關(guān)系,我也是逆了人家的代碼寫出來的。Delphi也可以當(dāng)匯編語言開發(fā)工具用,難道不是嗎?  
  6.     unit Unit1;  
  7.   interface    
  8.   uses  
  9.     Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,  
  10.     Dialogs, StdCtrls, Buttons;  
  11.   type  
  12.     TForm1 = class(TForm)  
  13.     BitBtn1: TBitBtn;  
  14.     procedure BitBtn1Click(Sender: TObject);  
  15.     procedure FormClose(Sender: TObject; var Action: TCloseAction);  
  16.     private  
  17.     { Private declarations }  
  18.     public  
  19.     { Public declarations }  
  20.     end;  
  21.     
  22.   var  
  23.     Form1: TForm1;  
  24.     hDeviceHandle:Thandle;  
  25.     
  26.   implementation  
  27.     
  28.   {$R *.dfm}  
  29.     
  30.   procedure TForm1.BitBtn1Click(Sender: TObject);  
  31.   var  
  32.      InBuffer: array[0..$8f] of byte;  
  33.      cb:Cardinal;  
  34.      tmp:Pchar;  
  35.   begin  
  36.        hDeviceHandle:=CreateFile('\\.\PHYSICALDRIVE0',$C0000000,$3,nil,OPEN_EXISTING,$8000000,0);  
  37.        ZeroMemory(@InBuffer,sizeof(InBuffer));  
  38.       asm  
  39.         pushad  
  40.         lea ebx,InBuffer  
  41.         xor ecx,ecx  
  42.         mov al,$2c  
  43.         MOV [ebx],al  
  44.         MOV EAX,$200c0000  
  45.         MOV [ebx+4], eax  
  46.         mov al,$01  
  47.         MOV [ebx+8],al  
  48.         mov al,$40  
  49.         MOV [ebx+$c],al  
  50.         MOV EAX,$0001a5E0  
  51.         MOV [ebx+$10], eax  
  52.         mov al,$30  
  53.         MOV [ebx+$18],al  
  54.         mov al,$12  
  55.         MOV [ebx+$1c],al  
  56.         mov al,$40  
  57.         MOV [ebx+$20],al  
  58.         add ecx,ebx  
  59.         add ecx,$50  
  60.         MOV [ebx+$14], ecx  
  61.         popad  
  62.       end;  
  63.     
  64.     
  65.       if DeviceIoControl(hDeviceHandle,$4D014,@InBuffer,$50,@InBuffer,$50,cb,nil) then  
  66.          begin  
  67.            asm  
  68.            pushad  
  69.            lea ebx,InBuffer  
  70.            add ebx,$58  
  71.            mov tmp,ebx  
  72.            popad  
  73.            end;  //asm  
  74.     
  75.          if ((pos('vmware',LowerCase(tmp))>0) or (pos('virtual',LowerCase(tmp))>0)) then  
  76.             showmessage('檢測(cè)到 VMware Workstation!!!')  
  77.            else  
  78.                showmessage('請(qǐng)?jiān)赩Mware中測(cè)試!');  
  79.     
  80.          end;  
  81.   end;  
  82.     
  83.   procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);  
  84.   begin  
  85.       closehandle(hDeviceHandle);  
  86.   end;  
  87.      
  88.   end.  
  89.     
  90.   代碼很短,但是效果不錯(cuò)。截圖幾張,留作紀(jì)念!  

C++代碼實(shí)現(xiàn)如下:

  1. 通過IOCTL_STORAGE_QUERY_PROPERTY  
  2.   
  3. typedef enum _STORAGE_QUERY_TYPE {PropertyStandardQuery = 0,PropertyExistsQuery,PropertyMaskQuery,PropertyQueryMaxDefined} STORAGE_QUERY_TYPE, *PSTORAGE_QUERY_TYPE;  
  4.   
  5. typedef enum _STORAGE_PROPERTY_ID {StorageDeviceProperty = 0,StorageAdapterProperty} STORAGE_PROPERTY_ID, *PSTORAGE_PROPERTY_ID;  
  6.   
  7. typedef struct _STORAGE_PROPERTY_QUERY {  
  8.   
  9.     STORAGE_PROPERTY_ID PropertyId;  
  10.   
  11.     STORAGE_QUERY_TYPE QueryType;  
  12.   
  13.     UCHAR AdditionalParameters[1];  
  14.   
  15.       
  16.   
  17. } STORAGE_PROPERTY_QUERY, *PSTORAGE_PROPERTY_QUERY;  
  18.   
  19. typedef struct _STORAGE_DEVICE_DESCRIPTOR {  
  20.   
  21.     ULONG Version;  
  22.   
  23.     ULONG Size;  
  24.   
  25.     UCHAR DeviceType;  
  26.   
  27.     UCHAR DeviceTypeModifier;  
  28.   
  29.     BOOLEAN RemovableMedia;  
  30.   
  31.     BOOLEAN CommandQueueing;  
  32.   
  33.     ULONG VendorIdOffset;  
  34.   
  35.     ULONG ProductIdOffset;  
  36.   
  37. } STORAGE_DEVICE_DESCRIPTOR, *PSTORAGE_DEVICE_DESCRIPTOR;  
  38.   
  39.    
  40.   
  41. #define IOCTL_STORAGE_QUERY_PROPERTY CTL_CODE(IOCTL_STORAGE_BASE, 0x0500, METHOD_BUFFERED, FILE_ANY_ACCESS)  
  42.   
  43.    
  44.   
  45. bool IsSandboxed()  
  46.   
  47. {  
  48.   
  49.     HANDLE hPhysicalDriveIOCTL = 0;  
  50.   
  51.     int j = 0,k = 0;  
  52.   
  53.     char szModel[128],szBuffer[128];  
  54.   
  55.     char *szDrives[] = {  
  56.   
  57.         "qemu",  
  58.   
  59.         "virtual",  
  60.   
  61.         "vmware",  
  62.   
  63.         NULL  
  64.   
  65.     };  
  66.   
  67.       
  68.   
  69.     hPhysicalDriveIOCTL = CreateFile ("\\\\.\\PhysicalDrive0", 0,FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,OPEN_EXISTING, 0, NULL);  
  70.   
  71.     if (hPhysicalDriveIOCTL != INVALID_HANDLE_VALUE)  
  72.   
  73.     {  
  74.   
  75.         STORAGE_PROPERTY_QUERY query;  
  76.   
  77.         DWORD cbBytesReturned = 0;  
  78.   
  79.         memset ((void *) & query, 0, sizeof (query));  
  80.   
  81.         query.PropertyId = StorageDeviceProperty;  
  82.   
  83.         memset (szBuffer, 0, sizeof (szBuffer));  
  84.   
  85.         memset (szModel, 0, sizeof (szModel));  
  86.   
  87.         if (DeviceIoControl(hPhysicalDriveIOCTL, IOCTL_STORAGE_QUERY_PROPERTY,& query,sizeof (query),& szBuffer,sizeof (szBuffer),& cbBytesReturned, NULL)){   
  88.   
  89.             STORAGE_DEVICE_DESCRIPTOR *descrip = (STORAGE_DEVICE_DESCRIPTOR*)&szBuffer;  
  90.   
  91.             int pos = descrip->ProductIdOffset;  
  92.   
  93.             int m = 0;  
  94.   
  95.             for(int g = pos;szBuffer[g] != '\0';g++){  
  96.   
  97.                 szModel[m++] = szBuffer[g];  
  98.   
  99.             }  
  100.   
  101.             CharLowerBuff(szModel,strlen(szModel));  
  102.   
  103.             for (int i = 0; i < (sizeof(szDrives)/sizeof(LPSTR)) - 1; i++ ) {  
  104.   
  105.                 if (szDrives[i][0] != 0) {  
  106.   
  107.                     if(strstr(szModel,szDrives[i]))  
  108.   
  109.                         return TRUE;  
  110.   
  111.                 }  
  112.   
  113.             }  
  114.   
  115.         }  
  116.   
  117.         CloseHandle (hPhysicalDriveIOCTL);  
  118.   
  119.     }  
  120.   
  121.     return FALSE;  
  122.   
  123. }  



總結(jié)
國(guó)外SANS安全組織的研究人員總結(jié)出當(dāng)前各種虛擬機(jī)檢測(cè)手段不外乎以下四類:
●  搜索虛擬環(huán)境中的進(jìn)程,文件系統(tǒng),注冊(cè)表;
●  搜索虛擬環(huán)境中的內(nèi)存
●  搜索虛擬環(huán)境中的特定虛擬硬件
●  搜索虛擬環(huán)境中的特定處理器指令和功能

因?yàn)楝F(xiàn)代計(jì)算系統(tǒng)大多是由文件系統(tǒng),內(nèi)存,處理器及各種硬件組件構(gòu)成的,上面提到的四種檢測(cè)手段均包含了這些因素??v觀前面各種檢測(cè)方法,也均在此四類當(dāng)中。除此之外,也有人提出通過網(wǎng)絡(luò)來檢測(cè)虛擬機(jī),比如搜索ICMP和TCP數(shù)據(jù)通訊的時(shí)間差異,IP ID數(shù)據(jù)包差異以及數(shù)據(jù)包中的異常頭信息等等。隨著技術(shù)研究的深入,相信會(huì)有更多的檢測(cè)手段出現(xiàn),與此同時(shí),虛擬機(jī)廠商也會(huì)不斷進(jìn)化它們的產(chǎn)品,以增加anti-vmware的難度,這不也正是一場(chǎng)永無休止的無煙戰(zhàn)爭(zhēng)!


================================================================================

anti VM的解決方法

對(duì)于上邊 方法一二三四六的解決方案是 :

1.在本機(jī)BIOS的CPU設(shè)置中開啟VT(虛擬化)選項(xiàng)。 注意要先做這一步以后 才能安裝VM 順序錯(cuò)了只能把VM完全卸載重新安裝。

2.新建虛擬機(jī) 在CPU設(shè)置如下圖設(shè)置:

主要目的是為了 關(guān)閉二進(jìn)制優(yōu)化 開啟虛擬機(jī)的VT虛擬化。

3.關(guān)閉一些虛擬機(jī)的設(shè)置 用記事本打開 VMX 文件 這個(gè)文件是VM的配置文件 如類似地址"C:\VM Machines\Windows 7 (32位)\Windows 7 (32位).vmx",在文本末尾加入

  1. isolation.tools.getPtrLocation.disable = "TRUE"  
  2. isolation.tools.setPtrLocation.disable = "TRUE"  
  3. isolation.tools.setVersion.disable = "TRUE"  
  4. isolation.tools.getVersion.disable = "TRUE"  
  5. monitor_control.disable_directexec = "TRUE"  
  6. monitor_control.disable_chksimd = "TRUE"  
  7. monitor_control.disable_ntreloc = "TRUE"  
  8. monitor_control.disable_selfmod = "TRUE"  
  9. monitor_control.disable_reloc = "TRUE"  
  10. monitor_control.disable_btinout = "TRUE"  
  11. monitor_control.disable_btmemspace = "TRUE"  
  12. monitor_control.disable_btpriv = "TRUE"  
  13. monitor_control.disable_btseg = "TRUE"  
  14. monitor_control.restrict_backdoor = "TRUE"  
這樣一來 就實(shí)現(xiàn)了 開啟VT虛擬化 關(guān)閉二進(jìn)制優(yōu)化 關(guān)閉各種后門 然后安裝VM中的系統(tǒng) 如WIN7 安裝好后在VM WIN7中運(yùn)行 方法一二三四六的檢測(cè)全部通過了。

方法七的解決方案就是修改硬件信息,這里的VM特征硬件信息有很多,這里只說網(wǎng)卡的,直接下載一個(gè)mac地址修改器,修改mac這樣一來mac地址就不是VM特有的了,從而達(dá)到過方法七的效果。


方法五,很多商業(yè)軟件都是用這個(gè)方法來驗(yàn)證,原因很簡(jiǎn)單不管是在驅(qū)動(dòng)還是在應(yīng)用層都可以很方便的讀取注冊(cè)表,只要保護(hù)開發(fā)人員自己安裝一個(gè)VM就能提取里邊特征注冊(cè)碼,這個(gè)解決方案就是 搜索注冊(cè)表的“VMware”  "virtual" 等字段,把能修改的都修改了,然后導(dǎo)出注冊(cè)表,以便重啟系統(tǒng)后導(dǎo)入,因?yàn)橹貑M后有些注冊(cè)表信息會(huì)還原。

實(shí)例如下:

環(huán)境:VM虛擬機(jī) WIN7 32位,光盤鏡像名稱 XBL_GHOST_WIN7_SP1_07ZJB.iso

原理:修改注冊(cè)表中的 “VMware” 修改為了 “test123”

注冊(cè)表:

  1. Windows Registry Editor Version 5.00  
  2.   
  3. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation]  
  4. "BIOSVersion"="6.00"  
  5. "BIOSReleaseDate"="07/02/2012"  
  6. "SystemManufacturer"="test123, Inc."  
  7. "SystemProductName"="test123 test123 Platform"  
  8. "InformationSource"=dword:00000001  
  9.   
  10. [HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS]  
  11. "BiosMajorRelease"=dword:00000004  
  12. "BiosMinorRelease"=dword:00000006  
  13. "ECFirmwareMajorRelease"=dword:00000000  
  14. "ECFirmwareMinorRelease"=dword:00000000  
  15. "BaseBoardManufacturer"="Intel Corporation"  
  16. "BaseBoardProduct"="440BX Desktop Reference Platform"  
  17. "BaseBoardVersion"="None"  
  18. "BIOSReleaseDate"="07/02/2012"  
  19. "BIOSVendor"="Phoenix Technologies LTD"  
  20. "BIOSVersion"="6.00"  
  21. "SystemFamily"=""  
  22. "SystemManufacturer"="test123, Inc."  
  23. "SystemProductName"="test123 test123 Platform"  
  24. "SystemSKU"=""  
  25. "SystemVersion"="None"  
  26.   
  27. [HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0]  
  28. "InquiryData"=hex:00,00,02,02,1f,00,00,73,56,4d,77,61,72,65,2c,20,56,4d,77,61,\  
  29.   72,65,20,56,69,72,74,75,61,6c,20,53,31,2e,30,20  
  30. "Identifier"="test123, test123 Virtual S1.0 "  
  31. "DeviceType"="DiskPeripheral"  
  32.   
  33. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000]  
  34. "CoInstallers32"=hex(7):76,00,6d,00,78,00,5f,00,6d,00,6f,00,64,00,65,00,2e,00,\  
  35.   64,00,6c,00,6c,00,2c,00,20,00,56,00,4d,00,58,00,5f,00,4d,00,6f,00,64,00,65,\  
  36.   00,43,00,68,00,61,00,6e,00,67,00,65,00,00,00,00,00  
  37. "InfPath"="oem2.inf"  
  38. "InfSection"="vmx_svga_vista"  
  39. "ProviderName"="test123, Inc."  
  40. "DriverDateData"=hex:00,80,de,95,e5,e0,ca,01  
  41. "DriverDate"="4-21-2010"  
  42. "DriverVersion"="11.6.0.35"  
  43. "MatchingDeviceId"="pci\\ven_15ad&dev_0405&subsys_040515ad&rev_00"  
  44. "DriverDesc"="test123 SVGA II"  
  45. "FeatureScore"=dword:000000fc  
  46.   
  47. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings]  
  48. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  49.   00  
  50. "VgaCompatible"=dword:00000000  
  51. "DefaultSettings.XResolution"=dword:00000280  
  52. "DefaultSettings.YResolution"=dword:000001e0  
  53. "DefaultSettings.BitsPerPel"=dword:00000020  
  54. "Device Description"="test123 SVGA II"  
  55.   
  56. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation]  
  57. "BIOSVersion"="6.00"  
  58. "BIOSReleaseDate"="07/02/2012"  
  59. "SystemManufacturer"="test123, Inc."  
  60. "SystemProductName"="test123 test123 Platform"  
  61. "InformationSource"=dword:00000001  
  62.   
  63. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000]  
  64. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  65.   00  
  66. "VgaCompatible"=dword:00000000  
  67. "DefaultSettings.XResolution"=dword:00000280  
  68. "DefaultSettings.YResolution"=dword:000001e0  
  69. "DefaultSettings.BitsPerPel"=dword:00000020  
  70. "Device Description"="test123 SVGA II"  
  71. "Resolution.0"=hex:33,32,30,78,32,34,30,00  
  72. "Resolution.1"=hex:34,30,30,78,33,30,30,00  
  73. "Resolution.2"=hex:35,31,32,78,33,38,34,00  
  74. "Resolution.3"=hex:36,34,30,78,34,38,30,00  
  75. "Resolution.4"=hex:38,30,30,78,36,30,30,00  
  76. "Resolution.5"=hex:31,30,32,34,78,37,36,38,00  
  77. "Resolution.6"=hex:31,31,35,32,78,38,36,34,00  
  78. "Resolution.7"=hex:31,32,38,30,78,39,36,30,00  
  79. "Resolution.8"=hex:31,34,30,30,78,31,30,35,30,00  
  80. "Resolution.9"=hex:31,36,30,30,78,31,32,30,30,00  
  81. "Resolution.10"=hex:31,39,32,30,78,31,34,34,30,00  
  82. "Resolution.11"=hex:32,30,34,38,78,31,35,33,36,00  
  83. "Resolution.12"=hex:32,35,36,30,78,31,39,32,30,00  
  84. "Resolution.13"=hex:38,35,34,78,34,38,30,00  
  85. "Resolution.14"=hex:31,32,38,30,78,37,32,30,00  
  86. "Resolution.15"=hex:31,33,36,36,78,37,36,38,00  
  87. "Resolution.16"=hex:31,39,32,30,78,31,30,38,30,00  
  88. "Resolution.17"=hex:31,32,38,30,78,38,30,30,00  
  89. "Resolution.18"=hex:31,34,34,30,78,39,30,30,00  
  90. "Resolution.19"=hex:31,36,38,30,78,31,30,35,30,00  
  91. "Resolution.20"=hex:31,39,32,30,78,31,32,30,30,00  
  92. "Resolution.21"=hex:32,35,36,30,78,31,36,30,30,00  
  93. "Resolution.22"=hex:37,32,30,78,34,38,30,00  
  94. "Resolution.23"=hex:37,32,30,78,35,37,36,00  
  95. "Resolution.24"=hex:33,32,30,78,32,30,30,00  
  96. "Resolution.25"=hex:36,34,30,78,34,30,30,00  
  97. "Resolution.26"=hex:38,30,30,78,34,38,30,00  
  98. "Resolution.27"=hex:31,32,38,30,78,37,36,38,00  
  99. "Resolution.28"=hex:31,32,38,30,78,31,30,32,34,00  
  100. "HardwareInformation.ChipType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\  
  101.   53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  102. "HardwareInformation.DacType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,53,\  
  103.   00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  104. "HardwareInformation.MemorySize"=hex:00,00,00,08  
  105. "HardwareInformation.AdapterString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,\  
  106.   00,53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  107. "HardwareInformation.BiosString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\  
  108.   53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  109.   
  110. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000\VolatileSettings]  
  111. "{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\  
  112.   00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\  
  113.   45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\  
  114.   00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\  
  115.   45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\  
  116.   00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\  
  117.   35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\  
  118.   00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\  
  119.   31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00  
  120.   
  121. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001]  
  122. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  123.   00  
  124. "VgaCompatible"=dword:00000000  
  125. "DefaultSettings.XResolution"=dword:00000280  
  126. "DefaultSettings.YResolution"=dword:000001e0  
  127. "DefaultSettings.BitsPerPel"=dword:00000020  
  128. "Device Description"="test123 SVGA II"  
  129.   
  130. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001\VolatileSettings]  
  131. "{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\  
  132.   00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\  
  133.   45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\  
  134.   00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\  
  135.   45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\  
  136.   00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\  
  137.   35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\  
  138.   00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\  
  139.   31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00  
  140.   
  141.   [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\vmx_svga\Device0]  
  142. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  143.   00  
  144. "VgaCompatible"=dword:00000000  
  145. "DefaultSettings.XResolution"=dword:00000280  
  146. "DefaultSettings.YResolution"=dword:000001e0  
  147. "DefaultSettings.BitsPerPel"=dword:00000020  
  148. "Device Description"="test123 SVGA II"  
  149.   
  150. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000]  
  151. "CoInstallers32"=hex(7):76,00,6d,00,78,00,5f,00,6d,00,6f,00,64,00,65,00,2e,00,\  
  152.   64,00,6c,00,6c,00,2c,00,20,00,56,00,4d,00,58,00,5f,00,4d,00,6f,00,64,00,65,\  
  153.   00,43,00,68,00,61,00,6e,00,67,00,65,00,00,00,00,00  
  154. "InfPath"="oem2.inf"  
  155. "InfSection"="vmx_svga_vista"  
  156. "ProviderName"="test123, Inc."  
  157. "DriverDateData"=hex:00,80,de,95,e5,e0,ca,01  
  158. "DriverDate"="4-21-2010"  
  159. "DriverVersion"="11.6.0.35"  
  160. "MatchingDeviceId"="pci\\ven_15ad&dev_0405&subsys_040515ad&rev_00"  
  161. "DriverDesc"="test123 SVGA II"  
  162. "FeatureScore"=dword:000000fc  
  163.   
  164. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings]  
  165. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  166.   00  
  167. "VgaCompatible"=dword:00000000  
  168. "DefaultSettings.XResolution"=dword:00000280  
  169. "DefaultSettings.YResolution"=dword:000001e0  
  170. "DefaultSettings.BitsPerPel"=dword:00000020  
  171. "Device Description"="test123 SVGA II"  
  172.   
  173. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000]  
  174. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  175.   00  
  176. "VgaCompatible"=dword:00000000  
  177. "DefaultSettings.XResolution"=dword:00000280  
  178. "DefaultSettings.YResolution"=dword:000001e0  
  179. "DefaultSettings.BitsPerPel"=dword:00000020  
  180. "Device Description"="test123 SVGA II"  
  181. "Resolution.0"=hex:33,32,30,78,32,34,30,00  
  182. "Resolution.1"=hex:34,30,30,78,33,30,30,00  
  183. "Resolution.2"=hex:35,31,32,78,33,38,34,00  
  184. "Resolution.3"=hex:36,34,30,78,34,38,30,00  
  185. "Resolution.4"=hex:38,30,30,78,36,30,30,00  
  186. "Resolution.5"=hex:31,30,32,34,78,37,36,38,00  
  187. "Resolution.6"=hex:31,31,35,32,78,38,36,34,00  
  188. "Resolution.7"=hex:31,32,38,30,78,39,36,30,00  
  189. "Resolution.8"=hex:31,34,30,30,78,31,30,35,30,00  
  190. "Resolution.9"=hex:31,36,30,30,78,31,32,30,30,00  
  191. "Resolution.10"=hex:31,39,32,30,78,31,34,34,30,00  
  192. "Resolution.11"=hex:32,30,34,38,78,31,35,33,36,00  
  193. "Resolution.12"=hex:32,35,36,30,78,31,39,32,30,00  
  194. "Resolution.13"=hex:38,35,34,78,34,38,30,00  
  195. "Resolution.14"=hex:31,32,38,30,78,37,32,30,00  
  196. "Resolution.15"=hex:31,33,36,36,78,37,36,38,00  
  197. "Resolution.16"=hex:31,39,32,30,78,31,30,38,30,00  
  198. "Resolution.17"=hex:31,32,38,30,78,38,30,30,00  
  199. "Resolution.18"=hex:31,34,34,30,78,39,30,30,00  
  200. "Resolution.19"=hex:31,36,38,30,78,31,30,35,30,00  
  201. "Resolution.20"=hex:31,39,32,30,78,31,32,30,30,00  
  202. "Resolution.21"=hex:32,35,36,30,78,31,36,30,30,00  
  203. "Resolution.22"=hex:37,32,30,78,34,38,30,00  
  204. "Resolution.23"=hex:37,32,30,78,35,37,36,00  
  205. "Resolution.24"=hex:33,32,30,78,32,30,30,00  
  206. "Resolution.25"=hex:36,34,30,78,34,30,30,00  
  207. "Resolution.26"=hex:38,30,30,78,34,38,30,00  
  208. "Resolution.27"=hex:31,32,38,30,78,37,36,38,00  
  209. "Resolution.28"=hex:31,32,38,30,78,31,30,32,34,00  
  210. "HardwareInformation.ChipType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\  
  211.   53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  212. "HardwareInformation.DacType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,53,\  
  213.   00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  214. "HardwareInformation.MemorySize"=hex:00,00,00,08  
  215. "HardwareInformation.AdapterString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,\  
  216.   00,53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  217. "HardwareInformation.BiosString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\  
  218.   53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  219.     
  220. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001]  
  221. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  222.   00  
  223. "VgaCompatible"=dword:00000000  
  224. "DefaultSettings.XResolution"=dword:00000280  
  225. "DefaultSettings.YResolution"=dword:000001e0  
  226. "DefaultSettings.BitsPerPel"=dword:00000020  
  227. "Device Description"="test123 SVGA II"  
  228.   
  229. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\vmx_svga\Device0]  
  230. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  231.   00  
  232. "VgaCompatible"=dword:00000000  
  233. "DefaultSettings.XResolution"=dword:00000280  
  234. "DefaultSettings.YResolution"=dword:000001e0  
  235. "DefaultSettings.BitsPerPel"=dword:00000020  
  236. "Device Description"="test123 SVGA II"  
  237.   
  238. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000]  
  239. "CoInstallers32"=hex(7):76,00,6d,00,78,00,5f,00,6d,00,6f,00,64,00,65,00,2e,00,\  
  240.   64,00,6c,00,6c,00,2c,00,20,00,56,00,4d,00,58,00,5f,00,4d,00,6f,00,64,00,65,\  
  241.   00,43,00,68,00,61,00,6e,00,67,00,65,00,00,00,00,00  
  242. "InfPath"="oem2.inf"  
  243. "InfSection"="vmx_svga_vista"  
  244. "ProviderName"="test123, Inc."  
  245. "DriverDateData"=hex:00,80,de,95,e5,e0,ca,01  
  246. "DriverDate"="4-21-2010"  
  247. "DriverVersion"="11.6.0.35"  
  248. "MatchingDeviceId"="pci\\ven_15ad&dev_0405&subsys_040515ad&rev_00"  
  249. "DriverDesc"="test123 SVGA II"  
  250. "FeatureScore"=dword:000000fc  
  251.   
  252. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings]  
  253. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  254.   00  
  255. "VgaCompatible"=dword:00000000  
  256. "DefaultSettings.XResolution"=dword:00000280  
  257. "DefaultSettings.YResolution"=dword:000001e0  
  258. "DefaultSettings.BitsPerPel"=dword:00000020  
  259. "Device Description"="test123 SVGA II"  
  260.   
  261. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation]  
  262. "BIOSVersion"="6.00"  
  263. "BIOSReleaseDate"="07/02/2012"  
  264. "SystemManufacturer"="test123, Inc."  
  265. "SystemProductName"="test123 test123 Platform"  
  266. "InformationSource"=dword:00000001  
  267.   
  268. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000]  
  269. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  270.   00  
  271. "VgaCompatible"=dword:00000000  
  272. "DefaultSettings.XResolution"=dword:00000280  
  273. "DefaultSettings.YResolution"=dword:000001e0  
  274. "DefaultSettings.BitsPerPel"=dword:00000020  
  275. "Device Description"="test123 SVGA II"  
  276. "Resolution.0"=hex:33,32,30,78,32,34,30,00  
  277. "Resolution.1"=hex:34,30,30,78,33,30,30,00  
  278. "Resolution.2"=hex:35,31,32,78,33,38,34,00  
  279. "Resolution.3"=hex:36,34,30,78,34,38,30,00  
  280. "Resolution.4"=hex:38,30,30,78,36,30,30,00  
  281. "Resolution.5"=hex:31,30,32,34,78,37,36,38,00  
  282. "Resolution.6"=hex:31,31,35,32,78,38,36,34,00  
  283. "Resolution.7"=hex:31,32,38,30,78,39,36,30,00  
  284. "Resolution.8"=hex:31,34,30,30,78,31,30,35,30,00  
  285. "Resolution.9"=hex:31,36,30,30,78,31,32,30,30,00  
  286. "Resolution.10"=hex:31,39,32,30,78,31,34,34,30,00  
  287. "Resolution.11"=hex:32,30,34,38,78,31,35,33,36,00  
  288. "Resolution.12"=hex:32,35,36,30,78,31,39,32,30,00  
  289. "Resolution.13"=hex:38,35,34,78,34,38,30,00  
  290. "Resolution.14"=hex:31,32,38,30,78,37,32,30,00  
  291. "Resolution.15"=hex:31,33,36,36,78,37,36,38,00  
  292. "Resolution.16"=hex:31,39,32,30,78,31,30,38,30,00  
  293. "Resolution.17"=hex:31,32,38,30,78,38,30,30,00  
  294. "Resolution.18"=hex:31,34,34,30,78,39,30,30,00  
  295. "Resolution.19"=hex:31,36,38,30,78,31,30,35,30,00  
  296. "Resolution.20"=hex:31,39,32,30,78,31,32,30,30,00  
  297. "Resolution.21"=hex:32,35,36,30,78,31,36,30,30,00  
  298. "Resolution.22"=hex:37,32,30,78,34,38,30,00  
  299. "Resolution.23"=hex:37,32,30,78,35,37,36,00  
  300. "Resolution.24"=hex:33,32,30,78,32,30,30,00  
  301. "Resolution.25"=hex:36,34,30,78,34,30,30,00  
  302. "Resolution.26"=hex:38,30,30,78,34,38,30,00  
  303. "Resolution.27"=hex:31,32,38,30,78,37,36,38,00  
  304. "Resolution.28"=hex:31,32,38,30,78,31,30,32,34,00  
  305. "HardwareInformation.ChipType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\  
  306.   53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  307. "HardwareInformation.DacType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,53,\  
  308.   00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  309. "HardwareInformation.MemorySize"=hex:00,00,00,08  
  310. "HardwareInformation.AdapterString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,\  
  311.   00,53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  312. "HardwareInformation.BiosString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\  
  313.   53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00  
  314.   
  315. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000\VolatileSettings]  
  316. "{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\  
  317.   00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\  
  318.   45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\  
  319.   00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\  
  320.   45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\  
  321.   00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\  
  322.   35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\  
  323.   00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\  
  324.   31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00  
  325.   
  326. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001]  
  327. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  328.   00  
  329. "VgaCompatible"=dword:00000000  
  330. "DefaultSettings.XResolution"=dword:00000280  
  331. "DefaultSettings.YResolution"=dword:000001e0  
  332. "DefaultSettings.BitsPerPel"=dword:00000020  
  333. "Device Description"="test123 SVGA II"  
  334.   
  335. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001\VolatileSettings]  
  336. "{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\  
  337.   00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\  
  338.   45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\  
  339.   00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\  
  340.   45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\  
  341.   00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\  
  342.   35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\  
  343.   00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\  
  344.   31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00  
  345.   
  346.   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmx_svga\Device0]  
  347. "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\  
  348.   00  
  349. "VgaCompatible"=dword:00000000  
  350. "DefaultSettings.XResolution"=dword:00000280  
  351. "DefaultSettings.YResolution"=dword:000001e0  
  352. "DefaultSettings.BitsPerPel"=dword:00000020  
  353. "Device Description"="test123 SVGA II"  
這樣一來就解決了方法五,anti VM有可能是多種方法結(jié)合,所以需要具體測(cè)試。

本站僅提供存儲(chǔ)服務(wù),所有內(nèi)容均由用戶發(fā)布,如發(fā)現(xiàn)有害或侵權(quán)內(nèi)容,請(qǐng)點(diǎn)擊舉報(bào)。
打開APP,閱讀全文并永久保存 查看更多類似文章
猜你喜歡
類似文章
檢測(cè)當(dāng)前環(huán)境是否是虛擬機(jī)
判斷程序是否在虛擬機(jī)vmware內(nèi)運(yùn)行
針對(duì)沙箱檢測(cè)的逃逸技術(shù)小討論
外掛原理4
NT 內(nèi)核的進(jìn)程調(diào)度分析筆記
如何判斷 Linux 是否運(yùn)行在虛擬機(jī)上 | vpsee.com
更多類似文章 >>
生活服務(wù)
熱點(diǎn)新聞
分享 收藏 導(dǎo)長(zhǎng)圖 關(guān)注 下載文章
綁定賬號(hào)成功
后續(xù)可登錄賬號(hào)暢享VIP特權(quán)!
如果VIP功能使用有故障,
可點(diǎn)擊這里聯(lián)系客服!

聯(lián)系客服