Some anti-debugging tricks can also be used to detect VMware; one of them is an old anti-TRW trick (TRW was a popular debugger in the Windows 9x days).
This anti-debugging trick works fine on real Windows 9x installations (95, 98, ME), but under VMware it raises an exception while reading the IDT entry.
#include <windows.h>

BOOL IsVMware9xTrw()
{
    // detect NT/XP/Vista: the high bit of GetVersion() is set only on Win9x
    if ( (GetVersion() & 0x80000000) == 0 )
    {
        return FALSE;
    }

    // detect VMWare (anti debugging trick against TRW)
    // VMware isn't detected with vm acceleration disabled
    __try
    {
        __asm
        {
            sub esp, 6                       // room for the 6-byte IDTR image
            sidt fword ptr [esp]             // store IDTR: 16-bit limit, 32-bit base
            pop ax                           // ax  = IDT limit
            pop eax                          // eax = IDT linear base
            mov al, byte ptr [eax + 00Eh]    // read one byte of the IDT; faults under VMware
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        return TRUE;
    }

    return FALSE;
}
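As an added example (not code from the original post or from the pelock download), here is portable C that decodes the 6-byte IDTR image SIDT stores, which is exactly what the pop ax / pop eax pair above picks up, and shows which IDT gate field the read at base + 0Eh lands on. The IDTR bytes and the gate descriptor are constructed sample data, not values read from a real machine.

```c
#include <stdint.h>

/* IDTR as SIDT stores it in memory: 16-bit limit, then 32-bit linear base. */
typedef struct { uint16_t limit; uint32_t base; } idtr_t;

/* Fields of one 32-bit interrupt gate descriptor (8 bytes in the IDT). */
typedef struct { uint32_t offset; uint16_t selector; uint8_t type_attr; } gate_t;

/* Decode the 6 bytes left on the stack by "sub esp, 6 / sidt [esp]".
   Little-endian: bytes 0-1 are the limit, bytes 2-5 the base. */
idtr_t decode_idtr(const uint8_t img[6])
{
    idtr_t r;
    r.limit = (uint16_t)(img[0] | (img[1] << 8));
    r.base  = (uint32_t)img[2] | ((uint32_t)img[3] << 8) |
              ((uint32_t)img[4] << 16) | ((uint32_t)img[5] << 24);
    return r;
}

/* Decode one 8-byte gate: offset low (bytes 0-1), selector (2-3),
   reserved (4), type/attributes (5), offset high (6-7). */
gate_t decode_gate(const uint8_t d[8])
{
    gate_t g;
    g.offset    = (uint32_t)(d[0] | (d[1] << 8)) |
                  ((uint32_t)(d[6] | (d[7] << 8)) << 16);
    g.selector  = (uint16_t)(d[2] | (d[3] << 8));
    g.type_attr = d[5];
    return g;
}

/* Map a byte offset from the IDT base to (gate index, byte within gate).
   For 0x0E this is gate 1, byte 6: the low byte of the handler offset's high half. */
int idt_byte_to_gate(uint32_t off, int *byte_in_gate)
{
    *byte_in_gate = (int)(off % 8);
    return (int)(off / 8);
}

/* Is a byte offset inside the table the IDTR describes? (limit is inclusive) */
int idt_offset_in_table(idtr_t r, uint32_t off)
{
    return off <= r.limit;
}

/* Constructed sample IDTR image: 256 gates (limit 0x07FF) at base 0x80001000. */
const uint8_t SAMPLE_IDTR[6] = { 0xFF, 0x07, 0x00, 0x10, 0x00, 0x80 };
```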
Binaries and source code:
http://www.pelock.com/download.php?f=vmware_trw.zip (18 kB)
Please test this code on your own systems and let me know the results.
Tags: VMware
5 Comments to “VMware detection (anti-debugging trick against TRW)”
April 16, 2007
Any idea why it only works on 95, 98, ME?
I haven’t tested it nor thought about it; I just read your post.
April 16, 2007
Well, you can’t read the IDT table from NT/XP/Vista (access violation by default).
April 27, 2007
This works for XP:
http://invisiblethings.org/papers/redpill.html
April 27, 2007
Redpill works only on single-CPU workstations, and it works a little differently, by checking the IDT’s base address.