PELock Blog » VMware http://www.pelock.com/blog Assembler, software protection, code obfuscation and other crazy stuff. Fri, 04 Apr 2008 11:05:14 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 VMware detection (anti-debugging trick against TRW) http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/ http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/#comments Sun, 15 Apr 2007 19:44:26 +0000 Bartosz http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/ Some of the anti-debugging tricks can be used to detect VMware, one of them is an old anti TRW (TRW was a popular debugger in 9x days) trick.

This anti-debugging trick works fine on a real Windows 9x installations (95, 98, ME) but it raises an exception under VMware (while reading IDT entry).

BOOL IsVMware9xTrw()
{
    // detect NT/XP/Vista
    if ( (GetVersion() & 0x80000000) == 0 )
    {
        return FALSE;
    }
 
    // detect VMWare (anti debugging trick against TRW)
    // VMware isn't detected with vm acceleration disabled
    __try
    {
        __asm
        {
            sub    esp, 6
            sidt   fword ptr [esp]
            pop    ax
            pop    eax
            mov    al, byte ptr [eax + 00Eh]
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        return TRUE;
    }
 
    return FALSE;
}

Binaries and source code:
http://www.pelock.com/download.php?f=vmware_trw.zip (18 kB)

Please test this code on your own systems and tell me about the results.

]]> http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/feed/ 5