Introduction
In today's information security field, and in malware analysis in particular, virtual machine technology is used constantly, both to make the analysis process safer and to save hardware resources, so its use in the malware field keeps growing. By a virtual machine we mean a complete computer system, simulated in software with full hardware functionality, that runs in a fully isolated environment. With virtualization software (such as VMware, Virtual PC or VirtualBox) you can simulate one or more virtual computers on a single physical machine, and these virtual machines work just like real computers: you can install an operating system, install applications, access network resources and so on. To improve the stealth of their malware and its chances of damaging a real host, attackers add VM-detection code to it so that the program can determine the environment it is running in. When the program finds that it is inside a virtual machine (and especially a honeypot), it changes its behaviour or stops executing, which makes it harder for anti-virus analysts to study the malware's behaviour. This article analyses detection against a Windows XP SP3 guest running in VMware on an Intel CPU and lists several VM-detection methods in common use today.
Method 1: Detecting the VM by executing a privileged instruction
VMware provides a communication mechanism between the host and the guest: it uses the IN instruction to read data from a specific port for host/guest communication. Because IN is a privileged instruction, executing it on a real machine in protected mode raises an exception of type EXCEPTION_PRIV_INSTRUCTION unless the privilege level allows it, whereas inside the virtual machine no exception occurs. With function number 0x0A (get VMware version) specified, the version magic "VMXH" is returned in EBX; with function number 0x14 the VMware memory size can be obtained, and a value greater than 0 indicates a virtual machine. VMDetect uses the first of these two approaches to detect VMware; its detection code is analysed below:
Code:
#include <windows.h>   // __try/__except and EXCEPTION_EXECUTE_HANDLER (MSVC, 32-bit build)

bool IsInsideVMWare()
{
    bool rc = true;
    __try
    {
        __asm
        {
            push edx
            push ecx
            push ebx
            mov eax, 'VMXh'     // magic number
            mov ebx, 0          // set EBX to anything other than the magic 'VMXh'
            mov ecx, 10         // function number 0x0A: get VMware version (0x14 would return the VMware memory size)
            mov edx, 'VX'       // port number
            in eax, dx          // read the VMware version from port DX into EAX
            // with function number 0x14 instead, EAX > 0 would indicate a virtual machine
            cmp ebx, 'VMXh'     // did EBX receive the magic 'VMXh'? if so we are inside VMware
            setz [rc]           // set the return value
            pop ebx
            pop ecx
            pop edx
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER) // outside VMware the IN instruction raises this exception
    {
        rc = false;
    }
    return rc;
}
Test result:
[Figure 1]
As Figure 1 shows, VMDetect successfully detects the presence of VMware.
Method 2: Detecting the VM via the IDT base address
Using the IDT base address to detect a virtual machine is a general technique that works for both VMware and Virtual PC. The Interrupt Descriptor Table (IDT) is used to look up the software routine invoked when an interrupt is handled; it is a table of 256 entries, one handler per interrupt. To read the IDT base we read IDTR (the interrupt descriptor table register, which holds the base address of the IDT in memory) with the SIDT instruction; SIDT stores the contents of IDTR in the following format:
Code:
typedef struct
{
    WORD IDTLimit;    // size (limit) of the IDT
    WORD LowIDTbase;  // low 16 bits of the IDT base address
    WORD HiIDTbase;   // high 16 bits of the IDT base address
} IDTINFO;
由于隻存在一個IDTR,但又存在兩個作業系統,即虛拟機系統和真主機系統。為了防止發生沖突,VMM(虛拟機監控器)必須更改虛拟機中的IDT位址,利用真主機與虛拟機環境中執行sidt指令的差異即可用于檢測虛拟機是否存在。著名的“紅丸”(redpill)正是利用此原理來檢測VMware的。Redpill作者在VMware上發現虛拟機系統上的IDT位址通常位于0xFFXXXXXX,而Virtual PC通常位于0xE8XXXXXX,而在真實主機上正如圖2所示都位于0x80xxxxxx。Redpill僅僅是通過判斷執行SIDT指令後傳回的第一位元組是否大于0xD0,若是則說明它處于虛拟機,否則處于真實主機中。Redpill的源碼甚是精簡,源碼分析如下:
Code:
#include <stdio.h>

int main () {
    /* rpill holds the machine code for "sidt [addr]; ret"; addr is patched below to point at m,
       the buffer that receives the IDTR image. 32-bit build only, and the stack must be executable. */
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    *((unsigned*)&rpill[3]) = (unsigned)m;                 /* set addr in "sidt [addr]" to the address of m */
    ((void(*)())&rpill)();                                  /* execute SIDT; the IDTR contents land in m */
    printf ("idt base: %#x\n", *((unsigned*)&m[2]));        /* the first 2 bytes are the limit, so the base starts at m[2] */
    if (m[5]>0xd0) printf ("Inside Matrix!\n");             /* IDT base of 0xd0xxxxxx or above means the program is in VMware */
    else printf ("Not in Matrix.\n");
    return 0;
}
The test result is shown in Figure 2:
[Figure 2]
This IDT-based check has a weakness. The IDT value is specific to the processor currently running the code: on a single-CPU machine it is a constant, but on a multi-CPU machine it can be affected, because each CPU has its own IDT, and that is where the problem arises. Members of the Offensive Computing group proposed two ways to deal with it. One is to run Redpill repeatedly in a loop on the system and build a statistical picture of how the IDT value varies on the current system, at the cost of extra CPU load. The other is to use the Windows API function SetThreadAffinityMask() to pin the thread to a single processor; this reliably restricts the thread to a native processor, but pinning it to a VM processor may not work, since the VM is scheduled across processors and the IDT value changes as the VM thread runs on different processors, so this approach is rarely used. For this reason an LDT-based check was proposed, which is clearly better than the IDT check for detecting a virtual machine on systems with several CPUs; it is described in the next section.
Method 3: Detection via the LDT and GDT
In the Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 3A: System Programming Guide, chapter 2, page Vol. 3 2-5 (my copy of the Intel manual is the 2008 edition), the LDT and GDT are described as follows (my own translation):
In protected mode, all memory accesses pass through either the global descriptor table (GDT) or the local descriptor table (LDT). These tables contain entries called segment descriptors. Each segment descriptor holds the base address, access rights, type and usage information of a segment, and each segment descriptor has an associated segment selector; a segment selector provides software with an index into the GDT or LDT (the offset of its associated segment descriptor), a global/local flag (which determines whether the selector points to the GDT or the LDT) and access-rights information.
To access a byte in a segment, both a segment selector and an offset must be supplied. The segment selector provides access to the segment descriptor for the segment (in the GDT or LDT). From the segment descriptor the processor obtains the base address of the segment in the linear address space, and the offset then locates the byte relative to that base. Provided the processor may access the segment at the current privilege level (CPL), this mechanism can access any valid code, data or stack segment in the GDT or LDT; here CPL is the protection level of the currently executing code segment.
...
The linear base address of the GDT is stored in the GDT register (GDTR), and the linear base address of the LDT is stored in the LDT register (LDTR).
由于虛拟機與真實主機中的GDT和LDT并不能相同,這與使用IDT的檢測方法一樣,是以虛拟機必須為它們提供一個“複制體”。關于GDT和LDT的基址可通過SGDT和SLDT指令擷取。虛拟機檢測工具Scoopy suite的作者Tobias Klein經測試發現,當LDT基址位于0x0000(隻有兩位元組)時為真實主機,否則為虛拟機,而當GDT基址位于0xFFXXXXXX時說明處于虛拟機中,否則為真實主機。具體實作代碼如下:
Code:
#include <stdio.h>

void LDTDetect(void)
{
    unsigned short ldt_addr = 0;
    unsigned char ldtr[2];                  /* SLDT stores a 16-bit value */
    _asm sldt ldtr
    ldt_addr = *((unsigned short *)&ldtr);
    printf("LDT BaseAddr: 0x%x\n", ldt_addr);
    if(ldt_addr == 0x0000)                  /* 0x0000 means a real host */
    {
        printf("Native OS\n");
    }
    else
        printf("Inside VMware\n");
}

void GDTDetect(void)
{
    unsigned int gdt_addr = 0;
    unsigned char gdtr[6];                  /* SGDT stores 6 bytes: a 16-bit limit followed by the 32-bit base; 4 bytes would overflow */
    _asm sgdt gdtr
    gdt_addr = *((unsigned int *)&gdtr[2]); /* skip the 2-byte limit to reach the base */
    printf("GDT BaseAddr:0x%x\n", gdt_addr);
    if((gdt_addr >> 24) == 0xff)            /* a base of the form 0xFFxxxxxx means a virtual machine */
    {
        printf("Inside VMware\n");
    }
    else
        printf("Native OS\n");
}

int main(void)
{
    LDTDetect();
    GDTDetect();
    return 0;
}
The test result is shown in Figure 3:
[Figure 3]
Method 4: STR-based detection
When a program running in protected mode switches tasks, the segment selector that points to the current task's TSS is stored in the task register. The TSS holds the execution state of the current task, including the general-purpose registers, the segment registers, the flags register, EIP and so on; when the task is run again, the processor restores the task state saved earlier. Every task has its own TSS, and the STR instruction gives us the segment selector pointing to the TSS of the current task. STR (Store Task Register) stores the segment selector from the task register (TR) into the destination operand, which can be a general-purpose register or a memory location; the selector stored by this instruction points to the task state segment (TSS) of the task currently running. The address read with STR differs between a virtual machine and a real host: when it equals 0x0040xxxx the program is in a virtual machine, otherwise on a real host. The implementation is as follows:
Code:
#include <stdio.h>

int main(void)
{
    unsigned char mem[4] = {0};
    int i;
    __asm str mem;                              /* store the TSS selector from the task register into mem */
    printf (" STR base: 0x");
    for (i=0; i<4; i++)
    {
        printf("%02x",mem[i]);                  /* print the bytes in memory order */
    }
    if ( (mem[0]==0x00) && (mem[1]==0x40))      /* the 0x0040xxxx pattern seen inside the virtual machine */
        printf("\n INSIDE MATRIX!!\n");
    else
        printf("\n Native OS!!\n");
    return 0;
}
The test result is shown in Figure 4:
[Figure 4]
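Added example (not from the article or from the tools it cites): the SIDT, SGDT/SLDT and STR checks above all read a register image from memory and then test one byte or one word of it. The Python below decodes such images from constructed sample bytes and applies the article's thresholds for the IDT (Redpill), GDT and LDT (Scoopy) and STR checks, making explicit the 6-byte limit/base layout that the C snippets rely on (the "first byte" Redpill tests is m[5], the highest byte of the base).

```python
import struct

# Thresholds as stated in the article: Redpill (IDT), Scoopy (GDT/LDT) and the STR check.
IDT_VM_TOP_BYTE = 0xD0        # SIDT: top byte of the base above this -> virtual machine
GDT_VM_TOP_BYTE = 0xFF        # SGDT: top byte of the base equal to this -> virtual machine
STR_VM_PREFIX = b"\x00\x40"   # STR: first two stored bytes -> virtual machine


def decode_table_register(image: bytes) -> dict:
    """Decode the 6-byte memory image that SIDT/SGDT write in 32-bit mode:
    a 16-bit limit followed by a 32-bit linear base, both little-endian.
    The highest byte of the base is therefore image[5], not image[0]."""
    if len(image) < 6:
        raise ValueError("SIDT/SGDT image must be at least 6 bytes")
    limit, base = struct.unpack("<HI", image[:6])
    return {"limit": limit, "base": base, "top_byte": image[5]}


def classify_idt(image: bytes) -> str:
    """Redpill rule: m[5] > 0xD0 means a VM (VMware 0xFF..., Virtual PC 0xE8...), 0x80... is native."""
    return "vm" if decode_table_register(image)["top_byte"] > IDT_VM_TOP_BYTE else "native"


def classify_gdt(image: bytes) -> str:
    """Scoopy rule: a GDT base of the form 0xFFxxxxxx means a VM."""
    return "vm" if decode_table_register(image)["top_byte"] == GDT_VM_TOP_BYTE else "native"


def classify_ldt(image: bytes) -> str:
    """Scoopy rule on the 16-bit value stored by SLDT: 0x0000 is native, anything else a VM."""
    (value,) = struct.unpack("<H", image[:2])
    return "native" if value == 0 else "vm"


def classify_str(image: bytes) -> str:
    """STR rule from the article: bytes 00 40 at the start of the stored value mean a VM."""
    return "vm" if bytes(image[:2]) == STR_VM_PREFIX else "native"


# Constructed sample images (not captured from real machines), packed the way the
# instructions lay them out in memory: limit first, then the base.
HOST_IDT = struct.pack("<HI", 0x07FF, 0x8003F400)   # 0x80xxxxxx base, as on the article's real host
VM_IDT = struct.pack("<HI", 0x07FF, 0xFFC18000)     # 0xFFxxxxxx base, VMware-style
HOST_GDT = struct.pack("<HI", 0x03FF, 0x8003F000)
VM_GDT = struct.pack("<HI", 0x03FF, 0xFFC07000)

if __name__ == "__main__":
    for name, image, rule in (("IDT host", HOST_IDT, classify_idt), ("IDT vm", VM_IDT, classify_idt),
                              ("GDT host", HOST_GDT, classify_gdt), ("GDT vm", VM_GDT, classify_gdt)):
        d = decode_table_register(image)
        print(f"{name}: bytes={image.hex()} base={d['base']:#010x} limit={d['limit']:#06x} -> {rule(image)}")
```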
Method 5: Registry-based VM detection
VMware Tools and other virtual hardware (network adapters, virtual printers, USB hubs, ...) are usually installed in a Windows virtual machine, and they all create Windows registry entries that any program can read, so we can detect whether a program is in a virtual machine by looking for certain key strings in the registry. The locations can be found by searching the registry for the keyword "vmware"; below are some registry entries I found in Windows XP under VMware:
Key: HKEY_CLASSES_ROOT\Applications\VMwareHostOpen.exe
Key: HKEY_CLASSES_ROOT\Installer\Products\C2A6F2EFE6910124C940B2B12CF170FE\ProductName
Value: VMware Tools
Key: HKEY_CLASSES_ROOT\Installer\Products\C2A6F2EFE6910124C940B2B12CF170FE\SourceList\PackageName
Value: VMware Tools.msi
Key: HKEY_CURRENT_USER\Printers\DeviceOld
Value: _#VMwareVirtualPrinter,winspool,TPVM:
Key: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
Value: VMware Virtual IDE Hard Drive
Key: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
Value: NECVMWar VMware IDE CDR10
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C2A6F2EFE6910124C940B2B12CF170FE\ProductName
Value: VMware Tools
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C2A6F2EFE6910124C940B2B12CF170FE\InstallProperties\DisplayName
Value: VMware Tools
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\0002\DeviceDesc
Value: VMware SVGA II
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2\Description
Value: VMware Accelerated AMD PCNet Adapter
Key: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
Value: VMware SVGA II
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
Value: VMware, Inc.
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001\DriverDesc
Value: VMware Accelerated AMD PCNet Adapter
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
Value: VMware SCSI Controller
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ThinPrint Print Port Monitor for VMWare
One more place to check; the code is as follows:
#include <windows.h>
#include <string.h>

BOOL DetectVM() {
    HKEY hKey;
    char szBuffer[64];
    unsigned long hSize = sizeof(szBuffer) - 1;
    if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System\\BIOS\\", 0, KEY_READ, &hKey ) == ERROR_SUCCESS ) {
        memset( szBuffer, 0, sizeof(szBuffer) );   // keep the buffer terminated even if the query fails or truncates
        if( RegQueryValueEx( hKey, "SystemManufacturer", NULL, NULL, (unsigned char *)szBuffer, &hSize ) == ERROR_SUCCESS ) {
            CharUpperA( szBuffer );                 // the value reads "VMware, Inc."; compare case-insensitively
            if( strstr( szBuffer, "VMWARE" )) {
                RegCloseKey( hKey );
                return TRUE;
            }
        }
        RegCloseKey( hKey );
    }
    return FALSE;
}
Beyond these entries there are many other places to check, in particular the virtualized hardware, software and services the VM provides, such as the file-sharing service, the VMware Physical Disk Helper service, the VMware Ethernet Adapter Driver, the VMware SCSI Controller and so on; all of this information can serve as a VM-detection technique. Here we program an example around one of these entries; the other entries are checked in the same way. The code is as follows:
Code:
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
include advapi32.inc
includelib user32.lib
includelib kernel32.lib
includelib advapi32.lib
.data
szCaption db "VMware Detector ",0
szInside db "Inside VMware!",0
szOutside db "Native OS!",0
szSubKey db "software\VMWare, Inc.\VMware tools",0
hKey dd ?
.code
start:
invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE, addr szSubKey, 0,\
    KEY_READ, addr hKey          ; read access is enough; KEY_WRITE fails for non-admin users and would hide the key
.if eax == ERROR_SUCCESS
    invoke MessageBox, NULL,addr szInside, addr szCaption, MB_OK
    invoke RegCloseKey,hKey      ; only close a handle that was actually opened
.else
    invoke MessageBox, NULL,addr szOutside, addr szCaption, MB_OK
.endif
invoke ExitProcess,NULL
end start
The test result is shown in Figure 5:
[Figure 5]
Method 6: Timing-based detection
This method runs a specific piece of code and compares its relative running time in a virtual machine and on a real host to decide whether it is in a virtual machine. We can implement it with the RDTSC instruction, which stores the number of CPU cycles elapsed since the computer was started in EDX:EAX, with EDX holding the high part and EAX the low part. Taking the running time of the single instruction xchg ecx, eax as an example, on my real Windows 7 host it takes 0000001E, as Figure 6 shows:
[Figure 6]
while in the Windows XP virtual machine the same instruction takes 00000442, as Figure 7 shows:
[Figure 7]
The running times differ greatly: execution in the virtual machine is far slower than on the real host. In general, when the running time exceeds 0xFF we can conclude that we are in a virtual machine, so the detector is easy to write; the implementation is as follows:
Code:
.586p
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
.data
szTitle db "VMDetect With RDTSC", 0h
szInsideVM db "Inside VMware!", 0h
szOutsideVM db "Native OS!", 0h
.code
start:
RDTSC
xchg ecx, eax
RDTSC
sub eax, ecx
cmp eax, 0FFh
jg Detected
invoke MessageBox, 0, offset szOutsideVM, offset szTitle, 0
ret
Detected:
invoke MessageBox, 0, offset szInsideVM, offset szTitle, 0
ret
end start
The test result is shown in Figure 8:
[Figure 8]
Method 7: Detecting the VM via virtual hardware fingerprints
Virtual hardware fingerprints can also be used to detect a virtual machine. For example, VMware's default network-card MAC addresses start with 00-05-69, 00-0C-29 or 00-50-56; these first three octets are the OUI (organizationally unique identifier) assigned to VMware for use by its virtual adapters. The MAC address in my VMware Windows XP guest is 00-0C-29-5B-D7-67, as Figure 9 shows:
[Figure 9]
This check can, however, be bypassed by editing the configuration file. In addition, the characteristic strings of specific hardware controllers, the BIOS, USB controllers, display adapters, network cards and so on can be checked; these were touched on above in the registry-based method.
Earlier, a member of the 看雪 (Pediy) forum also mentioned detecting a virtual machine by checking whether the hard disk Model Number contains "vmware" or "virtual"; the post is reproduced below:
A small experiment in anti-VMware
Today I happened to see a portable hard-disk tool and suddenly realised one of its functions could be used to implement anti-VMware.
Today's work, today done: let's implement this idea before midnight tonight, let's go!
My idea is to check the hard disk's model number; search the web for what a model number is, in any case it is not the disk serial number. The hard part is that it has to work as anti-VMware under several operating systems. The program detects VMware running under XP, 2000 and 2003.
Straight to the code; it doesn't matter if you can't read it, I wrote it by reversing someone else's code. Delphi can be used as an assembly development tool too, can't it?
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, Buttons;

type
  TForm1 = class(TForm)
    BitBtn1: TBitBtn;
    procedure BitBtn1Click(Sender: TObject);
    procedure FormClose(Sender: TObject; var Action: TCloseAction);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;
  hDeviceHandle: THandle;

implementation

{$R *.dfm}

procedure TForm1.BitBtn1Click(Sender: TObject);
var
  InBuffer: array[0..$8f] of byte;   // SCSI_PASS_THROUGH_DIRECT header, data buffer at offset $50
  cb: Cardinal;
  tmp: PChar;
begin
  // open the first physical disk ($C0000000 = GENERIC_READ or GENERIC_WRITE, $3 = shared read/write)
  hDeviceHandle := CreateFile('\\.\PHYSICALDRIVE0', $C0000000, $3, nil, OPEN_EXISTING, $8000000, 0);
  ZeroMemory(@InBuffer, SizeOf(InBuffer));
  asm
    pushad
    lea ebx, InBuffer
    xor ecx, ecx
    mov al, $2c
    mov [ebx], al            // Length = SizeOf(SCSI_PASS_THROUGH_DIRECT) = $2c
    mov eax, $200c0000
    mov [ebx+4], eax         // TargetId = 0, Lun = 0, CdbLength = $0c, SenseInfoLength = $20
    mov al, $01
    mov [ebx+8], al          // DataIn = SCSI_IOCTL_DATA_IN
    mov al, $40
    mov [ebx+$c], al         // DataTransferLength = $40
    mov eax, $0001a5E0
    mov [ebx+$10], eax       // TimeOutValue
    mov al, $30
    mov [ebx+$18], al        // SenseInfoOffset = $30
    mov al, $12
    mov [ebx+$1c], al        // Cdb[0] = $12: SCSI INQUIRY
    mov al, $40
    mov [ebx+$20], al        // Cdb[4] = allocation length $40
    add ecx, ebx
    add ecx, $50
    mov [ebx+$14], ecx       // DataBuffer = @InBuffer[$50]
    popad
  end;
  // $4D014 = IOCTL_SCSI_PASS_THROUGH_DIRECT
  if DeviceIoControl(hDeviceHandle, $4D014, @InBuffer, $50, @InBuffer, $50, cb, nil) then
  begin
    asm
      pushad
      lea ebx, InBuffer
      add ebx, $58           // INQUIRY data + 8: the vendor/product identification strings
      mov tmp, ebx
      popad
    end; //asm
    if ((Pos('vmware', LowerCase(tmp)) > 0) or (Pos('virtual', LowerCase(tmp)) > 0)) then
      ShowMessage('檢測到 VMware Workstation!!!')
    else
      ShowMessage('請在VMware中測試!');
  end;
end;

procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  CloseHandle(hDeviceHandle);
end;

end.
The code is short, but the result is good. A few screenshots as a keepsake!
The C++ implementation is as follows:
// Via IOCTL_STORAGE_QUERY_PROPERTY
#include <windows.h>
#include <winioctl.h>   // STORAGE_PROPERTY_QUERY, STORAGE_DEVICE_DESCRIPTOR, IOCTL_STORAGE_QUERY_PROPERTY
#include <string.h>

bool IsSandboxed()
{
    HANDLE hPhysicalDriveIOCTL = INVALID_HANDLE_VALUE;
    char szModel[128], szBuffer[1024];   // a full descriptor can exceed 128 bytes, so use a larger buffer
    const char *szDrives[] = {
        "qemu",
        "virtual",
        "vmware",
        NULL
    };
    bool found = false;
    // zero desired access is enough to query device properties
    hPhysicalDriveIOCTL = CreateFile ("\\\\.\\PhysicalDrive0", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hPhysicalDriveIOCTL != INVALID_HANDLE_VALUE)
    {
        STORAGE_PROPERTY_QUERY query;
        DWORD cbBytesReturned = 0;
        memset (&query, 0, sizeof (query));
        query.PropertyId = StorageDeviceProperty;
        query.QueryType = PropertyStandardQuery;
        memset (szBuffer, 0, sizeof (szBuffer));
        memset (szModel, 0, sizeof (szModel));
        if (DeviceIoControl(hPhysicalDriveIOCTL, IOCTL_STORAGE_QUERY_PROPERTY, &query, sizeof (query), szBuffer, sizeof (szBuffer), &cbBytesReturned, NULL)) {
            STORAGE_DEVICE_DESCRIPTOR *descrip = (STORAGE_DEVICE_DESCRIPTOR*)szBuffer;
            DWORD pos = descrip->ProductIdOffset;   // offset of the product id (model) string in the buffer, 0 if absent
            if (pos != 0 && pos < cbBytesReturned) {
                int m = 0;
                // copy the model string without running past either buffer
                for (DWORD g = pos; g < cbBytesReturned && szBuffer[g] != '\0' && m < (int)sizeof(szModel) - 1; g++) {
                    szModel[m++] = szBuffer[g];
                }
                CharLowerBuff(szModel, (DWORD)strlen(szModel));
                for (int i = 0; szDrives[i] != NULL; i++) {
                    if (strstr(szModel, szDrives[i])) {
                        found = true;
                        break;
                    }
                }
            }
        }
        CloseHandle (hPhysicalDriveIOCTL);   // always release the handle, also on a match
    }
    return found;
}
Summary
Researchers at the SANS security organization have summarised current VM-detection techniques into the following four classes:
● searching the virtual environment's processes, file system and registry;
● searching the virtual environment's memory;
● searching for specific virtual hardware in the virtual environment;
● searching for specific processor instructions and features in the virtual environment.
Because modern computing systems mostly consist of a file system, memory, a processor and assorted hardware components, the four classes above cover these elements, and every detection method discussed earlier falls into one of them. Beyond these, network-based VM detection has also been proposed, such as looking at timing differences in ICMP and TCP traffic, differences in IP ID values, and abnormal header information in packets. As research deepens, more detection techniques will surely appear, and at the same time virtual-machine vendors will keep evolving their products to make anti-VMware harder; this is an endless, smokeless war!
================================================================================
Countermeasures against anti-VM checks
The solution for methods 1, 2, 3, 4 and 6 above is:
1. Enable the VT (virtualization) option in the CPU settings of the host BIOS. Note that this step must be done before VMware is installed; if the order is wrong, VMware has to be completely uninstalled and reinstalled.
2. Create the virtual machine and configure its CPU settings as shown in the figure below:
The main purpose is to turn off binary translation and enable VT virtualization for the virtual machine.
3. Turn off some virtual machine settings: open the VMX file with Notepad (this is the VM's configuration file, at a path such as "C:\VM Machines\Windows 7 (32位)\Windows 7 (32位).vmx") and append the following at the end of the file:
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.restrict_backdoor = "TRUE"
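Added example, not part of the original article: a small Python audit of a .vmx file against the settings listed above. It parses the key = "value" lines, reports which of the listed settings are missing or not set to "TRUE", and writes out a corrected file. SAMPLE_VMX is a constructed configuration (not a real VMware file) in which one setting is "FALSE" and the last two from the list are absent.

```python
# The settings the article appends to the .vmx; every one of them must read "TRUE".
REQUIRED_TRUE = (
    "isolation.tools.getPtrLocation.disable",
    "isolation.tools.setPtrLocation.disable",
    "isolation.tools.setVersion.disable",
    "isolation.tools.getVersion.disable",
    "monitor_control.disable_directexec",
    "monitor_control.disable_chksimd",
    "monitor_control.disable_ntreloc",
    "monitor_control.disable_selfmod",
    "monitor_control.disable_reloc",
    "monitor_control.disable_btinout",
    "monitor_control.disable_btmemspace",
    "monitor_control.disable_btpriv",
    "monitor_control.disable_btseg",
    "monitor_control.restrict_backdoor",
)

# Constructed sample (not a real VMware file): getVersion is "FALSE" and the last
# two settings from the list are absent.
SAMPLE_VMX = """\
.encoding = "windows-1252"
config.version = "8"
displayName = "analysis-guest"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "FALSE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
"""


def parse_vmx(text: str) -> dict:
    """Parse 'key = "value"' lines into a dict; keys are lower-cased so the comparison is case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_vmx(text: str) -> dict:
    """Return {"missing": [absent keys], "wrong": {key: value}} for the REQUIRED_TRUE settings."""
    settings = parse_vmx(text)
    missing, wrong = [], {}
    for key in REQUIRED_TRUE:
        value = settings.get(key.lower())
        if value is None:
            missing.append(key)
        elif value.upper() != "TRUE":
            wrong[key] = value
    return {"missing": missing, "wrong": wrong}


def harden_vmx(text: str) -> str:
    """Return the file with wrong settings rewritten to "TRUE" and missing ones appended at the end."""
    report = audit_vmx(text)
    wrong = {k.lower() for k in report["wrong"]}
    out = []
    for raw in text.splitlines():
        orig_key = raw.partition("=")[0].strip()
        out.append(f'{orig_key} = "TRUE"' if orig_key.lower() in wrong else raw)
    out.extend(f'{key} = "TRUE"' for key in report["missing"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(audit_vmx(SAMPLE_VMX))
    print(harden_vmx(SAMPLE_VMX))
```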
This enables VT virtualization, turns off binary translation and closes the various backdoors. Then install the guest operating system (e.g. Windows 7) in the VM; once it is installed, the checks of methods 1, 2, 3, 4 and 6 all pass when run inside the VM's Windows 7.
The solution for method 7 is to modify the hardware information. There is a lot of VM-specific hardware information; here only the network card is discussed: simply download a MAC address changer and change the MAC so that it is no longer VMware-specific, which defeats method 7.
Method 5 is used by a lot of commercial software for its checks, for the simple reason that the registry can be read conveniently from both a driver and user mode, and a protection developer only needs to install a VM to extract its characteristic registry entries. The solution is to search the registry for strings such as "VMware" and "virtual", change everything that can be changed, and then export the registry so that it can be re-imported after a reboot, because some registry information is restored when the VM restarts.
A worked example:
Environment: VMware virtual machine, Windows 7 32-bit, ISO image name XBL_GHOST_WIN7_SP1_07ZJB.iso
Principle: "VMware" in the registry was changed to "test123"
Registry:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation]
"BIOSVersion"="6.00"
"BIOSReleaseDate"="07/02/2012"
"SystemManufacturer"="test123, Inc."
"SystemProductName"="test123 test123 Platform"
"InformationSource"=dword:00000001

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS]
"BiosMajorRelease"=dword:00000004
"BiosMinorRelease"=dword:00000006
"ECFirmwareMajorRelease"=dword:00000000
"ECFirmwareMinorRelease"=dword:00000000
"BaseBoardManufacturer"="Intel Corporation"
"BaseBoardProduct"="440BX Desktop Reference Platform"
"BaseBoardVersion"="None"
"BIOSReleaseDate"="07/02/2012"
"BIOSVendor"="Phoenix Technologies LTD"
"BIOSVersion"="6.00"
"SystemFamily"=""
"SystemManufacturer"="test123, Inc."
"SystemProductName"="test123 test123 Platform"
"SystemSKU"=""
"SystemVersion"="None"

[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0]
"InquiryData"=hex:00,00,02,02,1f,00,00,73,56,4d,77,61,72,65,2c,20,56,4d,77,61,\
  72,65,20,56,69,72,74,75,61,6c,20,53,31,2e,30,20
"Identifier"="test123, test123 Virtual S1.0 "
"DeviceType"="DiskPeripheral"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000]
"CoInstallers32"=hex(7):76,00,6d,00,78,00,5f,00,6d,00,6f,00,64,00,65,00,2e,00,\
  64,00,6c,00,6c,00,2c,00,20,00,56,00,4d,00,58,00,5f,00,4d,00,6f,00,64,00,65,\
  00,43,00,68,00,61,00,6e,00,67,00,65,00,00,00,00,00
"InfPath"="oem2.inf"
"InfSection"="vmx_svga_vista"
"ProviderName"="test123, Inc."
"DriverDateData"=hex:00,80,de,95,e5,e0,ca,01
"DriverDate"="4-21-2010"
"DriverVersion"="11.6.0.35"
"MatchingDeviceId"="pci\\ven_15ad&dev_0405&subsys_040515ad&rev_00"
"DriverDesc"="test123 SVGA II"
"FeatureScore"=dword:000000fc
This takes care of method 5. Anti-VM code may combine several methods, so concrete testing is required.
Reposted from: https://www.cnblogs.com/15157737693zsp/p/4620773.html
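Added example, not part of the article or of the reposted sources: a Python scanner for a .reg export such as the one above. It joins regedit's backslash-continued lines, decodes quoted string, hex: and hex(n): values, and searches each of them, both as 8-bit text and as UTF-16LE, for the strings the article's own detectors look for ("vmware", "virtual"). SAMPLE_REG is a constructed excerpt modelled on the export above, in which the string values were rewritten to "test123" but the hex-encoded ones were left alone.

```python
import re

MARKERS = ("vmware", "virtual")   # the strings the article's method 7 detectors search for

# Constructed excerpt (not a real export) modelled on the article's registry listing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS]
"SystemManufacturer"="test123, Inc."
"SystemProductName"="test123 test123 Platform"

[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0]
"InquiryData"=hex:00,00,02,02,1f,00,00,73,56,4d,77,61,72,65,2c,20,56,4d,77,61,\
  72,65,20,56,69,72,74,75,61,6c,20,53,31,2e,30,20
"Identifier"="test123, test123 Virtual S1.0 "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000]
"HardwareInformation.ChipType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\
  53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00
"Device Description"="test123 SVGA II"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r'^hex(?:\(\d+\))?:(?P<bytes>.*)$')


def logical_lines(text: str):
    """Join lines that end in a backslash, which is how regedit splits long hex values."""
    pending = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:
            line = pending + line.lstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        yield line
        pending = None
    if pending is not None:
        yield pending


def decode_value(data: str):
    """Yield (encoding, text) readings of a value payload: quoted strings as-is,
    hex/hex(n) payloads both as 8-bit text and, when even-length, as UTF-16LE."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        yield "string", data[1:-1]
        return
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
        yield "hex-ascii", raw.decode("latin-1")
        if len(raw) % 2 == 0:
            yield "hex-utf16le", raw.decode("utf-16-le", errors="replace")


def scan_reg_export(text: str, markers=MARKERS) -> list:
    """Return (key, value name, encoding, marker) for every reading that still contains a marker."""
    findings, key = [], None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        for encoding, reading in decode_value(m.group("data")):
            low = reading.lower()
            for marker in markers:
                if marker in low:
                    findings.append((key, m.group("name"), encoding, marker))
    return findings


if __name__ == "__main__":
    for key, name, encoding, marker in scan_reg_export(SAMPLE_REG):
        print(f'[{key}] "{name}" ({encoding}) still contains "{marker}"')
```

On the sample this flags the hex-encoded InquiryData and the UTF-16 ChipType blob, plus the word "Virtual" that survived in the rewritten Identifier string.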