VMware detection (anti-debugging trick against TRW)
Bartosz Wojcik (bw) <forumspelockcom> Sunday, April 15 2007 16:52.50 CDT


Binaries + source code
http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/

Some of the anti-debugging tricks can be used to detect VMware; one of them is an old anti-TRW trick (TRW was a popular debugger in the 9x days).

This anti-debugging trick works fine on real Windows 9x installations (95, 98, ME), but it raises an exception under VMware (while reading the IDT entry).

#include <windows.h>

// 32-bit MSVC build only (inline __asm, __try/__except).
BOOL IsVMware9xTrw()
{
    // detect NT/XP/Vista: GetVersion() sets bit 31 only on Win9x/ME,
    // so on NT-based systems the trick is skipped (the IDT lives in
    // kernel space there and the read below would fault anyway)
    if ( (GetVersion() & 0x80000000) == 0 )
    {
        return FALSE;
    }

    // detect VMWare (anti debugging trick against TRW)
    // VMware isn't detected with vm acceleration disabled
    __try
    {
        __asm
        {
            sub    esp, 6                    // room for the 6-byte IDTR image
            sidt   fword ptr [esp]           // store IDT limit (2 bytes) + base (4 bytes)
            pop    ax                        // discard the 16-bit limit
            pop    eax                       // eax = linear base of the IDT
            mov    al, byte ptr [eax + 00Eh] // touch IDT memory; faults under VMware
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        return TRUE;
    }

    return FALSE;
}
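To make the stack manipulation in the inline asm above easier to follow, here is a small host-side model of it, written for this edit and not part of the original post or PELock's code. It decodes a constructed 6-byte IDTR image the way `sidt`/`pop ax`/`pop eax` do, computes the address the final `mov` touches, and mirrors the `GetVersion()` bit-31 gate; the helper names (`idtr_decode`, `trick_read_address`, `is_win9x_version`, `in_nt_kernel_half`) and the sample bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded form of the 6-byte image that SIDT writes on 32-bit x86:
   bytes 0-1 = IDT limit, bytes 2-5 = IDT linear base, both little-endian. */
typedef struct {
    uint16_t limit;
    uint32_t base;
} idtr_t;

/* Hypothetical helper: same effect as "pop ax" (limit) followed by "pop eax" (base)
   after "sidt fword ptr [esp]". */
static idtr_t idtr_decode(const uint8_t img[6])
{
    idtr_t r;
    r.limit = (uint16_t)(img[0] | (img[1] << 8));
    r.base  = (uint32_t)img[2]
            | ((uint32_t)img[3] << 8)
            | ((uint32_t)img[4] << 16)
            | ((uint32_t)img[5] << 24);
    return r;
}

/* Address read by "mov al, byte ptr [eax + 00Eh]": base + 0x0E, which lies in
   IDT entry 1 (entries are 8 bytes), the high word of its handler offset. */
static uint32_t trick_read_address(const idtr_t *r)
{
    return r->base + 0x0E;
}

/* Mirrors the gate in the post: GetVersion() has bit 31 set on Win9x/ME only. */
static int is_win9x_version(uint32_t getversion_result)
{
    return (getversion_result & 0x80000000u) != 0;
}

/* Why the gate matters: on NT the IDT sits in the kernel half of the address
   space, so a user-mode read faults on real hardware too and would be a false
   positive for "VMware" without the version check. */
static int in_nt_kernel_half(uint32_t addr)
{
    return addr >= 0x80000000u;
}

int main(void)
{
    /* Constructed IDTR image: limit 0x07FF (256 entries * 8 - 1),
       base 0xC0000400. Not captured from any real system. */
    const uint8_t img[6] = { 0xFF, 0x07, 0x00, 0x04, 0x00, 0xC0 };
    idtr_t r = idtr_decode(img);

    printf("IDT limit = 0x%04X, base = 0x%08X\n", r.limit, r.base);
    printf("trick reads byte at 0x%08X\n", trick_read_address(&r));
    printf("base in NT kernel half: %s\n", in_nt_kernel_half(r.base) ? "yes" : "no");

    /* Constructed GetVersion() samples: bit 31 set (9x-style) vs clear (NT-style). */
    printf("0xC0000A04 treated as 9x: %d\n", is_win9x_version(0xC0000A04u));
    printf("0x0A280105 treated as 9x: %d\n", is_win9x_version(0x0A280105u));
    return 0;
}
```

The model shows two things the asm hides: the `pop ax` exists only to step over the 16-bit limit so that `pop eax` lands on the base, and the read at `base + 0x0E` is just a probe of IDT memory whose only purpose is to succeed on bare-metal 9x and fault under VMware, which is why the result in `al` is never used.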

