lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20060902100700.689.qmail@securityfocus.com>
Date: 2 Sep 2006 10:07:00 -0000
From: gynvael@...illium.org
To: bugtraq@...urityfocus.com
Subject: VirtualPC 2004 (build 528) detection (?)

Hello ;>

Recently I've been working on a disassembler. When implementing the 'REPE/REPNE' prefix, I've asked myself, how many prefixes 'REP' can there be ?
I tested it by creating an application with code like:
REP REP REP ... REP MOVSB
After a few tests (by me and ReWolf) we've found out that the CPU generates Illegal Instruction exception when there are at least 15*REP. The exception is not generated when there are "only" 14*REP or less. We have tested this on both Intel (P3, P4) CPUs and AMD (duron).
I have decided also to test this on virtual CPUs like VMWare, VirtualPC, and so on.

I found out that on VirtualPC 2004 (build 528) the exception is NOT generated (when there are 15 REP). 

This fact can be used to detect that an app is running on VirtualPC 2004 (build 528). I have not tested in on other versions.

Proof of concept code follows.
(sorry for my bad english ;<)

gynvael.coldwind//vx
Team Vexillium


--proof of concept--
; masm32 
; research & code by gynvael.coldwind//vx
; special thx to ReWolf (even more research ;>) & vul7ur3 (testing)
.386
.model flat, stdcall
option casemap :none   ; case sensitive

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.code

start:
  ; some strings
  jmp @F
    szDlgTitle    db "VirtualPC 2004 RedPill (by gynvael.coldwind//vx)",0
    szMsgOFF      db "VirtualPC was NOT detected",0
    szMsgON       db "VirtualPC DETECTED!",0
  @@:

  ; SEH
  xor eax, eax
  push offset detected
  db 064h ; FS
  push dword ptr [eax]
  db 064h ; FS
  mov dword ptr [eax], esp

  ; teh RedPill
  mov esi, esp
  mov edi, esp
  mov ecx, 1

  ; This is REP REP REP REP ... REP movsb
  ; 15 * REP generate 'Invalid Instruction' exception on real CPU (tested on both Intel and AMD)
  ; Microsoft Virtual PC 2004 does NOT generate this exception.
  db 0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h,0F3h;
  movsb    

  ; was found!
  invoke MessageBox, 0, ADDR szMsgON, ADDR szDlgTitle, MB_OK
  invoke ExitProcess, 0

detected:
  invoke MessageBox, 0, ADDR szMsgOFF, ADDR szDlgTitle, MB_OK
  invoke ExitProcess, 0
  
end start

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ