下面列出检测 VMware 虚拟机的常见技术：

#include <iostream>
#include <windows.h>
#include <sysinfoapi.h>
#include <comdef.h>
#include <Wbemidl.h>
#include <ShlObj.h>
#include <LM.h>
#include <TlHelp32.h>
#include <string.h>
#include <string>
#include <atlbase.h>
#include <Iphlpapi.h>#include <Psapi.h>
#include <shlwapi.h>  //PathFileExists
#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "shlwapi.lib")#pragma comment(lib, "wbemuuid.lib")
#pragma comment(lib, "netapi32.lib")
#pragma comment(lib,"Iphlpapi.lib") //GetAdaptersInfo需要添加Iphlpapi.lib库#define  ARRAY_SIZE 1024
using namespace std;// 检查管理员权限
BOOL isAdmin()
{BOOL bElevated = FALSE;HANDLE hToken = NULL;// Get current process tokenif (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))return FALSE;TOKEN_ELEVATION tokenEle;DWORD dwRetLen = 0;// Retrieve token elevation informationif (GetTokenInformation(hToken, TokenElevation, &tokenEle, sizeof(tokenEle), &dwRetLen)){if (dwRetLen == sizeof(tokenEle)){bElevated = tokenEle.TokenIsElevated;}}CloseHandle(hToken);return bElevated;
}// 检查CPU核心数
// SYSTEM_INFO.dwNumberOfProcessors
BOOL checkCPUCores(INT cores)
{INT i = 0;_asm { // x64编译模式下不支持__asm的汇编嵌入mov eax, dword ptr fs : [0x18] ; // TEBmov eax, dword ptr ds : [eax + 0x30] ; // PEBmov eax, dword ptr ds : [eax + 0x64] ;mov i, eax;}return i < cores;
}// 检查CPU温度（需要管理员权限）
// Get-WMIObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi"
// VM中无返回结果
// https://docs.microsoft.com/en-us/windows/win32/wmisdk/example--getting-wmi-data-from-the-local-computer
BOOL checkCPUTemperature()
{HRESULT hres;BOOL res = -1;do{// Step 1: --------------------------------------------------// Initialize COM. ------------------------------------------hres = CoInitializeEx(0, COINIT_MULTITHREADED);if (FAILED(hres)){// cout << "Failed to initialize COM library. Error code = 0x" << hex << hres << endl;break;                  // Program has failed.}// Step 2: --------------------------------------------------// Set general COM security levels --------------------------hres = CoInitializeSecurity(NULL,-1,                          // COM authenticationNULL,                        // Authentication servicesNULL,                        // ReservedRPC_C_AUTHN_LEVEL_DEFAULT,   // Default authentication RPC_C_IMP_LEVEL_IMPERSONATE, // Default Impersonation  NULL,                        // Authentication infoEOAC_NONE,                   // Additional capabilities NULL                         // Reserved);if (FAILED(hres)){// cout << "Failed to initialize security. Error code = 0x" << hex << hres << endl;CoUninitialize();break;                    // Program has failed.}// Step 3: ---------------------------------------------------// Obtain the initial locator to WMI -------------------------IWbemLocator* pLoc = NULL;hres = CoCreateInstance(CLSID_WbemLocator,0,CLSCTX_INPROC_SERVER,IID_IWbemLocator, (LPVOID*)&pLoc);if (FAILED(hres)){// cout << "Failed to create IWbemLocator object." << " Err code = 0x" << hex << hres << endl;CoUninitialize();break;                 // Program has failed.}// Step 4: -----------------------------------------------------// Connect to WMI through the IWbemLocator::ConnectServer methodIWbemServices* pSvc = NULL;// Connect to the root\cimv2 namespace with// the current user and obtain pointer pSvc// to make IWbemServices calls.hres = pLoc->ConnectServer(// _bstr_t(L"ROOT\\CIMV2"), // Object path of WMI namespace_bstr_t(L"ROOT\\WMI"),NULL,                    // User name. NULL = current userNULL,                    // User password. NULL = current0,                       // Locale. NULL indicates currentNULL,                    // Security flags.0,                       // Authority (for example, Kerberos)0,                       // Context object &pSvc                    // pointer to IWbemServices proxy);if (FAILED(hres)){// cout << "Could not connect. Error code = 0x" << hex << hres << endl;pLoc->Release();CoUninitialize();break;                // Program has failed.}// cout << "Connected to ROOT\\WMI WMI namespace" << endl;// Step 5: --------------------------------------------------// Set security levels on the proxy -------------------------hres = CoSetProxyBlanket(pSvc,                        // Indicates the proxy to setRPC_C_AUTHN_WINNT,           // RPC_C_AUTHN_xxxRPC_C_AUTHZ_NONE,            // RPC_C_AUTHZ_xxxNULL,                        // Server principal name RPC_C_AUTHN_LEVEL_CALL,      // RPC_C_AUTHN_LEVEL_xxx RPC_C_IMP_LEVEL_IMPERSONATE, // RPC_C_IMP_LEVEL_xxxNULL,                        // client identityEOAC_NONE                    // proxy capabilities );if (FAILED(hres)){// cout << "Could not set proxy blanket. Error code = 0x" << hex << hres << endl;pSvc->Release();pLoc->Release();CoUninitialize();break;               // Program has failed.}// Step 6: --------------------------------------------------// Use the IWbemServices pointer to make requests of WMI ----// For example, get the name of the operating systemIEnumWbemClassObject* pEnumerator = NULL;hres = pSvc->ExecQuery(bstr_t("WQL"),bstr_t("SELECT * FROM MSAcpi_ThermalZoneTemperature"),WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,NULL,&pEnumerator);if (FAILED(hres)){// cout << "Query for operating system name failed." << " Error code = 0x" << hex << hres << endl;pSvc->Release();pLoc->Release();CoUninitialize();break;               // Program has failed.}// Step 7: -------------------------------------------------// Get the data from the query in step 6 -------------------IWbemClassObject* pclsObj = NULL;ULONG uReturn = 0;while (pEnumerator){HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);if (0 == uReturn) // VM中结果为空{if (-1 == res){res = TRUE;}break;}VARIANT vtProp;// Get the value of the Name propertyhr = pclsObj->Get(L"CurrentTemperature", 0, &vtProp, 0, 0);// res = vtProp.ullVal / 10.0 - 273.15; // 开氏转摄氏res = FALSE;VariantClear(&vtProp);pclsObj->Release();}// Cleanup// ========pSvc->Release();pLoc->Release();pEnumerator->Release();CoUninitialize();} while (false);return res;
}// 检测MAC地址
// 00:05:69、00:0c:29、00:50:56开始的MAC地址与VMware相对应
// 00:03:ff开始的MAC地址与virtualpc对应
// 08:00:27开始的MAC地址与virtualbox对应
BOOL CheckMACEx()
{PIP_ADAPTER_INFO pIpAdapterInfo = new IP_ADAPTER_INFO();//PIP_ADAPTER_INFO结构体指针存储本机网卡信息unsigned long stSize = sizeof(IP_ADAPTER_INFO);         //得到结构体大小,用于GetAdaptersInfo参数int nRel = GetAdaptersInfo(pIpAdapterInfo, &stSize);     //调用GetAdaptersInfo函数,填充pIpAdapterInfo指针变量;其中stSize参数既是一个输入量也是一个输出量wchar_t MAC[5][9] = { L"08-00-27", L"00-03-FF", L"00-0C-29" };//mac=="00-05-69", mac=="00-50-56"该方法不准确WCHAR buffer[20]{ 0 };//WCHAR* CurrentAPR;bool bRet = false;// 返回值if (ERROR_BUFFER_OVERFLOW == nRel){//如果函数返回的是ERROR_BUFFER_OVERFLOW//则说明GetAdaptersInfo参数传递的内存空间不够,同时其传出stSize,表示需要的空间大小//这也是说明为什么stSize既是一个输入量也是一个输出量               delete pIpAdapterInfo;//释放原来的内存空间     pIpAdapterInfo = (PIP_ADAPTER_INFO)new BYTE[stSize];//重新申请内存空间用来存储所有网卡信息        nRel = GetAdaptersInfo(pIpAdapterInfo, &stSize);    //再次调用GetAdaptersInfo函数,填充pIpAdapterInfo指针变量}if (ERROR_SUCCESS == nRel){//可能有多网卡,因此通过循环去判断while (pIpAdapterInfo){wsprintf(buffer, L"%02X-%02X-%02X", pIpAdapterInfo->Address[0], pIpAdapterInfo->Address[1], pIpAdapterInfo->Address[2]);for (int i = 0; i < 3; ++i){// 检查MAC地址前3位是否在拼接好的内容中。if (wcsstr(buffer, MAC[i])){bRet = TRUE;break;}}pIpAdapterInfo = pIpAdapterInfo->Next;}}//释放内存空间if (pIpAdapterInfo){delete[]pIpAdapterInfo;}return bRet;
}// 检测内存大小
// SELECT * FROM Win32_ComputerSystem
// TotalPhysicalMemory
BOOL checkMemory(INT memory)
{_MEMORYSTATUSEX mst;mst.dwLength = sizeof(mst);GlobalMemoryStatusEx(&mst);if (mst.ullTotalPhys / (1024.0 * 1024 * 1024) < memory) // B{return TRUE;}else{return FALSE;}
}// 检测磁盘大小（需要管理员权限）
// SELECT * FROM Win32_LogicalDisk
// Size
BOOL checkPhyDisk(INT disk)
{HANDLE hDrive;GET_LENGTH_INFORMATION size;DWORD lpBytes;hDrive = CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);if (hDrive == INVALID_HANDLE_VALUE){CloseHandle(hDrive);return FALSE;}bool result = DeviceIoControl(hDrive, IOCTL_DISK_GET_LENGTH_INFO, NULL, 0, &size, sizeof(GET_LENGTH_INFORMATION), &lpBytes, NULL);CloseHandle(hDrive);if ((size.Length.QuadPart / 1073741824) < disk){return TRUE;}else{return FALSE;}
}// 检测进程
BOOL checkProcess()
{const char* list[5] = { "VBoxService.exe", "VBoxTray.exe", "VGAuthService.exe","vm3dservice.exe", "vmtoolsd.exe" };PROCESSENTRY32 pe32;pe32.dwSize = sizeof(pe32);HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);BOOL bResult = Process32First(hProcessSnap, &pe32);while (bResult){char sz_Name[MAX_PATH] = { 0 };WideCharToMultiByte(CP_ACP, 0, pe32.szExeFile, -1, sz_Name, sizeof(sz_Name), NULL, NULL);for (int i = 0; i < 4; ++i){if (strcmp(sz_Name, list[i]) == 0){return TRUE;}}bResult = Process32Next(hProcessSnap, &pe32);}return FALSE;
}// 检测注册表和文件路径（可能需要管理员权限）
BOOL checkPath()
{HKEY hkey;int CoeckStrictMode = 0;WIN32_FIND_DATA wfd1, wfd2;if (RegOpenKeyA(HKEY_CLASSES_ROOT, "\\Applications\\VMwareHostOpen.exe", &hkey) == ERROR_SUCCESS ||RegOpenKeyA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Oracle\\VirtualBox Guest Additions", &hkey) == ERROR_SUCCESS){return TRUE;}// 文件夹路径//if (!PathIsDirectoryA("C:\\Program Files\\VMware\\VMware Tools\\") || //!PathIsDirectoryA("C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\"))//{//printf("E2\n");//return TRUE;//}HANDLE hFind1 = FindFirstFileW(L"C:\\Program Files\\VMware\\VMware Tools\\", &wfd1);HANDLE hFind2 = FindFirstFileW(L"C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\", &wfd2);if (INVALID_HANDLE_VALUE != hFind1 && (wfd1.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))CoeckStrictMode++;if (INVALID_HANDLE_VALUE != hFind2 && (wfd2.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))CoeckStrictMode++;CloseHandle(hFind1);CloseHandle(hFind2);if (PathFileExistsW(L"C:\\Program Files\\VMware\\VMware Tools\\") ||PathFileExistsW(L"C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\"))CoeckStrictMode++;if (INVALID_FILE_ATTRIBUTES != GetFileAttributesW(L"C:\\Program Files\\VMware\\VMware Tools\\")||INVALID_FILE_ATTRIBUTES != GetFileAttributesW(L"C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\"))CoeckStrictMode++;if (CoeckStrictMode > 1) return TRUE;return FALSE;
}int EnumDriverDevice() {DWORD cbNeeded = 0; // drivers[] 返回的字节数LPVOID drivers[ARRAY_SIZE] = { 0 }; // 驱动程序地址列表数组int cDrivers = 0;	// 驱动个数int CoeckStrictMode = 0;const wchar_t* wsDRVFile[8] = {L"vmmouse.sys",L"vmusbmouse.sys",L"vmrawdsk.sys",L"vmmemctl.sys",L"vm3dmp.sys",L"vm3dmp_loader.sys",L"vm3dmp-debug.sys",L"vm3dmp-stats.sys"};if (K32EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) // EnumDeviceDrivers 检索每个驱动文件的加载地址{wchar_t szDriver[ARRAY_SIZE] = { 0 };	// 驱动文件名wchar_t szPath[ARRAY_SIZE] = { 0 };	// 存放驱动文件全路径wchar_t szSystemPath[ARRAY_SIZE] = { 0 }; // 存放 system32 文件夹路径cDrivers = cbNeeded / sizeof(LPVOID);	// 驱动个数//得到C:\Windows\system32\dbghelp.dllGetSystemDirectoryW(szSystemPath, sizeof(szSystemPath));wcscat_s(szSystemPath, L"\\dbghelp.dll");for (int i = 0; i < cDrivers; i++){if (K32GetDeviceDriverBaseNameW(drivers[i], szDriver, sizeof(szDriver) / sizeof(LPVOID))){for (int i = 0; i < 8; i++)if (wcscmp(szDriver, wsDRVFile[i]) == 0)CoeckStrictMode++;// 打印驱动名//printf("【%d】:%ws\n", i + 1, szDriver);// 打印驱动文件路径//GetDeviceDriverFileName(drivers[i], szPath, sizeof(szPath));//printf("%s\n", szPath);}}}return CoeckStrictMode;
}BOOL checkVMDriversFile()
{if (EnumDriverDevice() >= 1) return TRUE;return FALSE;
}// 检测服务
BOOL checkSerivce()
{int menu = 0;// 打开系统服务控制器    SC_HANDLE SCMan = OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);if (SCMan == NULL){return -1;}// 保存系统服务的结构  LPENUM_SERVICE_STATUSA service_status;DWORD cbBytesNeeded = NULL;DWORD ServicesReturned = NULL;DWORD ResumeHandle = NULL;service_status = (LPENUM_SERVICE_STATUSA)LocalAlloc(LPTR, 1024 * 64);// 获取系统服务的简单信息    bool ESS = EnumServicesStatusA(SCMan, //系统服务句柄    SERVICE_WIN32, //服务的类型    SERVICE_STATE_ALL,  //服务的状态    (LPENUM_SERVICE_STATUSA)service_status,  //输出参数，系统服务的结构    1024 * 64,  //结构的大小    &cbBytesNeeded, //输出参数，接收返回所需的服务    &ServicesReturned, //输出参数，接收返回服务的数量    &ResumeHandle //输入输出参数，第一次调用必须为0，返回为0代表成功);if (ESS == NULL){return -1;}for (DWORD i = 0; i < ServicesReturned; i++){if (strstr(service_status[i].lpDisplayName, "VMware Tools") != NULL ||strstr(service_status[i].lpDisplayName, "VMware 物理磁盘助手服务") != NULL || strstr(service_status[i].lpDisplayName, "Virtual Machine") != NULL ||strstr(service_status[i].lpDisplayName, "VirtualBox Guest") != NULL){return TRUE;}}//关闭服务管理器的句柄   CloseServiceHandle(SCMan);return FALSE;
}// 检测开机时间
BOOL checkUptime(DWORD msTime)
{DWORD UpTime = GetTickCount();if (UpTime < msTime){return TRUE;}else{return FALSE;}
}// 使用CPUID指令
// 当EAX=1时，CPUID的ECX中HYPERV_HYPERVISOR_PRESENT_BIT标识是否在虚拟环境中
BOOL checkCPUID()
{DWORD dw_ecx;bool bFlag = true;_asm {pushad; // 将32位通用寄存器压入堆栈pushfd; // 将32位标志寄存器EFLAGS压入堆栈mov eax, 1; // Processor Info and Feature Bitscpuid; // 根据传递给EAX寄存器的值，将对应的信息返回给EAX、EBX、ECX、EDXmov dw_ecx, ecx; // Feature Informationand ecx, 0x80000000; // Hypervisor present (always zero on physical CPUs) 即 HYPERV_HYPERVISOR_PRESENT_BITtest ecx, ecx; // AND为0的话ZF=1setz[bFlag]; // ZF为1的话bFlag=1popfd;popad;}if (bFlag) // 真实机器{return FALSE;}else{return TRUE;}
}// 检测TEMP目录下的文件数量
BOOL checkTempDir(INT aNum)
{int file_count = 0;DWORD dwRet;LPSTR pszOldVal;pszOldVal = (LPSTR)malloc(MAX_PATH * sizeof(char));dwRet = GetEnvironmentVariableA("TEMP", pszOldVal, MAX_PATH);std::string stdstr = pszOldVal;stdstr += "\\*";LPSTR s = const_cast<char*>(stdstr.c_str());WIN32_FIND_DATAA data;HANDLE hFind = FindFirstFileA(s, &data);if (hFind != INVALID_HANDLE_VALUE){do{file_count++;} while (FindNextFileA(hFind, &data));FindClose(hFind);}if (file_count < aNum){return TRUE;}else{return FALSE;}
}// 检测主板序列号、主机型号、系统盘所在磁盘名称等硬件信息
// WMI ROOT\\CIMV2
BOOL ManageWMIInfo(string& result, string table, wstring wcol)
{char bord[1024];HRESULT hres = CoInitialize(0);IWbemLocator* pLoc = NULL;hres = CoCreateInstance(CLSID_WbemLocator,0,CLSCTX_INPROC_SERVER,IID_IWbemLocator, (LPVOID*)&pLoc);if (FAILED(hres)){CoUninitialize();return FALSE;}IWbemServices* pSvc = NULL;hres = pLoc->ConnectServer(_bstr_t(L"ROOT\\CIMV2"), // Object path of WMI namespace  NULL, // User name. NULL = current user  NULL, // User password. NULL = current  0, // Locale. NULL indicates current  NULL, // Security flags.  0, // Authority (e.g. Kerberos)  0, // Context object   &pSvc // pointer to IWbemServices proxy  );if (FAILED(hres)){pLoc->Release();CoUninitialize();return FALSE;}hres = CoSetProxyBlanket(pSvc, // Indicates the proxy to set  RPC_C_AUTHN_WINNT, // RPC_C_AUTHN_xxx  RPC_C_AUTHZ_NONE, // RPC_C_AUTHZ_xxx  NULL, // Server principal name   RPC_C_AUTHN_LEVEL_CALL, // RPC_C_AUTHN_LEVEL_xxx   RPC_C_IMP_LEVEL_IMPERSONATE, // RPC_C_IMP_LEVEL_xxx  NULL, // client identity  EOAC_NONE // proxy capabilities   );if (FAILED(hres)){pSvc->Release();pLoc->Release();CoUninitialize();return FALSE;}IEnumWbemClassObject* pEnumerator = NULL;string select = "SELECT * FROM " + table;hres = pSvc->ExecQuery(bstr_t("WQL"),bstr_t(select.c_str()),WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,NULL,&pEnumerator);if (FAILED(hres)){pSvc->Release();pLoc->Release();CoUninitialize();return FALSE;}ULONG uReturn = 0;IWbemClassObject* pclsObj;while (pEnumerator){HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);if (0 == uReturn){break;}VARIANT vtProp;VariantInit(&vtProp);hr = pclsObj->Get(wcol.c_str(), 0, &vtProp, 0, 0);if (!FAILED(hr)){CW2A tmpstr(vtProp.bstrVal);strcpy_s(bord, 200, tmpstr);result = bord;}VariantClear(&vtProp);pclsObj->Release();}pSvc->Release();pLoc->Release();pEnumerator->Release();CoUninitialize();return TRUE;
}// 检测磁盘驱动程序发布商名称
BOOL checkHardwareInfo()
{BOOL bRet = TRUE;do{string ret;ManageWMIInfo(ret, "Win32_BaseBoard", L"SerialNumber");if (ret == "None"){break;}ManageWMIInfo(ret, "Win32_DiskDrive", L"Caption");if (ret.find("VMware") != string::npos || ret.find("VBOX") != string::npos || ret.find("Virtual HD") != string::npos){break;}ManageWMIInfo(ret, "Win32_computersystem", L"Model");if (ret.find("VMware") != string::npos || ret.find("VirtualBox") != string::npos || ret.find("Virtual Machine") != string::npos){break;}bRet = FALSE;} while (FALSE);return bRet;
}// 使用sgdt和sldt指令探测VMware的技术通常被称为No Pill
// 通过禁用VMware加速可以防止No Pill技术的探测
BOOL checkNoPill()
{ULONG xdt = 0;ULONG InVM = 0;__asm{push edxsidt[esp - 2] // 将中断描述符表寄存器IDTR的内容存入指定地址单元pop edxnopmov xdt, edx}if (xdt > 0xd0000000){InVM = 1;}__asm{push edxsgdt[esp - 2] // 将全局描述符表格寄存器GDTR的内容存入指定地址单元pop edxnopmov xdt, edx}if (xdt > 0xd0000000){InVM += 1;}if (InVM == 0){return FALSE;}else{return TRUE;}
}// 检测IO端口
// VMware会监视in指令的执行，并捕获目的通信端口为0x5668(VX)的I/O
// VMware会检查第二个操作数是否是VX，在这种情况发生时
// EAX寄存器载入的值是0x564D5868(VMXh)
// ECX寄存器为在端口上执行相应操作的值
// 0xA：get VMware version type
// 0x14：get the memory size
// 则EBX为magic数VMXh，ECX为版本号
// 在真实机器上运行会触发EXCEPTION_EXECUTE_HANDLER异常
// https://www.aldeid.com/wiki/VMXh-Magic-Value
BOOL checkIOPort()
{bool rc = true;__try{__asm{push   edxpush   ecxpush   ebxmov    eax, 'VMXh'mov    ebx, 0mov    ecx, 10mov    edx, 'VX'in     eax, dx // 从一个源操作数指定的端口dx复制数据到目的操作数指定的内存地址cmp    ebx, 'VMXh'setz[rc]pop    ebxpop    ecxpop    edx}}__except (EXCEPTION_EXECUTE_HANDLER){rc = false;}return rc;
}// 检测无效指令
// VirtualPC使用一堆无效指令来允许虚拟机和VirtualPC之间连接，如果VirtualPC存在则不引起异常
DWORD IslnsideVPC_exceptionFilter(LPEXCEPTION_POINTERS ep)
{PCONTEXT ctx = ep->ContextRecord;ctx->Ebx = -1; // 未运行在VPC中  ctx->Eip += 4; // 跳过call VPC操作  return EXCEPTION_CONTINUE_EXECUTION;
}BOOL checkUnISA()
{bool rc = TRUE;__try{__asm{push ebxmov ebx, 0mov eax, 1__emit 0fh // 在当前位置直接插入数据__emit 3fh__emit 07h__emit 0bhtest ebx, ebxsetz[rc]pop ebx}}__except (IslnsideVPC_exceptionFilter(GetExceptionInformation())){rc = FALSE;}return rc;
}int DetectVisualMachine(int *s, int drd) {int* p = s;if (drd == 0 && checkCPUTemperature()) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 1 && checkPhyDisk(250)) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 2 && checkPath()) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 3 && checkCPUCores(4)) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 4 && CheckMACEx()) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 5 && checkMemory(4)) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 6 && checkProcess()) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 7 && checkSerivce()) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 8 && checkCPUID()) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 9 && checkHardwareInfo()) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 10 && checkIOPort()) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 11 && checkVMDriversFile()) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}if (*p == 12 && checkProcess()) {s = new int;*s = *p;*p = (*s) + 1;DetectVisualMachine(p, ++drd);}else {s = new int;*s = *p;*p = (*s);DetectVisualMachine(p, ++drd);}
}int main()
{// 需要管理员权限if (isAdmin() && IsUserAnAdmin()){printf("[+] Admin\n");if (checkCPUTemperature()){printf("[-] checkCPUTemperature - VM\n");}else{printf("[+] checkCPUTemperature - not VM\n");}if (checkPhyDisk(250)){printf("[-] checkPhyDisk - VM\n");}else{printf("[+] checkPhyDisk - not VM\n");}if (checkPath())//{printf("[-] checkPath - VM\n");}else{printf("[+] checkPath - not VM\n");}}//printf("[+] Not Admin\n");if (checkCPUCores(4)){printf("[-] checkCPUCores - VM\n");}else{printf("[+] checkCPUCores - not VM\n");}if (CheckMACEx()){printf("[-] checkMAC - VM\n");}else{printf("[+] checkMAC - not VM\n");}if (checkMemory(4)){printf("[-] checkMemory - VM\n");}else{printf("[+] checkMemory - not VM\n");}if (checkProcess()){printf("[-] checkProcess - VM\n");}else{printf("[+] checkProcess - not VM\n");}if (checkSerivce()){printf("[-] checkSerivce - VM\n");}else{printf("[+] checkSerivce - not VM\n");}if (checkCPUID()){printf("[-] checkCPUID - VM\n");}else{printf("[+] checkCPUID - not VM\n");}/**if (checkTempDir(30)){printf("[-] checkTempDir - VM\n");}else{printf("[+] checkTempDir - not VM\n");}*/if (checkHardwareInfo()){printf("[-] checkHardwareInfo - VM\n");}else{printf("[+] checkHardwareInfo - not VM\n");}if (checkIOPort()){printf("[-] checkIOPort - VM\n");}else{printf("[+] checkIOPort - not VM\n");}if (checkVMDriversFile()){printf("[-] checkDriversFile - VM\n");}else{printf("[+] checkDriversFile - not VM\n");}cin.get();return 0;
}

虚拟机实测：

---

发布于：2024.03.10.