PS:这个是自己写的一个反虚拟机的测试,不知道发在这里合不合适,如果不合适,版主帮忙移动下。 这是一个最简单的反虚拟机测试,通过检测是否包含虚拟机tools的进程来判断是否是虚拟机。 首先写一个函数,判断是否包含某进程 //是否包含某进程
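// 是否包含某进程
// Returns TRUE when a process whose image name matches strProName appears in a
// Toolhelp process snapshot, FALSE otherwise.
//
// strProName: image file name to look for (e.g. "vmtoolsd.exe"). The comparison
//             is case-insensitive, because Windows image names are not case-
//             sensitive and the snapshot may report a different casing than the
//             caller spelled.
// Returns:    TRUE if found; FALSE if not found OR if the snapshot could not be
//             created (the original version called exit(1) there, which silently
//             killed the host process from inside a predicate).
// Note:       the original leaked the snapshot handle on the "found" path; the
//             handle is now closed on every path.
BOOL IsContainsProcess(CString strProName)
{
    PROCESSENTRY32 pe32 = {};       // 定义结构体变量来保存进程的信息 (zeroed)
    pe32.dwSize = sizeof(pe32);     // 填充大小 — required before Process32First

    HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // 创建快照
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        // 进程快照失败: report "not present" rather than terminating the caller.
        return FALSE;
    }

    // 遍历所有快照
    BOOL bFound = FALSE;
    for (BOOL bMore = ::Process32First(hProcessSnap, &pe32);
         bMore;
         bMore = ::Process32Next(hProcessSnap, &pe32))
    {
        if (strProName.CompareNoCase(pe32.szExeFile) == 0)
        {
            bFound = TRUE; // 如果存在该进程,则返回TRUE
            break;         // 停止循环
        }
    }

    // 扫尾 — always executed, so the handle no longer leaks when a match is found
    CloseHandle(hProcessSnap);
    return bFound;
}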
然后,就可以在程序初始化时判断是否存在其中任一进程: if (
(IsContainsProcess("VBoxTray.exe")) ||
(IsContainsProcess("VBoxService.exe")) ||
(IsContainsProcess("VMwareUser.exe"))||
(IsContainsProcess("VMwareTray.exe")) ||
(IsContainsProcess("VMUpgradeHelper.exe"))||
(IsContainsProcess("vmtoolsd.exe"))||
(IsContainsProcess("vmacthlp.exe"))
)
{
AfxMessageBox("请不要在虚拟机中运行该程序");
exit(0);
}
下面,我们对这个程序进行反反调试程序下载地址:http://files.cnblogs.com/tk091/AntiVirtualTest.zip首先我们用OD载入,查找字符串。找到“请不要在虚拟机中运行该程序”,点击跟随,到达反汇编区域。 00401496 > \6A 00 push 0
00401498 . 6A 00 push 0
0040149A . 68 A0804100 push 004180A0 ; 请不要在虚拟机中运行该程序
0040149F . E8 8FF80000 call 00410D33
找到该跳转的来源 004013C9 . /0F85 C7000000 jnz 00401496
004013CF . |51 push ecx
004013D0 . |8BCC mov ecx, esp
004013D2 . |896424 14 mov dword ptr [esp+14], esp
004013D6 . |68 10814100 push 00418110 ; vboxservice.exe
004013DB . |E8 48E30000 call 0040F728
004013E0 . |8BCE mov ecx, esi
004013E2 . |E8 29FEFFFF call 00401210
004013E7 . |85C0 test eax, eax
004013E9 . |0F85 A7000000 jnz 00401496
004013EF . |51 push ecx
004013F0 . |8BCC mov ecx, esp
004013F2 . |896424 14 mov dword ptr [esp+14], esp
004013F6 . |68 00814100 push 00418100 ; vmwareuser.exe
004013FB . |E8 28E30000 call 0040F728
00401400 . |8BCE mov ecx, esi
00401402 . |E8 09FEFFFF call 00401210
00401407 . |85C0 test eax, eax
00401409 . |0F85 87000000 jnz 00401496
0040140F . |51 push ecx
00401410 . |8BCC mov ecx, esp
00401412 . |896424 14 mov dword ptr [esp+14], esp
00401416 . |68 F0804100 push 004180F0 ; vmwaretray.exe
0040141B . |E8 08E30000 call 0040F728
00401420 . |8BCE mov ecx, esi
00401422 . |E8 E9FDFFFF call 00401210
00401427 . |85C0 test eax, eax
00401429 . |75 6B jnz short 00401496
0040142B . |51 push ecx
0040142C . |8BCC mov ecx, esp
0040142E . |896424 14 mov dword ptr [esp+14], esp
00401432 . |68 DC804100 push 004180DC ; vmupgradehelper.exe
00401437 . |E8 ECE20000 call 0040F728
0040143C . |8BCE mov ecx, esi
0040143E . |E8 CDFDFFFF call 00401210
00401443 . |85C0 test eax, eax
00401445 . |75 4F jnz short 00401496
00401447 . |51 push ecx
00401448 . |8BCC mov ecx, esp
0040144A . |896424 14 mov dword ptr [esp+14], esp
0040144E . |68 CC804100 push 004180CC ; vmtoolsd.exe
00401453 . |E8 D0E20000 call 0040F728
00401458 . |8BCE mov ecx, esi
0040145A . |E8 B1FDFFFF call 00401210
0040145F . |85C0 test eax, eax
00401461 . |75 33 jnz short 00401496
00401463 . |51 push ecx
00401464 . |8BCC mov ecx, esp
00401466 . |896424 14 mov dword ptr [esp+14], esp
0040146A . |68 BC804100 push 004180BC ; vmacthlp.exe
0040146F . |E8 B4E20000 call 0040F728
00401474 . |8BCE mov ecx, esi
00401476 . |E8 95FDFFFF call 00401210
0040147B . |85C0 test eax, eax
0040147D . |75 17 jnz short 00401496
0040147F . |8B4C24 14 mov ecx, dword ptr [esp+14]
00401483 . |5F pop edi
00401484 . |5E pop esi
00401485 . |B8 01000000 mov eax, 1
0040148A . |64:890D 00000> mov dword ptr fs:[0], ecx
00401491 . |5B pop ebx
00401492 . |83C4 14 add esp, 14
00401495 . |C3 retn
00401496 > \6A 00 push 0
可以看出,判断的跳转很多,而且都基于 test eax,eax 的结果;我们把每处 test eax,eax 都改为 xor eax,eax(eax 恒为 0、ZF 置位,后面的 jnz 不再跳转),然后保存文件即可。004013AF . 51 push ecx
004013B0 . 8BCC mov ecx, esp
004013B2 . 896424 14 mov dword ptr [esp+14], esp
004013B6 . 68 20814100 push 00418120 ; vboxtray.exe
004013BB . E8 68E30000 call 0040F728 ; 判断是否包含该进程
004013C0 . 8BCE mov ecx, esi
004013C2 . E8 49FEFFFF call 00401210
004013C7 33C0 xor eax, eax
004013C9 0F85 C7000000 jnz 00401496
004013CF . 51 push ecx
004013D0 . 8BCC mov ecx, esp
004013D2 . 896424 14 mov dword ptr [esp+14], esp
004013D6 . 68 10814100 push 00418110 ; vboxservice.exe
004013DB . E8 48E30000 call 0040F728
004013E0 . 8BCE mov ecx, esi
004013E2 . E8 29FEFFFF call 00401210
004013E7 33C0 xor eax, eax
004013E9 0F85 A7000000 jnz 00401496
004013EF . 51 push ecx
004013F0 . 8BCC mov ecx, esp
004013F2 . 896424 14 mov dword ptr [esp+14], esp
004013F6 . 68 00814100 push 00418100 ; vmwareuser.exe
004013FB . E8 28E30000 call 0040F728
00401400 . 8BCE mov ecx, esi
00401402 . E8 09FEFFFF call 00401210
00401407 33C0 xor eax, eax
00401409 0F85 87000000 jnz 00401496
0040140F . 51 push ecx
00401410 . 8BCC mov ecx, esp
00401412 . 896424 14 mov dword ptr [esp+14], esp
00401416 . 68 F0804100 push 004180F0 ; vmwaretray.exe
0040141B . E8 08E30000 call 0040F728
00401420 . 8BCE mov ecx, esi
00401422 . E8 E9FDFFFF call 00401210
00401427 33C0 xor eax, eax
00401429 75 6B jnz short 00401496
0040142B . 51 push ecx
0040142C . 8BCC mov ecx, esp
0040142E . 896424 14 mov dword ptr [esp+14], esp
00401432 . 68 DC804100 push 004180DC ; vmupgradehelper.exe
00401437 . E8 ECE20000 call 0040F728
0040143C . 8BCE mov ecx, esi
0040143E . E8 CDFDFFFF call 00401210
00401443 33C0 xor eax, eax
00401445 75 4F jnz short 00401496
00401447 . 51 push ecx
00401448 . 8BCC mov ecx, esp
0040144A . 896424 14 mov dword ptr [esp+14], esp
0040144E . 68 CC804100 push 004180CC ; vmtoolsd.exe
00401453 . E8 D0E20000 call 0040F728
00401458 . 8BCE mov ecx, esi
0040145A . E8 B1FDFFFF call 00401210
0040145F 33C0 xor eax, eax
00401461 75 33 jnz short 00401496
00401463 . 51 push ecx
00401464 . 8BCC mov ecx, esp
00401466 . 896424 14 mov dword ptr [esp+14], esp
0040146A . 68 BC804100 push 004180BC ; vmacthlp.exe
0040146F . E8 B4E20000 call 0040F728
00401474 . 8BCE mov ecx, esi
00401476 . E8 95FDFFFF call 00401210
0040147B 33C0 xor eax, eax
0040147D 75 17 jnz short 00401496
0040147F . 8B4C24 14 mov ecx, dword ptr [esp+14]
00401483 . 5F pop edi
00401484 . 5E pop esi
00401485 . B8 01000000 mov eax, 1
0040148A . 64:890D 00000>mov dword ptr fs:[0], ecx
00401491 . 5B pop ebx
00401492 . 83C4 14 add esp, 14
00401495 . C3 retn
反anti后的程序下载:http://files.cnblogs.com/tk091/anti-anti.zip
这个排版看起来太头疼了。
需要看的可以移步:
http://www.cnblogs.com/tk091/archive/2012/04/21/2461158.html