C++:
#include <windows.h>
#include <iostream>
#include <string>
#include <vector>
#include <tchar.h>
#include <iphlpapi.h>
#include <ctime>
#include <tlhelp32.h>
#pragma intrinsic(__rdtsc)
#pragma comment(lib, "iphlpapi.lib")
// Human-readable explanation of the last positive detection. Written by
// isVM() when a probe fires and read by main() for the message box; stays
// empty when no probe fires.
std::wstring detectionReason;
// Heuristic virtual-machine / sandbox check.
//
// Runs a fixed sequence of probes; each later probe runs only while no
// earlier one has fired (the repeated `if (result == 0)` guards). On the
// first hit it stores a reason string in the global detectionReason and
// returns 1; if nothing fires it returns 0 and detectionReason is untouched.
//
// Every probe is a coarse heuristic with documented false positives (see the
// per-block notes), so from an analysis/defensive point of view this is a
// catalogue of the environment checks a sandbox must be able to withstand,
// not a reliable oracle. Side effects: may read the registry, stat files,
// open PhysicalDrive0, and enumerate network adapters.
//
// NOTE(review): __rdtsc/__cpuid are MSVC intrinsics from <intrin.h>; the file
// appears to rely on them being pulled in transitively — confirm on the
// target toolchain.
int isVM() {
// Probe 1: cycle count around CPUID, averaged over 10 runs. The intent is
// presumably that CPUID traps to a hypervisor and inflates the delta.
ULONGLONG tsc1 = 0;
ULONGLONG tsc2 = 0;
ULONGLONG avg = 0;
INT cpuInfo[4] = {};  // output of __cpuid; never read, only used to force the instruction
int result = 0;
for (INT i = 0; i < 10; i++) {
tsc1 = __rdtsc();
__cpuid(cpuInfo, 0);
tsc2 = __rdtsc();
avg += (tsc2 - tsc1);
}
avg = avg / 10;
// The 2500-cycle bound is hard-coded and CPU-frequency dependent, and the
// first iteration includes cold-cache cost, so both old/slow and unusual
// hardware can misclassify. `avg > 0` rejects a non-monotonic TSC reading.
if (!(avg < 2500 && avg > 0)) {
detectionReason = L"RDTSC timing anomaly hypervisor detected.";
result = 1;
}
// Probe 2: presence of guest-integration driver files in System32\drivers.
// Presence of the file only shows the product is installed, not that it is
// loaded or that this is a guest.
if (result == 0) {
SYSTEM_INFO sysInfo;
GetSystemInfo(&sysInfo);  // NOTE(review): sysInfo is never read in this block; dead call
std::vector<std::wstring> knownVMDrivers = {
L"vmxnet",
L"VBoxGuest",
L"vmbus",
L"HyperV",  // NOTE(review): a driver file literally named HyperV.sys does not appear to be standard — confirm
};
for (size_t i = 0; i < knownVMDrivers.size(); i++) {
std::wstring driver = knownVMDrivers[i];  // copies each entry; a const reference would do
std::wstring path = L"C:\\Windows\\System32\\drivers\\" + driver + L".sys";  // hard-coded system drive
if (GetFileAttributesW(path.c_str()) != INVALID_FILE_ATTRIBUTES) {
detectionReason = L"VM driver detected: " + driver;
result = 1;
break;
}
}
}
// Probe 3: substring match on the BIOS SystemManufacturer registry value.
if (result == 0) {
wchar_t buffer[256] = { 0 };
DWORD size = sizeof(buffer);  // RegGetValueW takes a byte count, so sizeof (not the element count) is correct
if (RegGetValueW(HKEY_LOCAL_MACHINE, L"HARDWARE\\DESCRIPTION\\System\\BIOS", L"SystemManufacturer", RRF_RT_REG_SZ, nullptr, buffer, &size) == ERROR_SUCCESS) {
std::wstring biosManufacturer(buffer);
// "Microsoft" is presumably aimed at Hyper-V guests, but physical
// Microsoft-branded machines report a Microsoft manufacturer too —
// a likely false positive. Matching is case-sensitive.
if (biosManufacturer.find(L"VMware") != std::wstring::npos ||
biosManufacturer.find(L"VirtualBox") != std::wstring::npos ||
biosManufacturer.find(L"Microsoft") != std::wstring::npos) {
detectionReason = L"BIOS manufacturer indicates a virtual machine: " + biosManufacturer;
result = 1;
}
}
}
// Probe 4 (no effect): opens and immediately closes the raw PhysicalDrive0
// device. Neither success nor failure touches result or detectionReason, so
// this block is dead as written; opening a raw disk also typically needs
// administrative rights, so it would usually fail anyway.
if (result == 0) {
HANDLE hDevice = CreateFileW(L"\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if (hDevice != INVALID_HANDLE_VALUE) {
CloseHandle(hDevice);
}
}
// Probe 5: guest-tools executables at two fixed default install paths.
// Both paths are checked for both tool names; a non-default install
// directory is not seen.
if (result == 0) {
std::vector<std::wstring> knownVMTools = {
L"vmtoolsd.exe",
L"VBoxService.exe"
};
for (size_t i = 0; i < knownVMTools.size(); i++) {
std::wstring tool = knownVMTools[i];
std::wstring path1 = L"C:\\Program Files\\VMware\\VMware Tools\\" + tool;
std::wstring path2 = L"C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\" + tool;
if (GetFileAttributesW(path1.c_str()) != INVALID_FILE_ATTRIBUTES ||
GetFileAttributesW(path2.c_str()) != INVALID_FILE_ATTRIBUTES) {
detectionReason = L"VM tool detected: " + tool;
result = 1;
break;
}
}
}
// Probe 6: fewer than two logical processors. A VM can be given any
// number of vCPUs, so this is weak evidence in either direction.
if (result == 0) {
SYSTEM_INFO sysInfo;
GetSystemInfo(&sysInfo);
if (sysInfo.dwNumberOfProcessors < 2) {
detectionReason = L"Number of processors is unusually low (likely a virtual machine).";
result = 1;
}
}
// Probe 7: uptime below one hour (GetTickCount64 is milliseconds since boot;
// 3600000 ms = 60 min). Fires on every freshly rebooted physical machine.
if (result == 0) {
ULONGLONG systemUpTime = GetTickCount64();
if (systemUpTime < 3600000) {
detectionReason = L"System has been running for less than an hour.";
result = 1;
}
}
// Probe 8: first three bytes (OUI) of each adapter's MAC against three
// hard-coded hypervisor-vendor prefixes (the vendor mapping is not given in
// the code). Uses the two-call GetAdaptersInfo pattern: size query, then fill.
if (result == 0) {
PIP_ADAPTER_INFO pAdapterInfo = nullptr;
ULONG len = 0;
if (GetAdaptersInfo(nullptr, &len) == ERROR_BUFFER_OVERFLOW) {
pAdapterInfo = (IP_ADAPTER_INFO*)malloc(len);  // C-style cast; a static_cast (or std::vector<BYTE> buffer) would be idiomatic
if (pAdapterInfo && GetAdaptersInfo(pAdapterInfo, &len) == NO_ERROR) {
PIP_ADAPTER_INFO pCurr = pAdapterInfo;
while (pCurr) {
// AddressLength guard keeps memcmp inside the stored address.
// NOTE(review): memcmp needs <cstring>, which is not included directly here.
if ((pCurr->AddressLength >= 3) &&
((memcmp(pCurr->Address, "\x00\x0C\x29", 3) == 0) ||
(memcmp(pCurr->Address, "\x00\x1C\x42", 3) == 0) ||
(memcmp(pCurr->Address, "\x00\x50\x56", 3) == 0))) {
detectionReason = L"MAC address indicates a virtual machine.";
// BUG: pAdapterInfo is freed here but not set to nullptr, so the
// unconditional free() after the loop releases it a second time
// (double free / heap corruption) on every positive match.
free(pAdapterInfo);
result = 1;
break;
}
pCurr = pCurr->Next;
}
}
if (pAdapterInfo) free(pAdapterInfo);
}
}
return result;
}
// Entry point: run the probes once and report the outcome in a modal
// message box. When isVM() returns 1 the text is whatever reason it left in
// the global detectionReason; any other return value shows the fixed
// "PASSED" message. Always exits with status 0.
int main() {
const bool detected = (isVM() == 1);
const wchar_t* text = detected ? detectionReason.c_str() : L"PASSED";
const wchar_t* caption = detected ? L"VM Detected" : L"VM Not Detected";
const UINT flags = detected ? (MB_OK | MB_ICONERROR) : (MB_OK | MB_ICONINFORMATION);
MessageBox(NULL, text, caption, flags);
return 0;
}