Thanks for the update. It is all very cool, but only good for primitive malware. VirtualBox (however modded) can be detected in a few lines of primitive code. This information is not a zero-day; it is used in some top-class commercial protection software, and it is up to Oracle to patch this.
1. Register a top-level exception handler.
2. Set TF in EFLAGS.
3. Execute the "cpuid" instruction (on older VirtualBox versions "rdtsc" works the same way).
4. In the exception handler, check the exception Eip. VirtualBox will eat one instruction after cpuid. Check whether Eip points to the second instruction after cpuid.
Code:

    void fnNotDetected(void);   // defined elsewhere, alongside the exception handler (not shown)

    __declspec(naked) void fnCheckVBox()
    {
        __asm {
            pushfd
            pop eax
            or ah, 1                ; set TF (bit 8 of EFLAGS)
            push eax
            popfd                   ; single-step trap fires after the next instruction
            cpuid                   ; bare metal: trap Eip points at the nop below
            nop                     ; VirtualBox eats this instruction
            call fnNotDetected      ; <- if Eip == this address we are in the VBox.
            ret
        }
    }
As a side effect, VirtualPC completely freezes after execution of this code. Some sort of VM detection too.
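The four steps above as one complete, runnable program. This is an added example and not the poster's code: it ports the trick to Linux/x86-64, using a SIGTRAP handler installed with sigaction in place of a Windows top-level exception handler, and RIP from the signal's ucontext in place of the exception record's Eip. The verdict names and the classify_trap / check_vbox_trap / probe_self_consistent helpers are my own naming. The program records which address the single-step trap landed on and classifies it the way the post describes (one instruction past cpuid on bare metal, two past on VirtualBox); which hypervisors actually show the two-past behaviour is something you observe by running it on them, not something the code assumes.

```c
/* Added example, not the poster's code: the TF + cpuid single-step probe
 * ported to Linux/x86-64.  A SIGTRAP handler stands in for the Windows
 * top-level exception handler, and RIP from the ucontext for Eip.
 * Build: cc -O2 -o tfprobe tfprobe.c && ./tfprobe */
#define _GNU_SOURCE
#include <inttypes.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

enum verdict {
    VERDICT_NO_TRAP = 0,     /* single-step trap never delivered */
    VERDICT_BARE_METAL = 1,  /* trap RIP == instruction right after cpuid */
    VERDICT_VBOX_LIKE = 2,   /* trap RIP == two instructions after cpuid (post's VirtualBox case) */
    VERDICT_OTHER = 3        /* trap landed somewhere else */
};

/* Written by the probe and by the SIGTRAP handler, hence volatile. */
static volatile uintptr_t g_trap_rip, g_at_cpuid, g_after_cpuid, g_two_after;

/* Step 4 of the post as a pure function, so it can be checked with made-up addresses. */
static enum verdict classify_trap(uintptr_t trap_rip, uintptr_t after_cpuid, uintptr_t two_after)
{
    if (trap_rip == 0)           return VERDICT_NO_TRAP;
    if (trap_rip == after_cpuid) return VERDICT_BARE_METAL;
    if (trap_rip == two_after)   return VERDICT_VBOX_LIKE;
    return VERDICT_OTHER;
}

#if defined(__linux__) && defined(__x86_64__)
/* Step 1: the handler.  Records where the trap landed and clears TF in the
 * saved context; otherwise sigreturn re-arms single-step after every instruction. */
static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = (ucontext_t *)ctx;
    (void)sig; (void)si;
    g_trap_rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)0x100;
}

/* Steps 2-3: set TF, execute cpuid, then collect the addresses the trap can land on. */
static enum verdict check_vbox_trap(void)
{
    struct sigaction sa, old;
    uintptr_t at_cpuid, after_cpuid, two_after;
    unsigned int leaf = 0;   /* cpuid leaf 0 in eax */

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    g_trap_rip = 0;
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return VERDICT_NO_TRAP;

    __asm__ __volatile__(
        "subq $128, %%rsp\n\t"        /* stay out of the SysV red zone while pushing */
        "pushfq\n\t"
        "orq  $0x100, (%%rsp)\n\t"    /* TF is bit 8 of EFLAGS */
        "popfq\n\t"                   /* first single-step trap comes after the NEXT instruction */
        "0:\n\t"
        "cpuid\n\t"                   /* unconditional VM exit on every hypervisor */
        "1:\n\t"
        "nop\n\t"                     /* bare metal: trap RIP points here */
        "2:\n\t"                      /* VirtualBox per the post: trap RIP points here */
        "addq $128, %%rsp\n\t"
        "leaq 0b(%%rip), %1\n\t"
        "leaq 1b(%%rip), %2\n\t"
        "leaq 2b(%%rip), %3\n\t"
        : "+a"(leaf), "=&r"(at_cpuid), "=&r"(after_cpuid), "=&r"(two_after)
        :
        : "rbx", "rcx", "rdx", "memory", "cc");

    sigaction(SIGTRAP, &old, NULL);
    g_at_cpuid = at_cpuid; g_after_cpuid = after_cpuid; g_two_after = two_after;
    return classify_trap(g_trap_rip, after_cpuid, two_after);
}
#else
static enum verdict check_vbox_trap(void)
{
    g_trap_rip = g_at_cpuid = g_after_cpuid = g_two_after = 0;   /* probe needs Linux/x86-64 */
    return VERDICT_NO_TRAP;
}
#endif

/* Runs the probe and confirms its verdict matches the recorded addresses. */
static int probe_self_consistent(void)
{
    enum verdict v = check_vbox_trap();
    return v == classify_trap(g_trap_rip, g_after_cpuid, g_two_after);
}

int main(void)
{
    static const char *const names[] = {
        "no single-step trap delivered",
        "trap right after cpuid: not VirtualBox",
        "trap two instructions past cpuid: VirtualBox-like",
        "trap at an unexpected address",
    };
    enum verdict v = check_vbox_trap();
    printf("cpuid=%#" PRIxPTR " +1=%#" PRIxPTR " +2=%#" PRIxPTR " trap_rip=%#" PRIxPTR "\n",
           g_at_cpuid, g_after_cpuid, g_two_after, g_trap_rip);
    printf("%s\n", names[v]);
    return 0;
}
```

Two details matter in practice: the handler must clear TF in the saved context (the kernel clears it only for the handler's own execution and restores it on sigreturn), and pushfq/popfq must not land in the caller's red zone, which is why rsp is moved first. A hypervisor that delivers the single-step trap only after the nop lands on the "+2" address, which is exactly the signal the post relies on; the printed addresses let you see any other landing spot instead of just getting a verdict.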