2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Download of the virtual machine that passes detection:
K7.8x64 download address: ①: https://yunpan.360.cn/surl_ydaQm3pwpEk
K7.8x64 download address: ②: https://pan.baidu.com/s/1iaCU-FZLs5ScEE3PPK1fLA
Introduction to passing detection:

Malware authors often use anti-virtual-machine (anti-VM) techniques to evade analysis. These techniques let the code detect whether it is running inside a virtual machine. If malicious code detects that it is running in a virtual machine, it behaves differently from how it normally would; the simplest variation is to stop running. In recent years, as virtualization has become more widely used, the amount of malicious code that uses anti-VM techniques has gradually decreased. Malware authors have begun to realize that a target host being a virtual machine does not mean it has no value. As virtualization continues to develop and becomes more widespread, anti-VM techniques may become rarer still. This article examines the most common anti-VM techniques (covering VMware, VirtualBox, and Virtual PC, with a focus on the most commonly used, VMware) and describes some ways to defend against them.

First, detecting traces of the virtual machine

1. By MAC address
Typically, the first three bytes of a MAC address identify the vendor. MAC addresses that begin with 00:05:69, 00:0c:29, or 00:50:56 belong to VMware; those that begin with 00:03:ff belong to Virtual PC; and those that begin with 08:00:27 belong to VirtualBox.
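
    #include <windows.h>
    #include <nb30.h>      // NCB, ADAPTER_STATUS, LANA_ENUM, Netbios()
    #include <cstdio>
    #include <cstring>
    #include <string>
    #pragma comment(lib, "netapi32.lib")
    using std::string;

    void get_3part_mac(string &mac);   // defined below

    // TRUE if the MAC prefix is one of the VMware prefixes
    BOOL CheckVMWare()
    {
        string mac;
        get_3part_mac(mac);
        if (mac == "00-05-69" || mac == "00-0c-29" || mac == "00-50-56")
        {
            return TRUE;
        }
        else
        {
            return FALSE;
        }
    }

    // TRUE if the MAC prefix is the Virtual PC prefix
    BOOL CheckVirtualPC()
    {
        string mac;
        get_3part_mac(mac);
        if (mac == "00-03-ff")
        {
            return TRUE;
        }
        else
        {
            return FALSE;
        }
    }

    // TRUE if the MAC prefix is the VirtualBox prefix
    BOOL CheckVirtualBox()
    {
        string mac;
        get_3part_mac(mac);
        if (mac == "08-00-27")
        {
            return TRUE;
        }
        else
        {
            return FALSE;
        }
    }

    typedef struct _ASTAT
    {
        ADAPTER_STATUS adapt;
        NAME_BUFFER NameBuff[30];
    } ASTAT, *PASTAT;

    // Writes the first three bytes of the adapter MAC into mac as "xx-xx-xx".
    // If several adapters answer, the last one enumerated wins.
    void get_3part_mac(string &mac)
    {
        NCB Ncb;
        ASTAT Adapter;
        UCHAR uRetCode;
        LANA_ENUM lenum;

        // Enumerate the LANA numbers
        memset(&Ncb, 0, sizeof(Ncb));
        Ncb.ncb_command = NCBENUM;
        Ncb.ncb_buffer = (UCHAR *)&lenum;
        Ncb.ncb_length = sizeof(lenum);
        uRetCode = Netbios(&Ncb);

        for (int i = 0; i < lenum.length; i++)
        {
            // Reset the adapter before querying it
            memset(&Ncb, 0, sizeof(Ncb));
            Ncb.ncb_command = NCBRESET;
            Ncb.ncb_lana_num = lenum.lana[i];
            uRetCode = Netbios(&Ncb);

            // Query the adapter status; the call name "*" selects the local adapter
            memset(&Ncb, 0, sizeof(Ncb));
            Ncb.ncb_command = NCBASTAT;
            Ncb.ncb_lana_num = lenum.lana[i];
            strcpy((char *)Ncb.ncb_callname, "*");
            Ncb.ncb_buffer = (unsigned char *)&Adapter;
            Ncb.ncb_length = sizeof(Adapter);
            uRetCode = Netbios(&Ncb);

            if (uRetCode == 0)
            {
                char tmp[128];
                // Two lowercase hex digits per byte, to match the strings compared above
                sprintf(tmp, "%02x-%02x-%02x",
                        Adapter.adapt.adapter_address[0],
                        Adapter.adapt.adapter_address[1],
                        Adapter.adapt.adapter_address[2]);
                mac = tmp;
            }
        }
    }
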
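From the analyst's side, the same prefix table can be used to audit a sandbox guest before it is used: the added example below (not code from the original article) normalizes adapter MAC strings written in several notations and reports every adapter whose prefix is one of those listed above. The function names and the sample adapter list are assumptions made for this illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

struct Oui { const char *prefix; const char *vendor; };
// Prefixes as listed in the article, stored as six lowercase hex digits.
static const Oui kVmOuis[] = {
    {"000569", "VMware"}, {"000c29", "VMware"}, {"005056", "VMware"},
    {"0003ff", "Virtual PC"}, {"080027", "VirtualBox"},
};

// Reduce "00:0C:29:AA:BB:CC", "00-0c-29-aa-bb-cc" or "000c.29aa.bbcc" to 12
// lowercase hex digits; return "" for anything that is not a 48-bit MAC.
std::string normalize_mac(const std::string &raw)
{
    std::string hex;
    for (unsigned char c : raw) {
        if (std::isxdigit(c)) hex += static_cast<char>(std::tolower(c));
        else if (c != ':' && c != '-' && c != '.') return "";
    }
    return hex.size() == 12 ? hex : std::string();
}

// Vendor whose prefix matches the MAC, or "" when none does or the MAC is malformed.
std::string vm_vendor_for_mac(const std::string &raw)
{
    const std::string mac = normalize_mac(raw);   // "" never matches a prefix
    for (const Oui &o : kVmOuis)
        if (mac.compare(0, 6, o.prefix) == 0) return o.vendor;
    return "";
}

// Check every adapter (not only the last one enumerated) and return those
// that expose a virtual machine vendor prefix.
std::vector<std::string> flagged_adapters(const std::vector<std::string> &macs)
{
    std::vector<std::string> hits;
    for (const std::string &m : macs)
        if (!vm_vendor_for_mac(m).empty()) hits.push_back(m);
    return hits;
}

int main()
{
    // Constructed sample adapter list for a hypothetical lab guest.
    const std::vector<std::string> macs = {"00:0C:29:3e:51:a7", "3c-52-82-10-9f-01", "0800.27ab.cdef", "not-a-mac"};
    for (const std::string &m : flagged_adapters(macs))
        std::printf("%s exposes a %s prefix\n", m.c_str(), vm_vendor_for_mac(m).c_str());
    return 0;
}
```
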
2. By other hardware information, such as the motherboard serial number, the host model, the name of the disk that holds the system volume, etc.

    #include <windows.h>
    #include <wbemidl.h>   // IWbemLocator, CLSID_WbemLocator
    #include <iostream>
    #include <string>
    #pragma comment(lib, "wbemuuid.lib")
    using namespace std;

    // Obtain host information through WMI
    BOOL ManageWMIInfo(string &result, string table, wstring wcol)
    {
        HRESULT hres;
        char bord[1024];
        // Initialize COM
        hres = CoInitialize(0);
        // Obtain the COM interface for the WMI connection
        IWbemLocator *pLoc = NULL;
        hres = CoCreateInstance(
            CLSID_WbemLocator,
            0,
            CLSCTX_INPROC_SERVER,
            IID_IWbemLocator, (LPVOID *)&pLoc);
        if (FAILED(hres))
        {
            cout