Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

A simple way to detect VirtualBox

WarGame
Electrical Ordered Freedom #2 (EOF-DR-RRLF)
July 2008

[Back to index] [Comments]

1) Introduction

There are a lot of ways to detect virtualized env, here I will show only a simple trick to detect if you are running inside VirtualBox. This trick requires that guest additions (a component that let you exchange files between a virtualized system and the real one) are installed on the virtualized system because the detection is based on it. If you want to go deeper in VM detection look at http://www.invisiblethings.org/papers/redpill.html ! Now go to the real stuff

2) Theory & Code

The detection can be done in two ways:

  1. Check if VBoxHook.dll exists in the system (using LoadLibrary() for example)
  2. Check if the pseudo-device \\.\VBoxMiniRdrDN exists in the system (you need CreateFile())

Here are listed two simple programs that demonstrate this:

detectVBox_1.c

/* Check if VBoxHook.dll exists */

#include <windows.h>

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
        if(LoadLibrary("VBoxHook.dll") != NULL)
        {
                MessageBox(NULL,"VBox detected!","Warning",MB_OK|MB_ICONWARNING);
        }

        else
        {
                MessageBox(NULL,"Not inside VBox","Info",MB_OK|MB_ICONINFORMATION);
        }
}
 

detectVBox_2.c

/* Check if \\.\VBoxMiniRdrDN exists */

#include <windows.h>

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
        if(CreateFile("\\\\.\\VBoxMiniRdrDN",GENERIC_READ,FILE_SHARE_READ,
                NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL) != INVALID_HANDLE_VALUE)
        {
                MessageBox(NULL,"VBox detected!","Warning",MB_OK|MB_ICONWARNING);
        }

        else
        {
                MessageBox(NULL,"Not inside VBox","Info",MB_OK|MB_ICONINFORMATION);
        }
}
 

3) Greetz

greetz to #eof-project,#virus,#vxcode @ undernet a special thx to MrAnderson for testing :D You can contact me at [email protected] or visit http://vx.netlux.org/wargamevx

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org
deenesitfrplruua