(C++) Querying the I/O Communication Port by Unprotect

Created on Saturday 05 September 2020. Updated 2 years, 2 months ago.

Description:

Source: https://gist.github.com/kooroshh/e4a303368555ea57f04f87e5630147b5

Code

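            void CheckVM(void)
{
	/*
	 * Anti-VM fingerprint: queries the VMware "backdoor" I/O port and prints
	 * whether VMware answered, plus the product type it reported.
	 *
	 * How it works: eax is loaded with the magic 0x564D5868 ('VMXh'), ecx
	 * with command 0x0A (get version) and dx with port 0x5658 ('VX'), then
	 * `in eax, dx` is executed. The code treats ebx == 'VMXh' afterwards as
	 * proof that a VMware hypervisor handled the read, and takes ecx as the
	 * product type. Outside VMware the port read is expected to fault
	 * (user-mode `in` is a privileged instruction on Windows); the SEH
	 * handler swallows that and the function reports "Not Detected".
	 *
	 * Build note: relies on MSVC-only constructs (__try/__except, __asm
	 * blocks, multi-character constants); MSVC accepts __asm only when
	 * targeting 32-bit x86.
	 *
	 * Analyst note: the immediate 0x564D5868 and port 0x5658 next to an `in`
	 * instruction form a stable static signature for this check. Analysis
	 * guests can restrict the channel with the .vmx setting
	 * monitor_control.restrict_backdoor = "TRUE", which makes this probe
	 * take the exception path.
	 */

	// Zero-initialised so the comparison below is well defined when the `in`
	// instruction faults and the stores inside the __asm block never run.
	// The original left both uninitialised and then read them.
	unsigned int    a = 0, b = 0;

	__try {
		__asm {

			// save register values on the stack
			// (if `in` faults these are never popped; the SEH unwind
			// restores the stack pointer for the handler)
			push eax
			push ebx
			push ecx
			push edx

			// perform fingerprint
			mov eax, 'VMXh' // VMware magic value (0x564D5868)
			mov ecx, 0Ah // backdoor command 0x0A: get version
			mov dx, 'VX' // VMware backdoor I/O port (0x5658)

			in eax, dx // port read that the hypervisor is expected to handle

			mov a, ebx // reply: magic value echoed back in ebx
			mov b, ecx // reply: product type (eax is also modified)

			// restore register values from the stack
			pop edx
			pop ecx
			pop ebx
			pop eax
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER) {
		// Deliberately empty: a fault on the port read means nothing
		// answered the backdoor, so a and b keep their zero defaults.
	}

	if (a != 'VMXh') { // ebx did not come back as the VMware magic value
		printf("Result  : Not Detected\n\n");
		return;
	}

	printf("Result  : VMware detected\nVersion : ");

	// Product-type codes as listed by the original author.
	switch (b) {
	case 1:
		printf("Express\n\n");
		break;
	case 2:
		printf("ESX\n\n");
		break;
	case 3:
		printf("GSX\n\n");
		break;
	case 4:
		printf("Workstation\n\n");
		break;
	default:
		printf("unknown version\n\n");
		break;
	}
}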