VPCEXT

Created the Monday 11 March 2019. Updated 3 weeks ago.

The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If the execution of the instruction does not generate an exception (illegal instruction), then the program is running on a virtual machine.

Technique Identifiers

U1321 B0009.038

Code Snippets

/*
-----------------------------------------------------------------------------
  * Created by * lallous <lallousx86@yahoo.com> *
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE
LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF
  * SUCH DAMAGE.
  *
-----------------------------------------------------------------------------
*/

// IsInsideVPC's exception filter
DWORD __forceinline IsInsideVPC_exceptionFilter(LPEXCEPTION_POINTERS ep)
{
   PCONTEXT ctx = ep->ContextRecord;

   ctx->Ebx = -1; // Not running VPC
   ctx->Eip += 4; // skip past the "call VPC" opcodes
   return EXCEPTION_CONTINUE_EXECUTION;
   // we can safely resume execution since we skipped faulty instruction
}

// high level language friendly version of IsInsideVPC()
bool IsInsideVPC()
{
   bool rc = false;

   __try
   {
     _asm push ebx
     _asm mov  ebx, 0 // Flag
     _asm mov  eax, 1 // VPC function number

     // call VPC
     _asm __emit 0Fh
     _asm __emit 3Fh
     _asm __emit 07h
     _asm __emit 0Bh

     _asm test ebx, ebx
     _asm setz [rc]
     _asm pop ebx
   }
   // The except block shouldn't get triggered if VPC is running!!
   __except(IsInsideVPC_exceptionFilter(GetExceptionInformation()))
   {
   }

   return rc;
}

Contributors

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.