01-29-2025, 09:37 PM
This program detects whether it is being run inside a Hyper-V virtual machine (VM).
Note that hackers will run your programs in a VM so that they can
pirate or hack them.
The purpose is to detect whether the user is using a Hyper-V VM so that the program can take the
necessary counter-action.
Please let me know if you encounter any issues with this program.
Code:
' Detect HyperV.bas
' This program uses multiple detection methods for Hyper-V VM to increase accuracy.
' However, no single method is foolproof, as virtualization environments
' can be customized or masked by hackers.
' Build a standalone executable.
#COMPILE EXE
' Require every variable to be declared before it is used.
#DIM ALL
#INCLUDE "Win32Api.inc"
' Access right requested when IsHyperV opens the BIOS registry key (query values only).
%KEY_QUERY_VALUE = &H0001
' Status code the registry calls in IsHyperV are compared against.
%ERROR_SUCCESS = 0
' Local record that IsHyperV passes to GetSystemInfo.
' The field order follows the Win32 SYSTEM_INFO structure; every pointer-sized
' field is declared as DWORD, so this layout only fits a 32-bit build.
' NOTE(review): Win32Api.inc presumably declares its own SYSTEM_INFO type - confirm
' whether this private copy is needed.
TYPE nSYSTEM_INFO
dwOemID AS DWORD
dwPageSize AS DWORD
lpMinimumApplicationAddress AS DWORD
lpMaximumApplicationAddress AS DWORD
dwActiveProcessorMask AS DWORD
dwNumberOfProcessors AS DWORD
dwProcessorType AS DWORD
dwAllocationGranularity AS DWORD
wProcessorLevel AS WORD
wProcessorRevision AS WORD
END TYPE
'===============================
FUNCTION PBMAIN () AS LONG
    ' Entry point: run the detection once and show the verdict.
    LOCAL verdict AS STRING

    IF IsHyperV() = 0 THEN
        verdict = "Not inside a Hyper-V virtual machine."
    ELSE
        verdict = "Inside a Hyper-V virtual machine."
    END IF

    ? verdict
END FUNCTION
'===========================
' Detects Hyper-V VM using several methods
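FUNCTION IsHyperV() AS LONG
    ' Runs four heuristics in order and returns 1 as soon as one of them matches,
    ' otherwise 0:
    '   1. SystemManufacturer under HKLM\HARDWARE\DESCRIPTION\System\BIOS contains "MICROSOFT"
    '   2. C:\Windows\System32\drivers\vmbus.sys exists
    '   3. C:\Windows\System32\drivers\hvvid.sys exists
    '   4. the BIOS_VENDOR or BIOS_MODEL environment variable contains "HYPER-V"
    ' The strings come from helper functions that build them at run time.
    '
    ' Every check is a heuristic: a match does not prove a Hyper-V guest, and a
    ' miss does not prove physical hardware. Treat the result as a hint.
    LOCAL hypKey     AS DWORD
    LOCAL dwType     AS DWORD
    LOCAL cbData     AS DWORD
    LOCAL nresult    AS LONG
    ' The original queried into a 4-byte DWORD. A manufacturer string does not
    ' fit in 4 bytes, so RegQueryValueEx could not return ERROR_SUCCESS and this
    ' check never fired. Use a text buffer instead.
    LOCAL szManf     AS ASCIIZ * 256
    LOCAL sysInfo    AS nSYSTEM_INFO
    LOCAL biosVendor AS STRING
    LOCAL biosModel  AS STRING

    ' --- 1. Registry: SystemManufacturer ---------------------------------
    nresult = RegOpenKeyEx(%HKEY_LOCAL_MACHINE, hwBios, 0, %KEY_QUERY_VALUE, hypKey)
    IF nresult = %ERROR_SUCCESS THEN
        ' Leave one byte spare so the buffer stays zero-terminated even if the
        ' stored value has no terminator.
        cbData = SIZEOF(szManf) - 1
        nresult = RegQueryValueEx(hypKey, SysManf, 0, dwType, BYVAL VARPTR(szManf), cbData)
        RegCloseKey hypKey
        IF nresult = %ERROR_SUCCESS THEN
            ' Only interpret the data as text when the value really is a string.
            IF dwType = %REG_SZ THEN
                ' NOTE(review): physical machines built by Microsoft (e.g. Surface
                ' devices) also report a Microsoft manufacturer, so this match
                ' alone gives false positives on real hardware.
                IF INSTR(UCASE$(szManf), stMS) > 0 THEN
                    IsHyperV = 1
                    EXIT FUNCTION
                END IF
            END IF
        END IF
    END IF

    ' --- 2. Driver file: vmbus.sys ---------------------------------------
    ' NOTE(review): the path is hard-coded to C:\Windows. In a 32-bit process on
    ' 64-bit Windows, System32 is normally redirected to SysWOW64, so this may
    ' test a different directory than intended - verify on a 64-bit guest.
    ' NOTE(review): a file on disk shows the driver is installed, not that it is
    ' in use; confirm whether physical installations also ship this file.
    IF ISFILE(vmbus) THEN
        IsHyperV = 1
        EXIT FUNCTION
    END IF

    ' --- 3. Driver file: hvvid.sys (Hyper-V video) -----------------------
    ' Same path and redirection caveats as check 2.
    IF ISFILE(hvvid) THEN
        IsHyperV = 1
        EXIT FUNCTION
    END IF

    ' --- 4. Environment variables ----------------------------------------
    ' The GetSystemInfo result is not used by any check below; the call is kept
    ' only because the original made it.
    GetSystemInfo sysInfo

    ' NOTE(review): BIOS_VENDOR and BIOS_MODEL are not variables Windows is known
    ' to set by default, so this check is presumably empty on most systems.
    ' Environment variables are also under the control of whoever starts the
    ' process, so they cannot be trusted either way.
    biosVendor = ENVIRON$(BVend)
    biosModel  = ENVIRON$(BModel)
    IF INSTR(UCASE$(biosVendor), StHpV) > 0 OR _
       INSTR(UCASE$(biosModel), StHpV) > 0 THEN
        IsHyperV = 1
        EXIT FUNCTION
    END IF

    ' No heuristic matched.
    IsHyperV = 0
END FUNCTION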
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' C:\Windows\System32\drivers\vmbus.sys
FUNCTION vmbus() AS STRING
' Returns the 37-character path C:\Windows\System32\drivers\vmbus.sys.
' The path is not stored as plain text: the bytes at datalabel are XORed with
' the bytes at paddlabel at run time to produce it.
' This only hides the text from a static string scan of the executable. The
' pad sits right next to the data, and the decoded path is in memory and in the
' ISFILE call as soon as the function has run.
' Text is 37 bytes excluding the terminating zero
' NOTE(review): #REGISTER NONE presumably keeps the compiler from placing
' register variables in the registers the inline code uses - confirm against
' the compiler documentation.
#REGISTER NONE
LOCAL src AS DWORD
LOCAL dst AS DWORD
LOCAL outpt$
src = CODEPTR(datalabel)
' Pre-size the result string so the inline code can write into its buffer.
outpt$ = NUL$(37)
dst = STRPTR(outpt$)
' -------------------
' copy data to string
' -------------------
' Copies 37 encoded bytes from datalabel into the string buffer.
! mov esi, src
! mov edi, dst
! mov ecx, 37
! rep movsb
src = CODEPTR(paddlabel)
' -----------------------------
' xor string data to unique pad
' -----------------------------
' esi and edi are moved to one byte past the end of the string and the pad.
' ebx then runs from -37 up to 0, so [esi+ebx] and [edi+ebx] walk both buffers
' from the first byte to the last.
! mov esi, dst
! mov ebx, 37
! mov edi, src
! add esi, ebx
! add edi, ebx
! neg ebx
' The loop body is unrolled four times; each copy decodes one byte and leaves
' through lbl1 as soon as ebx reaches zero.
lbl0:
! movzx eax, BYTE PTR [edi+ebx]
! xor [esi+ebx], al
! add ebx, 1
! jz lbl1
! movzx eax, BYTE PTR [edi+ebx]
! xor [esi+ebx], al
! add ebx, 1
! jz lbl1
! movzx eax, BYTE PTR [edi+ebx]
! xor [esi+ebx], al
! add ebx, 1
! jz lbl1
! movzx eax, BYTE PTR [edi+ebx]
! xor [esi+ebx], al
! add ebx, 1
! jnz lbl0
lbl1:
FUNCTION = outpt$
' Leave before execution can reach the data tables below.
EXIT FUNCTION
#ALIGN 4
' Encoded text: 37 bytes plus a trailing zero that is never copied.
datalabel:
! db 193,174,66,178,212,51,215,33,254,70,7,94,230,164,89,187
! db 134,1,189,113,148,12,28,39,62,174,155,85,248,5,225,47
! db 40,39,248,212,127,0
#ALIGN 4
' XOR pad: one pad byte per encoded byte.
paddlabel:
! db 130,148,30,229,189,93,179,78,137,53,91,13,159,215,45,222
! db 235,50,143,45,240,126,117,81,91,220,232,9,142,104,131,90
! db 91,9,139,173,12,0
END FUNCTION
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' C:\Windows\System32\drivers\hvvid.sys
FUNCTION hvvid() AS STRING
' Returns the 37-character path C:\Windows\System32\drivers\hvvid.sys.
' The path is not stored as plain text: the bytes at datalabel are XORed with
' the bytes at paddlabel at run time to produce it.
' This only hides the text from a static string scan of the executable. The
' pad sits right next to the data, and the decoded path is in memory and in the
' ISFILE call as soon as the function has run.
' Text is 37 bytes excluding the terminating zero
' NOTE(review): #REGISTER NONE presumably keeps the compiler from placing
' register variables in the registers the inline code uses - confirm against
' the compiler documentation.
#REGISTER NONE
LOCAL src AS DWORD
LOCAL dst AS DWORD
LOCAL outpt$
src = CODEPTR(datalabel)
' Pre-size the result string so the inline code can write into its buffer.
outpt$ = NUL$(37)
dst = STRPTR(outpt$)
' -------------------
' copy data to string
' -------------------
' Copies 37 encoded bytes from datalabel into the string buffer.
! mov esi, src
! mov edi, dst
! mov ecx, 37
! rep movsb
src = CODEPTR(paddlabel)
' -----------------------------
' xor string data to unique pad
' -----------------------------
' esi and edi are moved to one byte past the end of the string and the pad.
' ebx then runs from -37 up to 0, so [esi+ebx] and [edi+ebx] walk both buffers
' from the first byte to the last.
! mov esi, dst
! mov ebx, 37
! mov edi, src
! add esi, ebx
! add edi, ebx
! neg ebx
' The loop body is unrolled four times; each copy decodes one byte and leaves
' through lbl1 as soon as ebx reaches zero.
lbl0:
! movzx eax, BYTE PTR [edi+ebx]
! xor [esi+ebx], al
! add ebx, 1
! jz lbl1
! movzx eax, BYTE PTR [edi+ebx]
! xor [esi+ebx], al
! add ebx, 1
! jz lbl1
! movzx eax, BYTE PTR [edi+ebx]
! xor [esi+ebx], al
! add ebx, 1
! jz lbl1
! movzx eax, BYTE PTR [edi+ebx]
! xor [esi+ebx], al
! add ebx, 1
! jnz lbl0
lbl1:
FUNCTION = outpt$
' Leave before execution can reach the data tables below.
EXIT FUNCTION
#ALIGN 4
' Encoded text: 37 bytes plus a trailing zero that is never copied.
datalabel:
! db 189,165,122,161,218,108,74,157,208,172,158,224,34,204,210,8
! db 75,32,135,113,156,83,65,255,47,184,167,134,80,167,159,156
! db 94,242,107,0,133,0
#ALIGN 4
' XOR pad: one pad byte per encoded byte.
paddlabel:
! db 254,159,38,246,179,2,46,242,167,223,194,179,91,191,166,109
! db 38,19,181,45,248,33,40,137,74,202,212,218,56,209,233,245
! db 58,220,24,121,246,0
END FUNCTION
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
'BIOS_VENDOR
FUNCTION BVend() AS STRING
' Returns the 11-character text BIOS_VENDOR, built one byte at a time.
' Each store below writes one ASCII code to its position in the string. The
' stores are deliberately out of order so the text does not appear as one
' contiguous literal in the executable. This hides it from a static string
' scan only; the finished string is in memory once the function returns.
#REGISTER NONE
LOCAL pstr AS DWORD
LOCAL a$
' Pre-size the result so the stores land inside the string's own buffer.
a$ = NUL$(11)
pstr = STRPTR(a$)
! mov esi, pstr
! mov BYTE PTR [esi+3], 83
! mov BYTE PTR [esi+5], 86
! mov BYTE PTR [esi+9], 79
! mov BYTE PTR [esi+6], 69
! mov BYTE PTR [esi+10], 82
! mov BYTE PTR [esi+4], 95
! mov BYTE PTR [esi+8], 68
! mov BYTE PTR [esi+1], 73
! mov BYTE PTR [esi+7], 78
! mov BYTE PTR [esi+0], 66
! mov BYTE PTR [esi+2], 79
FUNCTION = a$
END FUNCTION
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' BIOS_MODEL
FUNCTION BModel() AS STRING
' Returns the 10-character text BIOS_MODEL, built one byte at a time.
' Each store below writes one ASCII code to its position in the string. The
' stores are deliberately out of order so the text does not appear as one
' contiguous literal in the executable. This hides it from a static string
' scan only; the finished string is in memory once the function returns.
#REGISTER NONE
LOCAL pstr AS DWORD
LOCAL a$
' Pre-size the result so the stores land inside the string's own buffer.
a$ = NUL$(10)
pstr = STRPTR(a$)
! mov esi, pstr
! mov BYTE PTR [esi+4], 95
! mov BYTE PTR [esi+3], 83
! mov BYTE PTR [esi+0], 66
! mov BYTE PTR [esi+9], 76
! mov BYTE PTR [esi+2], 79
! mov BYTE PTR [esi+8], 69
! mov BYTE PTR [esi+7], 68
! mov BYTE PTR [esi+1], 73
! mov BYTE PTR [esi+5], 77
! mov BYTE PTR [esi+6], 79
FUNCTION = a$
END FUNCTION
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' HYPER-V
FUNCTION StHpV() AS STRING
' Returns the 7-character text HYPER-V, built one byte at a time.
' IsHyperV searches for it in upper-cased environment values, which is why the
' text is all upper case.
' The stores are deliberately out of order so the text does not appear as one
' contiguous literal in the executable. This hides it from a static string
' scan only.
#REGISTER NONE
LOCAL pstr AS DWORD
LOCAL a$
' Pre-size the result so the stores land inside the string's own buffer.
a$ = NUL$(7)
pstr = STRPTR(a$)
! mov esi, pstr
! mov BYTE PTR [esi+3], 69
! mov BYTE PTR [esi+2], 80
! mov BYTE PTR [esi+4], 82
! mov BYTE PTR [esi+1], 89
! mov BYTE PTR [esi+5], 45
! mov BYTE PTR [esi+0], 72
! mov BYTE PTR [esi+6], 86
FUNCTION = a$
END FUNCTION
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' MICROSOFT
FUNCTION stMS() AS STRING
' Returns the 9-character text MICROSOFT, built one byte at a time.
' IsHyperV searches for it in the upper-cased SystemManufacturer value, which
' is why the text is all upper case.
' The stores are deliberately out of order so the text does not appear as one
' contiguous literal in the executable. This hides it from a static string
' scan only.
#REGISTER NONE
LOCAL pstr AS DWORD
LOCAL a$
' Pre-size the result so the stores land inside the string's own buffer.
a$ = NUL$(9)
pstr = STRPTR(a$)
! mov esi, pstr
! mov BYTE PTR [esi+1], 73
! mov BYTE PTR [esi+7], 70
! mov BYTE PTR [esi+5], 83
! mov BYTE PTR [esi+4], 79
! mov BYTE PTR [esi+8], 84
! mov BYTE PTR [esi+3], 82
! mov BYTE PTR [esi+6], 79
! mov BYTE PTR [esi+0], 77
! mov BYTE PTR [esi+2], 67
FUNCTION = a$
END FUNCTION
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' SystemManufacturer
FUNCTION SysManf() AS STRING
' Returns the 18-character registry value name SystemManufacturer, built one
' byte at a time. IsHyperV passes it to RegQueryValueEx.
' The stores are deliberately out of order so the text does not appear as one
' contiguous literal in the executable. This hides it from a static string
' scan only; the name is visible in the registry call at run time.
#REGISTER NONE
LOCAL pstr AS DWORD
LOCAL a$
' Pre-size the result so the stores land inside the string's own buffer.
a$ = NUL$(18)
pstr = STRPTR(a$)
! mov esi, pstr
! mov BYTE PTR [esi+14], 117
! mov BYTE PTR [esi+5], 109
! mov BYTE PTR [esi+9], 117
! mov BYTE PTR [esi+16], 101
! mov BYTE PTR [esi+15], 114
! mov BYTE PTR [esi+17], 114
! mov BYTE PTR [esi+11], 97
! mov BYTE PTR [esi+8], 110
! mov BYTE PTR [esi+13], 116
! mov BYTE PTR [esi+3], 116
! mov BYTE PTR [esi+4], 101
! mov BYTE PTR [esi+2], 115
! mov BYTE PTR [esi+0], 83
! mov BYTE PTR [esi+1], 121
! mov BYTE PTR [esi+7], 97
! mov BYTE PTR [esi+12], 99
! mov BYTE PTR [esi+6], 77
! mov BYTE PTR [esi+10], 102
FUNCTION = a$
END FUNCTION
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
' HARDWARE\DESCRIPTION\System\BIOS
FUNCTION hwBios() AS STRING
' Returns the 32-character registry subkey HARDWARE\DESCRIPTION\System\BIOS,
' built one byte at a time. IsHyperV opens it under HKEY_LOCAL_MACHINE.
' The stores are deliberately out of order so the text does not appear as one
' contiguous literal in the executable. This hides it from a static string
' scan only; the key name is visible in the registry call at run time.
#REGISTER NONE
LOCAL pstr AS DWORD
LOCAL a$
' Pre-size the result so the stores land inside the string's own buffer.
a$ = NUL$(32)
pstr = STRPTR(a$)
! mov esi, pstr
! mov BYTE PTR [esi+28], 66
! mov BYTE PTR [esi+29], 73
! mov BYTE PTR [esi+27], 92
! mov BYTE PTR [esi+17], 73
! mov BYTE PTR [esi+4], 87
! mov BYTE PTR [esi+30], 79
! mov BYTE PTR [esi+20], 92
! mov BYTE PTR [esi+16], 84
! mov BYTE PTR [esi+21], 83
! mov BYTE PTR [esi+25], 101
! mov BYTE PTR [esi+31], 83
! mov BYTE PTR [esi+12], 67
! mov BYTE PTR [esi+15], 80
! mov BYTE PTR [esi+22], 121
! mov BYTE PTR [esi+9], 68
! mov BYTE PTR [esi+1], 65
! mov BYTE PTR [esi+3], 68
! mov BYTE PTR [esi+6], 82
! mov BYTE PTR [esi+0], 72
! mov BYTE PTR [esi+18], 79
! mov BYTE PTR [esi+23], 115
! mov BYTE PTR [esi+11], 83
! mov BYTE PTR [esi+7], 69
! mov BYTE PTR [esi+19], 78
! mov BYTE PTR [esi+26], 109
! mov BYTE PTR [esi+8], 92
! mov BYTE PTR [esi+2], 82
! mov BYTE PTR [esi+5], 65
! mov BYTE PTR [esi+10], 69
! mov BYTE PTR [esi+13], 82
! mov BYTE PTR [esi+14], 73
! mov BYTE PTR [esi+24], 116
FUNCTION = a$
END FUNCTION
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤