前言
在当今信息安全领域,特别是恶意软件分析中,经常需要利用到虚拟机技术,以提高病毒分析过程的安全性以及硬件资源的节约性,因此它在恶意软件领域中的应用越来越广泛。这里我们所谓的虚拟机(Virtual Machine)是指通过软件模拟的具有完整硬件系统功能的、运行在一个完全隔离环境中的完整计算机系统。通过虚拟机软件(比如VMware、Virtual PC、VirtualBox),你可以在一台物理计算机上模拟出一台或多台虚拟的计算机,这些虚拟机完全就像真正的计算机那样进行工作,例如你可以安装操作系统、安装应用程序、访问网络资源等等。攻击者为了提高恶意程序的隐蔽性以及破坏真实主机的成功率,会在恶意程序中加入检测虚拟机的代码,以判断程序所处的运行环境。当发现程序处于虚拟机(特别是蜜罐系统)中时,它就会改变操作行为或者中断执行,以此提高反病毒人员分析恶意软件行为的难度。本文主要针对基于Intel CPU的虚拟环境VMware中的Windows XP SP3系统进行检测分析,并列举出当前常见的几种虚拟机检测方法。
方法一:通过执行特权指令来检测虚拟机
// Probes the VMware "backdoor" I/O port. A ring-3 IN on port 'VX' faults on
// bare metal (the fault is caught by the SEH handler below); under VMware the
// monitor intercepts it and, per the original author, answers the 'VMXh'
// magic in EBX. Returns true when the magic comes back, false when the IN
// raised an exception.
// Defender note: the VMX setting monitor_control.restrict_backdoor = "TRUE"
// is intended to restrict this interface in an analysis VM; a detector that
// relies only on this port is then answered like bare metal.
bool IsInsideVMWare()
{
    bool rc = true;
    __try
    {
        __asm
        {
            push edx
            push ecx
            push ebx
            mov eax, 'VMXh'      // backdoor magic number
            mov ebx, 0           // anything other than the 'VMXh' magic
            mov ecx, 10          // command number: get VMware version (0x14 would request the memory size)
            mov edx, 'VX'        // backdoor port number
            in eax, dx           // read the VMware version from port dx into eax
            // With command 0x14, eax > 0 after the IN would also indicate a VM.
            cmp ebx, 'VMXh'      // the monitor places the magic in ebx when inside VMware
            setz [rc]            // rc = (ebx == 'VMXh')
            pop ebx
            pop ecx
            pop edx
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)   // reached when the IN faulted, i.e. not under VMware
    {
        rc = false;
    }
    return rc;
}
/* Image of the 6-byte descriptor stored by SIDT on a 32-bit system: a
 * 16-bit limit followed by a 32-bit linear base, here split into two
 * 16-bit halves. */
typedef struct
{
    WORD IDTLimit;     /* size (limit) of the IDT */
    WORD LowIDTbase;   /* low 16 bits of the IDT base address */
    WORD HiIDTbase;    /* high 16 bits of the IDT base address */
} IDTINFO;
#include <stdio.h>
/* "Red Pill" check: executes SIDT from a byte buffer and compares the top
 * byte of the reported IDT base against a threshold, printing
 * "Inside Matrix!" or "Not in Matrix.".
 * NOTE(review): the code casts a pointer to unsigned and patches a 32-bit
 * displacement, so it is 32-bit only; rpill is a local (stack) array, which
 * a DEP/NX-enabled process cannot execute -- confirm the build settings.
 * The relocated-IDT artefact comes from binary translation; under
 * hardware-assisted virtualisation the guest reads its own IDTR, so the
 * threshold heuristic is not reliable there. */
int main ()
{
    /* rpill is the instruction sequence "sidt [addr]; ret" (0f 01 0d disp32, c3),
     * with addr to be pointed at m (2-byte limit followed by the 4-byte base). */
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    *((unsigned*)&rpill[3]) = (unsigned)m;    /* patch the addr operand of sidt [addr] to point at m */
    ((void(*)())&rpill)();                    /* run SIDT; the IDTR contents land in m */
    printf ("idt base: %#x\n", *((unsigned*)&m[2]));   /* bytes 0-1 are the limit, so the base starts at m[2] */
    /* top byte of the base above 0xd0 is taken as VMware; m[5] is an extra printf argument with no conversion */
    if (m[5]>0xd0) printf ("Inside Matrix!\n", m[5]);
    else printf ("Not in Matrix.\n");
    return 0;
}
#include <stdio.h>
/* Reads the LDT register with SLDT and prints "Native OS" when it is zero,
 * "Inside VMware" otherwise.
 * NOTE(review): SLDT stores the 16-bit LDT segment selector, not a base
 * address, despite the message text. */
void LDTDetect(void)
{
    unsigned short ldt_addr = 0;
    unsigned char ldtr[2];
    /* 16-bit selector into ldtr */
    _asm sldt ldtr
    ldt_addr = *((unsigned short *)&ldtr);
    printf("LDT BaseAddr: 0x%x\n", ldt_addr);
    if(ldt_addr == 0x0000)
    {
        printf("Native OS\n");
    }
    else
        printf("Inside VMware\n");
}
/* Reads the GDTR with SGDT and reports "Inside VMware" when the top byte of
 * the base is 0xff, "Native OS" otherwise.
 * NOTE(review): SGDT stores 6 bytes (16-bit limit + 32-bit base) but gdtr is
 * only 4 bytes, and the base is then read from &gdtr[2], so both the store
 * and the load run two bytes past the array. */
void GDTDetect(void)
{
    unsigned int gdt_addr = 0;
    unsigned char gdtr[4];
    /* limit in bytes 0-1, base in bytes 2-5 */
    _asm sgdt gdtr
    gdt_addr = *((unsigned int *)&gdtr[2]);
    printf("GDT BaseAddr:0x%x\n", gdt_addr);
    if((gdt_addr >> 24) == 0xff)
    {
        printf("Inside VMware\n");
    }
    else
        printf("Native OS\n");
}
/* Runs both descriptor-table checks. */
int main(void)
{
    LDTDetect();
    GDTDetect();
    return 0;
}
#include <stdio.h>
/* Reads the task register with STR, prints the bytes stored, and reports
 * "INSIDE MATRIX!!" when the selector is 0x4000 (mem[0] == 0x00,
 * mem[1] == 0x40), "Native OS!!" otherwise. 0x4000 is the VMware value the
 * author relies on; STR stores only 16 bits, so mem[2] and mem[3] print
 * their zero-initialised contents. */
int main(void)
{
    unsigned char mem[4] = {0};
    int i;
    /* store the 16-bit TR selector into mem[0..1] */
    __asm str mem;
    printf (" STR base: 0x");
    for (i=0; i<4; i++)
    {
        printf("%02x",mem[i]);
    }
    if ( (mem[0]==0x00) && (mem[1]==0x40))
        printf("\n INSIDE MATRIX!!\n");
    else
        printf("\n Native OS!!\n");
    return 0;
}
补充另外一处 具体代码如下:
// Registry fingerprint: opens HKLM\HARDWARE\DESCRIPTION\System\BIOS and
// returns TRUE when the SystemManufacturer value contains the literal
// "VMWARE" (case-sensitive strstr), FALSE otherwise or when the key cannot
// be opened.
// NOTE(review): szBuffer is never zero-initialised and the result of
// RegQueryValueEx is ignored, so when the value is missing, or is not
// NUL-terminated within the 63 bytes requested, strstr scans uninitialised
// stack memory.
// Defender note: this is a plain registry string that the VM operator can
// rewrite, so it is a weak signal on its own.
BOOL DetectVM()
{
    HKEY hKey;
    char szBuffer[64];
    unsigned long hSize= sizeof(szBuffer) - 1;   // one byte is held back, but nothing ever writes a NUL there
    if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System\\BIOS\\", 0, KEY_READ, &hKey )==ERROR_SUCCESS )
    {
        RegQueryValueEx( hKey, "SystemManufacturer", NULL, NULL, (unsigned char *)szBuffer, &hSize );
        if( strstr( szBuffer, "VMWARE" ))
        {
            RegCloseKey( hKey );
            return TRUE;
        }
        RegCloseKey( hKey );
    }
    return FALSE;
}
除以上这些表项之外,还有很多地方可以检测,特别是 虚拟机提供的 虚拟化软硬件、服务之类,比如文件共享服务,VMware 物理磁盘助手服务,VMware Ethernet Adapter Driver,VMware SCSI Controller等等的这些信息都可作为检测 虚拟机的手段。这里我们就以其中某表项为例编程举例一下,其它表项检测方法同理,具体代码如下:
; Registry-key probe: tries to open HKLM\software\VMWare, Inc.\VMware tools
; and shows "Inside VMware!" when the open succeeds, "Native OS!" otherwise.
; NOTE(review): the open requests KEY_WRITE although nothing is written, so an
; open refused only for lack of write permission is reported as "Native OS!";
; and RegCloseKey is invoked even when the open failed, passing whatever hKey
; holds (it is declared with "?" and never initialised).
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
include advapi32.inc
includelib user32.lib
includelib kernel32.lib
includelib advapi32.lib
.data
szCaption db "VMware Detector ",0
szInside  db "Inside VMware!",0
szOutside db "Native OS!",0
szSubKey  db "software\VMWare, Inc.\VMware tools",0   ; presumably created by the VMware Tools installer
hKey      dd ?                                      ; receives the opened key handle
.code
start:
    invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE, addr szSubKey, 0,\
           KEY_WRITE or KEY_READ, addr hKey
    .if eax == ERROR_SUCCESS
        invoke MessageBox, NULL,addr szInside, addr szCaption, MB_OK
    .else
        invoke MessageBox, NULL,addr szOutside, addr szCaption, MB_OK
    .endif
    invoke RegCloseKey,hKey
    invoke ExitProcess,NULL
end start
; Timing probe: two back-to-back RDTSCs; if the low 32 bits of the difference
; exceed 0FFh the program shows "Inside VMware!", otherwise "Native OS!".
; NOTE(review): only EAX (the low 32 bits) is compared, with a signed jg, so a
; wrap of the low half reads as "not detected"; and a single unaveraged sample
; is at the mercy of interrupts, frequency scaling and cache state, so either
; verdict can be produced on either platform. Whether RDTSC is trapped at all
; depends on the hypervisor's TSC handling -- one sample is not evidence.
.586p
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
.data
szTitle     db "VMDetect With RDTSC", 0h
szInsideVM  db "Inside VMware!", 0h
szOutsideVM db "Native OS!", 0h
.code
start:
    RDTSC                   ; first sample, low half in eax
    xchg ecx, eax           ; keep it in ecx
    RDTSC                   ; second sample
    sub eax, ecx            ; delta of the low 32 bits
    cmp eax, 0FFh
    jg Detected             ; delta > 255 -> "Inside VMware!"
    invoke MessageBox, 0, offset szOutsideVM, offset szTitle, 0
    ret
Detected:
    invoke MessageBox, 0, offset szInsideVM, offset szTitle, 0
    ret
end start
但这些都可以通过修改配置文件来绕过检测。另外,还可以通过检测特定的硬件控制器、BIOS、USB控制器、显卡、网卡等的特征字符串进行检测,这些在前面使用注册表检测的方法中已有所涉及。
另外之前在看雪论坛上也有朋友提到通过检测硬盘Model Number是否含有“vmware”或“virtual”等字样来实现检测虚拟机的功能,具体转载如下:
小试 anti vmware 今天偶然看到一款绿色版的硬盘专业工具,突然发现可以利用其中的一项功能来实现anti vmware。 今日事今日毕,那就在今晚12:00之前把这个想法实现吧,let's go! 我的想法就是检测硬盘的modelnumber,具体什么是modelnumber自己网上搜吧,反正不是硬盘序列号。难点就是在多种操作系统下都要能起到anti vmware的效果。程序在xp、2k、2003下都可以检测到vmware的运行。 直接贴代码了,如果看不懂也没关系,我也是逆了人家的代码写出来的。Delphi也可以当汇编语言开发工具用,难道不是吗?
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, Buttons;

type
  TForm1 = class(TForm)
    BitBtn1: TBitBtn;
    procedure BitBtn1Click(Sender: TObject);
    procedure FormClose(Sender: TObject; var Action: TCloseAction);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;
  hDeviceHandle:Thandle;   { handle to \\.\PHYSICALDRIVE0, closed in FormClose }

implementation

{$R *.dfm}

{ Opens the first physical drive, issues a device request whose header is
  built by hand in InBuffer, then searches the returned identification text
  for "vmware" / "virtual" and shows one of two messages.
  NOTE(review): the layout written below (Length = $2C; CdbLength = $0C and
  SenseInfoLength = $20 at +6/+7; DataIn = 1 at +8; DataTransferLength = $40
  at +$C; TimeOutValue at +$10; DataBuffer = @InBuffer[$50] at +$14;
  SenseInfoOffset = $30 at +$18; Cdb[0] = $12 at +$1C; Cdb[4] = $40 at +$20)
  matches a 32-bit SCSI_PASS_THROUGH_DIRECT carrying a SCSI INQUIRY, and
  $4D014 is IOCTL_SCSI_PASS_THROUGH_DIRECT; the text taken from
  InBuffer+$58 would then be the INQUIRY vendor/product identification rather
  than an ATA model number -- confirm against the original tool.
  NOTE(review): hDeviceHandle is not checked against INVALID_HANDLE_VALUE,
  opening the drive with $C0000000 (read and write) needs administrative
  rights, and when the open or the ioctl fails nothing is reported. }
procedure TForm1.BitBtn1Click(Sender: TObject);
var
  InBuffer: array[0..$8f] of byte;
  cb:Cardinal;
  tmp:Pchar;
begin
  hDeviceHandle:=CreateFile('\\.\PHYSICALDRIVE0',$C0000000,$3,nil,OPEN_EXISTING,$8000000,0);
  ZeroMemory(@InBuffer,sizeof(InBuffer));
  asm
    pushad
    lea ebx,InBuffer
    xor ecx,ecx
    mov al,$2c
    MOV [ebx],al            // header length ($2C = 44 bytes)
    MOV EAX,$200c0000
    MOV [ebx+4], eax        // little-endian: +6 = $0C, +7 = $20
    mov al,$01
    MOV [ebx+8],al          // DataIn = 1 (device -> host)
    mov al,$40
    MOV [ebx+$c],al         // DataTransferLength = $40
    MOV EAX,$0001a5E0
    MOV [ebx+$10], eax      // TimeOutValue
    mov al,$30
    MOV [ebx+$18],al        // SenseInfoOffset = $30
    mov al,$12
    MOV [ebx+$1c],al        // Cdb[0] = $12 (INQUIRY opcode)
    mov al,$40
    MOV [ebx+$20],al        // Cdb[4] = $40 (allocation length)
    add ecx,ebx
    add ecx,$50
    MOV [ebx+$14], ecx      // DataBuffer = @InBuffer[$50]; the reply lands in the tail of InBuffer
    popad
  end;
  if DeviceIoControl(hDeviceHandle,$4D014,@InBuffer,$50,@InBuffer,$50,cb,nil) then
  begin
    asm
      pushad
      lea ebx,InBuffer
      add ebx,$58           // $50 + 8: skip the first 8 bytes of the returned data
      mov tmp,ebx
      popad
    end; //asm
    if ((pos('vmware',LowerCase(tmp))>0) or (pos('virtual',LowerCase(tmp))>0)) then
      showmessage('检测到 VMware Workstation!!!')
    else
      showmessage('请在VMware中测试!');
  end;
end;

{ Releases the drive handle when the form closes. }
procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  closehandle(hDeviceHandle);
end;

end.
代码很短,但是效果不错。截图几张,留作纪念!
C++代码实现如下:
通过IOCTL_STORAGE_QUERY_PROPERTY
// Local redeclarations of the storage-property types; the SDK's
// STORAGE_DEVICE_DESCRIPTOR has further fields after ProductIdOffset, but
// the prefix used here is in the SDK order, and only ProductIdOffset is read.
typedef enum _STORAGE_QUERY_TYPE {PropertyStandardQuery = 0,PropertyExistsQuery,PropertyMaskQuery,PropertyQueryMaxDefined} STORAGE_QUERY_TYPE, *PSTORAGE_QUERY_TYPE;
typedef enum _STORAGE_PROPERTY_ID {StorageDeviceProperty = 0,StorageAdapterProperty} STORAGE_PROPERTY_ID, *PSTORAGE_PROPERTY_ID;
typedef struct _STORAGE_PROPERTY_QUERY
{
    STORAGE_PROPERTY_ID PropertyId;
    STORAGE_QUERY_TYPE QueryType;
    UCHAR AdditionalParameters[1];
} STORAGE_PROPERTY_QUERY, *PSTORAGE_PROPERTY_QUERY;
typedef struct _STORAGE_DEVICE_DESCRIPTOR
{
    ULONG Version;
    ULONG Size;
    UCHAR DeviceType;
    UCHAR DeviceTypeModifier;
    BOOLEAN RemovableMedia;
    BOOLEAN CommandQueueing;
    ULONG VendorIdOffset;
    ULONG ProductIdOffset;   // byte offset of the product id string from the start of the descriptor
} STORAGE_DEVICE_DESCRIPTOR, *PSTORAGE_DEVICE_DESCRIPTOR;
#define IOCTL_STORAGE_QUERY_PROPERTY CTL_CODE(IOCTL_STORAGE_BASE, 0x0500, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Queries the device descriptor of \\.\PhysicalDrive0 via
// IOCTL_STORAGE_QUERY_PROPERTY, lower-cases the product id string and returns
// TRUE when it contains "qemu", "virtual" or "vmware"; FALSE when the drive
// cannot be opened, the ioctl fails, or none of the strings match.
// NOTE(review): the early "return TRUE" inside the loop skips CloseHandle, so
// a positive result leaks the drive handle.
// NOTE(review): the copy loop is unbounded -- it reads szBuffer until a NUL
// and writes szModel without a length check, so a product id that is not
// NUL-terminated within the 128-byte reply, or longer than 127 bytes,
// overruns one of the two arrays; when ProductIdOffset is 0 (no product id)
// it copies header bytes instead.
// The drive is opened with access mask 0, which appears to be enough for this
// query ioctl, so no elevated rights are required -- confirm.
bool IsSandboxed()
{
    HANDLE hPhysicalDriveIOCTL = 0;
    int j = 0,k = 0;   // unused
    char szModel[128],szBuffer[128];
    char *szDrives[] = { "qemu", "virtual", "vmware", NULL };
    hPhysicalDriveIOCTL = CreateFile ("\\\\.\\PhysicalDrive0", 0,FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,OPEN_EXISTING, 0, NULL);
    if (hPhysicalDriveIOCTL != INVALID_HANDLE_VALUE)
    {
        STORAGE_PROPERTY_QUERY query;
        DWORD cbBytesReturned = 0;
        memset ((void *) & query, 0, sizeof (query));
        query.PropertyId = StorageDeviceProperty;   // QueryType stays PropertyStandardQuery (0) from the memset
        memset (szBuffer, 0, sizeof (szBuffer));
        memset (szModel, 0, sizeof (szModel));
        if (DeviceIoControl(hPhysicalDriveIOCTL, IOCTL_STORAGE_QUERY_PROPERTY,& query,sizeof (query),& szBuffer,sizeof (szBuffer),& cbBytesReturned, NULL))
        {
            STORAGE_DEVICE_DESCRIPTOR *descrip = (STORAGE_DEVICE_DESCRIPTOR*)&szBuffer;
            int pos = descrip->ProductIdOffset;
            int m = 0;
            // copy the NUL-terminated product id out of the reply buffer
            for(int g = pos;szBuffer[g] != '\0';g++)
            {
                szModel[m++] = szBuffer[g];
            }
            CharLowerBuff(szModel,strlen(szModel));
            // compare against every entry except the terminating NULL
            for (int i = 0; i < (sizeof(szDrives)/sizeof(LPSTR)) - 1; i++ )
            {
                if (szDrives[i][0] != 0)   // always true for the literals above
                {
                    if(strstr(szModel,szDrives[i]))
                        return TRUE;
                }
            }
        }
        CloseHandle (hPhysicalDriveIOCTL);
    }
    return FALSE;
}
因为现代计算系统大多是由文件系统,内存,处理器及各种硬件组件构成的,上面提到的四种检测手段均包含了这些因素。纵观前面各种检测方法,也均在此四类当中。除此之外,也有人提出通过网络来检测虚拟机,比如搜索ICMP和TCP数据通讯的时间差异,IP ID数据包差异以及数据包中的异常头信息等等。随着技术研究的深入,相信会有更多的检测手段出现,与此同时,虚拟机厂商也会不断进化它们的产品,以增加anti-vmware的难度,这不也正是一场永无休止的无烟战争!
================================================================================
对于上边方法一、二、三、四、六的解决方案是:
1.在本机BIOS的CPU设置中开启VT(虚拟化)选项。注意:要先做这一步,然后才能安装VM;顺序错了只能把VM完全卸载后重新安装。
2.新建虚拟机 在CPU设置如下图设置:
主要目的是为了 关闭二进制优化 开启虚拟机的VT虚拟化。
3.关闭一些虚拟机的设置。用记事本打开 VMX 文件(这个文件是VM的配置文件,路径类似"C:\VM Machines\Windows 7 (32位)\Windows 7 (32位).vmx"),在文本末尾加入:
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.restrict_backdoor = "TRUE"
这样一来,就实现了开启VT虚拟化、关闭二进制优化、关闭各种后门。然后安装VM中的系统(如WIN7),安装好后在VM WIN7中运行,方法一、二、三、四、六的检测全部通过了。
方法七的解决方案就是修改硬件信息,这里的VM特征硬件信息有很多,这里只说网卡的,直接下载一个mac地址修改器,修改mac这样一来mac地址就不是VM特有的了,从而达到过方法七的效果。
方法五,很多商业软件都是用这个方法来验证,原因很简单:不管是在驱动层还是在应用层都可以很方便地读取注册表,只要保护开发人员自己安装一个VM就能提取里边的特征注册码。这个解决方案就是:搜索注册表中的“VMware”、"virtual"等字段,把能修改的都修改了,然后导出注册表,以便重启系统后导入,因为重启VM后有些注册表信息会还原。
实例如下:
环境:VM虚拟机 WIN7 32位,光盘镜像名称 XBL_GHOST_WIN7_SP1_07ZJB.iso
原理:修改注册表中的 “VMware” 修改为了 “test123”
注册表:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation] "BIOSVersion"="6.00" "BIOSReleaseDate"="07/02/2012" "SystemManufacturer"="test123, Inc." "SystemProductName"="test123 test123 Platform" "InformationSource"=dword:00000001 [HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS] "BiosMajorRelease"=dword:00000004 "BiosMinorRelease"=dword:00000006 "ECFirmwareMajorRelease"=dword:00000000 "ECFirmwareMinorRelease"=dword:00000000 "BaseBoardManufacturer"="Intel Corporation" "BaseBoardProduct"="440BX Desktop Reference Platform" "BaseBoardVersion"="None" "BIOSReleaseDate"="07/02/2012" "BIOSVendor"="Phoenix Technologies LTD" "BIOSVersion"="6.00" "SystemFamily"="" "SystemManufacturer"="test123, Inc." "SystemProductName"="test123 test123 Platform" "SystemSKU"="" "SystemVersion"="None" [HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0] "InquiryData"=hex:00,00,02,02,1f,00,00,73,56,4d,77,61,72,65,2c,20,56,4d,77,61,\ 72,65,20,56,69,72,74,75,61,6c,20,53,31,2e,30,20 "Identifier"="test123, test123 Virtual S1.0 " "DeviceType"="DiskPeripheral" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000] "CoInstallers32"=hex(7):76,00,6d,00,78,00,5f,00,6d,00,6f,00,64,00,65,00,2e,00,\ 64,00,6c,00,6c,00,2c,00,20,00,56,00,4d,00,58,00,5f,00,4d,00,6f,00,64,00,65,\ 00,43,00,68,00,61,00,6e,00,67,00,65,00,00,00,00,00 "InfPath"="oem2.inf" "InfSection"="vmx_svga_vista" "ProviderName"="test123, Inc." 
"DriverDateData"=hex:00,80,de,95,e5,e0,ca,01 "DriverDate"="4-21-2010" "DriverVersion"="11.6.0.35" "MatchingDeviceId"="pci\\ven_15ad&dev_0405&subsys_040515ad&rev_00" "DriverDesc"="test123 SVGA II" "FeatureScore"=dword:000000fc [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation] "BIOSVersion"="6.00" "BIOSReleaseDate"="07/02/2012" "SystemManufacturer"="test123, Inc." "SystemProductName"="test123 test123 Platform" "InformationSource"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II" "Resolution.0"=hex:33,32,30,78,32,34,30,00 "Resolution.1"=hex:34,30,30,78,33,30,30,00 "Resolution.2"=hex:35,31,32,78,33,38,34,00 "Resolution.3"=hex:36,34,30,78,34,38,30,00 "Resolution.4"=hex:38,30,30,78,36,30,30,00 "Resolution.5"=hex:31,30,32,34,78,37,36,38,00 "Resolution.6"=hex:31,31,35,32,78,38,36,34,00 "Resolution.7"=hex:31,32,38,30,78,39,36,30,00 "Resolution.8"=hex:31,34,30,30,78,31,30,35,30,00 "Resolution.9"=hex:31,36,30,30,78,31,32,30,30,00 "Resolution.10"=hex:31,39,32,30,78,31,34,34,30,00 "Resolution.11"=hex:32,30,34,38,78,31,35,33,36,00 "Resolution.12"=hex:32,35,36,30,78,31,39,32,30,00 "Resolution.13"=hex:38,35,34,78,34,38,30,00 "Resolution.14"=hex:31,32,38,30,78,37,32,30,00 "Resolution.15"=hex:31,33,36,36,78,37,36,38,00 
"Resolution.16"=hex:31,39,32,30,78,31,30,38,30,00 "Resolution.17"=hex:31,32,38,30,78,38,30,30,00 "Resolution.18"=hex:31,34,34,30,78,39,30,30,00 "Resolution.19"=hex:31,36,38,30,78,31,30,35,30,00 "Resolution.20"=hex:31,39,32,30,78,31,32,30,30,00 "Resolution.21"=hex:32,35,36,30,78,31,36,30,30,00 "Resolution.22"=hex:37,32,30,78,34,38,30,00 "Resolution.23"=hex:37,32,30,78,35,37,36,00 "Resolution.24"=hex:33,32,30,78,32,30,30,00 "Resolution.25"=hex:36,34,30,78,34,30,30,00 "Resolution.26"=hex:38,30,30,78,34,38,30,00 "Resolution.27"=hex:31,32,38,30,78,37,36,38,00 "Resolution.28"=hex:31,32,38,30,78,31,30,32,34,00 "HardwareInformation.ChipType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\ 53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 "HardwareInformation.DacType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,53,\ 00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 "HardwareInformation.MemorySize"=hex:00,00,00,08 "HardwareInformation.AdapterString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,\ 00,53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 "HardwareInformation.BiosString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\ 53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000\VolatileSettings] "{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\ 00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\ 45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\ 00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\ 45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\ 00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\ 35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\ 00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\ 31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001\VolatileSettings] "{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\ 00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\ 45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\ 00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\ 45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\ 00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\ 35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\ 00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\ 31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\vmx_svga\Device0] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000] "CoInstallers32"=hex(7):76,00,6d,00,78,00,5f,00,6d,00,6f,00,64,00,65,00,2e,00,\ 64,00,6c,00,6c,00,2c,00,20,00,56,00,4d,00,58,00,5f,00,4d,00,6f,00,64,00,65,\ 00,43,00,68,00,61,00,6e,00,67,00,65,00,00,00,00,00 "InfPath"="oem2.inf" "InfSection"="vmx_svga_vista" "ProviderName"="test123, Inc." 
"DriverDateData"=hex:00,80,de,95,e5,e0,ca,01 "DriverDate"="4-21-2010" "DriverVersion"="11.6.0.35" "MatchingDeviceId"="pci\\ven_15ad&dev_0405&subsys_040515ad&rev_00" "DriverDesc"="test123 SVGA II" "FeatureScore"=dword:000000fc [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II" "Resolution.0"=hex:33,32,30,78,32,34,30,00 "Resolution.1"=hex:34,30,30,78,33,30,30,00 "Resolution.2"=hex:35,31,32,78,33,38,34,00 "Resolution.3"=hex:36,34,30,78,34,38,30,00 "Resolution.4"=hex:38,30,30,78,36,30,30,00 "Resolution.5"=hex:31,30,32,34,78,37,36,38,00 "Resolution.6"=hex:31,31,35,32,78,38,36,34,00 "Resolution.7"=hex:31,32,38,30,78,39,36,30,00 "Resolution.8"=hex:31,34,30,30,78,31,30,35,30,00 "Resolution.9"=hex:31,36,30,30,78,31,32,30,30,00 "Resolution.10"=hex:31,39,32,30,78,31,34,34,30,00 "Resolution.11"=hex:32,30,34,38,78,31,35,33,36,00 "Resolution.12"=hex:32,35,36,30,78,31,39,32,30,00 "Resolution.13"=hex:38,35,34,78,34,38,30,00 "Resolution.14"=hex:31,32,38,30,78,37,32,30,00 "Resolution.15"=hex:31,33,36,36,78,37,36,38,00 "Resolution.16"=hex:31,39,32,30,78,31,30,38,30,00 "Resolution.17"=hex:31,32,38,30,78,38,30,30,00 "Resolution.18"=hex:31,34,34,30,78,39,30,30,00 "Resolution.19"=hex:31,36,38,30,78,31,30,35,30,00 "Resolution.20"=hex:31,39,32,30,78,31,32,30,30,00 
"Resolution.21"=hex:32,35,36,30,78,31,36,30,30,00 "Resolution.22"=hex:37,32,30,78,34,38,30,00 "Resolution.23"=hex:37,32,30,78,35,37,36,00 "Resolution.24"=hex:33,32,30,78,32,30,30,00 "Resolution.25"=hex:36,34,30,78,34,30,30,00 "Resolution.26"=hex:38,30,30,78,34,38,30,00 "Resolution.27"=hex:31,32,38,30,78,37,36,38,00 "Resolution.28"=hex:31,32,38,30,78,31,30,32,34,00 "HardwareInformation.ChipType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\ 53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 "HardwareInformation.DacType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,53,\ 00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 "HardwareInformation.MemorySize"=hex:00,00,00,08 "HardwareInformation.AdapterString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,\ 00,53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 "HardwareInformation.BiosString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\ 53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\vmx_svga\Device0] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000] "CoInstallers32"=hex(7):76,00,6d,00,78,00,5f,00,6d,00,6f,00,64,00,65,00,2e,00,\ 64,00,6c,00,6c,00,2c,00,20,00,56,00,4d,00,58,00,5f,00,4d,00,6f,00,64,00,65,\ 00,43,00,68,00,61,00,6e,00,67,00,65,00,00,00,00,00 
"InfPath"="oem2.inf" "InfSection"="vmx_svga_vista" "ProviderName"="test123, Inc." "DriverDateData"=hex:00,80,de,95,e5,e0,ca,01 "DriverDate"="4-21-2010" "DriverVersion"="11.6.0.35" "MatchingDeviceId"="pci\\ven_15ad&dev_0405&subsys_040515ad&rev_00" "DriverDesc"="test123 SVGA II" "FeatureScore"=dword:000000fc [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation] "BIOSVersion"="6.00" "BIOSReleaseDate"="07/02/2012" "SystemManufacturer"="test123, Inc." "SystemProductName"="test123 test123 Platform" "InformationSource"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II" "Resolution.0"=hex:33,32,30,78,32,34,30,00 "Resolution.1"=hex:34,30,30,78,33,30,30,00 "Resolution.2"=hex:35,31,32,78,33,38,34,00 "Resolution.3"=hex:36,34,30,78,34,38,30,00 "Resolution.4"=hex:38,30,30,78,36,30,30,00 "Resolution.5"=hex:31,30,32,34,78,37,36,38,00 "Resolution.6"=hex:31,31,35,32,78,38,36,34,00 "Resolution.7"=hex:31,32,38,30,78,39,36,30,00 "Resolution.8"=hex:31,34,30,30,78,31,30,35,30,00 "Resolution.9"=hex:31,36,30,30,78,31,32,30,30,00 "Resolution.10"=hex:31,39,32,30,78,31,34,34,30,00 "Resolution.11"=hex:32,30,34,38,78,31,35,33,36,00 "Resolution.12"=hex:32,35,36,30,78,31,39,32,30,00 "Resolution.13"=hex:38,35,34,78,34,38,30,00 
"Resolution.14"=hex:31,32,38,30,78,37,32,30,00 "Resolution.15"=hex:31,33,36,36,78,37,36,38,00 "Resolution.16"=hex:31,39,32,30,78,31,30,38,30,00 "Resolution.17"=hex:31,32,38,30,78,38,30,30,00 "Resolution.18"=hex:31,34,34,30,78,39,30,30,00 "Resolution.19"=hex:31,36,38,30,78,31,30,35,30,00 "Resolution.20"=hex:31,39,32,30,78,31,32,30,30,00 "Resolution.21"=hex:32,35,36,30,78,31,36,30,30,00 "Resolution.22"=hex:37,32,30,78,34,38,30,00 "Resolution.23"=hex:37,32,30,78,35,37,36,00 "Resolution.24"=hex:33,32,30,78,32,30,30,00 "Resolution.25"=hex:36,34,30,78,34,30,30,00 "Resolution.26"=hex:38,30,30,78,34,38,30,00 "Resolution.27"=hex:31,32,38,30,78,37,36,38,00 "Resolution.28"=hex:31,32,38,30,78,31,30,32,34,00 "HardwareInformation.ChipType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\ 53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 "HardwareInformation.DacType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,53,\ 00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 "HardwareInformation.MemorySize"=hex:00,00,00,08 "HardwareInformation.AdapterString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,\ 00,53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 "HardwareInformation.BiosString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\ 53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000\VolatileSettings] "{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\ 00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\ 45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\ 00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\ 45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\ 00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\ 35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\ 
00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\ 31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001\VolatileSettings] "{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\ 00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\ 45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\ 00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\ 45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\ 00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\ 35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\ 00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\ 31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmx_svga\Device0] "InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\ 00 "VgaCompatible"=dword:00000000 "DefaultSettings.XResolution"=dword:00000280 "DefaultSettings.YResolution"=dword:000001e0 "DefaultSettings.BitsPerPel"=dword:00000020 "Device Description"="test123 SVGA II"这样一来就解决了方法五,anti VM有可能是多种方法结合,所以需要具体测试。