VPCEXT

The VPCEXT instruction (visual property container extender) is another anti-virtual-machine trick used by malware to detect virtual systems. The instruction is undocumented. If executing it does not raise an illegal-instruction exception, the program is running on a virtual machine.

Code Snippets

/*
-----------------------------------------------------------------------------
  * Created by * lallous <lallousx86@yahoo.com> *
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE
LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF
  * SUCH DAMAGE.
  *
-----------------------------------------------------------------------------
*/

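// IsInsideVPC's exception filter
//
// Called from the __except in IsInsideVPC() when the emitted opcode sequence
// faults, i.e. when the backdoor instruction is not present. Only an
// illegal-instruction fault is treated as "not VPC": any other exception that
// occurs inside the __try block is passed on (EXCEPTION_CONTINUE_SEARCH)
// rather than skipped, so an unrelated fault is not silently turned into a
// "not running VPC" result while execution resumes in the middle of some
// other instruction. On the expected fault the filter sets EBX to -1 (the
// marker that IsInsideVPC() tests after the call) and advances EIP past the
// four emitted bytes.
//
// ep: exception information from GetExceptionInformation(); must not be NULL.
// Returns EXCEPTION_CONTINUE_EXECUTION after patching the context, or
// EXCEPTION_CONTINUE_SEARCH for exceptions this filter does not own.
// Uses the 32-bit context fields (Ebx, Eip), so this is x86-only.
DWORD __forceinline IsInsideVPC_exceptionFilter(LPEXCEPTION_POINTERS ep)
{
   // Skipping 4 bytes is only correct for the 0F 3F 07 0B sequence emitted in
   // IsInsideVPC(); for any other fault it would resume at a bogus address.
   if (ep->ExceptionRecord->ExceptionCode != EXCEPTION_ILLEGAL_INSTRUCTION)
   {
      return EXCEPTION_CONTINUE_SEARCH;
   }

   PCONTEXT ctx = ep->ContextRecord;

   ctx->Ebx = -1; // Not running VPC
   ctx->Eip += 4; // skip past the "call VPC" opcodes
   // we can safely resume execution since we skipped the faulting instruction
   return EXCEPTION_CONTINUE_EXECUTION;
}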

// high level language friendly version of IsInsideVPC()
//
// Executes the four-byte VPCEXT opcode sequence (0F 3F 07 0B) with EAX = 1
// and EBX = 0. If the sequence runs without faulting and leaves EBX cleared,
// the result is true; if it faults, IsInsideVPC_exceptionFilter() sets EBX
// to -1 and resumes after the sequence, so the result is false. EBX is saved
// and restored around the probe.
//
// Returns true when the probe indicates VPC, false otherwise.
bool IsInsideVPC()
{
   bool inside = false;

   __try
   {
      __asm
      {
         push ebx
         mov  ebx, 0          // Flag
         mov  eax, 1          // VPC function number

         // call VPC: the opcode bytes are emitted one at a time
         __emit 0Fh
         __emit 3Fh
         __emit 07h
         __emit 0Bh

         test ebx, ebx
         setz [inside]        // inside = (ebx == 0)
         pop  ebx
      }
   }
   // The except block shouldn't get triggered if VPC is running!!
   __except(IsInsideVPC_exceptionFilter(GetExceptionInformation()))
   {
   }

   return inside;
}

Additional Resources
