Virtual Machine Detection Techniques: Attack and Defense

Posted by whatday on 2013-08-27

Introduction

In today's information security field, and in malware analysis in particular, virtual machine technology is used constantly, both to make the analysis process safer and to save hardware resources, so its use in the malware field keeps growing. The virtual machine (VM) meant here is a complete computer system, emulated in software with full hardware functionality, that runs in a fully isolated environment. With VM software such as VMware, Virtual PC or VirtualBox you can emulate one or more virtual computers on a single physical machine, and these VMs behave just like real computers: you can install an operating system and applications, access network resources, and so on. To make their malware stealthier and more likely to damage real hosts, attackers add VM-detection code to it that determines the environment the program is running in. When the program finds itself inside a VM (especially a honeypot), it changes its behaviour or stops running, which makes it harder for anti-virus analysts to study what the malware does. This article examines detection of a Windows XP SP3 guest running in VMware on an Intel CPU and lists the most common VM-detection methods in use today.

Method 1: detecting the VM by executing a privileged instruction

VMware provides a communication channel between the host and the guest: it uses the IN instruction to read data from a specific port for host/guest communication. Since IN is a privileged instruction, executing it on a real machine in protected mode raises an exception of type EXCEPTION_PRIV_INSTRUCTION unless the privilege level allows it, whereas inside the VM no exception occurs. With function number 0x0A (get VMware version) the call returns the magic value 'VMXh' in EBX; with function number 0x14 it returns the VMware memory size, and a value greater than 0 indicates a VM. VMDetect uses the first variant to detect VMware; its detection code, with comments, is as follows:
Code:
bool IsInsideVMWare()
{
  bool rc = true;

  __try
  {
    __asm
    {
      push   edx
      push   ecx
      push   ebx

      mov    eax, 'VMXh'  // magic value expected by the VMware backdoor
      mov    ebx, 0       // set EBX to anything other than the magic 'VMXh'
      mov    ecx, 10      // function number 0x0A: get VMware version (0x14 would return the VMware memory size)
      mov    edx, 'VX'    // backdoor I/O port number
      in     eax, dx      // read the VMware version from port DX into EAX
      // with function 0x14 one would instead test whether EAX > 0, which indicates a VM
      cmp    ebx, 'VMXh'  // if EBX now holds the magic 'VMXh', we are inside VMware
      setz   [rc]         // store the result

      pop    ebx
      pop    ecx
      pop    edx
    }
  }
  __except(EXCEPTION_EXECUTE_HANDLER)  // outside VMware the IN instruction raises a privileged-instruction exception
  {
    rc = false;
  }

  return rc;
}
Test result:
[Figure 1: 1.jpg]
As Figure 1 shows, VMDetect successfully detects the presence of VMware.

Method 2: detecting the VM via the IDT base address

Detecting a VM from the IDT base address is a generic method that works for both VMware and Virtual PC. The Interrupt Descriptor Table (IDT) is used to find the software routine that handles an interrupt; it is an array of 256 entries, one handler per interrupt. To read the IDT base we use the SIDT instruction, which reads IDTR (the interrupt descriptor table register, holding the base address of the IDT in memory). SIDT stores the contents of IDTR in the following format:
Code:
typedef struct
{
    WORD IDTLimit;    // size of the IDT
    WORD LowIDTbase;  // low word of the IDT base address
    WORD HiIDTbase;   // high word of the IDT base address
} IDTINFO;
There is only one IDTR but two operating systems, the guest and the host. To avoid a conflict, the VMM (virtual machine monitor) must relocate the guest's IDT, and the difference between the result of SIDT on the host and in the guest can be used to detect the VM. The well-known "red pill" (redpill) detects VMware exactly this way. Its author found that under VMware the guest's IDT is usually at 0xFFXXXXXX, under Virtual PC at 0xE8XXXXXX, and on a real host, as Figure 2 shows, at 0x80XXXXXX. Redpill simply checks whether the most significant byte of the base address returned by SIDT is greater than 0xD0; if so it reports a VM, otherwise a real host. The redpill source is very compact; here it is with comments:
Code:
#include <stdio.h>
int main () {
  // rpill is the machine code for "sidt [addr]; ret"; the 4 bytes after 0f 01 0d hold addr.
  // m receives the 6-byte IDTR image: a 2-byte limit followed by the 4-byte base.
  unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
  *((unsigned*)&rpill[3]) = (unsigned)m;  // patch addr in "sidt [addr]" with the address of m
  ((void(*)())&rpill)();  // run the stub; the IDT image lands in m (the stack must be executable, i.e. DEP off, on modern Windows)

  printf ("idt base: %#x\n", *((unsigned*)&m[2]));   // the first 2 bytes are the limit, so the base starts at m[2]
  if (m[5]>0xd0) printf ("Inside Matrix!\n"); // most significant byte of the base above 0xD0 means VMware (or Virtual PC)
  else printf ("Not in Matrix.\n");
  return 0;
}
The test result is shown in Figure 2:
[Figure 2: 2.jpg]
This IDT-based check has a weakness: the IDT value applies only to the processor currently executing. On a single-CPU machine it is a constant, but on a multi-CPU machine each CPU has its own IDT, so the value can change and the problem appears by itself. Members of the Offensive Computing group proposed two answers. One is to run redpill repeatedly in a loop and build a statistical picture of how the IDT value varies on the current system, at the cost of extra CPU load. The other is to use the Windows API function SetThreadAffinityMask() to restrict the thread to a single processor; this reliably pins the thread to a local processor when the test runs, but may not work for pinning to a VM's processor, because the VM is scheduled across all processors and the IDT value changes as VM threads run on different ones, so this approach is rarely used. For that reason an LDT-based check was proposed, which is clearly better than the IDT check on systems with several CPUs; it is described in the next section.

Method 3: detection using the LDT and GDT

Chapter 2 of the Intel® 64 and IA-32 Architectures Software Developer's Manual, Volume 3A: System Programming Guide, page Vol. 3 2-5 (my copy of the manual is the 2008 edition), describes the LDT and GDT as follows (the translation is my own):
In protected mode, all memory accesses pass through either the global descriptor table (GDT) or the local descriptor table (LDT). These tables contain entries called segment descriptors. Each segment descriptor holds the base address, access rights, type and usage information of a segment, and each has an associated segment selector. A segment selector provides software with an index into the GDT or LDT (the offset of its associated segment descriptor), a global/local flag (determining whether the selector points to the GDT or the LDT), and access rights information.
To access a byte in a segment, both a segment selector and an offset must be supplied. The segment selector provides access to the segment descriptor for the segment (in the GDT or LDT). From the segment descriptor, the processor obtains the base address of the segment in the linear address space; the offset then gives the location of the byte relative to that base address. Provided the processor can access the segment at its current privilege level (CPL), this mechanism can be used to access any valid code, data or stack segment in the GDT or LDT; the CPL is the protection level of the currently executing code segment.
…
The linear base address of the GDT is stored in the GDT register (GDTR), and the linear base address of the LDT is stored in the LDT register (LDTR).

Just as with the IDT check, the GDT and LDT in the guest cannot be the same as on the real host, so the VM must provide its own "copies" of them. The GDT and LDT base addresses can be read with the SGDT and SLDT instructions. Tobias Klein, author of the Scoopy suite of VM-detection tools, found by testing that an LDT base of 0x0000 (only two bytes) indicates a real host and anything else a VM, while a GDT base of 0xFFXXXXXX indicates a VM and anything else a real host. The code is as follows:
Code:
#include <stdio.h>

void LDTDetect(void)
{
    unsigned short ldt_addr = 0;
    unsigned char ldtr[2];   // SLDT stores the 16-bit LDT segment selector

    _asm sldt ldtr
    ldt_addr = *((unsigned short *)&ldtr);
    printf("LDT BaseAddr: 0x%x\n", ldt_addr);

    if(ldt_addr == 0x0000)   // 0x0000 on a real host according to Scoopy's tests
    {
        printf("Native OS\n");
    }
    else
        printf("Inside VMware\n");
}

void GDTDetect(void)
{
    unsigned int gdt_addr = 0;
    unsigned char gdtr[6];   // SGDT stores 6 bytes: the 2-byte limit followed by the 4-byte base (a 4-byte buffer, as in the original, overflows)

    _asm sgdt gdtr
    gdt_addr = *((unsigned int *)&gdtr[2]);   // skip the limit and read the base
    printf("GDT BaseAddr:0x%x\n", gdt_addr);

    if((gdt_addr >> 24) == 0xff)   // a base in 0xFFxxxxxx means VMware
    {
        printf("Inside VMware\n");
    }
    else
        printf("Native OS\n");
}

int main(void)
{
    LDTDetect();
    GDTDetect();
    return 0;
}
The test result is shown in Figure 3:
[Figure 3: 3.jpg]

Method 4: detection based on STR

When a task switch happens in protected mode, the segment selector that points to the current task's TSS is stored in the task register. The TSS holds the execution state of the current task: the general-purpose registers, segment registers, flags register, EIP and so on, and when the task is resumed the processor restores the state it saved there. Every task has its own TSS, and the STR instruction gives us the segment selector for the current task's TSS. STR (Store Task Register) stores the segment selector from the task register (TR) into the destination operand, which may be a general-purpose register or a memory location; the selector it stores points to the task state segment (TSS) of the currently running task. The value read through STR differs between a VM and a real host: when it equals 0x0040xxxx the program is in a VM, otherwise on a real host. The code is as follows:
Code:
#include <stdio.h>
int main(void)
{
    unsigned char mem[4] = {0};   // STR writes the 16-bit TR selector into the first two bytes
    int i;

    __asm str mem;
    printf (" STR base: 0x");
    for (i=0; i<4; i++)
    {
        printf("%02x",mem[i]);
    }

    if ( (mem[0]==0x00) && (mem[1]==0x40))   // bytes 00 40 (selector 0x4000) are the value observed under VMware
        printf("\n INSIDE MATRIX!!\n");
    else
        printf("\n Native OS!!\n");
    return 0;
}
The test result is shown in Figure 4:
[Figure 4: 4.jpg]
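Methods 2, 3 and 4 each read one descriptor-table register and compare it with a threshold. As an added example (my code, not code from the original post; the threshold values are the post's, not a claim about any particular VMware build), the C program below parses the 6-byte SIDT/SGDT images and the 16-bit SLDT/STR selectors from byte buffers and applies all four rules, so the decision logic can be checked on constructed register snapshots without executing the privileged-state instructions. The snapshot values and all function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original post: the decision rules behind
 * methods 2, 3 and 4 applied to raw register images passed in as bytes, so
 * they can be exercised without executing SIDT/SGDT/SLDT/STR. The thresholds
 * are the ones the post quotes (redpill, Scoopy); the snapshots below are
 * constructed, not captured from a real machine. */

/* SIDT and SGDT store a 6-byte image: a 16-bit limit followed by the 32-bit
 * linear base, both little-endian (the post's IDTINFO struct is this layout
 * with the base split into two WORDs). */
uint16_t dtr_limit(const uint8_t img[6]) { return (uint16_t)(img[0] | (img[1] << 8)); }
uint32_t dtr_base(const uint8_t img[6])
{
    return (uint32_t)img[2] | ((uint32_t)img[3] << 8) | ((uint32_t)img[4] << 16) | ((uint32_t)img[5] << 24);
}

/* Method 2, redpill's rule: most significant byte of the IDT base above 0xD0
 * (0xFFxxxxxx on VMware, 0xE8xxxxxx on Virtual PC, 0x80xxxxxx on a real host). */
int idt_base_looks_virtual(uint32_t idt_base) { return (idt_base >> 24) > 0xD0; }

/* Method 3, Scoopy's rules: GDT base in 0xFFxxxxxx; LDT selector not 0x0000. */
int gdt_base_looks_virtual(uint32_t gdt_base) { return (gdt_base >> 24) == 0xFF; }
int ldt_selector_looks_virtual(uint16_t ldt_sel) { return ldt_sel != 0; }

/* Method 4: STR stores the 16-bit task register selector; the post treats the
 * bytes 00 40 (selector 0x4000) as the VMware value. */
int tr_selector_looks_virtual(uint16_t tr_sel) { return tr_sel == 0x4000; }

/* The four register images one probe would collect. */
typedef struct {
    uint8_t idtr[6];
    uint8_t gdtr[6];
    uint16_t ldtr;
    uint16_t tr;
} dt_snapshot;

/* How many of the four rules fire. Each of the post's tools reports "inside VM"
 * on its single rule; combining them shows how consistent the signals are. */
int count_vm_indicators(const dt_snapshot *s)
{
    return idt_base_looks_virtual(dtr_base(s->idtr)) + gdt_base_looks_virtual(dtr_base(s->gdtr))
         + ldt_selector_looks_virtual(s->ldtr) + tr_selector_looks_virtual(s->tr);
}

/* Constructed snapshots placed in the address ranges the post reports. */
const dt_snapshot NATIVE_SNAPSHOT = {
    {0xFF, 0x07, 0x00, 0xF4, 0x03, 0x80},  /* IDT limit 0x07FF, base 0x8003F400 */
    {0xFF, 0x03, 0x00, 0xF0, 0x03, 0x80},  /* GDT limit 0x03FF, base 0x8003F000 */
    0x0000,                                /* no LDT in use */
    0x0028                                 /* TR selector */
};
const dt_snapshot VMWARE_SNAPSHOT = {
    {0xFF, 0x07, 0x00, 0xC0, 0xBF, 0xFF},  /* IDT base 0xFFBFC000 */
    {0xFF, 0x03, 0x00, 0x80, 0xBF, 0xFF},  /* GDT base 0xFFBF8000 */
    0x0008,
    0x4000
};

static void report(const char *name, const dt_snapshot *s)
{
    printf("%s: IDT 0x%08x (limit 0x%x) GDT 0x%08x LDT 0x%04x TR 0x%04x -> %d indicator(s)\n",
           name, dtr_base(s->idtr), dtr_limit(s->idtr), dtr_base(s->gdtr), s->ldtr, s->tr,
           count_vm_indicators(s));
}

int main(void)
{
    report("native", &NATIVE_SNAPSHOT);
    report("vmware", &VMWARE_SNAPSHOT);
    return 0;
}
```

Feeding the program a snapshot taken on each CPU of a multi-processor machine is also the quickest way to see the per-processor variation of the IDT base described above.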

Method 5: registry-based detection

A Windows guest usually has VMware Tools and other virtual hardware installed (network adapter, virtual printer, USB hub, …), all of which create registry entries that any program can read, so we can decide whether we are in a VM by checking for some characteristic strings in the registry. The locations can be found by searching the registry for the keyword "vmware"; here are some entries I found in Windows XP under VMware:

Key: HKEY_CLASSES_ROOT\Applications\VMwareHostOpen.exe
Key: HKEY_CLASSES_ROOT\Installer\Products\C2A6F2EFE6910124C940B2B12CF170FE\ProductName
Value: "VMware Tools"
Key: HKEY_CLASSES_ROOT\Installer\Products\C2A6F2EFE6910124C940B2B12CF170FE\SourceList\PackageName
Value: VMware Tools.msi
Key: HKEY_CURRENT_USER\Printers\DeviceOld
Value: _#VMwareVirtualPrinter,winspool,TPVM:
Key: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
Value: VMware Virtual IDE Hard Drive
Key: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
Value: NECVMWar VMware IDE CDR10
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C2A6F2EFE6910124C940B2B12CF170FE\ProductName
Value: VMware Tools
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C2A6F2EFE6910124C940B2B12CF170FE\InstallProperties\DisplayName
Value: VMware Tools
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\0002\DeviceDesc
Value: VMware SVGA II
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2\Description
Value: VMware Accelerated AMD PCNet Adapter
Key: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
Value: VMware SVGA II
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
Value: VMware, Inc.
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001\DriverDesc
Value: VMware Accelerated AMD PCNet Adapter
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
Value: VMware SCSI Controller
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ThinPrint Print Port Monitor for VMWare

One more location, the BIOS manufacturer string, with the code as follows:

BOOL DetectVM() {
    HKEY hKey;
    char szBuffer[64] = {0};                      // zero-filled so the value read is always NUL-terminated
    unsigned long hSize = sizeof(szBuffer) - 1;
    BOOL found = FALSE;

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System\\BIOS\\", 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
        if (RegQueryValueEx(hKey, "SystemManufacturer", NULL, NULL, (unsigned char *)szBuffer, &hSize) == ERROR_SUCCESS) {
            CharUpperBuff(szBuffer, (DWORD)strlen(szBuffer));   // the value reads "VMware, Inc.", so a case-sensitive strstr for "VMWARE" (as in the original) never matches
            if (strstr(szBuffer, "VMWARE"))
                found = TRUE;
        }
        RegCloseKey(hKey);
    }
    return found;
}

Beyond these entries there are many other places to check, in particular the virtual hardware, software and services the VM provides, such as the file sharing service, the VMware Physical Disk Helper Service, the VMware Ethernet Adapter Driver, the VMware SCSI Controller and so on; all of this information can serve as a VM-detection signal. Here we take one of the entries as a programming example; the other entries are checked the same way. The code is as follows:
Code:
.386
.model flat, stdcall
option casemap:none

   include  windows.inc
   include  user32.inc
   include  kernel32.inc
   include  advapi32.inc

   includelib  user32.lib
   includelib  kernel32.lib
   includelib  advapi32.lib

.data
szCaption   db "VMware Detector ",0
szInside    db "Inside VMware!",0
szOutside   db "Native OS!",0
szSubKey    db "software\VMWare, Inc.\VMware tools",0   ; key created by the VMware Tools installer
hKey        dd ?

.code
start:
  ; KEY_READ is enough to test whether the key exists; the original also requested
  ; KEY_WRITE, which fails for a non-administrator and then reports "Native OS" inside a VM
  invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE, addr szSubKey, 0,\
                 KEY_READ, addr hKey
  .if eax == ERROR_SUCCESS
    invoke RegCloseKey, hKey          ; close only a handle that was actually opened
    invoke MessageBox, NULL, addr szInside, addr szCaption, MB_OK
  .else
    invoke MessageBox, NULL, addr szOutside, addr szCaption, MB_OK
  .endif
  invoke ExitProcess, NULL
end start
The test result is shown in Figure 5:
[Figure 5: 5.jpg]

Method 6: detection based on timing differences

This method runs a specific piece of code and compares its execution time in the VM with that on a real host to decide whether we are in a VM. We can implement it with the RDTSC instruction, which stores the number of CPU cycles elapsed since the computer started into EDX:EAX, EDX being the high part and EAX the low part. Below we use the execution time of a single instruction, xchg ecx, eax, as the example. On my real Windows 7 host this instruction took 0000001E, as Figure 6 shows:
[Figure 6: 6.jpg]
while in the Windows XP VM it took 00000442, as Figure 7 shows:
[Figure 7: 7.jpg]
The difference in execution time is obvious: the VM runs far slower than the real host. In general, when the execution time exceeds 0xFF we can conclude we are in a VM, so the detection program is easy to write. The code is as follows:
Code:
.586p
.model flat, stdcall
option casemap:none

include      windows.inc
include      kernel32.inc
include      user32.inc

includelib   kernel32.lib
includelib   user32.lib

.data
szTitle       db  "VMDetect With RDTSC", 0h
szInsideVM    db  "Inside VMware!", 0h
szOutsideVM   db  "Native OS!", 0h

.code

start:
  rdtsc                   ; EDX:EAX = cycle counter; only the low part is used
  xchg    ecx, eax        ; the instruction being timed; it also moves the first reading into ECX
  rdtsc
  sub     eax, ecx        ; cycles elapsed between the two readings
  cmp     eax, 0FFh
  jg      Detected        ; more than 0xFF cycles is treated as a VM

  invoke  MessageBox, 0, offset szOutsideVM, offset szTitle, 0
  invoke  ExitProcess, 0  ; exit cleanly instead of returning from the entry point

Detected:
  invoke  MessageBox, 0, offset szInsideVM, offset szTitle, 0
  invoke  ExitProcess, 0
end start
The test result is shown in Figure 8:
[Figure 8: 8.jpg]
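The assembly above issues one RDTSC pair and decides on a single reading. As an added example (my code, not the post's), the C program below keeps the post's probe and its 0xFF threshold but judges the median of many samples: on bare metal a single reading can exceed 0xFF whenever an interrupt or context switch lands between the two RDTSCs, so a one-shot check gives false "inside VM" verdicts that the median removes. The sample arrays are constructed; `measure_probe` assumes GCC or Clang on x86 and only reports live numbers, which vary by CPU and by how the hypervisor handles RDTSC.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#if (defined(__x86_64__) || defined(__i386__)) && defined(__GNUC__)
#include <x86intrin.h>
#define HAVE_RDTSC_PROBE 1
#endif

/* Added example, not from the original post. The post compares one RDTSC
 * delta with 0xFF; here the same threshold is applied to the median of many
 * readings so that a stray interrupt between the two RDTSCs does not decide
 * the verdict. The sample arrays are constructed. */

#define VM_CYCLE_THRESHOLD 0xFFu

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n > 0 samples; sorts a copy so the input stays untouched. */
uint64_t median_cycles(const uint64_t *samples, size_t n)
{
    uint64_t *copy = n ? malloc(n * sizeof *copy) : NULL, m;
    if (!copy) return 0;
    for (size_t i = 0; i < n; i++) copy[i] = samples[i];
    qsort(copy, n, sizeof *copy, cmp_u64);
    m = (n % 2) ? copy[n / 2] : (copy[n / 2 - 1] + copy[n / 2]) / 2;
    free(copy);
    return m;
}

/* One-shot rule exactly as the post's assembly applies it. */
int single_reading_suggests_vm(uint64_t cycles) { return cycles > VM_CYCLE_THRESHOLD; }

/* Robust rule: the median of the readings must exceed the threshold. */
int timing_suggests_vm(const uint64_t *samples, size_t n)
{
    return n > 0 && median_cycles(samples, n) > VM_CYCLE_THRESHOLD;
}

/* Live version of the post's probe (RDTSC; xchg ecx,eax; RDTSC) for GCC/Clang
 * on x86; returns the number of samples written (0 on other platforms). */
size_t measure_probe(uint64_t *out, size_t n)
{
#ifdef HAVE_RDTSC_PROBE
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = __rdtsc();
        __asm__ volatile("xchg %%ecx, %%eax" ::: "eax", "ecx", "memory");
        out[i] = __rdtsc() - t0;
    }
    return n;
#else
    (void)out; (void)n;
    return 0;
#endif
}

/* Constructed readings: a bare-metal run with one interrupt spike, and a VM run. */
const uint64_t NATIVE_SAMPLES[10] = {24, 30, 28, 2500, 26, 31, 27, 29, 30, 25};
const uint64_t VM_SAMPLES[10]     = {1090, 1100, 1075, 1120, 1098, 1101, 1094, 1088, 1110, 1099};

int main(void)
{
    uint64_t live[200];
    size_t n = measure_probe(live, 200);
    printf("constructed native: median %llu -> %s (one-shot on the spike alone: %s)\n",
           (unsigned long long)median_cycles(NATIVE_SAMPLES, 10),
           timing_suggests_vm(NATIVE_SAMPLES, 10) ? "VM" : "native",
           single_reading_suggests_vm(NATIVE_SAMPLES[3]) ? "VM" : "native");
    printf("constructed vm: median %llu -> %s\n", (unsigned long long)median_cycles(VM_SAMPLES, 10),
           timing_suggests_vm(VM_SAMPLES, 10) ? "VM" : "native");
    if (n) printf("this machine: median %llu cycles over %zu runs\n", (unsigned long long)median_cycles(live, n), n);
    return 0;
}
```

The 0xFF threshold is the post's figure for its own hardware; on a modern CPU the live median is the number to calibrate against, and a hypervisor that offsets or traps RDTSC changes it again.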

Method 7: detection using virtual hardware fingerprints

Virtual hardware fingerprints can also reveal a VM. For example, VMware's default network adapter MAC addresses begin with 00-05-69, 00-0C-29 or 00-50-56; these first three octets are the OUIs (unique identifiers) assigned to VMware for its virtual adapters. The MAC address in my VMware Windows XP guest is 00-0C-29-5B-D7-67, as Figure 9 shows:
[Figure 9: 9.jpg]

These, however, can be bypassed by editing the configuration file. Detection can also be based on characteristic strings of specific hardware controllers, the BIOS, the USB controller, the graphics card, the network card and so on, some of which were already covered by the registry method above.

A member of the Kanxue (看雪) forum also suggested detecting the VM by checking whether the hard disk model number contains "vmware" or "virtual"; the post is reproduced below:

A quick try at anti-VMware
Today I happened to see a portable hard-disk utility and suddenly realised one of its features could be used for anti-VMware.
Today's work shouldn't be left for tomorrow, so let's implement the idea before midnight tonight; let's go!
My idea is to check the hard disk's model number; search the web yourself for what a model number is, it is not the disk serial number anyway. The hard part is making the anti-VMware check work on several operating systems. The program detects VMware on XP, 2000 and 2003.
I'll just paste the code; it doesn't matter if you can't follow it, I wrote it by reversing someone else's code. Delphi can be used as an assembly development tool too, can't it?
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, Buttons;

type
  TForm1 = class(TForm)
    BitBtn1: TBitBtn;
    procedure BitBtn1Click(Sender: TObject);
    procedure FormClose(Sender: TObject; var Action: TCloseAction);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;
  hDeviceHandle: THandle;

implementation

{$R *.dfm}

procedure TForm1.BitBtn1Click(Sender: TObject);
var
  InBuffer: array[0..$8f] of byte;   // SCSI_PASS_THROUGH_DIRECT header, sense area and 64-byte data area in one buffer
  cb: Cardinal;
  tmp: PChar;
begin
  // open the first physical disk (GENERIC_READ or GENERIC_WRITE, shared read/write)
  hDeviceHandle := CreateFile('\\.\PHYSICALDRIVE0', $C0000000, $3, nil, OPEN_EXISTING, $8000000, 0);
  ZeroMemory(@InBuffer, SizeOf(InBuffer));
  asm
    pushad
    lea ebx, InBuffer
    xor ecx, ecx
    mov al, $2c
    mov [ebx], al               // Length = SizeOf(SCSI_PASS_THROUGH_DIRECT) = 44
    mov eax, $200c0000
    mov [ebx+4], eax            // CdbLength = 12, SenseInfoLength = 32
    mov al, $01
    mov [ebx+8], al             // DataIn = SCSI_IOCTL_DATA_IN
    mov al, $40
    mov [ebx+$c], al            // DataTransferLength = 64
    mov eax, $0001a5E0
    mov [ebx+$10], eax          // TimeOutValue
    mov al, $30
    mov [ebx+$18], al           // SenseInfoOffset = $30
    mov al, $12
    mov [ebx+$1c], al           // Cdb[0] = $12: SCSI INQUIRY
    mov al, $40
    mov [ebx+$20], al           // Cdb[4] = allocation length 64
    add ecx, ebx
    add ecx, $50
    mov [ebx+$14], ecx          // DataBuffer = @InBuffer[$50]
    popad
  end;

  // $4D014 is IOCTL_SCSI_PASS_THROUGH_DIRECT
  if DeviceIoControl(hDeviceHandle, $4D014, @InBuffer, $50, @InBuffer, $50, cb, nil) then
  begin
    asm
      pushad
      lea ebx, InBuffer
      add ebx, $58              // INQUIRY data starts at $50; the vendor/product identification starts 8 bytes into it
      mov tmp, ebx
      popad
    end;

    if ((Pos('vmware', LowerCase(tmp)) > 0) or (Pos('virtual', LowerCase(tmp)) > 0)) then
      ShowMessage('檢測到 VMware Workstation!!!')   // "VMware Workstation detected!!!"
    else
      ShowMessage('請在VMware中測試!');              // "Please test inside VMware!"
  end;
end;

procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  CloseHandle(hDeviceHandle);
end;

end.
  
The code is short, but it works well. A few screenshots, for the record!

A C++ implementation:

Via IOCTL_STORAGE_QUERY_PROPERTY:

// The STORAGE_* declarations below normally come from <winioctl.h>; they are repeated here as in the
// original, with STORAGE_DEVICE_DESCRIPTOR cut down to the leading fields that this code uses.
typedef enum _STORAGE_QUERY_TYPE { PropertyStandardQuery = 0, PropertyExistsQuery, PropertyMaskQuery, PropertyQueryMaxDefined } STORAGE_QUERY_TYPE, *PSTORAGE_QUERY_TYPE;

typedef enum _STORAGE_PROPERTY_ID { StorageDeviceProperty = 0, StorageAdapterProperty } STORAGE_PROPERTY_ID, *PSTORAGE_PROPERTY_ID;

typedef struct _STORAGE_PROPERTY_QUERY {
    STORAGE_PROPERTY_ID PropertyId;
    STORAGE_QUERY_TYPE QueryType;
    UCHAR AdditionalParameters[1];
} STORAGE_PROPERTY_QUERY, *PSTORAGE_PROPERTY_QUERY;

typedef struct _STORAGE_DEVICE_DESCRIPTOR {
    ULONG Version;
    ULONG Size;
    UCHAR DeviceType;
    UCHAR DeviceTypeModifier;
    BOOLEAN RemovableMedia;
    BOOLEAN CommandQueueing;
    ULONG VendorIdOffset;
    ULONG ProductIdOffset;   // offset of the product id string from the start of the buffer; 0 when absent
} STORAGE_DEVICE_DESCRIPTOR, *PSTORAGE_DEVICE_DESCRIPTOR;

#define IOCTL_STORAGE_QUERY_PROPERTY CTL_CODE(IOCTL_STORAGE_BASE, 0x0500, METHOD_BUFFERED, FILE_ANY_ACCESS)

bool IsSandboxed()
{
    HANDLE hPhysicalDriveIOCTL = 0;
    char szModel[128], szBuffer[128];
    const char *szDrives[] = { "qemu", "virtual", "vmware", NULL };
    bool found = false;

    // zero desired access is enough for IOCTL_STORAGE_QUERY_PROPERTY, so no administrator rights are needed
    hPhysicalDriveIOCTL = CreateFile("\\\\.\\PhysicalDrive0", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hPhysicalDriveIOCTL != INVALID_HANDLE_VALUE)
    {
        STORAGE_PROPERTY_QUERY query;
        DWORD cbBytesReturned = 0;
        memset((void *)&query, 0, sizeof(query));
        query.PropertyId = StorageDeviceProperty;   // QueryType stays PropertyStandardQuery (0)
        memset(szBuffer, 0, sizeof(szBuffer));
        memset(szModel, 0, sizeof(szModel));

        if (DeviceIoControl(hPhysicalDriveIOCTL, IOCTL_STORAGE_QUERY_PROPERTY, &query, sizeof(query), &szBuffer, sizeof(szBuffer), &cbBytesReturned, NULL))
        {
            STORAGE_DEVICE_DESCRIPTOR *descrip = (STORAGE_DEVICE_DESCRIPTOR *)&szBuffer;
            DWORD pos = descrip->ProductIdOffset;
            int m = 0;
            // copy the product id; the offset is 0 when the driver reports no product id, and the copy must stay inside szBuffer
            if (pos != 0 && pos < sizeof(szBuffer))
                for (DWORD g = pos; g < sizeof(szBuffer) - 1 && szBuffer[g] != '\0'; g++)
                    szModel[m++] = szBuffer[g];
            CharLowerBuff(szModel, strlen(szModel));

            for (int i = 0; szDrives[i] != NULL && !found; i++)
                if (strstr(szModel, szDrives[i]))
                    found = true;
        }
        CloseHandle(hPhysicalDriveIOCTL);   // closed on every path; the original returned TRUE without closing the handle
    }
    return found;
}
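The registry and disk-model checks above (DetectVM, the Delphi post and IsSandboxed) and the MAC OUI check of method 7 all come down to parsing a buffer and matching a short string. As an added example, not code from the original post, the C program below shows that logic portably on constructed input: a case-insensitive search (which the DetectVM code needs, since the value is "VMware, Inc." while it searches for "VMWARE"), a bounded parser for the STORAGE_DEVICE_DESCRIPTOR product-id offset, and a MAC address parser checked against the three VMware OUIs the post lists. The descriptor bytes and all function names are my own.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post: the parsing and matching behind the
 * registry, disk-model and MAC fingerprints, portable and over constructed input. */

/* Case-insensitive ASCII substring test. The post's DetectVM() runs
 * strstr(szBuffer, "VMWARE") on "VMware, Inc." and never matches; this is the
 * comparison it needs. */
int contains_nocase(const char *hay, const char *needle)
{
    size_t nlen = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < nlen && hay[i] && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == nlen) return 1;
    }
    return nlen == 0;
}

/* Marker words the post's IsSandboxed() looks for in the disk model. */
static const char *const VM_MARKERS[] = {"vmware", "virtual", "qemu"};

int string_has_vm_marker(const char *s)
{
    for (size_t i = 0; i < sizeof VM_MARKERS / sizeof VM_MARKERS[0]; i++)
        if (contains_nocase(s, VM_MARKERS[i])) return 1;
    return 0;
}

/* STORAGE_DEVICE_DESCRIPTOR header offsets (IOCTL_STORAGE_QUERY_PROPERTY); the
 * string offsets count from the buffer start and are 0 when the string is absent. */
enum { SDD_SIZE = 4, SDD_VENDORID_OFF = 12, SDD_PRODUCTID_OFF = 16, SDD_HEADER = 28 };
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Copies the product id out of a descriptor. Unlike the post's loop it never reads
 * past buflen and rejects an absent or out-of-range offset; returns 1 if non-empty. */
int descriptor_product_id(const uint8_t *buf, size_t buflen, char *out, size_t outlen)
{
    size_t n = 0;
    uint32_t off;
    if (outlen == 0) return 0;
    out[0] = '\0';
    if (buflen < SDD_HEADER || (off = rd32(buf + SDD_PRODUCTID_OFF)) == 0 || off >= buflen) return 0;
    for (; off + n < buflen && n + 1 < outlen && buf[off + n] != 0; n++) out[n] = (char)buf[off + n];
    out[n] = '\0';
    return n > 0;
}

/* Constructed descriptor shaped like a VMware virtual disk's answer (vendor
 * "VMware, ", product "VMware Virtual S"); returns the number of bytes written. */
size_t build_sample_descriptor(uint8_t *buf, size_t len)
{
    static const char vendor[] = "VMware, ", product[] = "VMware Virtual S";
    size_t need = SDD_HEADER + sizeof vendor + sizeof product;
    if (len < need) return 0;
    memset(buf, 0, need);
    wr32(buf + SDD_SIZE, (uint32_t)need);
    wr32(buf + SDD_VENDORID_OFF, SDD_HEADER);
    wr32(buf + SDD_PRODUCTID_OFF, (uint32_t)(SDD_HEADER + sizeof vendor));
    memcpy(buf + SDD_HEADER, vendor, sizeof vendor);
    memcpy(buf + SDD_HEADER + sizeof vendor, product, sizeof product);
    return need;
}

/* MAC OUIs the post lists as assigned to VMware. */
static const uint8_t VMWARE_OUIS[][3] = {{0x00,0x05,0x69}, {0x00,0x0C,0x29}, {0x00,0x50,0x56}};
static int hexval(int c) { return isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1; }

/* Parses "00-0C-29-5B-D7-67" (or ':'-separated) into six bytes; 1 on success. */
int parse_mac(const char *text, uint8_t mac[6])
{
    for (int i = 0; i < 6; i++, text += 3) {
        int hi = hexval((unsigned char)text[0]), lo = text[0] ? hexval((unsigned char)text[1]) : -1;
        if (hi < 0 || lo < 0) return 0;
        mac[i] = (uint8_t)(hi * 16 + lo);
        if (i == 5) return text[2] == '\0';
        if (text[2] != '-' && text[2] != ':') return 0;
    }
    return 0;
}

/* 1 if the OUI is VMware's, 0 if not, -1 if the text does not parse. */
int mac_text_has_vmware_oui(const char *text)
{
    uint8_t mac[6];
    if (!parse_mac(text, mac)) return -1;
    for (size_t i = 0; i < sizeof VMWARE_OUIS / sizeof VMWARE_OUIS[0]; i++)
        if (memcmp(mac, VMWARE_OUIS[i], 3) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t desc[64];
    char model[32];
    descriptor_product_id(desc, build_sample_descriptor(desc, sizeof desc), model, sizeof model);
    printf("disk model \"%s\": marker=%d\n", model, string_has_vm_marker(model));
    printf("00-0C-29-5B-D7-67 -> %d, 00-11-22-33-44-55 -> %d\n",
           mac_text_has_vmware_oui("00-0C-29-5B-D7-67"), mac_text_has_vmware_oui("00-11-22-33-44-55"));
    return 0;
}
```

Run over an inventory of adapter MAC addresses and disk model strings, the same functions give a quick count of how many hosts would trip these fingerprints, which is the figure a sandbox operator wants before deciding what to rename or re-address.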



Summary
Researchers at the SANS security organisation have summarised current VM-detection techniques into four categories:
●  searching for processes, file systems and registry entries of the virtual environment;
●  searching the memory of the virtual environment;
●  searching for specific virtual hardware of the virtual environment;
●  searching for specific processor instructions and capabilities of the virtual environment.

Since modern computer systems consist of file systems, memory, processors and various hardware components, the four categories above cover all of these factors, and every detection method discussed earlier falls into one of them. Beyond these, network-based VM detection has also been proposed, such as looking for timing differences in ICMP and TCP traffic, differences in IP ID values, and abnormal header fields in packets. As research deepens, more detection techniques will surely appear, and at the same time VM vendors will keep evolving their products to make anti-VMware harder; this is nothing if not an endless silent war!


================================================================================

Defeating the anti-VM checks

The fix for methods 1, 2, 3, 4 and 6 above is:

1. Enable the VT (virtualisation) option in the CPU settings of the host BIOS. Note that this must be done before installing VMware; if the order is wrong, the only remedy is to uninstall VMware completely and reinstall it.

2. Create a new VM and configure its CPU settings as shown in the figure below:

The main goal is to turn off binary translation optimisation and turn on VT virtualisation for the VM.

3. Turn off some VM settings. Open the VMX file, which is the VM's configuration file, in Notepad (at a path such as "C:\VM Machines\Windows 7 (32位)\Windows 7 (32位).vmx") and append the following at the end of the file:

isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.restrict_backdoor = "TRUE"
This enables VT virtualisation, disables binary translation and closes the various backdoors. Then install the guest OS (for instance Windows 7) in the VM; once it is installed, running the checks of methods 1, 2, 3, 4 and 6 inside the Windows 7 guest, all of them pass.
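As an added example, not part of the original post, the C program below audits a .vmx file for the fourteen settings listed above, so a sandbox operator can confirm that every one of them is present and set to TRUE before relying on the guest. The sample .vmx text and the function names are my own; the parser assumes the simple key = "value" line format shown above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post: audits a .vmx file for the
 * fourteen settings listed above and reports the ones absent or not TRUE.
 * The sample .vmx text is constructed. */

static const char *const REQUIRED_VMX_KEYS[] = {
    "isolation.tools.getPtrLocation.disable", "isolation.tools.setPtrLocation.disable",
    "isolation.tools.setVersion.disable",     "isolation.tools.getVersion.disable",
    "monitor_control.disable_directexec",     "monitor_control.disable_chksimd",
    "monitor_control.disable_ntreloc",        "monitor_control.disable_selfmod",
    "monitor_control.disable_reloc",          "monitor_control.disable_btinout",
    "monitor_control.disable_btmemspace",     "monitor_control.disable_btpriv",
    "monitor_control.disable_btseg",          "monitor_control.restrict_backdoor",
};
#define REQUIRED_VMX_COUNT (sizeof REQUIRED_VMX_KEYS / sizeof REQUIRED_VMX_KEYS[0])

static int is_blank(int c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

static int equals_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Splits one 'key = "value"' line into key and value (blanks around both and the
 * quotes around the value removed). Returns 0 for comments and lines without '='. */
int parse_vmx_line(const char *line, char *key, size_t klen, char *val, size_t vlen)
{
    const char *ks = line, *eq, *ke, *vs, *ve;
    while (is_blank(*ks)) ks++;
    if (*ks == '#' || (eq = strchr(ks, '=')) == NULL) return 0;
    for (ke = eq; ke > ks && is_blank(ke[-1]); ke--) ;
    for (vs = eq + 1; is_blank(*vs); vs++) ;
    for (ve = vs + strlen(vs); ve > vs && is_blank(ve[-1]); ve--) ;
    if (ve - vs >= 2 && *vs == '"' && ve[-1] == '"') { vs++; ve--; }
    if (ke == ks || (size_t)(ke - ks) >= klen || (size_t)(ve - vs) >= vlen) return 0;
    memcpy(key, ks, (size_t)(ke - ks)); key[ke - ks] = '\0';
    memcpy(val, vs, (size_t)(ve - vs)); val[ve - vs] = '\0';
    return 1;
}

/* Walks the .vmx text; returns how many required keys are set to TRUE and, when
 * missing is not NULL, sets missing[i] = 1 for each key absent or not TRUE. */
int vmx_hardening_score(const char *text, int *missing)
{
    char line[512], key[128], val[128];
    int seen[REQUIRED_VMX_COUNT] = {0}, score = 0;
    for (const char *p = text; *p;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_vmx_line(line, key, sizeof key, val, sizeof val))
                for (size_t i = 0; i < REQUIRED_VMX_COUNT; i++)
                    if (strcmp(key, REQUIRED_VMX_KEYS[i]) == 0 && equals_nocase(val, "TRUE"))
                        seen[i] = 1;
        }
        p = nl ? nl + 1 : p + len;
    }
    for (size_t i = 0; i < REQUIRED_VMX_COUNT; i++) {
        if (missing) missing[i] = !seen[i];
        score += seen[i];
    }
    return score;
}

/* 1 if required key number idx is absent or not TRUE, 0 if set, -1 if idx is invalid. */
int vmx_key_missing(const char *text, size_t idx)
{
    int missing[REQUIRED_VMX_COUNT];
    if (idx >= REQUIRED_VMX_COUNT) return -1;
    vmx_hardening_score(text, missing);
    return missing[idx];
}

/* Constructed .vmx excerpt: eleven keys correct, disable_directexec left at
 * FALSE, disable_btseg and restrict_backdoor absent. */
const char SAMPLE_VMX[] =
    ".encoding = \"UTF-8\"\n"
    "displayName = \"Windows 7 (32-bit)\"\n"
    "# hardening block\n"
    "isolation.tools.getPtrLocation.disable = \"TRUE\"\n"
    "isolation.tools.setPtrLocation.disable = \"TRUE\"\n"
    "isolation.tools.setVersion.disable = \"TRUE\"\n"
    "isolation.tools.getVersion.disable = \"TRUE\"\n"
    "monitor_control.disable_directexec = \"FALSE\"\n"
    "monitor_control.disable_chksimd = \"TRUE\"\n"
    "monitor_control.disable_ntreloc = \"TRUE\"\n"
    "monitor_control.disable_selfmod = \"TRUE\"\n"
    "monitor_control.disable_reloc = \"TRUE\"\n"
    "monitor_control.disable_btinout = \"TRUE\"\n"
    "monitor_control.disable_btmemspace = \"TRUE\"\n"
    "monitor_control.disable_btpriv = \"TRUE\"\n";

int main(void)
{
    int missing[REQUIRED_VMX_COUNT];
    printf("%d of %d hardening keys set to TRUE\n", vmx_hardening_score(SAMPLE_VMX, missing), (int)REQUIRED_VMX_COUNT);
    for (size_t i = 0; i < REQUIRED_VMX_COUNT; i++)
        if (missing[i]) printf("  missing or not TRUE: %s\n", REQUIRED_VMX_KEYS[i]);
    return 0;
}
```

A check like this belongs in whatever script provisions the analysis VMs, since a .vmx edited by hand is easy to get wrong and VMware rewrites the file when settings change in the GUI.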

The fix for method 7 is to change the hardware information. There is a lot of VM-specific hardware information; only the network card is covered here: download a MAC address changer and change the MAC so that it is no longer one of VMware's, which defeats method 7.


Method 5 is what a lot of commercial software uses for this check, for a simple reason: the registry is easy to read both from a driver and from user mode, and a protection developer only needs to install a VM to extract the characteristic values. The fix is to search the registry for the strings "VMware", "virtual" and so on, change everything that can be changed, and then export the registry so it can be re-imported after a reboot, because some registry entries are restored when the VM restarts.

Example:

Environment: VMware VM, Windows 7 32-bit, installation image XBL_GHOST_WIN7_SP1_07ZJB.iso

Principle: "VMware" in the registry was changed to "test123"

Registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation]
"BIOSVersion"="6.00"
"BIOSReleaseDate"="07/02/2012"
"SystemManufacturer"="test123, Inc."
"SystemProductName"="test123 test123 Platform"
"InformationSource"=dword:00000001

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS]
"BiosMajorRelease"=dword:00000004
"BiosMinorRelease"=dword:00000006
"ECFirmwareMajorRelease"=dword:00000000
"ECFirmwareMinorRelease"=dword:00000000
"BaseBoardManufacturer"="Intel Corporation"
"BaseBoardProduct"="440BX Desktop Reference Platform"
"BaseBoardVersion"="None"
"BIOSReleaseDate"="07/02/2012"
"BIOSVendor"="Phoenix Technologies LTD"
"BIOSVersion"="6.00"
"SystemFamily"=""
"SystemManufacturer"="test123, Inc."
"SystemProductName"="test123 test123 Platform"
"SystemSKU"=""
"SystemVersion"="None"

[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0]
"InquiryData"=hex:00,00,02,02,1f,00,00,73,56,4d,77,61,72,65,2c,20,56,4d,77,61,\
  72,65,20,56,69,72,74,75,61,6c,20,53,31,2e,30,20
"Identifier"="test123, test123 Virtual S1.0 "
"DeviceType"="DiskPeripheral"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000]
"CoInstallers32"=hex(7):76,00,6d,00,78,00,5f,00,6d,00,6f,00,64,00,65,00,2e,00,\
  64,00,6c,00,6c,00,2c,00,20,00,56,00,4d,00,58,00,5f,00,4d,00,6f,00,64,00,65,\
  00,43,00,68,00,61,00,6e,00,67,00,65,00,00,00,00,00
"InfPath"="oem2.inf"
"InfSection"="vmx_svga_vista"
"ProviderName"="test123, Inc."
"DriverDateData"=hex:00,80,de,95,e5,e0,ca,01
"DriverDate"="4-21-2010"
"DriverVersion"="11.6.0.35"
"MatchingDeviceId"="pci\\ven_15ad&dev_0405&subsys_040515ad&rev_00"
"DriverDesc"="test123 SVGA II"
"FeatureScore"=dword:000000fc

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation]
"BIOSVersion"="6.00"
"BIOSReleaseDate"="07/02/2012"
"SystemManufacturer"="test123, Inc."
"SystemProductName"="test123 test123 Platform"
"InformationSource"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"
"Resolution.0"=hex:33,32,30,78,32,34,30,00
"Resolution.1"=hex:34,30,30,78,33,30,30,00
"Resolution.2"=hex:35,31,32,78,33,38,34,00
"Resolution.3"=hex:36,34,30,78,34,38,30,00
"Resolution.4"=hex:38,30,30,78,36,30,30,00
"Resolution.5"=hex:31,30,32,34,78,37,36,38,00
"Resolution.6"=hex:31,31,35,32,78,38,36,34,00
"Resolution.7"=hex:31,32,38,30,78,39,36,30,00
"Resolution.8"=hex:31,34,30,30,78,31,30,35,30,00
"Resolution.9"=hex:31,36,30,30,78,31,32,30,30,00
"Resolution.10"=hex:31,39,32,30,78,31,34,34,30,00
"Resolution.11"=hex:32,30,34,38,78,31,35,33,36,00
"Resolution.12"=hex:32,35,36,30,78,31,39,32,30,00
"Resolution.13"=hex:38,35,34,78,34,38,30,00
"Resolution.14"=hex:31,32,38,30,78,37,32,30,00
"Resolution.15"=hex:31,33,36,36,78,37,36,38,00
"Resolution.16"=hex:31,39,32,30,78,31,30,38,30,00
"Resolution.17"=hex:31,32,38,30,78,38,30,30,00
"Resolution.18"=hex:31,34,34,30,78,39,30,30,00
"Resolution.19"=hex:31,36,38,30,78,31,30,35,30,00
"Resolution.20"=hex:31,39,32,30,78,31,32,30,30,00
"Resolution.21"=hex:32,35,36,30,78,31,36,30,30,00
"Resolution.22"=hex:37,32,30,78,34,38,30,00
"Resolution.23"=hex:37,32,30,78,35,37,36,00
"Resolution.24"=hex:33,32,30,78,32,30,30,00
"Resolution.25"=hex:36,34,30,78,34,30,30,00
"Resolution.26"=hex:38,30,30,78,34,38,30,00
"Resolution.27"=hex:31,32,38,30,78,37,36,38,00
"Resolution.28"=hex:31,32,38,30,78,31,30,32,34,00
"HardwareInformation.ChipType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\
  53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00
"HardwareInformation.DacType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,53,\
  00,56,00,47,00,41,00,20,00,49,00,49,00,00,00
"HardwareInformation.MemorySize"=hex:00,00,00,08
"HardwareInformation.AdapterString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,\
  00,53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00
"HardwareInformation.BiosString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\
  53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000\VolatileSettings]
"{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\
  00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\
  45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\
  00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\
  45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\
  00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\
  35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\
  00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\
  31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001\VolatileSettings]
"{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\
  00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\
  45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\
  00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\
  45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\
  00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\
  35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\
  00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\
  31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\vmx_svga\Device0]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000]
"CoInstallers32"=hex(7):76,00,6d,00,78,00,5f,00,6d,00,6f,00,64,00,65,00,2e,00,\
  64,00,6c,00,6c,00,2c,00,20,00,56,00,4d,00,58,00,5f,00,4d,00,6f,00,64,00,65,\
  00,43,00,68,00,61,00,6e,00,67,00,65,00,00,00,00,00
"InfPath"="oem2.inf"
"InfSection"="vmx_svga_vista"
"ProviderName"="test123, Inc."
"DriverDateData"=hex:00,80,de,95,e5,e0,ca,01
"DriverDate"="4-21-2010"
"DriverVersion"="11.6.0.35"
"MatchingDeviceId"="pci\\ven_15ad&dev_0405&subsys_040515ad&rev_00"
"DriverDesc"="test123 SVGA II"
"FeatureScore"=dword:000000fc

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"
"Resolution.0"=hex:33,32,30,78,32,34,30,00
"Resolution.1"=hex:34,30,30,78,33,30,30,00
"Resolution.2"=hex:35,31,32,78,33,38,34,00
"Resolution.3"=hex:36,34,30,78,34,38,30,00
"Resolution.4"=hex:38,30,30,78,36,30,30,00
"Resolution.5"=hex:31,30,32,34,78,37,36,38,00
"Resolution.6"=hex:31,31,35,32,78,38,36,34,00
"Resolution.7"=hex:31,32,38,30,78,39,36,30,00
"Resolution.8"=hex:31,34,30,30,78,31,30,35,30,00
"Resolution.9"=hex:31,36,30,30,78,31,32,30,30,00
"Resolution.10"=hex:31,39,32,30,78,31,34,34,30,00
"Resolution.11"=hex:32,30,34,38,78,31,35,33,36,00
"Resolution.12"=hex:32,35,36,30,78,31,39,32,30,00
"Resolution.13"=hex:38,35,34,78,34,38,30,00
"Resolution.14"=hex:31,32,38,30,78,37,32,30,00
"Resolution.15"=hex:31,33,36,36,78,37,36,38,00
"Resolution.16"=hex:31,39,32,30,78,31,30,38,30,00
"Resolution.17"=hex:31,32,38,30,78,38,30,30,00
"Resolution.18"=hex:31,34,34,30,78,39,30,30,00
"Resolution.19"=hex:31,36,38,30,78,31,30,35,30,00
"Resolution.20"=hex:31,39,32,30,78,31,32,30,30,00
"Resolution.21"=hex:32,35,36,30,78,31,36,30,30,00
"Resolution.22"=hex:37,32,30,78,34,38,30,00
"Resolution.23"=hex:37,32,30,78,35,37,36,00
"Resolution.24"=hex:33,32,30,78,32,30,30,00
"Resolution.25"=hex:36,34,30,78,34,30,30,00
"Resolution.26"=hex:38,30,30,78,34,38,30,00
"Resolution.27"=hex:31,32,38,30,78,37,36,38,00
"Resolution.28"=hex:31,32,38,30,78,31,30,32,34,00
"HardwareInformation.ChipType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\
  53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00
"HardwareInformation.DacType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,53,\
  00,56,00,47,00,41,00,20,00,49,00,49,00,00,00
"HardwareInformation.MemorySize"=hex:00,00,00,08
"HardwareInformation.AdapterString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,\
  00,53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00
"HardwareInformation.BiosString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\
  53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00
  
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\vmx_svga\Device0]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000]
"CoInstallers32"=hex(7):76,00,6d,00,78,00,5f,00,6d,00,6f,00,64,00,65,00,2e,00,\
  64,00,6c,00,6c,00,2c,00,20,00,56,00,4d,00,58,00,5f,00,4d,00,6f,00,64,00,65,\
  00,43,00,68,00,61,00,6e,00,67,00,65,00,00,00,00,00
"InfPath"="oem2.inf"
"InfSection"="vmx_svga_vista"
"ProviderName"="test123, Inc."
"DriverDateData"=hex:00,80,de,95,e5,e0,ca,01
"DriverDate"="4-21-2010"
"DriverVersion"="11.6.0.35"
"MatchingDeviceId"="pci\\ven_15ad&dev_0405&subsys_040515ad&rev_00"
"DriverDesc"="test123 SVGA II"
"FeatureScore"=dword:000000fc

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation]
"BIOSVersion"="6.00"
"BIOSReleaseDate"="07/02/2012"
"SystemManufacturer"="test123, Inc."
"SystemProductName"="test123 test123 Platform"
"InformationSource"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"
"Resolution.0"=hex:33,32,30,78,32,34,30,00
"Resolution.1"=hex:34,30,30,78,33,30,30,00
"Resolution.2"=hex:35,31,32,78,33,38,34,00
"Resolution.3"=hex:36,34,30,78,34,38,30,00
"Resolution.4"=hex:38,30,30,78,36,30,30,00
"Resolution.5"=hex:31,30,32,34,78,37,36,38,00
"Resolution.6"=hex:31,31,35,32,78,38,36,34,00
"Resolution.7"=hex:31,32,38,30,78,39,36,30,00
"Resolution.8"=hex:31,34,30,30,78,31,30,35,30,00
"Resolution.9"=hex:31,36,30,30,78,31,32,30,30,00
"Resolution.10"=hex:31,39,32,30,78,31,34,34,30,00
"Resolution.11"=hex:32,30,34,38,78,31,35,33,36,00
"Resolution.12"=hex:32,35,36,30,78,31,39,32,30,00
"Resolution.13"=hex:38,35,34,78,34,38,30,00
"Resolution.14"=hex:31,32,38,30,78,37,32,30,00
"Resolution.15"=hex:31,33,36,36,78,37,36,38,00
"Resolution.16"=hex:31,39,32,30,78,31,30,38,30,00
"Resolution.17"=hex:31,32,38,30,78,38,30,30,00
"Resolution.18"=hex:31,34,34,30,78,39,30,30,00
"Resolution.19"=hex:31,36,38,30,78,31,30,35,30,00
"Resolution.20"=hex:31,39,32,30,78,31,32,30,30,00
"Resolution.21"=hex:32,35,36,30,78,31,36,30,30,00
"Resolution.22"=hex:37,32,30,78,34,38,30,00
"Resolution.23"=hex:37,32,30,78,35,37,36,00
"Resolution.24"=hex:33,32,30,78,32,30,30,00
"Resolution.25"=hex:36,34,30,78,34,30,30,00
"Resolution.26"=hex:38,30,30,78,34,38,30,00
"Resolution.27"=hex:31,32,38,30,78,37,36,38,00
"Resolution.28"=hex:31,32,38,30,78,31,30,32,34,00
"HardwareInformation.ChipType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\
  53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00
"HardwareInformation.DacType"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,53,\
  00,56,00,47,00,41,00,20,00,49,00,49,00,00,00
"HardwareInformation.MemorySize"=hex:00,00,00,08
"HardwareInformation.AdapterString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,\
  00,53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00
"HardwareInformation.BiosString"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\
  53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0000\VolatileSettings]
"{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\
  00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\
  45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\
  00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\
  45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\
  00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\
  35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\
  00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\
  31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\0001\VolatileSettings]
"{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"=hex:5c,00,3f,00,3f,00,5c,00,50,00,43,\
  00,49,00,23,00,56,00,45,00,4e,00,5f,00,31,00,35,00,41,00,44,00,26,00,44,00,\
  45,00,56,00,5f,00,30,00,34,00,30,00,35,00,26,00,53,00,55,00,42,00,53,00,59,\
  00,53,00,5f,00,30,00,34,00,30,00,35,00,31,00,35,00,41,00,44,00,26,00,52,00,\
  45,00,56,00,5f,00,30,00,30,00,23,00,33,00,26,00,32,00,61,00,63,00,66,00,31,\
  00,65,00,39,00,26,00,30,00,26,00,37,00,38,00,23,00,7b,00,35,00,62,00,34,00,\
  35,00,32,00,30,00,31,00,64,00,2d,00,66,00,32,00,66,00,32,00,2d,00,34,00,66,\
  00,33,00,62,00,2d,00,38,00,35,00,62,00,62,00,2d,00,33,00,30,00,66,00,66,00,\
  31,00,66,00,39,00,35,00,33,00,35,00,39,00,39,00,7d,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmx_svga\Device0]
"InstalledDisplayDrivers"=hex(7):76,00,6d,00,78,00,5f,00,66,00,62,00,00,00,00,\
  00
"VgaCompatible"=dword:00000000
"DefaultSettings.XResolution"=dword:00000280
"DefaultSettings.YResolution"=dword:000001e0
"DefaultSettings.BitsPerPel"=dword:00000020
"Device Description"="test123 SVGA II"

This takes care of method 5. Anti-VM code may combine several methods, so each case needs to be tested specifically.
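Note that the export above still contains the string "VMware" in its binary values: the hex: bytes of InquiryData decode to "VMware, VMware Virtual S1.0" and the HardwareInformation.* values are "VMware SVGA II" in UTF-16LE, because a regedit text search only matches REG_SZ strings. As an added example, not part of the original post, the C program below joins the continuation lines of a .reg export, decodes hex: and hex(7): byte lists and reports which values still contain a marker, so such leftovers can be found before the export is reimported. The sample export is constructed from the post's own lines; the function names are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post: decodes the hex: / hex(7): byte
 * lists of a .reg export (the latter UTF-16LE) before searching, so binary and
 * multi-string values that a regedit text search misses are found. Sample is
 * constructed from lines of the post's own export. */

static int hexval(int c) { return isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1; }
static void lower_ascii(char *s) { for (; *s; s++) *s = (char)tolower((unsigned char)*s); }

/* Decodes the text after '=' of a logical .reg line: "..." is copied as is; hex:/hex(N):
 * byte lists become characters with NUL bytes dropped (so UTF-16LE ASCII collapses to
 * ASCII) and other non-printables shown as '.'; anything else yields "". */
size_t decode_reg_value(const char *value, char *out, size_t outlen)
{
    size_t n = 0;
    const char *p;
    if (*value == '"') {
        for (value++; *value && *value != '"' && n + 1 < outlen; value++) out[n++] = *value;
    } else if (strncmp(value, "hex", 3) == 0 && (p = strchr(value, ':')) != NULL) {
        for (p++; *p && n + 1 < outlen;) {
            int hi = hexval((unsigned char)p[0]), lo = p[0] ? hexval((unsigned char)p[1]) : -1, b = hi * 16 + lo;
            if (hi < 0 || lo < 0) { p++; continue; }             /* skip ',' '\\' and blanks */
            if (b != 0) out[n++] = isprint(b) ? (char)b : '.';
            p += 2;
        }
    }
    out[n] = '\0';
    return n;
}

/* Walks a .reg export, joining '\\'-continued lines, and counts the values whose decoded
 * content contains marker (case-insensitive); the first max_names names go into names. */
int scan_reg_export(const char *text, const char *marker, char names[][64], int max_names)
{
    char logical[4096], decoded[2048], lmark[64];
    size_t ll = 0;
    int hits = 0;
    snprintf(lmark, sizeof lmark, "%s", marker);
    lower_ascii(lmark);
    for (const char *p = text; *p;) {
        const char *nl = strchr(p, '\n'), *s = p, *eq;
        size_t len = nl ? (size_t)(nl - p) : strlen(p), n = len;
        int cont;
        while (n && (*s == ' ' || *s == '\t')) { s++; n--; }         /* indent of continuation lines */
        while (n && (s[n - 1] == '\r' || s[n - 1] == ' ')) n--;
        cont = n && s[n - 1] == '\\';
        if (cont) n--;
        if (ll + n < sizeof logical) { memcpy(logical + ll, s, n); ll += n; }
        if (!cont) {
            logical[ll] = '\0';
            eq = logical[0] == '"' ? strstr(logical + 1, "\"=") : NULL;   /* only "name"=value lines */
            if (eq) {
                decode_reg_value(eq + 2, decoded, sizeof decoded);
                lower_ascii(decoded);
                if (strstr(decoded, lmark)) {
                    if (names && hits < max_names)
                        snprintf(names[hits], 64, "%.*s", (int)(eq - logical - 1), logical + 1);
                    hits++;
                }
            }
            ll = 0;
        }
        p = nl ? nl + 1 : p + len;
    }
    return hits;
}

const char *first_reg_hit(const char *text, const char *marker)   /* "" if none (static buffer) */
{
    static char names[1][64];
    names[0][0] = '\0';
    scan_reg_export(text, marker, names, 1);
    return names[0];
}

/* Constructed excerpt of the post's export: strings renamed to test123, binary data untouched. */
const char SAMPLE_REG[] =
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0]\n"
    "\"InquiryData\"=hex:00,00,02,02,1f,00,00,73,56,4d,77,61,72,65,2c,20,56,4d,77,61,\\\n"
    "  72,65,20,56,69,72,74,75,61,6c,20,53,31,2e,30,20\n"
    "\"Identifier\"=\"test123, test123 Virtual S1.0 \"\n"
    "\"DeviceType\"=\"DiskPeripheral\"\n\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Video\\{AB246128-79BD-44A8-95C3-DC6CB912ED85}\\0000]\n"
    "\"Device Description\"=\"test123 SVGA II\"\n"
    "\"HardwareInformation.ChipType\"=hex:56,00,4d,00,77,00,61,00,72,00,65,00,20,00,\\\n"
    "  53,00,56,00,47,00,41,00,20,00,49,00,49,00,00,00\n"
    "\"CoInstallers32\"=hex(7):76,00,6d,00,78,00,5f,00,6d,00,6f,00,64,00,65,00,2e,00,\\\n"
    "  64,00,6c,00,6c,00,2c,00,20,00,56,00,4d,00,58,00,5f,00,4d,00,6f,00,64,00,65,\\\n"
    "  00,43,00,68,00,61,00,6e,00,67,00,65,00,00,00,00,00\n";

int main(void)
{
    char names[8][64];
    int n = scan_reg_export(SAMPLE_REG, "vmware", names, 8);
    printf("%d value(s) still contain \"vmware\" after the rename:\n", n);
    for (int i = 0; i < n && i < 8; i++) printf("  %s\n", names[i]);
    return 0;
}
```

Running it over the full export shows the same leftovers in every ControlSet copy of the video keys, and a second pass with the marker "vmx" lists the driver file names (vmx_svga, vmx_fb, vmx_mode.dll) that the rename also left in place.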
