Is it possible to avoid VMWare detection against the following method?
I found that this code is used really often:

```asm
push edx
push ecx
push ebx
mov eax, 'VMXh'
mov ebx, 0 // anything but 'VMXh'
mov ecx, 10 // get VMWare version
mov edx, 'VX' // port number
in eax, dx // read port
cmp ebx, 'VMXh' // is it a reply from VMWare?
je lblInVMWare
xor ecx, ecx // not in VMWare - clear return value
lblInVMWare:
mov [nVersion], ecx // vmware product type
pop ebx
pop ecx
pop edx
```
There is a description of how it works: https://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual

To be brief, that 'magic'/special port (`in eax, dx // read port`) gives something back, and that's impossible to run on a real computer because of the exception (privileged instruction).

According to this article, I tried to use a few parameters in my VMX file:
```
monitor_control.disable_directexec = "true"
monitor_control.disable_chksimd = "true"
monitor_control.disable_ntreloc = "true"
monitor_control.disable_selfmod = "true"
monitor_control.disable_reloc = "true"
monitor_control.disable_btinout = "true"
monitor_control.disable_brmemspace = "true"
monitor_control.disable_btpriv = "true"
monitor_control.disable_btseg = "true"
isolation.tools.getPtrLocation.disable = "true"
isolation.tools.setPtrLocation.disable = "true"
isolation.tools.setVersion.disable = "true"
isolation.tools.getVersion.disable = "true"
```

I also removed VMWare Tools, but it failed.

(I use x32dbg to see what's going on: the code works successfully on the VM and doesn't give me any exceptions.)
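A harness for re-running this same backdoor check after each VMX change, as an added example that is not part of the question or the linked article. It assumes Linux on x86 with GCC/Clang inline assembly, and uses a SIGSEGV handler with `sigsetjmp`/`siglongjmp` in place of the Windows SEH wrapper the article relies on, so that the privileged-instruction fault on a real machine (or a hardened VM) is reported rather than crashing the test.

```c
/* Added example: portable test for whether the VMware backdoor port still
 * answers. Linux/x86 only; other architectures report -1 (unsupported). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>

#define VMWARE_MAGIC          0x564D5868u /* 'VMXh' */
#define VMWARE_PORT           0x5658u     /* 'VX'   */
#define VMWARE_CMD_GETVERSION 10u

static sigjmp_buf fault_jmp;

/* A ring-3 'in' with IOPL 0 raises #GP, which Linux delivers as SIGSEGV. */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* 1 = backdoor echoed the magic (VMware answered), 0 = fault or no echo,
 * -1 = not an x86 build. version_out receives ECX (product type) on 1. */
int vmware_backdoor_present(uint32_t *version_out)
{
#if defined(__i386__) || defined(__x86_64__)
    struct sigaction sa, old_segv;
    uint32_t eax = VMWARE_MAGIC, ebx = ~VMWARE_MAGIC;
    uint32_t ecx = VMWARE_CMD_GETVERSION, edx = VMWARE_PORT;
    volatile int result = 0;

    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGSEGV, &sa, &old_segv);

    if (sigsetjmp(fault_jmp, 1) == 0) {
        __asm__ volatile("inl %%dx, %%eax"
                         : "+a"(eax), "+b"(ebx), "+c"(ecx), "+d"(edx));
        if (ebx == VMWARE_MAGIC) {   /* only VMware rewrites EBX this way */
            result = 1;
            if (version_out) *version_out = ecx;
        }
    }
    sigaction(SIGSEGV, &old_segv, NULL); /* restore the previous handler */
    return result;
#else
    (void)version_out;
    return -1;
#endif
}

int main(void)
{
    uint32_t ver = 0;
    int r = vmware_backdoor_present(&ver);
    if (r == 1) printf("VMware backdoor answered, product code %u\n", ver);
    else printf(r == 0 ? "no backdoor reply\n" : "unsupported architecture\n");
    return 0;
}
```

Run it inside the guest after each VMX change; the goal of the hardening is for it to print "no backdoor reply" there, as it does on bare metal.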