富连网网站开发,响应式商业网站开发实训报告,网站产品详情页怎么做,银州铁岭做网站ACPI ACPI table
ACPI 表示高级配置和电源管理接口#xff08;Advanced Configuration and Power Management Interface#xff09;#xff0c;对于Windows2000#xff0c;ACPI定义了Windows2000、BIOS和系统硬件之间的新型工作接口。这些新接口包括允许Windows 200…ACPI ACPI table
ACPI 表示高级配置和电源管理接口Advanced Configuration and Power Management Interface对于Windows2000ACPI定义了Windows2000、BIOS和系统硬件之间的新型工作接口。这些新接口包括允许Windows 2000控制电源管理和设备配置的机制。ACPI table 是填写这些配置的地方。
很好的是ACPI可以通过R3的 NtQuerySystemInformation 拿得到
https://github.com/classic130/VMProtect-Source/blob/a8433f06ee84fa2546e40bef71183827dc230a3b/runtime/core.cc#L329 这是一个vmp3.x后读Firmware 拿配置。很早之前的技术。
我们本次介绍的是一个新技术让我们编写代码获取虚拟机与物理机之间的差异
#include Windows.h
#include stdio.h
#include cstdint
#include iostream
struct acpi_table_header {uint32_t signature;uint32_t length;uint8_t revision;uint8_t checksum;char oem_id[6];uint64_t oem_table_id;uint32_t oem_revision;uint32_t creator_id;uint32_t creator_revision;
};
struct hpet_acpi_data {uint32_t hardware_block_id;uint8_t space_id;uint8_t bit_width;uint8_t bit_offset;uint8_t encoded_access_width;uint64_t address;uint8_t sequence_number;uint16_t minimum_clock_ticks;uint8_t flags;
};
static const auto FirmwareTableProviderSignature ACPI;
auto main()-int{printf(acpi sandbox detect by BOSS\n);auto firmwareTableBufferSizeEnumSystemFirmwareTables(FirmwareTableProviderSignature,0,0);char* firmwareTableBuffer NULL;do {if (firmwareTableBufferSize 0) {break;}firmwareTableBuffer reinterpret_castchar*(malloc(firmwareTableBufferSize));if (firmwareTableBuffer nullptr) {break;}firmwareTableBufferSize EnumSystemFirmwareTables(FirmwareTableProviderSignature, firmwareTableBuffer,firmwareTableBufferSize);if (firmwareTableBufferSize 0) {break;}bool foundHpet false;auto index 0;for (size_t i 0; i firmwareTableBufferSize / 4; i) {const auto tableHeader reinterpret_castacpi_table_header*(reinterpret_castuint64_t(firmwareTableBuffer) i);const auto tableID *firmwareTableBuffer;char tid[6] {0};char oemid[7] {0};memcpy(tid, tableHeader-signature, sizeof(unsigned long));memcpy(oemid, reinterpret_castchar*(tableHeader-oem_id),sizeof(tableHeader-oem_id));// printf(tid: %s oemid: %s oem_table_id: %llX oem_table_xd: %llX// \n,// tid, oemid, tableHeader-oem_table_id,// (tableHeader-oem_table_id 0xFFFFFFFF));if (memcmp(oemid, WAET, 4) 0) {printf([detected] Vmware detected by Windows ACPI Emulated\n);}if (foundHpet false memcmp(oemid, HPET, 4) 0) {foundHpet true;}if ((tableHeader-oem_table_id 0xFFFFFFFF) 0) {printf([detected] Cuckoo sandbox detected by oem table id\n);}index;}if (index 8) {printf([detected] vm-guest detected by table size \n);}if (foundHpet false) {printf([detected] HPET not found,Cuckoo detected \n);}} while (false);if (firmwareTableBuffer ! nullptr) {free(firmwareTableBuffer);}getchar();return 0;
}
这个POC检测什么
检测ACPI表内容如果小于8那么可能是虚拟机检测ACPI是否有windows的WEATH如果有则说明windows在虚拟机中检测ACPI表中是否没有HPET如果没有则说明可能在linux下的沙箱中
GitHub - huoji120/ACPI_SANDBOX_DETECT: 通过ACPI检测沙箱
https://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/WAET.docx
