flat assembler
Message board for the users of flat assembler.
Windows > detect registry virtualization
revolution 26 Feb 2014, 01:59
It is complicated and no simple method will work in all cases. Perhaps detecting combinations of the various associated flags will reveal the virtualised status? I think you will have to experiment a bit to see if it is possible.
typedef 26 Feb 2014, 02:43
For registry I/O, a simple flag will do.
First read this: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724072(v=vs.85).aspx
Then this: http://msdn.microsoft.com/en-us/library/windows/desktop/aa965884(v=vs.85).aspx
You can also detect the OS version and bitness. That will help you divide and conquer your problem. But the flag has always worked for me.
randomdude 26 Feb 2014, 11:20
Thanks for answering, but I had already read those pages and none are of help.
edit: nvm guys, there doesn't seem to be any way to detect it. I'll just let my key get redirected to VirtualStore.
edit2: found this! http://stackoverflow.com/questions/14005081/how-to-detect-file-redirection-to-the-windows-virtualstore
Code:

proc CheckVirtualization
 locals
  TokenHandle dd ?
  TokenInformation dd ?
  ReturnLength dd ?
 endl
	push	ebx
	lea	ebx,[TokenInformation]
	and	dword [ebx],0			; default answer "not virtualized" if any call fails
	lea	eax,[TokenHandle]
	push	eax				; 3rd argument of OpenProcessToken, pushed by hand
	invoke	GetCurrentProcess
	invoke	OpenProcessToken,eax,TOKEN_QUERY	; invoke pushes the remaining two arguments
	test	eax,eax
	jz	.done				; no token: skip the query and don't CloseHandle garbage
	lea	eax,[ReturnLength]
	invoke	GetTokenInformation,[TokenHandle],TokenVirtualizationEnabled,ebx,4,eax
	invoke	CloseHandle,[TokenHandle]
  .done:
	xor	eax,eax
	mov	ebx,[ebx]			; the DWORD is nonzero when virtualization is enabled
	test	ebx,ebx
	setnz	al				; eax = 1 if this process is virtualized, 0 otherwise
	pop	ebx
	ret
endp
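An added example that is my own code, not from the post above and not from the flat assembler package: besides TokenVirtualizationEnabled it also reads TokenVirtualizationAllowed, then uses the same token to switch virtualization off with SetTokenInformation, so that a subsequent write under HKLM\SOFTWARE fails with ERROR_ACCESS_DENIED instead of being silently redirected into HKCU\Software\Classes\VirtualStore. It assumes the win32ax headers, a hypothetical probe key HKLM\SOFTWARE\VirtStoreProbe, and that SetTokenInformation needs TOKEN_ADJUST_DEFAULT for this class (my understanding, not something this thread states). The two TOKEN_INFORMATION_CLASS values are defined in the file in case your equates do not have them.

```asm
; Added example (not code from the post above or from the fasm package).
; Reports TokenVirtualizationAllowed/TokenVirtualizationEnabled for this process,
; then turns virtualization OFF with SetTokenInformation so that a write to
; HKLM\SOFTWARE fails with ERROR_ACCESS_DENIED (5) instead of being redirected
; silently into HKCU\Software\Classes\VirtualStore.
format PE GUI 4.0
include 'win32ax.inc'

; TOKEN_INFORMATION_CLASS members; defined here in case your equates lack them
TokenVirtualizationAllowed = 23
TokenVirtualizationEnabled = 24

.data

  hToken	dd ?
  allowed	dd ?
  enabled	dd ?
  retlen	dd ?
  vdisable	dd 0		; DWORD 0 = "virtualization disabled"
  hKey		dd ?
  disp		dd ?
  err		dd ?
  msg		rb 512
  ; hypothetical probe key; limited users have no write access under HKLM\SOFTWARE
  keypath	db 'SOFTWARE\VirtStoreProbe',0
  fmt		db 'VirtualizationAllowed=%u  VirtualizationEnabled=%u',13,10,\
		   'RegCreateKeyEx(HKLM\SOFTWARE\VirtStoreProbe) after opting out: %u',13,10,\
		   '(0 = created, you really had write access, e.g. elevated; 5 = ERROR_ACCESS_DENIED)',0

.code

; Reads one DWORD-sized token information class into the DWORD at [outptr].
; Returns eax = GetTokenInformation result (nonzero on success); [outptr] stays 0 on failure.
proc QueryTokenDword hTok, infoclass, outptr
	mov	eax,[outptr]
	mov	dword [eax],0
	invoke	GetTokenInformation,[hTok],[infoclass],eax,4,retlen
	ret
endp

  start:
	; TOKEN_ADJUST_DEFAULT: my assumption of what SetTokenInformation needs for this class
	invoke	GetCurrentProcess
	invoke	OpenProcessToken,eax,TOKEN_QUERY or TOKEN_ADJUST_DEFAULT,hToken
	test	eax,eax
	jz	.fail

	stdcall	QueryTokenDword,[hToken],TokenVirtualizationAllowed,allowed
	stdcall	QueryTokenDword,[hToken],TokenVirtualizationEnabled,enabled

	; Opt out for the rest of this process's life: denied HKLM writes now surface as errors
	invoke	SetTokenInformation,[hToken],TokenVirtualizationEnabled,vdisable,4
	invoke	CloseHandle,[hToken]

	invoke	RegCreateKeyEx,HKEY_LOCAL_MACHINE,keypath,0,NULL,REG_OPTION_NON_VOLATILE,\
			KEY_WRITE,NULL,hKey,disp
	mov	[err],eax
	test	eax,eax
	jnz	.report
	invoke	RegCloseKey,[hKey]		; it really landed in HKLM: remove the probe key again
	invoke	RegDeleteKey,HKEY_LOCAL_MACHINE,keypath
  .report:
	cinvoke	wsprintf,msg,fmt,[allowed],[enabled],[err]
	invoke	MessageBox,HWND_DESKTOP,msg,"registry virtualization probe",MB_OK
	invoke	ExitProcess,0
  .fail:
	invoke	MessageBox,HWND_DESKTOP,"OpenProcessToken failed","registry virtualization probe",MB_ICONERROR
	invoke	ExitProcess,1

.end start
```

Run it un-elevated as a 32-bit executable without a requestedExecutionLevel manifest and you should see Allowed=1, Enabled=1 and then error 5 for the probe key; run it elevated and the key is created (and deleted again). Enabled reads 0 whenever the OS would not virtualize you anyway (64-bit process, manifested application, elevated token). Shipping a manifest with requestedExecutionLevel is the permanent form of this opt-out; the SetTokenInformation call is the runtime one for an existing unmanifested binary. Either way the point is the same: let the access-denied error reach your code rather than letting the key quietly end up in VirtualStore.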
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.