The VMWare backdoor commands page no longer exists, but the latest online version (2010) can be found archived here - I recommend saving a local copy:
2014 revision for PBCC5/6 & PBWin9/10...
Code:
#COMPILE EXE
#REGISTER NONE
#INCLUDE "WIN32API.INC"
TYPE SEH
dwPrevLink AS DWORD
dwCurrentHandler AS DWORD
dwSafeOffset AS DWORD
dwPrevEsp AS DWORD
dwPrevEbp AS DWORD
END TYPE
TYPE VMWareReply
eax AS DWORD
ebx AS DWORD
ecx AS DWORD
edx AS DWORD
END TYPE
FUNCTION SEH_Handler CDECL( BYVAL ptExcept AS EXCEPTION_RECORD PTR, BYVAL ptFrame AS SEH PTR, BYVAL ptContext AS CONTEXT PTR, BYVAL pdwDispatch AS DWORD) AS LONG
@ptContext.regEip = @ptFrame.dwSafeOffset
END FUNCTION
FUNCTION VMWareCall (VMReply AS VMWareReply, BYVAL vmebx AS DWORD, BYVAL vmecx AS DWORD, BYVAL vmedx AS DWORD) AS LONG '// VMWare backdoor call master gateway function
#REGISTER NONE
LOCAL lEbp AS LONG, lEsp AS LONG, tSeh AS SEH, ptrReply AS DWORD
ptrReply = VARPTR(VMReply)
! push dword fs:[0]
tSeh.dwCurrentHandler = CODEPTR(SEH_HANDLER)
tSeh.dwSafeOffset = CODEPTR(Except)
! lea esi, tSeh
! mov fs:[0], esi
! mov lEsp, esp
! mov lEbp, ebp
tSeh.dwPrevEsp = lEsp
tSeh.dwPrevEbp = lEbp
! mov eax, "VMXh"
! mov ebx, vmebx
! mov ecx, vmecx
! mov edx, vmedx
! in eax, dx
! push esi
! mov esi, ptrReply
! mov [esi], eax
! mov [esi+4], ebx
! mov [esi+8], ecx
! mov [esi+12], edx
! pop esi
FUNCTION = 1
Except:
! pop dword fs:[0]
END FUNCTION
'### VMWARE CALLS ######################################################################
FUNCTION GetVMVersion() AS STRING '// Returns VMWare version and product type
LOCAL VMReply AS VMWareReply, sVer AS STRING
IF VMWareCall(VMReply, BYVAL 0, BYVAL &h0000000A, BYVAL &h00005658) <> 1 THEN
FUNCTION = "Error": EXIT FUNCTION
ELSE
SELECT CASE VMReply.ecx '// not updated since 2008, there may be more/newer/different versions...
CASE 1: sVer = "Express"
CASE 2: sVer = "ESX Server"
CASE 3: sVer = "GSX Server"
CASE 4: sVer = "Workstation"
END SELECT
sVer = sVer & " (Version: " & HEX$(VMReply.eax) & ")"
FUNCTION = sVer
END IF
END FUNCTION
FUNCTION GetVMHardwareVersion() AS STRING '// Returns virtual machine hardware version
LOCAL VMReply AS VMWareReply
IF VMWareCall(VMReply, BYVAL 0, BYVAL &h00000011, BYVAL &h00005658) <> 1 THEN
FUNCTION = "Error": EXIT FUNCTION
ELSE
SELECT CASE VMReply.eax
CASE 1, 2: FUNCTION = TRIM$(STR$(VMReply.eax)) & " - WS3.x/GSX2.x"
CASE 3: FUNCTION = "3 - WS4.x, ESX2.x, GSX3.x, ACE1.x, and with WS5.x"
CASE 4: FUNCTION = "4 - WS5.x"
CASE ELSE: FUNCTION = TRIM$(STR$(VMReply.eax)) & " - Unknown"
END SELECT
END IF
END FUNCTION
FUNCTION GetVMCPUSpeed() AS STRING '// Returns host CPU speed in MHz
LOCAL VMReply AS VMWareReply
IF VMWareCall(VMReply, BYVAL 0, BYVAL &h00000001, BYVAL &h00005658) <> 1 THEN
FUNCTION = "Error": EXIT FUNCTION
ELSE
FUNCTION = TRIM$(STR$(VMReply.eax)) & "MHz"
END IF
END FUNCTION
FUNCTION GetVMCursorPos() AS STRING '// Returns current cursor position
LOCAL VMReply AS VMWareReply
IF VMWareCall(VMReply, BYVAL 0, BYVAL &h00000004, BYVAL &h00005658) <> 1 THEN
FUNCTION = "Error": EXIT FUNCTION
ELSE
FUNCTION = "X=" & TRIM$(STR$(LOWRD(VMReply.eax))) & " Y=" & TRIM$(STR$(HIWRD(VMReply.eax)))
END IF
END FUNCTION
FUNCTION GetVMHostScreenSize() AS STRING '// Returns dimensions of the host screen size
LOCAL VMReply AS VMWareReply
IF VMWareCall(VMReply, BYVAL 0, BYVAL &h0000000F, BYVAL &h00005658) <> 1 THEN
FUNCTION = "Error": EXIT FUNCTION
ELSE
FUNCTION = TRIM$(STR$(LOWRD(VMReply.eax))) & " x " & TRIM$(STR$(HIWRD(VMReply.eax)))
END IF
END FUNCTION
FUNCTION GetVMClipboardTextLen() AS DWORD '// Returns length of text in clipboard
LOCAL VMReply AS VMWareReply, sBuf AS STRING
IF VMWareCall(VMReply, BYVAL 0, BYVAL &h00000006, BYVAL &h00005658) <> 1 THEN
EXIT FUNCTION
ELSE
FUNCTION = VMReply.eax
END IF
END FUNCTION
FUNCTION GetVMMemorySize() AS STRING '// Returns amount of memory assigned to the virtual machine
LOCAL VMReply AS VMWareReply
IF VMWareCall(VMReply, BYVAL 0, BYVAL &h00000014, BYVAL &h00005658) <> 1 THEN
EXIT FUNCTION
ELSE
FUNCTION = TRIM$(STR$(VMReply.eax)) & " MBs"
END IF
END FUNCTION
FUNCTION GetVMHostSystemTime() AS STRING '// Returns hosts current system time (GMT)
LOCAL VMReply AS VMWareReply, sTime AS STRING
IF VMWareCall(VMReply, BYVAL 0, BYVAL &h00000017, BYVAL &h00005658) <> 1 THEN
EXIT FUNCTION
ELSE
sTime = HEX$(VMReply.eax,8) & " (Timezone: " & TRIM$(STR$(VMReply.edx)) & ")"
FUNCTION = sTime
END IF
END FUNCTION
FUNCTION GetVMClipboardText() AS STRING '// Returns text from clipboard
LOCAL VMReply AS VMWareReply, sBuf AS STRING, txtLen AS LONG, dwPtr AS DWORD PTR
txtLen = GetVMClipboardTextLen
IF txtLen <= 0 THEN
FUNCTION = "{Empty}": EXIT FUNCTION
END IF
sBuf = STRING$(txtLen+4,0)
dwPtr = STRPTR(sBuf)
DO
IF VMWareCall(VMReply, BYVAL 0, BYVAL &h00000007, BYVAL &h00005658) <> 1 THEN
FUNCTION = "Error": EXIT FUNCTION
ELSE
IF VMReply.eax = 0 THEN EXIT DO
@dwPtr = VMReply.eax
dwPtr = dwPtr + 4
END IF
LOOP
FUNCTION = LEFT$(sBuf, txtLen)
END FUNCTION
FUNCTION InsideVMWare() AS LONG '// Returns 1 if we're running inside VMWare
LOCAL VMReply AS VMWareReply
FUNCTION = VMWareCall(VMReply, BYVAL 0, BYVAL &h0000000A, BYVAL &h00005658)
END FUNCTION
FUNCTION PBMAIN() AS LONG
IF InsideVMWare <> 1 THEN STDOUT "Not running in VMWare.": GOTO TheEnd
? "Type/Version: " & GetVMVersion
? "CPU Speed: " & GetVMCPUSpeed
? "Cursor: " & GetVMCursorPos
? "Host Screen Size: " & GetVMHostScreenSize
? "Clipboard Text: " & GetVMClipboardText
? "Virtual Hardware Version: " & GetVMHardwareVersion
? "Memory: " & GetVMMemorySize
? "Host System Time (unix-style timestamp): " & GetVMHostSystemTime
TheEnd:
#IF %DEF(%PB_CC32)
WAITKEY$
#ENDIF
END FUNCTION
Leave a comment: