{"id":46,"date":"2026-04-14T15:16:23","date_gmt":"2026-04-14T07:16:23","guid":{"rendered":"https:\/\/www.seekinthevortex.cn\/?p=46"},"modified":"2026-04-14T15:16:23","modified_gmt":"2026-04-14T07:16:23","slug":"%e5%8f%8d%e6%b2%99%e7%ae%b1%e4%b8%8e%e8%99%9a%e6%8b%9f%e5%8c%96-2","status":"publish","type":"post","link":"https:\/\/www.seekinthevortex.cn\/index.php\/2026\/04\/14\/%e5%8f%8d%e6%b2%99%e7%ae%b1%e4%b8%8e%e8%99%9a%e6%8b%9f%e5%8c%96-2\/","title":{"rendered":"\u53cd\u6c99\u7bb1\u4e0e\u865a\u62df\u5316"},"content":{"rendered":"

\u7b80\u5355\u4ecb\u7ecd<\/h1>\n

\u901a\u7528\u7684\u4e00\u4e9b\u67e5\u8be2\u65b9\u5f0f<\/h1>\n
    \n
  1. \u68c0\u67e5\u7528\u6237\u540d\u662f\u5426\u7279\u5b9a\n
      \n
    • GetUserNameA\/W<\/li>\n<\/ul>\n<\/li>\n
    • \u68c0\u67e5\u8ba1\u7b97\u673a\u540d\u79f0\u662f\u5426\u7279\u5b9a\n
        \n
      • GetComputerNameA\/W<\/li>\n<\/ul>\n<\/li>\n
      • \u68c0\u67e5\u4e3b\u673a\u540d\u662f\u5426\u7279\u5b9a\n
          \n
        • GetComputerNameExA\/W<\/li>\n<\/ul>\n<\/li>\n
        • \u68c0\u67e5\u603b RAM \u662f\u5426\u8f83\u4f4e\n
            \n
          • GetMemoryStatusEx<\/li>\n
          • \u76f4\u63a5 syscall \u8c03\u7528\u5185\u6838\u51fd\u6570\uff0c\u7b49\u7b49\u3002\u3002\u3002\u3002<\/li>\n<\/ul>\n<\/li>\n
          • \u68c0\u67e5\u5904\u7406\u5668\u6570\u91cf\u662f\u5426\u8f83\u4f4e\n
              \n
            • GetSystemInfo<\/li>\n
            • \u5229\u7528\u5185\u8054\u6c47\u7f16\u6216\u5185\u90e8\u51fd\u6570\u4ece PEB \u4e2d\u83b7\u53d6\u5904\u7406\u5668\u6570\u91cf<\/li>\n
            • \u901a\u8fc7 KUSER_SHARED_DATA \u4e2d\u83b7\u53d6<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n
              __declspec(naked)\nDWORD get_number_of_processors() {\n\t__asm {\n\t\t; get pointer to Process Environment Block (PEB)\n\t\tmov eax, fs:0x30\n\n\t\t; read the field containing target number\n\t\tmov eax, [eax + 0x64]\n\n\t\t; return from function\n\t\tretn\n\t}\n}\n<\/code><\/pre>\n
              __declspec(naked)\n    DWORD get_number_of_active_processors() {\n    __asm {\n        mov eax, 0x7ffe0000  ; KUSER_SHARED_DATA structure fixed address\n        mov eax, byte ptr [eax+0x3c0] ; checking ActiveProcessorCount\n        retn  ; return from function\n    }\n}\n<\/code><\/pre>\n
                \n
              1. \u68c0\u67e5\u786c\u76d8\u9a71\u52a8\u5668\u5927\u5c0f\u548c\u53ef\u7528\u7a7a\u95f4\u662f\u5426\u8f83\u5c0f<\/li>\n
              2. \u68c0\u67e5\u7cfb\u7edf\u6b63\u5e38\u8fd0\u884c\u65f6\u95f4\u662f\u5426\u8f83\u77ed<\/li>\n<\/ol>\n
                \u901a\u8fc7\u6587\u4ef6\u7cfb\u7edf\u68c0\u6d4b<\/h1>\n
                \u68c0\u67e5\u7279\u5b9a\u6587\u4ef6\u662f\u5426\u5b58\u5728<\/h2>\n
                \u53ef\u4ee5\u5148\u901a\u8fc7\u7f16\u5199\u4e00\u4e9b\u83b7\u53d6\u4fe1\u606f\u7684\u7a0b\u5e8f\u4e0a\u4f20\u5230\u4e91\u6c99\u7bb1\u6216\u8005\u865a\u62df\u8bbe\u5907\u83b7\u53d6\u7279\u5f81\uff0c\u6839\u636e\u8fd9\u4e9b\u7279\u5f81\u7f16\u5199\u5bf9\u5e94\u7684\u5e94\u5bf9\u811a\u672c<\/p>\n
                BOOL is_FileExists(TCHAR* szPath)\n{\n    DWORD dwAttrib = GetFileAttributes(szPath);\n    return (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY);\n}\n\n\/*\nCheck against some of VMware blacklisted files\n*\/\nVOID vmware_files()\n{\n    \/* Array of strings of blacklisted paths *\/\n    TCHAR* szPaths[] = {\n        _T("system32\\\\drivers\\\\vmmouse.sys"),\n        _T("system32\\\\drivers\\\\vmhgfs.sys"),\n    };\n    \n    \/* Getting Windows Directory *\/\n    WORD dwlength = sizeof(szPaths) \/ sizeof(szPaths[0]);\n    TCHAR szWinDir[MAX_PATH] = _T("");\n    TCHAR szPath[MAX_PATH] = _T("");\n    GetWindowsDirectory(szWinDir, MAX_PATH);\n    \n    \/* Check one by one *\/\n    for (int i = 0; i < dwlength; i++)\n    {\n        PathCombine(szPath, szWinDir, szPaths[i]);\n        TCHAR msg[256] = _T("");\n        _stprintf_s(msg, sizeof(msg) \/ sizeof(TCHAR), _T("Checking file %s: "), szPath);\n        if (is_FileExists(szPath))\n            print_results(TRUE, msg);\n        else\n            print_results(FALSE, msg);\n    }\n}\n<\/code><\/pre>\n
                \u68c0\u67e5\u7279\u5b9a\u76ee\u5f55\u662f\u5426\u5b58\u5728<\/h2>\n
                BOOL is_DirectoryExists(TCHAR* szPath)\n{\n    DWORD dwAttrib = GetFileAttributes(szPath);\n    return (dwAttrib != INVALID_FILE_ATTRIBUTES) && (dwAttrib & FILE_ATTRIBUTE_DIRECTORY);\n}\n\n\/*\nCheck against VMware blacklisted directory\n*\/\nBOOL vmware_dir()\n{\n    TCHAR szProgramFile[MAX_PATH];\n    TCHAR szPath[MAX_PATH] = _T("");\n    TCHAR szTarget[MAX_PATH] = _T("VMware\\\\");\n    if (IsWoW64())\n        ExpandEnvironmentStrings(_T("%ProgramW6432%"), szProgramFile, ARRAYSIZE(szProgramFile));\n    else\n        SHGetSpecialFolderPath(NULL, szProgramFile, CSIDL_PROGRAM_FILES, FALSE);\n    PathCombine(szPath, szProgramFile, szTarget);\n    return is_DirectoryExists(szPath);\n}\n<\/code><\/pre>\n
                \u5176\u4f59\u7684\u65b9\u6cd5<\/h2>\n
                  \n
                • \u68c0\u67e5\u53ef\u6267\u884c\u6587\u4ef6\u7684\u5b8c\u6574\u8def\u5f84\u662f\u5426\u5305\u542b\u7279\u5b9a\u5b57\u7b26\u4e32\u4e4b\u4e00<\/li>\n
                • \u68c0\u67e5\u53ef\u6267\u884c\u6587\u4ef6\u662f\u5426\u4ece\u7279\u5b9a\u76ee\u5f55\u8fd0\u884c<\/li>\n
                • \u68c0\u67e5\u7269\u7406\u78c1\u76d8\u9a71\u52a8\u5668\u6839\u76ee\u5f55\u4e2d\u662f\u5426\u5b58\u5728\u5177\u6709\u7279\u5b9a\u540d\u79f0\u7684\u53ef\u6267\u884c\u6587\u4ef6<\/li>\n<\/ul>\n
                  \u901a\u8fc7\u6ce8\u518c\u8868\u68c0\u6d4b<\/h1>\n
                  \u68c0\u67e5\u7279\u5b9a\u6ce8\u518c\u8868\u8def\u5f84\u662f\u5426\u5b58\u5728<\/h2>\n
                  \/* sample of usage: see detection of VirtualBox in the table below to check registry path *\/\nint vbox_reg_key7() {\n    return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\\\ACPI\\\\FADT\\\\VBOX__");\n}\n\n\/* code is taken from "pafish" project, see references on the parent page *\/\nint pafish_exists_regkey(HKEY hKey, char * regkey_s) {\n    HKEY regkey;\n    LONG ret;\n\n    \/* regkey_s == "HARDWARE\\\\ACPI\\\\FADT\\\\VBOX__"; *\/\n    if (pafish_iswow64()) {\n        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);\n    }\n    else {\n        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);\n    }\n\n    if (ret == ERROR_SUCCESS) {\n        RegCloseKey(regkey);\n        return TRUE;\n    }\n    else\n        return FALSE;\n}\n<\/code><\/pre>\n
                  \u4e00\u4e9b\u53ef\u4ee5\u68c0\u6d4b\u7684\u6ce8\u518c\u8868\u8def\u5f84\uff08\u4f46\u662f\u6ce8\u610f\u8bbf\u95ee\u8fd9\u4e9b\u7279\u6b8a\u7684\u6ce8\u518c\u8868\u8def\u5f84\u53ef\u80fd\u4f1a\u88ab edr \u76d1\u63a7\uff0c\u5728\u4e91\u6c99\u7bb1\u4e2d\u62a5\u6bd2\uff09<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                  Detect<\/th>\nRegistry path<\/th>\nDetails (if any)<\/th>\n<\/tr>\n<\/thead>\n
                  [general]<\/td>\nHKLM\\Software\\Classes\\Folder\\shell\\sandbox<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Hyper-V<\/td>\nHKLM\\SOFTWARE\\Microsoft\\Hyper-V<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Hyper-V<\/td>\nHKLM\\SOFTWARE\\Microsoft\\VirtualMachine<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Hyper-V<\/td>\nHKLM\\SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters<\/code><\/td>\nUsually "HostName" and "VirtualMachineName" values are read under this path<\/td>\n<\/tr>\n
                  Hyper-V<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vmicheartbeat<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Hyper-V<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vmicvss<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Hyper-V<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vmicshutdown<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Hyper-V<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vmicexchange<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Parallels<\/td>\nHKLM\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1AB8*<\/code><\/td>\nSubkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW<\/code><\/td>\n<\/tr>\n
                  Sandboxie<\/td>\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\SbieDrv<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Sandboxie<\/td>\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Sandboxie<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualBox<\/td>\nHKLM\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_80EE*<\/code><\/td>\nSubkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW<\/code><\/td>\n<\/tr>\n
                  VirtualBox<\/td>\nHKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualBox<\/td>\nHKLM\\HARDWARE\\ACPI\\FADT\\VBOX__<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualBox<\/td>\nHKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualBox<\/td>\nHKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualBox<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\VBoxGuest<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualBox<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\VBoxMouse<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualBox<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\VBoxService<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualBox<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\VBoxSF<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualBox<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\VBoxVideo<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualPC<\/td>\nHKLM\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_5333*<\/code><\/td>\nSubkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW<\/code><\/td>\n<\/tr>\n
                  VirtualPC<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vpcbus<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualPC<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vpc-s3<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualPC<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vpcuhub<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VirtualPC<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\msvmmouf<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_15AD*<\/code><\/td>\nSubkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW<\/code><\/td>\n<\/tr>\n
                  VMware<\/td>\nHKCU\\SOFTWARE\\VMware, Inc.\\VMware Tools<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vmdebug<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vmmouse<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\VMTools<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\VMMEMCTL<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vmware<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vmci<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\vmx86<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\CurrentControlSet\\Enum\\IDE\\CdRomNECVMWar_VMware_IDE_CD*<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\CurrentControlSet\\Enum\\IDE\\CdRomNECVMWar_VMware_SATA_CD*<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\CurrentControlSet\\Enum\\IDE\\DiskVMware_Virtual_IDE_Hard_Drive*<\/code><\/td>\n<\/td>\n<\/tr>\n
                  VMware<\/td>\nHKLM\\SYSTEM\\CurrentControlSet\\Enum\\IDE\\DiskVMware_Virtual_SATA_Hard_Drive*<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Wine<\/td>\nHKCU\\SOFTWARE\\Wine<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Wine<\/td>\nHKLM\\SOFTWARE\\Wine<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Xen<\/td>\nHKLM\\HARDWARE\\ACPI\\DSDT\\xen<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Xen<\/td>\nHKLM\\HARDWARE\\ACPI\\FADT\\xen<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Xen<\/td>\nHKLM\\HARDWARE\\ACPI\\RSDT\\xen<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Xen<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\xenevtchn<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Xen<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\xennet<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Xen<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\xennet6<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Xen<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\xensvc<\/code><\/td>\n<\/td>\n<\/tr>\n
                  Xen<\/td>\nHKLM\\SYSTEM\\ControlSet001\\Services\\xenvdb<\/code><\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
                  \u68c0\u67e5\u7279\u5b9a\u6ce8\u518c\u8868\u9879\u662f\u5426\u5305\u542b\u6307\u5b9a\u5b57\u7b26\u4e32<\/h2>\n
                  \u901a\u8fc7 CPU \u7279\u5f81\u68c0\u6d4b<\/h1>\n
                  CPUID \u68c0\u6d4b\u4f9b\u5e94\u5546 ID<\/h2>\n
                  __declspec(naked) void get_cpuid_vendor(char *vendor_id) {\n  __asm {        \n    ; save non-volatile register\n    push ebx\n    \n    ; nullify output registers\n    xor ebx, ebx\n    xor ecx, ecx\n    xor edx, edx\n    \n    ; call cpuid with argument in EAX\n    mov eax, 0x40000000\n    cpuid\n    \n    ; store vendor_id ptr to destination\n    mov edi, vendor_id\n    \n    ; move string parts to destination\n    mov eax, ebx  ; part 1 of 3 from EBX\n    stosd\n    mov eax, ecx  ; part 2 of 3 from ECX\n    stosd\n    mov eax, edx  ; part 3 of 3 from EDX\n    stosd\n    \n    ; restore saved non-volatile register\n    pop ebx \n    \n    ; return from function\n    retn\n  }\n}\n<\/code><\/pre>\n
                  \u5bf9\u5e94\u7684\u4e00\u4e9b\u5382\u5546<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
                  Detect<\/th>\nEAX as argument to CPUID<\/th>\nString<\/th>\n<\/tr>\n<\/thead>\n
                  FreeBSD HV<\/td>\n0 x 40000000<\/code><\/td>\nbhyve bhyve<\/code><\/td>\n<\/tr>\n
                  Hyper-V<\/td>\n0 x 40000000<\/code><\/td>\nMicrosoft Hv<\/code><\/td>\n<\/tr>\n
                  KVM<\/td>\n0 x 40000000<\/code><\/td>\nKVMKVMKVM<\/code><\/td>\n<\/tr>\n
                  Parallels<\/td>\n0 x 40000000<\/code><\/td>\nprl hyperv<\/code><\/td>\n<\/tr>\n
                  VirtualBox<\/td>\n0 x 40000000<\/code><\/td>\nVBoxVBoxVBox<\/code><\/td>\n<\/tr>\n
                  VirtualPC<\/td>\n0 x 40000000<\/code><\/td>\nMicrosoft Hv<\/code><\/td>\n<\/tr>\n
                  VMware<\/td>\n0 x 40000000<\/code><\/td>\nVMwareVMware<\/code><\/td>\n<\/tr>\n
                  Xen<\/td>\n0 x 40000000<\/code><\/td>\nXenVMMXenVMM<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
                  \u901a\u8fc7\u4e00\u4e9b\u786c\u4ef6\u8bbe\u5907\u68c0\u6d4b<\/h1>\n