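// Scan the segment under the cursor for instructions commonly used by
// anti-analysis code: descriptor-table reads used to fingerprint a VM,
// rdtsc timing checks, and fs:/gs: memory accesses (PEB/TEB, SEH chain).
// Each hit is written to the Output window and colour-coded in the
// listing so an analyst can triage them quickly.
//
// Colours are passed to SetColor() in IDA's 0x00BBGGRR layout, so
// 0x0088ff is orange and 0xff8800 is blue.

// Log a hit at addr and paint the item with the given background colour.
static flag_hit(addr, what, color)
{
    Message( "%08x: Found %s\n", addr, what );
    SetColor( addr, CIC_ITEM, color );
}

// Return 1 if mnem is an instruction commonly used to detect a VM.
// cpuid is included because the hypervisor-present bit and vendor leaf
// are read with it; it also occurs in benign startup code, so treat a
// hit as a candidate rather than a verdict.
static is_vm_detect(mnem)
{
    return mnem == "sidt" || mnem == "sgdt" || mnem == "sldt"
        || mnem == "smsw" || mnem == "str"  || mnem == "cpuid";
}

// Return operand n of the instruction at addr if it references the fs:
// (x86 TEB/PEB, SEH) or gs: (x64 TEB/PEB) segment, otherwise "".
// strstr() returns -1 when the needle is absent.
static segment_operand(addr, n)
{
    auto opnd;
    opnd = GetOpnd( addr, n );
    if( strstr( opnd, "fs:" ) > -1 || strstr( opnd, "gs:" ) > -1 )
        return opnd;
    return "";
}

static main()
{
    auto start, end, addr, mnem, count, opnd;

    start = SegStart( ScreenEA() );
    end   = SegEnd( ScreenEA() );
    addr  = start;
    count = 0;

    while( addr < end )
    {
        // NextHead() also yields data items; only inspect and count code
        // heads so the summary line reports instructions, not tables
        // or strings.
        if( isCode( GetFlags( addr ) ) )
        {
            mnem = GetMnem( addr );

            // Common VM detect instructions
            if( is_vm_detect( mnem ) )
                flag_hit( addr, mnem, 0x0088ff );   // orange

            // Read Time Stamp Counter (timing-based debugger/VM check)
            if( mnem == "rdtsc" )
                flag_hit( addr, mnem, 0xff8800 );   // blue

            // Exception Handling or other PEB/TEB access; the first
            // operand takes precedence over the second, as before.
            opnd = segment_operand( addr, 0 );
            if( opnd == "" )
                opnd = segment_operand( addr, 1 );
            if( opnd != "" )
                flag_hit( addr, opnd, 0xff8888 );   // purple

            count = count + 1;
        }

        // NextHead() returns BADADDR past the last head, which is >= end
        // and so terminates the loop.
        addr = NextHead( addr, BADADDR );
    }

    Message( "Processed %d instructions from %08x to %08x\n", count, start, end );
}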