
Generically Determining the Presence of Virtual Machines


NOTE: This is for Windows hosts only!

At OffensiveComputing we were looking at ways to detect virtual machines and had found and discarded many unsophisticated methods such as looking for VMware Tools running as a service or VMware-related registry keys, etc. Then we discovered Joanna Rutkowska's very interesting "Redpill" method. This was an eye-opening work for us. After spending a little time playing with it we realized it wasn't foolproof on multiprocessor systems, and so we decided to research the problems and possible ways to improve on the method. We discovered and implemented an improved method which is presented in this paper.

Thanks to delchi and numerous others for help testing.

Papers and code can be found:

http://www.offensivecomputing.net/dc14/

V.

Windows only

Please be aware that these results were only tested under Windows. You'll have different results with Linux as it uses the LDT.

Why VPC on PPC gave no useful results.

Virtual PC [VPC], when running on PPC architecture, does dynamic translation [DT] of blocks of x86 code into PPC code. Aside from this little quirk, it is, for all intents and purposes, a full x86 emulator, not a hardware virtualization layer (like VMware or VPC on x86). The Descriptor Tables should look just the same as they do on real silicon.

Following this premise, QEMU – which always does DT, and fully emulates hardware – should also appear to have its IDTs in the same location as on real silicon. Bochs would appear the same way (it doesn't do DT).

Xen should show the same IDT/LDT/GDT funkiness as VMWare et al. That is until... [dramatic music]

The Pacifica/Vanderpool (VT) extensions to the x86 instruction set are widely available. (AMD says Q2 2006, last I heard.) These add about 14 new instructions, and faults, and such, so that you can fully virtualize x86 on x86, without all of this tedious mucking about with IDT/LDT/GDT's.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Updated nopill.cpp

Fixed a size issue with the sidt/sldt/sgdt operations. Whoops.
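An added example, written for this page and not the thread's nopill.cpp or Rutkowska's Redpill code: a C program (GCC/Clang inline assembly; built with MinGW on Windows for the per-CPU part) that stores IDTR, GDTR and LDTR into correctly sized buffers, applies Redpill's published byte-5 threshold, applies the nonzero-LDT check that the "Windows only" comment implies (Windows does not use the LDT), and pins the thread to each CPU in turn so that the per-CPU IDT differences the post describes on multiprocessor hosts become visible. The register images in the test samples are constructed, not captured from real machines; the IDT bases and the LDT selector value 0x0008 are illustrative, and the reading of "size issue" as an operand-size bug is an assumption.

```c
/* Added example (not the thread's nopill.cpp): read IDTR/GDTR/LDTR from user
 * mode, apply the heuristics discussed in the thread, sample once per CPU. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Operand sizes matter: SIDT/SGDT store a 6-byte image in 32-bit mode (16-bit
 * limit + 32-bit base) and a 10-byte image in 64-bit mode (16-bit limit + 64-bit
 * base).  SLDT stores only the 16-bit LDT *selector*, never a base.  Undersized
 * buffers corrupt the stack; an oversized SLDT target reads garbage (assumption:
 * this is the kind of "size issue" the comment above refers to). */
#define DTR_IMAGE_MAX 10
#define DTR_IMAGE_32  6

typedef struct {
    uint8_t  idtr[DTR_IMAGE_MAX];   /* raw SIDT image, zero-padded */
    uint8_t  gdtr[DTR_IMAGE_MAX];   /* raw SGDT image, zero-padded */
    uint16_t ldtr;                  /* SLDT result: the LDT selector */
} dt_regs;

enum { F_IDT_HIGH = 1, F_LDT_NONZERO = 2, F_IDT_VARIES = 4 };

/* Bytes SIDT/SGDT store for the mode this binary runs in. */
static int dtr_image_bytes(void) { return sizeof(void *) == 8 ? DTR_IMAGE_MAX : DTR_IMAGE_32; }

/* Base address from a raw SIDT/SGDT image: bytes 2.. hold the little-endian base. */
static uint64_t dtr_base(const uint8_t *img, int image_bytes) {
    uint64_t base = 0;
    for (int i = image_bytes - 1; i >= 2; i--) base = (base << 8) | img[i];
    return base;
}

/* Redpill's test: in 32-bit mode byte 5 of the SIDT image is the top byte of the
 * IDT base.  Native 32-bit Windows keeps the IDT at 0x80xxxxxx, while VMware and
 * VPC guests saw it relocated high, so byte 5 > 0xD0 was read as "inside a VM".
 * Meaningless for a 64-bit image, where the whole kernel lives at 0xFFFFF8.... */
static int redpill_idt_suspicious(const uint8_t idtr[DTR_IMAGE_32]) { return idtr[5] > 0xD0; }

/* From the "Windows only" comment: Windows does not use the LDT, so a nonzero LDT
 * selector on a Windows host is suspicious.  Linux does use the LDT, so this does
 * not carry over. */
static int ldt_suspicious(uint16_t ldtr) { return ldtr != 0; }

/* Read the three registers on whichever CPU we are running on right now. */
static int read_dt_regs(dt_regs *r) {
    memset(r, 0, sizeof *r);
#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
    __asm__ __volatile__("sidt %0" : "=m"(*r->idtr) : : "memory");
    __asm__ __volatile__("sgdt %0" : "=m"(*r->gdtr) : : "memory");
    __asm__ __volatile__("sldt %0" : "=m"(r->ldtr));          /* 16-bit target */
    return 1;
#else
    return 0;   /* no inline-asm path for this compiler/architecture */
#endif
}

/* Combine n per-CPU samples.  F_IDT_VARIES is *not* a VM signal: on a real
 * multiprocessor host each CPU has its own IDT, so the bases legitimately differ,
 * which is exactly why a single unpinned SIDT (Redpill) is unreliable there. */
static int evaluate(const dt_regs *s, int n, int image_bytes) {
    int flags = 0;
    uint64_t first = dtr_base(s[0].idtr, image_bytes);
    for (int i = 0; i < n; i++) {
        if (image_bytes == DTR_IMAGE_32 && redpill_idt_suspicious(s[i].idtr)) flags |= F_IDT_HIGH;
        if (ldt_suspicious(s[i].ldtr)) flags |= F_LDT_NONZERO;
        if (dtr_base(s[i].idtr, image_bytes) != first) flags |= F_IDT_VARIES;
    }
    return flags;
}

#ifdef _WIN32
/* Pin the thread to each CPU in the process affinity mask in turn and sample there. */
static int sample_per_cpu(dt_regs *out, int max) {
    DWORD_PTR proc_mask, sys_mask, old;
    HANDLE th = GetCurrentThread();
    int n = 0;
    if (!GetProcessAffinityMask(GetCurrentProcess(), &proc_mask, &sys_mask)) return 0;
    old = SetThreadAffinityMask(th, proc_mask);          /* returns the previous mask */
    for (unsigned cpu = 0; cpu < sizeof(DWORD_PTR) * 8 && n < max; cpu++) {
        DWORD_PTR bit = (DWORD_PTR)1 << cpu;
        if (!(proc_mask & bit) || !SetThreadAffinityMask(th, bit)) continue;
        Sleep(0);                    /* yield so the scheduler migrates us to that CPU */
        if (read_dt_regs(&out[n])) n++;
    }
    if (old) SetThreadAffinityMask(th, old);
    return n;
}
#endif

/* Constructed 32-bit samples (not captured from real machines). */
static const dt_regs SAMPLE_NATIVE32[1] = {
    { {0xff,0x07, 0x00,0xf4,0x03,0x80}, {0}, 0 } };       /* IDT 0x8003f400, no LDT */
static const dt_regs SAMPLE_VM32[1] = {
    { {0xff,0x07, 0x00,0x80,0xc1,0xff}, {0}, 0x0008 } };  /* IDT 0xffc18000, LDT set */
static const dt_regs SAMPLE_SMP32[2] = {                 /* two CPUs, two native IDTs */
    { {0xff,0x07, 0x00,0xf4,0x03,0x80}, {0}, 0 },
    { {0xff,0x07, 0x00,0xb4,0x4f,0x80}, {0}, 0 } };

int main(void) {
    dt_regs s[64];
    int n = 0, bytes = dtr_image_bytes();
#ifdef _WIN32
    n = sample_per_cpu(s, 64);
#endif
    if (n == 0 && read_dt_regs(&s[0])) n = 1;   /* unpinned single sample, Redpill-style */
    if (n == 0) { puts("no SIDT/SGDT/SLDT path on this build"); return 1; }
    for (int i = 0; i < n; i++)
        printf("sample %d: IDT base %#llx limit %#x  GDT base %#llx  LDT sel %#x\n", i,
               (unsigned long long)dtr_base(s[i].idtr, bytes), s[i].idtr[0] | (s[i].idtr[1] << 8),
               (unsigned long long)dtr_base(s[i].gdtr, bytes), s[i].ldtr);
    printf("flags: %#x\n", evaluate(s, n, bytes));
    return 0;
}
```

Run it pinned on a real multiprocessor Windows box and the IDT base changes from sample to sample while the LDT selector stays zero; that is the inconsistency Redpill hits when it is not pinned. Note that in user mode SLDT and STR are not emulated on processors with UMIP, so on such hardware the unpinned read faults instead of returning a value.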

VPC detection

As I stated before, it can all be done by checking one single byte. I've written a PE Encryptor that mutates the decryptor depending on this byte, meaning it'll crash on VPCs.

Check my blog out over on phorce.co.uk

vpc

phorce.co.uk is invalid. Prepending www made it right.

Where did you state this before? Was it on bugtraq or FD or somewhere on this site? I must have missed it. I can't find it in your archives either. Maybe you can direct link us to a whitepaper you've written or some source code?

These are all just different methods. It's interesting to know all the possible ways to do this.

V.

Cannot download files... broken links

Hi Valsmith, I am new to this forum. I was going through some of the stuff here and found this post interesting. Wanted to look at the downloads (links provided), but these seem to be broken. Is it possible for you to post new download links or point me to where you have moved them?

Thanks.

check the link i added to the post

We are having some drupal module issues, but I have provided a direct link to the files. Use that instead.

V.

hello

very nice

catching it up a few years

catching it up a few years later, very interesting, gonna test it right now, thank you.