Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Detect virtualized OS from an application?

I need to detect whether my application is running within a virtualized OS instance or not.

I've found an article with some useful information on the topic. The same article appears in multiple places, I'm unsure of the original source. VMware implements a particular invalid x86 instruction to return information about itself, while VirtualPC uses a magic number and I/O port with an IN instruction.

This is workable, but appears to be undocumented behavior in both cases. I suppose a future release of VMWare or VirtualPC might change the mechanism. Is there a better way? Is there a supported mechanism for either product?

Similarly, is there a way to detect Xen or VirtualBox?

I'm not concerned about cases where the platform is deliberately trying to hide itself. For example, honeypots use virtualization but sometimes obscure the mechanisms that malware would use to detect it. I don't care that my app would think it is not virtualized in these honeypots, I'm just looking for a "best effort" solution.

The application is mostly Java, though I'm expecting to use native code plus JNI for this particular function. Windows XP/Vista support is most important, though the mechanisms described in the referenced article are generic features of x86 and don't rely on any particular OS facility.

like image 275
DGentry Avatar asked Sep 30 '08 17:09

DGentry


People also ask

Can a virtual machine be traced?

Virtual machines are a convenience of many purposes but enhancing anonymity is not one of them. Yes using a browser in a VM will give different indicators such as User-Agent and Fingerprint, but that's just another set of tracking variables. It's extremely difficult to configure your own browser for privacy.


1 Answers

Have you heard about blue pill, red pill?. It's a technique used to see if you are running inside a virtual machine or not. The origin of the term stems from the matrix movie where Neo is offered a blue or a red pill (to stay inside the matrix = blue, or to enter the 'real' world = red).

The following is some code that will detect wheter you are running inside 'the matrix' or not:
(code borrowed from this site which also contains some nice information about the topic at hand):

 int swallow_redpill () {    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";    *((unsigned*)&rpill[3]) = (unsigned)m;    ((void(*)())&rpill)();    return (m[5]>0xd0) ? 1 : 0;  }  

The function will return 1 when you are running inside a virutal machine, and 0 otherwise.

like image 80
sven Avatar answered Oct 05 '22 20:10

sven