views:

1730

answers:

13

Is there a way to identify, from within a VM, that your code is running inside a VM?

I guess there are more or less easy ways to identify specific VM systems, especially if the VM has the provider's extensions installed (such as for VirtualBox or VMWare). But is there a general way to identify that you are not running directly on the CPU?

A: 

There shouldn't be. Virtual Machines emulate the pieces of hardware you can't access directly, but actual code is executed directly on the host CPU 99.9% of the time. Your best bet is trying to identify known VM environments, but that will give you some false positives and many missed detections.

Identifying the CPU directly will give you the real CPU data, since modern VMs don't emulate that part of a computer anymore.

wvdschel
A: 

If it VM does the job well, it should be invisible to the client that it's being virtualized. However, one can look at other clues.

I would imagine that looking for known drivers or software specific to the VM environment would be the best possible way.

For example, on a VMWare client running Windows, vmxnet.sys would be the network driver, displayed as VMware accelerated AMD PCNet Adapter.

Mythokia
A: 

Virtual PC knows when it's installed in another instance of VPC and won't install. So it must be possible. Unfortunately I don't know how it does this.

A possible way would be to look at the default hardware configuration - at least for VPC it's standard. Don't think this is foolproof though.

kokos
A: 

One good example is that apparently doing a WMI query for the motherboard manufacturer, and if it returns "Microsoft" you're in a VM. Thought I believe this is only for VMWare. There are likely different ways to tell for each VM host software.

This article here http://blogs.technet.com/jhoward/archive/2005/07/26/407958.aspx has some good suggestions and links to a couple of ways to detect if you are in a VM (VMWare and VirtualPC at least).

Adam Haile
+5  A: 

A more empirical approach is to check for known VM device drivers. You could write WMI queries to locate, say, the VMware display adapter, disk drive, network adapter, etc. This would be suitable if you knew you only had to worry about known VM host types in your environment. Here's an example of doing this in Perl, which could be ported to the language of your choice.

spoulson
my computer -> properties -> hardware -> device managerhave a look at the display adapter - you usually will see microsoft VM something or VMWare something ...
thedrs
A: 

You might be able to identify whether you're in a virtual machine by looking at the MAC address of your network connection. Xen for example typically recommends using a specific range of addresses 00:16:3e:xx:xx:xx.

This isn't guaranteed as it's up to the administrator of the system to specify what MAC address they like.

tonylo
+1  A: 

I once ran across an assembly code snippet that told you if you were in a VM....I googled but couldn't find the original article.

I did find this though: Detect if your program is running inside a Virtual Machine.

Hope it helps.

Giovanni Galbo
You're thinking of the "Red Pill" or "No Pill" approach. This technique no longer works. (And could be argued didn't work back in 2004 as well, though multi-CPU and multi-core systems were less prevalent.) See http://charette.no-ip.com:81/programming/2009-12-30_Virtualization/index.html#RedPill
Stéphane
+9  A: 

A lot of the research on this is dedicated to detecting so-called "blue pill" attacks, that is, a malicious hypervisor that is actively attempting to evade detection.

The classic trick to detect a VM is to populate the ITLB, run an instruction that must be virtualized (which necessarily clears out such processor state when it gives control to the hypervisor), then run some more code to detect if the ITLB is still populated. The first paper on it is located here, and a rather colorful explanation from a researcher's blog is located here.

Bottom line from discussions on this is that there is always a way to detect a malicious hypervisor, and it's much simpler to detect one that isn't trying to hide.

JawnV6
I'm not sure that the given approach will work with hosts using NPT/EPT.
Charles Duffy
+1  A: 

Red Hat has a program which detects which (if any) virtualization product it's being run under: virt-what.

Using a third-party-maintained tool such is this is a better strategy long-term than trying to roll your own detection logic: more eyes (testing against more virtualization products), etc.

Charles Duffy
A: 

It depends on what you are after:

  • If the VM is not hiding from you on purpose, you can use some known hook. LIke looking for VmWare drivers or the presence of certain strings in memory or certain other tell-tale signs.

  • If the VM is really wanting you to do special things for it, it will have some obvious hook in place, like modifying the ID of the processor or adding some special registers that you can access to detect it. Or s a special device in a known location in memory (presuming you can get raw access to the physical memory space of your world). NOte that modern machine designs like the IBM Power6 and Sun UltraSparc T1/T2 are designed to ALWAYS run a hypervisor, and never directly on raw hardware. The interface to the "hardware" that an OS uses is in fact the interface ot a hypervisor software layer, with no way to get around it. In this case, detection is trivial since it is a constant "yes". This is the likely future direction for all computer systems that can afford the overhead, look at the support in recent designs like the Freescale QorIQ P4080 chip, for example (www.freescale.com/qoriq).

  • If the VM is intentionally trying to hide, and you are chasing its presence, it is a game of cat-and-mouse where the timing disturbance and different performance profile of a VM is almost always going to give it away. Obviously, this depends on how the VM is implemented and how much hardware support there is in place in the architecture (I think a zSeries mainframe is much better at hiding the presence of a VM or stack of VMs under your particular OS than a regular x86 machine is, for example). See http://jakob.engbloms.se/archives/97 for some discussion on this topic. It is possible to try to hide as a VM, but detection is quite likely to always win if it tries hard enough.

jakobengblom2
A: 

Here is also a script for Linux in PERL detecting the possible virtual environment. It can be found here: http://micky.ibh.net/~liske/imvirt.html

StarWind Software
A: 

This looks promising - it has an exe and .c file download.

Tim
+1  A: 

The thing you do is, you have a small thing you carry on you at all times, and that you allow no one else to touch. And if it feels right and behaves right, then you're not running in a VM.

(Could not resist. Sorry.)

Zarkonnen