Sysinternals Homepage

Virtual machine detection

cedrou (Posted: 01 August 2008 at 5:44pm)
Hi all,

Is there a way to detect at run-time that my process is running on a virtual machine?

Thanks
Cédric
Diablo (Posted: 01 August 2008 at 5:48pm)
Yes.

An RDTSC check between two instructions will detect VMware/Virtual PC-like VMs.
babon (Posted: 01 August 2008 at 6:28pm)
There's also some code which generates exceptions on specific VMs or something like that; I can't find it now, I'll post it once I find it.
babon (Posted: 02 August 2008 at 5:45pm)
Example from developpez.net in Delphi (Pascal):

program IsInVM;
 
{$APPTYPE CONSOLE}
 
uses
  windows;
 
function InVMware: Boolean;
asm
    XOR     EAX, EAX
 
    PUSH    OFFSET @@Handler
    PUSH    DWORD PTR FS:[EAX]
    MOV     DWORD PTR FS:[EAX], ESP
    MOV     EAX, 564D5868h
    MOV     EBX, 3c6cf712h
    MOV     ECX, 0Ah
    MOV     DX, 5658h
    IN      EAX, DX
    MOV     EAX, True
    JMP     @@NotHandle
@@Handler:
    MOV     EAX, [ESP+$C]
    MOV     TContext(EAX).EIP, OFFSET @@Handled
    XOR     EAX, EAX
    RET
@@Handled:
    XOR     EAX, EAX
@@NotHandle:
    XOR     EBX, EBX
    POP     DWORD PTR FS:[EBX]
    ADD     ESP, 4
end;
 
 function IsInVPC: boolean; assembler;
asm
  push ebp
 
  mov  ecx, offset @@exception_handler
  mov  ebp, esp
 
  push ebx
  push ecx
  push dword ptr fs:[0]
  mov  dword ptr fs:[0], esp
 
  mov  ebx, 0 // flag
  mov  eax, 1 // VPC function number
 
  // call VPC
  db 00Fh, 03Fh, 007h, 00Bh
 
  mov eax, dword ptr ss:[esp]
  mov dword ptr fs:[0], eax
  add esp, 8
 
  test ebx, ebx
  setz al
  lea esp, dword ptr ss:[ebp-4]
  mov ebx, dword ptr ss:[esp]
  mov ebp, dword ptr ss:[esp+4]
  add esp, 8
  jmp @@ret
  @@exception_handler:
  mov ecx, [esp+0Ch]
  mov dword ptr [ecx+0A4h], -1
  add dword ptr [ecx+0B8h], 4
  xor eax, eax
  ret
  @@ret:
end;
 
begin
 
 
if IsInVPC then writeln('Virtual PC detected') else writeln('Virtual Pc not detected');
if InVMware then writeln('VMWare Machine detected') else writeln('VMWare Machine not detected');
 
readln;
 
end.


Source: http://www.developpez.net/forums/showthread.php?t=564211


Edited by babon - 02 August 2008 at 5:45pm
Diablo (Posted: 02 August 2008 at 6:13pm)
Well, then I will add mine too.

function IsVm(): dword; register;
var
k: DWORD;
asm
push ebx
push edi
@@r1:
db $0f, $31
mov edi, edx
mov ebx, eax
db $0f, $31
cmp edi, edx
jnz @@r1
sub eax, ebx
mov k, eax
mov ecx, $0a
@@cycle:
db $0f, $31
mov edi, edx
mov ebx, eax
db $0f, $31
cmp edi, edx
jnz @@cycle
sub eax, ebx
cmp eax, k
jg @@ext1
mov k, eax
@@ext1:
dec ecx
jnz @@cycle
mov eax, k
pop edi
pop ebx
end;

begin
if (IsVm > 200) then MessageBoxW(0, 'Virtual Machine detected', '', MB_OK) else
MessageBoxW(0, 'Nothing detected', '', MB_OK);
ExitProcess(0);
end.
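
For an analyst triaging a binary, the three probes posted in this thread (the VMware I/O port check, the Virtual PC invalid opcode and the back-to-back RDTSC timing loop) reduce to byte patterns that can be searched for statically. The scanner below is an added example, not part of the original posts; the WINDOW and RDTSC_GAP limits, the labels and the hand-encoded sample buffer are assumptions made for illustration.

```python
import struct

# Byte signatures taken from the code posted in this thread.
VMWARE_MAGIC = struct.pack("<I", 0x564D5868)  # immediate loaded into EAX
VMWARE_PORT = struct.pack("<H", 0x5658)       # immediate loaded into DX
VPC_OPCODE = bytes([0x0F, 0x3F, 0x07, 0x0B])  # the "call VPC" db bytes
RDTSC = b"\x0f\x31"                           # db $0f, $31
WINDOW = 32     # assumption: max bytes from the magic to IN EAX, DX
RDTSC_GAP = 16  # assumption: max bytes between two paired RDTSCs

def find_all(data, needle):
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def scan(data):
    """Return sorted (offset, label) leads; raw byte matches can hit data."""
    leads = []
    for off in find_all(data, VMWARE_MAGIC):
        tail = data[off + 4:off + 4 + WINDOW]
        port = tail.find(VMWARE_PORT)
        # Require magic, then port, then the IN EAX, DX opcode (0xED).
        if port != -1 and b"\xed" in tail[port + 2:]:
            leads.append((off, "vmware-backdoor-io"))
    for off in find_all(data, VPC_OPCODE):
        leads.append((off, "virtualpc-invalid-opcode"))
    tsc = find_all(data, RDTSC)
    for first, second in zip(tsc, tsc[1:]):
        if second - first <= RDTSC_GAP:
            leads.append((first, "rdtsc-pair"))
    return sorted(leads)

# Constructed sample: the thread's instructions hand-encoded, NOP-padded.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x68\x58\x4d\x56"  # MOV EAX, 564D5868h
    + b"\xbb\x12\xf7\x6c\x3c"  # MOV EBX, 3C6CF712h
    + b"\xb9\x0a\x00\x00\x00"  # MOV ECX, 0Ah
    + b"\x66\xba\x58\x56"      # MOV DX, 5658h
    + b"\xed"                  # IN EAX, DX
    + b"\x90" * 4
    + VPC_OPCODE
    + b"\x90" * 4
    + RDTSC + b"\x8b\xfa\x8b\xd8" + RDTSC  # RDTSC, two MOVs, RDTSC
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"0x{offset:04x}  {label}")
```

Because the scan matches raw bytes without disassembling, a hit is a lead to confirm in a disassembler rather than proof that the code executes the check.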
Diablo (Posted: 07 August 2008 at 9:29am)
May I ask you, topic starter, for what purpose you're asking this? Are you writing a trojan?
cedrou (Posted: 07 August 2008 at 12:57pm)
No, don't worry!
It was only to satisfy my curiosity, thanks for your answers.

Cédric