Re: Generically Determining the Prescence of Virtual Machines

[pageexec () freemail hu]

don't we all just love top-posting... anyway, looks like it's ia-32
insn du jour, so here's my take (far from being original to follow
suit ;-):

#include <stdio.h>
int main()
{
  unsigned long limit, seg;
  asm("mov %%ds,%1\nlsll %2,%0" :"=r"(limit), "=r"(seg) : "1"(seg));
  printf("seg:%lx lim:%lx\n", seg, limit);
}


On 17 Mar 2006 at 8:17, Pusscat wrote:

> Nice work val! :)
>
> I looked at this a short while ago as well, and ended up using a redpill
> style determination of virtualization, but I also wanted to know what kind
> of virtual machine I¹d landed myself in.  A few people pointed me at the
> back door attacks for vmware and virtual pc, but after some testing I
> determined that they were none too stable. (They crashed and burned on
> non-virtualized linux...) So I cheated and simply queried the first scsi
> device for a vendor and this works pretty well ;)  Certainly, you could
> create a vmware machine that didn¹t use scsi drives, but that seems pretty
> rare as it¹s the default.
>
> Seems like I ought to update my code to use your technique though ;)
>
> http://daemonkitty.net/MSF3/isvirtualized.asm
>
>
> On 3/16/06 8:00 PM, "valsmith" <valsmith () metasploit com> wrote:
>
> > At OffensiveComputing we were looking at ways to detect virtual machines and
> > had found and discarded many unsophisticated methods such as looking for
> > VMWare Tools running as a service or VMWare related registy keys, etc. Then we
> > discovered Joanna Rutkowska's very interesting "Redpill" method. This was an
> > eye opening work for us. After spending a little time playing with it we
> > realized it wasn't fool proof on multiprocessor systems and so we decided to
> > research the problems and possible ways to improve on the method. We
> > discovered and implemented an improved method which is presented in the this
> > paper.
> >
> > Check http://www.offensivecomputing.net for the paper.
> >
> > V.
>
>
> ~ Puss