Dailydave mailing list archives
Generically Determining the Prescence of Virtual Machines
From: "Michael Spath" <michael.spath () gmail com>
Date: Mon, 20 Mar 2006 08:18:07 +0100
don't we all just love top-posting... anyway, looks like it's ia-32 insn du jour, so here's my take (far from being original to follow suit ;-): #include <stdio.h> int main() { unsigned long limit, seg; asm("mov %%ds,%1\nlsll %2,%0" :"=r"(limit), "=r"(seg) : "1"(seg)); printf("seg:%lx lim:%lx\n", seg, limit); }
I hope you don't mind me trying too pip :) Here's the sample output of a small ring3 VM detection tool I wrote some time ago : W2K NATIVE : ------------ IDTbase=0x80036400 IDTlimit=0x7FF LDT selector=0x0 GDTbase=0x80036000 GDTlimit=0x3FF Descriptor 18 : DPL=3 32bits code r-x limit=FFFFFFFF Descriptor 20 : DPL=3 32bits data rw- limit=FFFFFFFF Descriptor 38 : DPL=3 32bits data rw- limit=00000FFF Descriptor 40 : DPL=3 16bits data rw- limit=0000FFFF Descriptor E0 : DPL=0 16bits code r-x limit=0000FFFF W2K in VMWARE : --------------- IDTbase=0xffc18000 IDTlimit=0x7FF LDT selector=0x4058 GDTbase=0xffc07000 GDTlimit=0x40AF Descriptor 18 : DPL=3 32bits code r-x limit=FFBFFFFF Descriptor 20 : DPL=3 32bits data rw- limit=FFBFFFFF Descriptor 38 : DPL=3 32bits data rw- limit=00000FFF Descriptor 40 : DPL=3 16bits data rw- limit=0000FFFF Descriptor E0 : DPL=1 16bits code r-x limit=0000FFFF IDT base, LDT selector, GDT base, GDT limit, segment limit, DPL=1... make your choice ;-) regards, --spath
Current thread:
- Generically Determining the Prescence of Virtual Machines Michael Spath (Mar 20)