Generically Determining the Prescence of Virtual Machines

["Michael Spath" <michael.spath () gmail com>]

> don't we all just love top-posting... anyway, looks like it's ia-32
> insn du jour, so here's my take (far from being original to follow
> suit ;-):
>
> #include <stdio.h>
> int main()
> {
>  unsigned long limit, seg;
>  asm("mov %%ds,%1\nlsll %2,%0" :"=r"(limit), "=r"(seg) : "1"(seg));
>  printf("seg:%lx lim:%lx\n", seg, limit);
> }

I hope you don't mind me trying too pip :) Here's the sample output
of a small ring3 VM detection tool I wrote some time ago :

W2K NATIVE :
------------
IDTbase=0x80036400    IDTlimit=0x7FF
LDT selector=0x0
GDTbase=0x80036000    GDTlimit=0x3FF
Descriptor 18 : DPL=3 32bits code r-x limit=FFFFFFFF
Descriptor 20 : DPL=3 32bits data rw- limit=FFFFFFFF
Descriptor 38 : DPL=3 32bits data rw- limit=00000FFF
Descriptor 40 : DPL=3 16bits data rw- limit=0000FFFF
Descriptor E0 : DPL=0 16bits code r-x limit=0000FFFF

W2K in VMWARE :
---------------
IDTbase=0xffc18000    IDTlimit=0x7FF
LDT selector=0x4058
GDTbase=0xffc07000    GDTlimit=0x40AF
Descriptor 18 : DPL=3 32bits code r-x limit=FFBFFFFF
Descriptor 20 : DPL=3 32bits data rw- limit=FFBFFFFF
Descriptor 38 : DPL=3 32bits data rw- limit=00000FFF
Descriptor 40 : DPL=3 16bits data rw- limit=0000FFFF
Descriptor E0 : DPL=1 16bits code r-x limit=0000FFFF


IDT base, LDT selector, GDT base, GDT limit, segment limit, DPL=1...
make your choice ;-)

regards,
--spath