Honeypots mailing list archives

4tphi: Detecting VMWare


From: "Andrew Hintz \(Drew\)" <drew () overt org>
Date: Thu, 7 Nov 2002 14:24:08 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Below is a Unix program that will tell you if it is running in a
VMWare virtual machine.  If you're interested in a Windows or DOS
version, visit <http://chitchat.tripod.co.jp/vmware/>.

/*
 * 4tphi-vmchk.c
 * Detects if you are in a VMWare virtual machine.
 * 
 * Written by Andrew Hintz <http://guh.nu>
 *            and AAron Walters
 * Fortify Research Laboratories <http://4tphi.net>
 * 
 * "Oft at the hives of his tame bees
 *  They would their sugary thirst appease."
 *
 * This program is based on info and code from:
 *  http://chitchat.tripod.co.jp/vmware/
 *  by chitchat () lycos jp
 *
 * Notes:
 *  The program can be run as a normal user.
 *  We tested the program only in x86 Linux.
 *  The m4dn3ss lives on!
 */

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <stdint.h>

/* Reached when the privileged IN instruction below raises a general
 * protection fault: outside VMware, user-mode I/O to port 0x5658 is
 * not permitted and Linux delivers SIGSEGV. */
void segfault(int sig){
  (void)sig;
  printf("Not running inside VMware.\n");
  exit(1);
}

int main(){
  uint32_t verMajor, verMinor, magic, dout;

  signal(SIGSEGV, segfault);

  /* VMware "backdoor": load the magic value, a command number and the
   * backdoor port number, then execute IN.  Inside VMware the virtual
   * machine monitor intercepts the instruction and answers through the
   * registers.  The register-specific constraints ("a", "b", "c", "d")
   * pin each value to the register the backdoor expects. */
  __asm__ __volatile__ (
    "inl %%dx, %%eax"
    : "=a"(verMajor), "=b"(magic), "=c"(verMinor), "=d"(dout)
    : "a"(0x564D5868), /* magic number */
      "b"(0x3c6cf712), /* random number */
      "c"(0x0000000A), /* specifies command */
      "d"(0x5658)      /* VMware I/O port */
    );

  if (magic == 0x564D5868) {
    printf("Running inside VMware. ");
    printf("(Version %u,%u)\n", verMajor, verMinor);
    /* I'm not really sure what the versions mean. */
  }

  return 0;

}/* end main */

/* end of file */

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPcq9dpAUypktoF54EQLpHwCePzWr5/TpUnZiwhvf1ctYD3uJv1AAoOl9
YmH+cbL9CDrjR5eL4gjJ2u5w
=nbMf
-----END PGP SIGNATURE-----
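The program above exits from inside the SIGSEGV handler, which is fine for a one-shot check but not for a probe you want to call from a larger tool (a honeypot health check, a sandbox self-test). The variant below is an added example, not part of the original post or of 4tphi's code: it uses the same backdoor port and GETVERSION command, but catches the fault with sigsetjmp/siglongjmp and returns a result instead of exiting. The names vmware_probe and struct vmware_info are mine; it assumes an x86 Linux host where a user-mode IN raises a general protection fault that the kernel delivers as SIGSEGV, and on non-x86 builds it simply reports "not detected" because the backdoor cannot exist there.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants of the VMware backdoor interface, as used in the original post. */
#define VMWARE_MAGIC          0x564D5868u  /* "VMXh" */
#define VMWARE_PORT           0x5658u      /* "VX" */
#define VMWARE_CMD_GETVERSION 0x0Au

/* Hypothetical result type for this example. */
struct vmware_info {
    uint32_t version;       /* EAX after the call */
    uint32_t magic;         /* EBX after the call: VMWARE_MAGIC on VMware */
    uint32_t product_type;  /* ECX after the call (GETVERSION product type) */
};

static sigjmp_buf probe_env;

/* Outside VMware the privileged IN faults in ring 3; Linux turns the #GP
 * into SIGSEGV.  Jump back to the probe instead of terminating. */
static void probe_fault(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);
}

/* Returns 1 if the VMware backdoor answered, 0 otherwise.  Never exits
 * the process and restores the previous SIGSEGV disposition. */
int vmware_probe(struct vmware_info *out)
{
    volatile int detected = 0;
    memset(out, 0, sizeof *out);
#if defined(__i386__) || defined(__x86_64__)
    struct sigaction sa, old_sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_sa);

    /* sigsetjmp(..., 1) saves the signal mask, so siglongjmp from the
     * handler leaves SIGSEGV unblocked for any later probe. */
    if (sigsetjmp(probe_env, 1) == 0) {
        uint32_t eax, ebx, ecx, edx;
        __asm__ __volatile__ ("inl %%dx, %%eax"
            : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx)
            : "a"(VMWARE_MAGIC), "b"(0x3c6cf712u),
              "c"(VMWARE_CMD_GETVERSION), "d"(VMWARE_PORT));
        out->version = eax;
        out->magic = ebx;
        out->product_type = ecx;
        (void)edx;
        detected = (ebx == VMWARE_MAGIC);
    }
    /* Fault path lands here with detected still 0. */
    sigaction(SIGSEGV, &old_sa, NULL);
#endif
    return detected;
}

int main(void)
{
    struct vmware_info info;
    if (vmware_probe(&info))
        printf("Running inside VMware (version %u, product type %u)\n",
               info.version, info.product_type);
    else
        printf("Not running inside VMware.\n");
    return 0;
}
```

The check is only as good as the backdoor: a host that is not VMware, or any hypervisor that does not emulate port 0x5658, makes the IN fault and the probe reports "not detected", which is exactly the behaviour the original program relies on.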
