Honeypots mailing list archives
VMWare Detection?
From: "Polazzo Justin" <Justin.Polazzo () facilities gatech edu>
Date: Mon, 15 Nov 2004 08:18:17 -0500
2004-11-14

Shortly after Dave posted his Trip Report from Poland, I started getting emails from people who wanted to know "how to detect VMWare using one instruction"... So, although I'm not the first one who discovered this trick, I decided to put a short paper about it accompanied by a simple C code. This trick is able to detect not only VMWare, but any VMM running on Pentium processor.

from http://invisiblethings.org/papers/redpill.html:

    int swallow_redpill () {
      /* m receives the 6-byte IDTR image: 2-byte limit followed by 4-byte base */
      unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3"; /* sidt [addr]; ret */
      *((unsigned*)&rpill[3]) = (unsigned)m;  /* patch the operand address to point at m */
      ((void(*)())&rpill)();                  /* execute the stub */
      return (m[5]>0xd0) ? 1 : 0;             /* 1 when the top byte of the IDT base is above 0xd0 */
    }

We already knew VMWare was detectable, just not sure if this code made it to everyone.

-JP