flat assembler
Message board for the users of flat assembler.

Index > OS Construction > detecting Virtual Machine

Author
Thread Post new topic Reply to topic
CandyMan



Joined: 04 Sep 2009
Posts: 319
Location: film "CandyMan" directed through Bernard Rose OR Candy Shop
CandyMan
What method you know in order to detect virtual machine?
Post 03 Oct 2011, 17:46
View user's profile Send private message Reply with quote
Coty



Joined: 17 May 2010
Posts: 554
Location: ␀
Coty
Here is some code Smiddy posted on Dex's old forum, it will detect VM, VPC, and Bochs.

Code:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; VM - Detects if we're in a virtual mcahine like Virtual PC, VMWare, or
;;      Bochs. If there are others, this is where they shall reside for
;;      detecting them.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

BochsDetectedMessage    db 'Bochs detected',13,10,0
BochsNotDetectedMessage db 'Bochs not detected',13,10,0
BochsOn                 dd 0

DetectBochs:

    mov dx,0E9h
    in al,dx
   
    cmp al,0E9h
    je .InBochs
    mov eax,0
    mov esi,BochsNotDetectedMessage
    jmp .Done
   
.InBochs:

    mov eax,1
    mov esi,BochsDetectedMessage
   
.Done:

    mov [BochsOn],eax
    call PrintString
   
    ret



    ret


align 4
VPCDetectedMessage      db  'Virtual PC Detected',13,10,0
VPCNotDetectedMessage   db  'Virtual PC Not Detected',13,10,0
align 4
VPCOn       dd 0

DetectVPC:

    push ebx
   
    cli                                     ; Turn off interrupts
    mov esi,VPCInvalidOpcodeException       ; Store new Invalid Opcode Exception
    mov eax,6                               ; Invalid Opcode is 6
    call AddExceptionToIDT                  ; Call routine to replace it
    sti                                     ; Turn on interrupts
   
    mov ebx,0                               ; This will stay 0 if VPC running
    mov eax,1                               ; VPC function number
   
.CallVPC:
   
    db 0Fh,3Fh,07h,0Bh                      ; Call VPC
   
    test ebx,ebx
    jz .InVPC
    mov eax,0
    mov esi,VPCNotDetectedMessage
    jmp .Done
   
.InVPC:

    mov eax,1
    mov esi,VPCDetectedMessage
   
.Done:

    mov [VPCOn],eax
    call PrintString
   
    cli
    mov esi,UnhandledINT                    ; Restore original unhandled interrupt
    mov eax,6                               ; Invalid Opcode is 6
    call AddExceptionToIDT
    sti
   
    pop ebx
   
    ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; VPCInvalidOpcodeException - replaced invalid opcode exception handler with
;;                             this one to go past the VPC call in the above
;;                             procedure.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

VPCInvalidOpcodeException:

    mov ebx,-1                              ; Not running VPC
    add DWORD [esp],4                       ; Fix the EIP in stack to skip past call VPC
   
    iret

;---------------------------------
; We need this because ATA
; Identify command is NOT working
; under vmware Wink surprise!
;---------------------------------
align 4
VMWareDetectedMessage       db  'VM Ware Detected',13,10,0
VMWareNotDetectedMessage    db  'VM Ware Not Detected',13,10,0

ALIGN 4
VMWareOn                    dd  0           ; Default = 0 = OFF, 1 = ON

DetectVMWare:
   
    mov eax,564D5868h                       ; 'VMXh'
    mov ebx,12345h                          ; This can be any number, but not 'VMXh'
    mov ecx,00Ah                            ; Get VMWare version
    mov edx,'VX'                            ; Port number
    IN  eax,dx                              ; Read port 5658h
    cmp ebx,564D5868h                       ; Is this from the EAX?
    je .InVMWare                            ; Yes, goto flag it
    mov eax,0
    mov esi,VMWareNotDetectedMessage
    jmp .Done
   
.InVMWare:

    mov eax,1
    mov esi,VMWareDetectedMessage
   
.Done:

    mov [VMWareOn],eax
    call PrintString
   
    ret 
    


If you wish to detect QEmu x86 you can't (to my knollage) but you can detect QEmu x86-64 by checking the vendor string (I think).

_________________
http://codercat.org/
Post 03 Oct 2011, 18:21
View user's profile Send private message Send e-mail Visit poster's website Reply with quote
DJ Mauretto



Joined: 14 Mar 2007
Posts: 464
Location: Rome,Italy
DJ Mauretto
There are many ways that you can detect virtual machines,
Usually this VM use old Chipset HW, you can scan PCi for this..
Also in SMBios you'll find the string Bochs, Microsoft virtual machine and so on..
Every VM is detectable, open you mind Wink

Example:

Code:
Qemu PCI is:
Vendor ID    Device ID
8086                1237          82440LX/EX PCI & Memory
8086               7000          82371SB PIIX3 PCI-to-ISA Bridge (Triton II)
8086               7010          82371SB PIIX3 IDE Interface (Triton II)
8086           100E          82540EM Intel Pro 1000/MT
1013                 00B8          CL-GD5446 64-bit VisualMedia Accelerator
1274                  5000          ES1371 AudioPC    


Qemu report also CPUID with CPU name = QEMU virtual cpu version .......
Wink

_________________
Nil Volentibus Arduum Razz
Post 03 Oct 2011, 18:51
View user's profile Send private message Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4242
Location: 2018
edfed
maybe one day, everybody will use the way of bochs...

it is something needed i think, it will give work to some standardisation organism, and it will give some reliable way for everybody around virtual/real machines.

because if you know you are in a vm, you can think differentlly your applications. as VM can be everywhere, even in firefox if we have a plugin for, it can become very cool, and may let you code in asm, in a web editor, compile using a distant server, or a plugin in firefox...depends on what is to be coded.

if there is a shared project, with no source in clients, and only a centralizing server, it will be different than just the editor in firefox, and the compiler in firefox, working on some file, with possibility to save on local, or on server.

that's what can be possible with VM detection, and it i forgot a lot of things.

it can make man dream Smile Laughing


CPUID is a good solution, if not the best.
Post 03 Oct 2011, 19:42
View user's profile Send private message Visit poster's website Reply with quote
Goplat



Joined: 15 Sep 2006
Posts: 181
Goplat
There's good reason to make VMs not detectable (or at least make it possible to turn detectability off). It has become common for programs to include both desirable and malicious functionality (for example: any game that installs a kernel-mode driver for copy protection). VMs ideally let you use these programs without letting them screw with your system, but if VMs are easily detectable the programs will be written to just refuse to run in them.
Post 03 Oct 2011, 20:31
View user's profile Send private message Reply with quote
cod3b453



Joined: 25 Aug 2004
Posts: 619
cod3b453
As others have mentioned, each VM usually has a uniquely identifying device ID or device vendor ID somewhere.

To add to your list, Virtual Box can be spotted from:
- The VESA vendor string "...VirtualBox..."
- Display controller - PCI vendor 80EE, device BEEF
- Memory controller - PCI vendor 80EE, device CAFE
- CD vendor string "VBOX CD-ROM" (probably HD too)
Post 04 Oct 2011, 22:17
View user's profile Send private message Reply with quote
smiddy



Joined: 31 Oct 2004
Posts: 559
smiddy
Coty wrote:
Here is some code Smiddy posted on Dex's old forum, it will detect VM, VPC, and Bochs.

Code:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; VM - Detects if we're in a virtual mcahine like Virtual PC, VMWare, or
;;      Bochs. If there are others, this is where they shall reside for
;;      detecting them.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

BochsDetectedMessage    db 'Bochs detected',13,10,0
BochsNotDetectedMessage db 'Bochs not detected',13,10,0
BochsOn                 dd 0

DetectBochs:

    mov dx,0E9h
    in al,dx
   
    cmp al,0E9h
    je .InBochs
    mov eax,0
    mov esi,BochsNotDetectedMessage
    jmp .Done
   
.InBochs:

    mov eax,1
    mov esi,BochsDetectedMessage
   
.Done:

    mov [BochsOn],eax
    call PrintString
   
    ret



    ret


align 4
VPCDetectedMessage      db  'Virtual PC Detected',13,10,0
VPCNotDetectedMessage   db  'Virtual PC Not Detected',13,10,0
align 4
VPCOn       dd 0

DetectVPC:

    push ebx
   
    cli                                     ; Turn off interrupts
    mov esi,VPCInvalidOpcodeException       ; Store new Invalid Opcode Exception
    mov eax,6                               ; Invalid Opcode is 6
    call AddExceptionToIDT                  ; Call routine to replace it
    sti                                     ; Turn on interrupts
   
    mov ebx,0                               ; This will stay 0 if VPC running
    mov eax,1                               ; VPC function number
   
.CallVPC:
   
    db 0Fh,3Fh,07h,0Bh                      ; Call VPC
   
    test ebx,ebx
    jz .InVPC
    mov eax,0
    mov esi,VPCNotDetectedMessage
    jmp .Done
   
.InVPC:

    mov eax,1
    mov esi,VPCDetectedMessage
   
.Done:

    mov [VPCOn],eax
    call PrintString
   
    cli
    mov esi,UnhandledINT                    ; Restore original unhandled interrupt
    mov eax,6                               ; Invalid Opcode is 6
    call AddExceptionToIDT
    sti
   
    pop ebx
   
    ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; VPCInvalidOpcodeException - replaced invalid opcode exception handler with
;;                             this one to go past the VPC call in the above
;;                             procedure.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

VPCInvalidOpcodeException:

    mov ebx,-1                              ; Not running VPC
    add DWORD [esp],4                       ; Fix the EIP in stack to skip past call VPC
   
    iret

;---------------------------------
; We need this because ATA
; Identify command is NOT working
; under vmware Wink surprise!
;---------------------------------
align 4
VMWareDetectedMessage       db  'VM Ware Detected',13,10,0
VMWareNotDetectedMessage    db  'VM Ware Not Detected',13,10,0

ALIGN 4
VMWareOn                    dd  0           ; Default = 0 = OFF, 1 = ON

DetectVMWare:
   
    mov eax,564D5868h                       ; 'VMXh'
    mov ebx,12345h                          ; This can be any number, but not 'VMXh'
    mov ecx,00Ah                            ; Get VMWare version
    mov edx,'VX'                            ; Port number
    IN  eax,dx                              ; Read port 5658h
    cmp ebx,564D5868h                       ; Is this from the EAX?
    je .InVMWare                            ; Yes, goto flag it
    mov eax,0
    mov esi,VMWareNotDetectedMessage
    jmp .Done
   
.InVMWare:

    mov eax,1
    mov esi,VMWareDetectedMessage
   
.Done:

    mov [VMWareOn],eax
    call PrintString
   
    ret 
    


If you wish to detect QEmu x86 you can't (to my knollage) but you can detect QEmu x86-64 by checking the vendor string (I think).


Whoa! I wrote that ages ago...

I have heard, but haven't tested, that things have changed a lot with virtual machines. This is older code, so YMMV (Your mileage may vary).
Post 07 Oct 2011, 18:07
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.