[vbox-dev] vm detection
al4321 at gmail.com
Wed Dec 30 05:44:45 PST 2009
2009/12/30 Stéphane Charette <stephanecharette at gmail.com>:
> Spent the night trying various inline assembly to attempt to detect
> when my application is running within a VM.
> Couple of things to note: the web is full of really bad and really
> ***WRONG*** example code from people thinking they're being crafty.
> Some code is of course geared towards just Windows + VMWare, but there
> is a surprisingly large amount of example code calling things like
> SIDT and SGDT with just 2 bytes to store the result. I may not be an
> assembly programmer, but it doesn't take much Googling at AMD and
> Intel's sites to see that even at best-case when running in i386, it
> needs at least 6 bytes, while in AMD64 you'd need 10 bytes.
> I'm guessing things have progressed in the last few years, where some
> of the VM detection example code that made headlines when they were
> first discovered no longer applies...or perhaps only ever applied to
> VMWare? Things I tried include:
> - SIDT (aka "red pill" and "snoopy_doo")
> - SGDT (upper byte always 0xff for me, whether native or in VirtualBox)
> - SLDT (always returns zero for me, whether native or in VirtualBox)
> - STR (always returns 0x0040 whether native or in VirtualBox)
> I'm worried the only "solution" (and I use the term lightly) is to do
> something crazy like walking the PCI table or the DMI BIOS information
> looking for certain strings. Can someone recommend something better?
There is no way to ultimately know that this is a VM or not.
Some future (or rare) emulator/virtualizer will always render your
detection code useless.
As for current versions of VirtualBox - the best way to detect it is
by PCI ID of its video card; "VirtualBox Graphics Adapter".
-Alexey Eromenko "Technologov"
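
The PCI ID check suggested in the reply above, as an added example that is not part of the original thread: it reads the Linux sysfs PCI tree and looks for vendor 0x80ee, device 0xbeef, the pair the public pci.ids database lists as the VirtualBox Graphics Adapter. The Linux sysfs layout and all function names are assumptions, and build_sample_tree writes constructed sample data so the check can be exercised offline.

```python
import os
import tempfile

# PCI vendor/device pair listed in the public pci.ids database as
# "InnoTek Systemberatung GmbH / VirtualBox Graphics Adapter".
VBOX_VGA = (0x80EE, 0xBEEF)


def read_hex(path):
    """Return the integer stored in a sysfs attribute such as 0x80ee, or None."""
    try:
        with open(path) as fh:
            return int(fh.read().strip(), 16)
    except (OSError, ValueError):
        return None


def list_pci_ids(sysfs_root="/sys/bus/pci/devices"):
    """Map each PCI address under sysfs_root to its (vendor, device) pair."""
    found = {}
    try:
        entries = sorted(os.listdir(sysfs_root))
    except OSError:
        return found  # not Linux, or sysfs not mounted
    for addr in entries:
        vendor = read_hex(os.path.join(sysfs_root, addr, "vendor"))
        device = read_hex(os.path.join(sysfs_root, addr, "device"))
        if vendor is not None and device is not None:
            found[addr] = (vendor, device)
    return found


def virtualbox_vga_addresses(sysfs_root="/sys/bus/pci/devices"):
    """Return the PCI addresses that expose the VirtualBox Graphics Adapter ID."""
    # An empty list is not proof of bare metal: other adapters or hypervisors exist.
    return [a for a, pair in list_pci_ids(sysfs_root).items() if pair == VBOX_VGA]


def build_sample_tree(devices):
    """Constructed sample data: write a fake sysfs tree and return its path."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    for addr, (vendor, device) in devices.items():
        os.mkdir(os.path.join(root, addr))
        for name, value in (("vendor", vendor), ("device", device)):
            with open(os.path.join(root, addr, name), "w") as fh:
                fh.write("0x%04x\n" % value)
    return root
```

Calling virtualbox_vga_addresses() with no argument inspects the running system; as the reply notes, a negative result only means this one adapter was not seen.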