Detect virtualized OS from an application?

80,331

Solution 1

Have you heard about blue pill, red pill? It's a technique used to see if you are running inside a virtual machine or not. The origin of the term stems from the Matrix movie where Neo is offered a blue or a red pill (to stay inside the matrix = blue, or to enter the 'real' world = red).

The following is some code that will detect whether you are running inside 'the matrix' or not (code borrowed from this site, which also contains some nice information about the topic at hand):

    /* 32-bit x86 only: executes "sidt [m]; ret" out of a byte buffer, so the stack must be executable */
    int swallow_redpill () {
        /* sidt stores 6 bytes: the 2-byte IDT limit followed by the 4-byte IDT base address */
        unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
        *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch the sidt operand with the address of m (4-byte pointer) */
        ((void(*)())&rpill)();                   /* run the patched "sidt [m]; ret" */
        return (m[5]>0xd0) ? 1 : 0;              /* m[5] is the top byte of the IDT base; VMs relocate the IDT high */
    }

The function will return 1 when you are running inside a virtual machine, and 0 otherwise.

Solution 2

Under Linux I used the command dmidecode (I have it both on CentOS and Ubuntu).

From the man page:

dmidecode is a tool for dumping a computer's DMI (some say SMBIOS) table contents in a human-readable format.

So I searched the output and found out it's probably Microsoft Hyper-V:

Handle 0x0001, DMI type 1, 25 bytes
System Information
    Manufacturer: Microsoft Corporation
    Product Name: Virtual Machine
    Version: 5.0
    Serial Number: some-strings
    UUID: some-strings
    Wake-up Type: Power Switch
Handle 0x0002, DMI type 2, 8 bytes
Base Board Information
    Manufacturer: Microsoft Corporation
    Product Name: Virtual Machine
    Version: 5.0
    Serial Number: some-strings

Another way is to look up which manufacturer the MAC address of eth0 belongs to: http://www.coffer.com/mac_find/

If it returns Microsoft, VMware, etc., then it's probably a virtual server.
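An added example (not part of the answer above) that reads the same DMI "System Information" fields through their sysfs mirror, which unlike dmidecode needs no root, and classifies them. The Hyper-V strings are the ones in the dmidecode output above; the other vendor/product signatures are assumptions about common platform defaults, and the function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* sysfs mirror of the DMI "System Information" (type 1) fields shown by dmidecode;
   world-readable on most Linux systems, so no root needed. */
#define DMI_VENDOR_PATH  "/sys/class/dmi/id/sys_vendor"
#define DMI_PRODUCT_PATH "/sys/class/dmi/id/product_name"

/* Read one sysfs attribute into buf (trailing newline stripped); 1 on success, 0 if unreadable. */
static int read_dmi_field(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    int ok = f != NULL && fgets(buf, (int)len, f) != NULL;
    if (f) fclose(f);
    if (!ok) return 0;
    buf[strcspn(buf, "\r\n")] = '\0';
    return 1;
}

/* Case-insensitive substring test, written out so no non-standard strcasestr is needed. */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Heuristic: map vendor/product strings to a known virtual platform, or NULL if nothing matches.
   The Hyper-V pair is the one in the dmidecode output above; the rest are assumed common defaults. */
const char *dmi_virtual_platform(const char *vendor, const char *product) {
    if (contains_ci(vendor, "Microsoft") && contains_ci(product, "Virtual Machine")) return "Hyper-V";
    if (contains_ci(vendor, "VMware") || contains_ci(product, "VMware")) return "VMware";
    if (contains_ci(product, "VirtualBox")) return "VirtualBox";
    if (contains_ci(vendor, "QEMU") || contains_ci(product, "KVM")) return "KVM/QEMU";
    if (contains_ci(vendor, "Xen") || contains_ci(product, "HVM domU")) return "Xen";
    return NULL;
}

int main(void) {
    char vendor[128], product[128];
    const char *p;
    if (!read_dmi_field(DMI_VENDOR_PATH, vendor, sizeof vendor) ||
        !read_dmi_field(DMI_PRODUCT_PATH, product, sizeof product)) return 2;  /* no SMBIOS table, or not Linux */
    p = dmi_virtual_platform(vendor, product);
    printf("vendor='%s' product='%s' -> %s\n", vendor, product, p ? p : "no known VM signature");
    return p ? 0 : 1;
}
```

A physical machine whose firmware ships blank or "To Be Filled By O.E.M." strings also yields NULL, so treat a miss as "no signature found", not as proof of bare metal.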

Solution 3

VMware has a "Mechanisms to determine if software is running in a VMware virtual machine" Knowledge Base article which has some source code.

Microsoft also has a page on "Determining If Hypervisor Is Installed". MS spells out this requirement of a hypervisor in the "IsVM TEST" section of their "Server Virtualization Validation Test" document.

The VMware and MS docs both mention using the CPUID instruction to check the hypervisor-present bit (bit 31 of register ECX).

The RHEL bug tracker has an entry for "should set ISVM bit (ECX:31) for CPUID leaf 0x00000001" to set bit 31 of register ECX under the Xen kernel.

So without getting into vendor specifics it looks like you could use the CPUID check to know if you're running virtually or not.
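The CPUID check the two vendor documents describe, as an added example that is not code from any answer on this page: it reads the hypervisor-present bit (leaf 1, ECX bit 31) and, going one step beyond the text, the 12-byte vendor id that leaf 0x40000000 returns once that bit is set. The __cpuid macro is GCC/clang's from cpuid.h; the helper names are my own, and the non-x86 fallback is there only so the file still builds elsewhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/clang: provides the __cpuid macro */
#endif

/* Raw CPUID wrapper; on non-x86 builds every register reads back as zero,
   so the detector degrades to "no hypervisor reported" instead of failing to compile. */
static void cpuid_raw(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d) {
#if defined(__x86_64__) || defined(__i386__)
    __cpuid(leaf, *a, *b, *c, *d);
#else
    (void)leaf; *a = *b = *c = *d = 0;
#endif
}

/* Leaf 1, ECX bit 31: the "hypervisor present" bit the VMware and Microsoft documents describe.
   CPUID traps to the hypervisor, which decides whether to set it, so 0 is not proof of bare metal. */
int hypervisor_bit_set(uint32_t leaf1_ecx) {
    return (int)((leaf1_ecx >> 31) & 1u);
}

/* Leaf 0x40000000: EBX, ECX, EDX carry a 12-byte vendor id such as "VMwareVMware",
   "Microsoft Hv" or "XenVMMXenVMM". Register bytes are little-endian, hence a plain memcpy. */
void decode_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4); memcpy(out + 4, &ecx, 4); memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Returns 1 and fills vendor when leaf 1 reports a hypervisor, otherwise 0 with vendor = "". */
int detect_hypervisor(char vendor[13]) {
    uint32_t a, b, c, d;
    vendor[0] = '\0';
    cpuid_raw(1, &a, &b, &c, &d);
    if (!hypervisor_bit_set(c)) return 0;
    cpuid_raw(0x40000000u, &a, &b, &c, &d);   /* only meaningful once the bit is set */
    decode_vendor(b, c, d, vendor);
    return 1;
}

int main(void) {
    char vendor[13];
    if (detect_hypervisor(vendor)) printf("hypervisor present, vendor id: \"%s\"\n", vendor);
    else puts("no hypervisor reported via CPUID (bare metal, or a hypervisor hiding the bit)");
    return 0;
}
```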

Solution 4

No. This is impossible to detect with complete accuracy. Some virtualization systems, like QEMU, emulate an entire machine down to the hardware registers. Let's turn this around: what is it you're trying to do? Maybe we can help with that.

Solution 5

I think that going forward, relying on tricks like the broken SIDT virtualization is not really going to help as the hardware plugs all the holes that the weird and messy x86 architecture has left. The best would be to lobby the VM providers for a standard way to tell that you are on a VM -- at least for the case when the user has explicitly allowed that. But if we assume that we are explicitly allowing the VM to be detected, we can just as well place visible markers in there, right? I would suggest just updating the disk on your VMs with a file telling you that you are on a VM -- a small text file in the root of the file system, for example. Or inspect the MAC of eth0, and set that to a given known string.

Author: Mooh (Embedded Software engineer and general curmudgeon. Coding blog: Coding Relic)

Updated on July 05, 2022

Comments

  • Mooh almost 2 years

    I need to detect whether my application is running within a virtualized OS instance or not.

    I've found an article with some useful information on the topic. The same article appears in multiple places, I'm unsure of the original source. VMware implements a particular invalid x86 instruction to return information about itself, while VirtualPC uses a magic number and I/O port with an IN instruction.

    This is workable, but appears to be undocumented behavior in both cases. I suppose a future release of VMWare or VirtualPC might change the mechanism. Is there a better way? Is there a supported mechanism for either product?

    Similarly, is there a way to detect Xen or VirtualBox?

    I'm not concerned about cases where the platform is deliberately trying to hide itself. For example, honeypots use virtualization but sometimes obscure the mechanisms that malware would use to detect it. I don't care that my app would think it is not virtualized in these honeypots, I'm just looking for a "best effort" solution.

    The application is mostly Java, though I'm expecting to use native code plus JNI for this particular function. Windows XP/Vista support is most important, though the mechanisms described in the referenced article are generic features of x86 and don't rely on any particular OS facility.

  • Kirk Strauser over 15 years
    Correction: it will return 1 when you are running inside some of the virtual machines that are available today, on some bits of hardware.
  • sven over 15 years
    Yes, it indeed uses the fact that the virtual machine is not an entirely accurate representation of a real PC. If it was, then there is no (good) way to detect you are running virtually.
  • Erik Forbes over 15 years
    Your solution (at the end of your paragraph) won't work if you don't have control over the VM you're running in. =\
  • jakobengblom2 over 15 years
    No, but if you do not have control over the VM, all bets are off anyway. Then it might well deliberately hide. So the question is really why and when and in which situation you want to do this.
  • sven over 15 years
    @erik: it uses the fact that a virtualised OS is a 'second' OS on a machine. This means that resources need to be shared. In this code it's the IDTR (Interrupt Descriptor Table Register; check Wikipedia) that will be checked against; if it is not in the usual place, then we know that we are virtual.
  • epochwolf over 15 years
    Just to note: this code fails in Windows XP Pro running in VMware Fusion (Version 2.0 (116369)) on OS X 10.5.
  • ZelluX almost 15 years
    This is possible. Although you can emulate every instruction a virtual machine executes, the application can still discover the truth by resource limitation, etc.
  • Stéphane over 14 years
    Note that RedPill and the initial scoopy_doo techniques will return false positives on multi-core CPUs. For example: on a quad-core system running natively, 75% of the time it will tell you it is running in a VM. Google for things like "NoPill" to get additional details.
  • JdeBP over 12 years
    Everyone is gradually coming around to the idea of singing from the same songsheet.
  • Raedwald about 11 years
    dmidecode needs super-user (root) permission to run, so it's not that useful from an application.
  • Thanasis Petsas almost 11 years
    Is there a way to understand it through a Java program?
  • Schwern over 9 years
    @BlackMamba It depends on if you have read permission to /dev/mem.
  • Felype over 8 years
    This is interesting, mainly regarding what Stéphane said: some software I use here is accusing my native Windows 10 x64 of being a VM. I tried running that code and it just crashes with an access violation (even with UAC elevation).
  • Eugene Mala almost 7 years
    If we emulate an old PC on new, powerful hardware, we can emulate latencies and resources.
  • LotoLo almost 6 years
    Is this working on modern virtual machines? And why?
  • Matthew Sharp almost 5 years
    Well, that's emulation rather than virtualization. The hardest to hide is timing information, especially if the guest has network access and can use an external clock.
  • Sorry IwontTell almost 4 years
    Thanks, but you are detecting virtualization software, not virtualization.
  • Sorry IwontTell almost 4 years
    To add a little info: does this one get some info from the CPU?
  • marsh-wiggle over 3 years
    I lack the knowledge to judge the code, which was also posted in other places. Here are two interesting comments from there: "To clarify, this piece of code uses the cpuid instruction to detect if the feature bit is set that indicates the code is running on a hypervisor. There is, of course, no requirement that an actual hypervisor always sets this bit, especially for software hypervisors." and "I would not use this. Tested false positive (Windows 10, VS) on my PC. I have virtualization support turned on in BIOS, but not running in VM, so it might be that (?)."
  • Gray Programmerz about 3 years
    There is an easier way in PowerShell: Get-WMIObject MSAcpi_ThermalZoneTemperature -Namespace root/wmi. But it requires admin rights.
  • Ken Haynes over 2 years
    Works perfectly on Oracle VirtualBox with the Windows 11 Enterprise evaluation version installed. Thanks.