Can Operating Systems tell if they're running in a Virtual Machine?

Discussion in 'Main Lounge' started by Jason, Mar 19, 2007.

  1. Jason

    r, do androids know they're dreaming of electric sheep...

    There was some recent news on Windows Vista EULA restrictions relating to Virtual Machines. Vista Home Editions aren't allowed to be run inside a Virtual Machine, and Vista Ultimate in a VM will restrict access to applications which use DRM. We're still waiting for clarification from Microsoft, but it seems like the popular interpretations are basically right.

    This raises the question - is this a EULA restriction, or is it going to be enforced? Can it be enforced? Can an operating system tell if it's running in a Virtual Machine?

    That's really two questions:

    1. Can Operating Systems currently detect if they're running in a VM?

    2. Will Operating Systems always be able to detect if they're running in a VM?

    Well, I only know what I read. Let me know if you disagree...

    Can Operating Systems currently detect if they're running in a VM?

    Yes, they can. Right now they do it through a couple of techniques - direct hardware fingerprinting and inferred hardware fingerprinting.

    Direct hardware fingerprinting is pretty straightforward. Virtual Machines have predictable hardware profiles, so you can just query for "virtual hardware" that's only available in VMs and can't easily be changed. The Virtual PC Guy describes this approach here:

    The easiest way to detect that you are inside of a virtual machine is by using 'hardware fingerprinting' - where you look for hardware that is always present inside of a given virtual machine. In the case of Microsoft virtual machines - a clear indicator is if the motherboard is made by Microsoft... [WMI Script to check the motherboard vendor]

    If the motherboard is made by "Microsoft Corporation" then you are inside of one of our virtual machines.

    The inferred hardware fingerprinting approach is a bit more dodgy. It works by making direct machine level calls to the virtualized CPU that will reveal if the CPU is real or virtual. Some of these call instructions that the VMMs don't currently support. Others make system calls that will only succeed on specific virtual hardware, usually because of special machine calls the VMs implement to allow communication with the host OS and optimize use of host OS resources (e.g. the Virtual Machine Additions for Virtual PC / Virtual Server, or VMWare's VMware Command Line Tools). This kind of stuff is pretty slick, but it makes "undocumented system calls" look boring.

    Here are some examples of indirect hardware fingerprinting:

    * A program on CodeProject that can detect if it is running in either VPC or VMWare.

    * More information on detecting the VMWare host through the presence of special IO ports implemented as system calls

    * The Red Pill approach, which exploits the fact that the interrupt descriptor table register (IDTR) is relocated by VMMs. It writes to the IDTR via an SIDT instruction, then reads from the IDTR. If the values don't match, the code is executing in a VM.

    Of course, this approach is subject to the whims of each VMM release, and it may vary from host OS to host OS.

    These two approaches remind me of the two ways to target CSS to different browsers - ask them nicely, or beat it out of them.

    Will Operating Systems always be able to detect if they're running in a VM?

    Of course, that's not a question I can answer with certainty until I can get my hands on a flux capacitor and 1.21 gigawatts. That won't keep me from speculating, though...

    Let's step back a second and think about whether or not we want Operating Systems to know if they're running in a virtual environment. In the context of the recent Vista EULA flap, we might want to say no - the EULA restriction is stupid, and it's a good thing that they can't enforce it.

    But let's talk about The Blue Pill. It's a theoretical malware application of VM technology in which a rootkit consumes the host operating system and runs as a hypervisor (a hardware
    Jason, Mar 19, 2007
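The two fingerprinting routes the post above describes, as an added example (this is not code from the thread, nor from Virtual PC, VMware or the CodeProject program it links): a C program that performs the direct check (the DMI/SMBIOS vendor string, the Linux analogue of the WMI motherboard-vendor query quoted from the Virtual PC Guy) and the CPUID check (the hypervisor-present bit plus the 12-byte vendor signature). The signature table, the vendor hint list and the sysfs path are assumptions of this example, and the decision logic is kept separate from the live probes so it can be exercised with constructed register values. The SIDT trick is left out on purpose: its result depends on the VMM release and on which core the code lands on, exactly the "whims of each VMM release" the post mentions.

```c
/* Added example (not from the thread): direct (DMI vendor) and CPUID-based
 * hypervisor fingerprinting, the way an inventory or sandbox tool would do it.
 * Live probes only run on Linux/x86; the pure functions work anywhere. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* CPUID leaf 1, ECX bit 31 is reserved (0) on bare metal; hypervisors set it
 * for their guests. A VMM may clear it, so 0 means "not advertised", not proof. */
int hypervisor_bit_set(uint32_t leaf1_ecx) {
    return (int)((leaf1_ecx >> 31) & 1u);
}

/* Pack/unpack 4 ASCII bytes the way CPUID returns them (lowest byte first). */
uint32_t pack4(const char s[4]) {
    return (uint32_t)(unsigned char)s[0] | ((uint32_t)(unsigned char)s[1] << 8) |
           ((uint32_t)(unsigned char)s[2] << 16) | ((uint32_t)(unsigned char)s[3] << 24);
}
static void unpack4(uint32_t v, char *out) {
    for (int i = 0; i < 4; i++) out[i] = (char)((v >> (8 * i)) & 0xff);
}

/* Leaf 0x40000000 returns a 12-byte vendor signature in EBX:ECX:EDX. */
void hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char sig[13]) {
    unpack4(ebx, sig); unpack4(ecx, sig + 4); unpack4(edx, sig + 8);
    sig[12] = '\0';
}

/* Assumed table of well-known signatures; anything else with the bit set is
 * still reported as a hypervisor, just an unrecognised one. */
const char *hv_name(const char *sig) {
    static const struct { const char *sig; const char *name; } known[] = {
        {"VMwareVMware", "VMware"},       {"Microsoft Hv", "Hyper-V"},
        {"KVMKVMKVM",    "KVM"},          {"XenVMMXenVMM", "Xen"},
        {"VBoxVBoxVBox", "VirtualBox"},   {"TCGTCGTCGTCG", "QEMU (TCG)"},
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strncmp(sig, known[i].sig, strlen(known[i].sig)) == 0) return known[i].name;
    return "unknown hypervisor";
}

/* Verdict from raw register values: leaf 1 ECX, then leaf 0x40000000 EBX/ECX/EDX. */
const char *classify_cpuid(uint32_t leaf1_ecx, uint32_t ebx, uint32_t ecx, uint32_t edx) {
    char sig[13];
    if (!hypervisor_bit_set(leaf1_ecx)) return "none advertised";
    hv_signature(ebx, ecx, edx, sig);
    return hv_name(sig);   /* a string literal, so sig may safely go out of scope */
}

/* Direct fingerprinting: vendor strings typical of virtual firmware. This is a
 * hint, not proof: physical hardware can carry the same vendor name. */
const char *dmi_vendor_hint(const char *vendor) {
    if (strstr(vendor, "Microsoft Corporation")) return "Microsoft VM (Virtual PC/Hyper-V)";
    if (strstr(vendor, "VMware"))  return "VMware";
    if (strstr(vendor, "innotek")) return "VirtualBox";
    if (strstr(vendor, "QEMU"))    return "QEMU/KVM";
    if (strstr(vendor, "Xen"))     return "Xen";
    return "no virtual vendor string";
}

/* Live probes: sysfs DMI vendor (Linux) and CPUID (x86). */
int main(void) {
    char vendor[128] = "";
    FILE *f = fopen("/sys/class/dmi/id/sys_vendor", "r");   /* assumed sysfs path */
    if (f) {
        if (fgets(vendor, sizeof vendor, f)) vendor[strcspn(vendor, "\n")] = '\0';
        fclose(f);
    }
    printf("DMI sys_vendor: \"%s\" -> %s\n", vendor, dmi_vendor_hint(vendor));
#if HAVE_CPUID
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    uint32_t leaf1_ecx = c;
    __cpuid(0x40000000, a, b, c, d);
    printf("CPUID: %s\n", classify_cpuid(leaf1_ecx, b, c, d));
#else
    puts("CPUID probe skipped: not an x86 build");
#endif
    return 0;
}
```

Both checks are "ask them nicely" in the post's terms: they read what the virtual platform chooses to advertise, so a VMM that clears the hypervisor bit and patches its DMI strings passes them, which is why a result of "none advertised" should be read as absence of evidence rather than evidence of bare metal.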
  2. cyclic

    I suppose I'm not really answering the question since I do agree, but it was something I had already wondered about, knowing something about hardware signing hashes, and my conclusion was exactly the same, although admittedly not as thorough. :)
    cyclic, Mar 20, 2007