How to identify that you’re running under a VM?

by

A lot of the research on this is dedicated to detecting so-called “blue pill” attacks, that is, a malicious hypervisor that is actively attempting to evade detection.

The classic trick to detect a VM is to populate the ITLB, run an instruction that must be virtualized (which necessarily clears out such processor state when it gives control to the hypervisor), then run some more code to detect if the ITLB is still populated. The first paper on it is located here, and a rather colorful explanation from a researcher’s blog and alternative Wayback Machine link to the blog article (images broken).

Bottom line from discussions on this is that there is always a way to detect a malicious hypervisor, and it’s much simpler to detect one that isn’t trying to hide.

More Related Contents:

  1. Virtualizing an ItemsControl?
  2. What do I do when launching an application triggers repeating, endless Windows Installer self-repair?
  3. What are the differences between virtual memory and physical memory?
  4. Detect virtualized OS from an application?
  5. Intel’s HAXM equivalent for AMD on Windows OS
  6. Cross-browser testing: All major browsers on ONE machine
  7. VT Not Supported when Installing HAXM
  8. why setting ScrollViewer.CanContentScroll to false disable virtualization
  9. How to detect if my application is running in a virtual machine?
  10. WPF VirtualizingStackPanel for increased performance
  11. Commit data in a mysql container
  12. What is the overhead of a context-switch?
  13. How to Dockerize windows application
  14. WPF ListBox with a ListBox – UI Virtualization and Scrolling
  15. Just black screen after running Qemu
  16. I am getting this error “your cpu doesn’t support vt-x or svm, android studio 2.1.1 in AMD 6300 processor”
  17. What is meant by shared kernel in Docker?

Leave a Comment