How to Programmatically Know If I Am in a Vm

How can I programmatically know if I am in a VM?

Here is one more useful command:

$ lscpu | grep -E 'Hypervisor vendor|Virtualization type'
Hypervisor vendor:     KVM
Virtualization type:   full

Example output of other commands:

$ sudo virt-what
kvm

$ dmesg | grep -i virtual
[    0.000000] Booting paravirtualized kernel on KVM
[    0.029160] CPU0: Intel QEMU Virtual CPU version 1.0 stepping 03

$ sudo dmidecode | egrep -i 'manufacturer|product|vendor|domU'
    Vendor: Bochs
    Manufacturer: Bochs
    Product Name: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs

How to detect if my application is running in a virtual machine?

According to Virtual PC Guy's blog post "Detecting Microsoft virtual machines", you can use WMI to check the manufacturer of the motherboard. In PowerShell:

 (gwmi Win32_BaseBoard).Manufacturer -eq "Microsoft Corporation"

How to detect if the script is running on a virtual machine?

I will talk specific to VMware and virtual Box Virtual Machines running Linux as guest Operating system.
If you run below command, you will come to know that the underlying hardware is VMware/VirtualBox which certifies that it is a Virtual Machine.

For VMware guest:

# dmidecode  | grep -i product
        Product Name: VMware Virtual Platform

For Virtual Box guest:

# dmidecode  | grep -i product
    Product Name: VirtualBox

"dmidecode" is a linux system command. You can have perl run dmidecode in the beginning of your script and extract the value. If it is a virtual machine then the script should exit without any further execution.

I do not have any other hypervisor at my disposal to get you what above command return on them.

Hope this helps.

How to identify that you're running under a VM?

A lot of the research on this is dedicated to detecting so-called "blue pill" attacks, that is, a malicious hypervisor that is actively attempting to evade detection.

The classic trick to detect a VM is to populate the ITLB, run an instruction that must be virtualized (which necessarily clears out such processor state when it gives control to the hypervisor), then run some more code to detect if the ITLB is still populated. The first paper on it is located here, and a rather colorful explanation from a researcher's blog and alternative Wayback Machine link to the blog article (images broken).

Bottom line from discussions on this is that there is always a way to detect a malicious hypervisor, and it's much simpler to detect one that isn't trying to hide.

Detect virtualized OS from an application?

Have you heard about blue pill, red pill?. It's a technique used to see if you are running inside a virtual machine or not. The origin of the term stems from the matrix movie where Neo is offered a blue or a red pill (to stay inside the matrix = blue, or to enter the 'real' world = red).

The following is some code that will detect whether you are running inside 'the matrix' or not:

(code borrowed from this site which also contains some nice information about the topic at hand):

 int swallow_redpill () {
   unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
   *((unsigned*)&rpill[3]) = (unsigned)m;
   ((void(*)())&rpill)();
   return (m[5]>0xd0) ? 1 : 0;
 }

The function will return 1 when you are running inside a virutal machine, and 0 otherwise.

C - Convenient way to check if system is a virtual machine?

The question is: Can I actually rely on output of cat /proc/cpuinfo | grep -o 'hypervisor'

No. First off, that only works on x86/x86_64 CPUs. It relies on the hypervisor bit from the CPUID instruction, which is always 0 when not virtualized, but even when running in a VM it isn't necessarily 1. For example, qemu can be configured not to set it; I know because I've used this setting to work around software that tried to detect a VM.

or is there a better/more convenient way to check if the system is a virtual machine?

Not really. You could call CPUID yourself (example); at least that would work on machines without /proc/cpuinfo (like those runnig Windows), but it's still x86-specific and unreliable.

You could use red pill. It's also x86-only, but might be more reliable than depending on CPUID, assuming it still works.

You may also want to read up on blue pill.

It's probably not feasible to make a perfect hypervisor that is impossible to detect even with timing attacks, but over time it will likely also get harder and harder to detect a hypervisor which is meant to be stealthy (like blue pill). There is no magical am_i_on_a_virtualized_machine() function that is completely reliable, and never will be, but if you're willing to spend a lot of time trying you can combine multiple exploits, and keep adding new ones over time… over all, detection will probably have the advantage for the foreseeable future.


Related Topics

How to Build Kernel Debug Info as Separate File

Deciphering Device Tree

Run Hydra (Mpiexec) Locally Gives Strange Ssh Error

Escaping Bash Variable

How to Make Sudo Save The Password

Git Says Everything Up-To-Date

./Configure-With-Boost No Such File or Directory

Cpu Usage in Top Batch Mode

Command Key to Meta in Emacs

Double Free - Crash or No Crash

How to Know If I Can Compile with Fma Instruction Sets

How to Create a File of Size More Than 2Gb in Linux/Unix

.Rodata Section Loaded in Executable Page

Using Awk to Get a Specific String in Line

Ansible Permissions Issue

Empty Plot in R

I2C Write Acknowledge Polling in Linux Kernel

How to Build Kernel Debug Info as Separate File


Leave a reply



Submit