Bayu Prasetio’s Weblog

Exploring the Possibilities

«
»

Virtual Machine Detection

Posted by bprasetio on April 29, 2008

Marshall Fryman posts some code snippets on how to detect if application running under virtualized environment, such as VMWare, Virtual PC, Wine, etc.

So, I’ve made a demo based on the code he provided, and here some snapshots.

Native Environment

Virtual PC

VMWare GSX Server

VMWare Workstation

Wine

This entry was posted on April 29, 2008 at 2:26 pm and is filed under Delphi. Tagged: , , , , . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

3 Responses to “Virtual Machine Detection”

  1. Marshall Fryman said

    May 5, 2008 at 11:05 pm

    Do you have a Parallels install? I found a security researcher who claimed that you could detect Parallels using an interrupt. I haven’t found anyone who has shown specifically how the call works (or even anyone else who documents that this exists). Since I really don’t do asm very well, I haven’t been able to decide what xxxxx should be. Well, that plus I don’t have a Parallels install. :)

    The article is here : http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf (pages 5 & 6). Any chance you grok asm enough to decipher what should be passed ?

    Reply

  2. bprasetio said

    May 6, 2008 at 9:38 am

    Thank you for pointing me to the article, first I have to get Parallels and others described in the article. I think it will be a lot of funs (and stresses??) about detecting many virtual machines. :D

    Reply

  3. Marshall Fryman said

    May 7, 2008 at 3:26 am

    np, let me know if you need anything.

    m

    Reply

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

«
»