Virtual Machine Detection
Posted by bprasetio on April 29, 2008
Marshall Fryman posted some code snippets showing how to detect whether an application is running in a virtualized environment such as VMware, Virtual PC, Wine, etc.
So, I've made a demo based on the code he provided, and here are some snapshots.







Marshall Fryman said
Do you have a Parallels install? I found a security researcher who claimed that you could detect Parallels using an interrupt. I haven’t found anyone who has shown specifically how the call works (or even anyone else who documents that this exists). Since I really don’t do asm very well, I haven’t been able to decide what xxxxx should be. Well, that plus I don’t have a Parallels install.
The article is here: http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf (pages 5 & 6). Any chance you grok asm enough to decipher what should be passed?
bprasetio said
Thank you for pointing me to the article. First I have to get Parallels and the others described in the article. I think it will be a lot of fun (and stress??) detecting many virtual machines.
Marshall Fryman said
np, let me know if you need anything.
m