Author Topic: Assembler methods for Virtual Machine Detection

Jovanna

Assembler methods for Virtual Machine Detection
« on: July 10, 2019, 01:13:40 AM »
Dear Assembler Masters,

I created this topic mainly for sharing code, functions, methods, ideas and approaches for wisely and smartly detecting that your app is running on a virtual machine.

I understand detecting it is quite a difficult issue, as described by Stéphane Charette in this article:
http://charette.no-ip.com:81/programming/2009-12-30_Virtualization/index.html
(my favorite article, even if it seems quite hopeless)
Stéphane Charette was kind enough to provide a code example:
http://charette.no-ip.com:81/programming/2009-12-30_Virtualization/2009-12-30_Virtualization.c
I pasted it into Code::Blocks (C console app) and there are some errors:
Line 40: Error: width of ‘base’ exceeds its type
Line 114: Error: unknown type name ‘cpu_set_t’
Maybe the compiler GNU GCC is not the proper one? Would you please help?
Thanks.

Kind regards

TimoVJL

Re: Assembler methods for Virtual Machine Detection
« Reply #1 on: July 10, 2019, 02:21:20 AM »
Linux-specific code?

Fake include?
Code: [Select]
/* Fake replacement for the glibc types that the Linux-only sample pulls in
   (bits/types.h and bits/cpu-set.h), so it compiles on toolchains without them. */
#ifndef FAKE_CPU_SET_H
#define FAKE_CPU_SET_H

#define __SLONGWORD_TYPE        long int
#define __ULONGWORD_TYPE        unsigned long int

/* Quad types are only needed by the X32 branch below; glibc defines them in
   bits/types.h, which this fake include replaces. */
#ifndef __SQUAD_TYPE
# define __SQUAD_TYPE           long long int
# define __UQUAD_TYPE           unsigned long long int
#endif

/* X32 kernel interface is 64-bit.  */
#if defined __x86_64__ && defined __ILP32__
# define __SYSCALL_SLONG_TYPE        __SQUAD_TYPE
# define __SYSCALL_ULONG_TYPE        __UQUAD_TYPE
#else
# define __SYSCALL_SLONG_TYPE        __SLONGWORD_TYPE
# define __SYSCALL_ULONG_TYPE        __ULONGWORD_TYPE
#endif

//cpu-set.h

/* Size definition for CPU sets.  */
#define __CPU_SETSIZE        1024
#define __NCPUBITS        (8 * sizeof (__cpu_mask))

#define __CPU_MASK_TYPE         __SYSCALL_ULONG_TYPE

/* Type for array elements in 'cpu_set_t'.  */
typedef __CPU_MASK_TYPE __cpu_mask;

/* Data structure to describe CPU mask: one bit per CPU, 1024 CPUs total.  */
typedef struct
{
  __cpu_mask __bits[__CPU_SETSIZE / __NCPUBITS];
} cpu_set_t;

#endif /* FAKE_CPU_SET_H */

fearless

Re: Assembler methods for Virtual Machine Detection
« Reply #2 on: July 10, 2019, 02:22:42 AM »
https://github.com/LordNoteworthy/al-khaser
has a lot of info on detecting VMs.

AW

Re: Assembler methods for Virtual Machine Detection
« Reply #3 on: July 10, 2019, 03:13:32 AM »
This method will tell you which VM you are in (or not in).
Of course, kernel mode malware can subvert it, and in general can subvert any other method.

Edit: I removed the attachment because it contains a bug. It will be fixed later.
« Last Edit: July 10, 2019, 03:06:54 PM by AW »

AW

Re: Assembler methods for Virtual Machine Detection
« Reply #4 on: July 11, 2019, 12:21:50 AM »
There was a small bug in the code, which is now fixed.
It was also tested in VBox in addition to VMWare. I don't expect problems on other Virtual Machines, but I have no current installs of them to confirm.
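As an added illustration of the kind of check AW's "which VM you are in" method and the al-khaser project rely on (this is not AW's attachment and not al-khaser code), the example below reads the CPUID hypervisor-present bit (leaf 1, ECX bit 31) and, when set, the 12-byte vendor string from the hypervisor leaf 0x40000000 that VMware, VirtualBox, KVM and Hyper-V all publish; the helper names are mine, and it assumes GCC/Clang with `<cpuid.h>` on x86. The same CPUID path is what a sandbox or analysis VM operator would test against when hardening an environment against such checks.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Pack the EBX/ECX/EDX registers returned by CPUID leaf 0x40000000 into the
 * 12-byte hypervisor vendor string (e.g. "VMwareVMware", "VBoxVBoxVBox",
 * "KVMKVMKVM"). out must hold at least 13 bytes; kept register-only so it
 * can be exercised with constructed values on any host. */
void hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Returns 1 if CPUID leaf 1 reports the hypervisor-present bit (ECX bit 31),
 * 0 if not, -1 if CPUID is unavailable for this build target. On 1 the vendor
 * string is written to out; otherwise out is the empty string. */
int detect_hypervisor(char out[13]) {
    out[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!(ecx & (1u << 31)))
        return 0;
    /* Leaf 0x40000000 lies above the max basic leaf, so __get_cpuid would
       refuse it; issue the instruction directly via the __cpuid macro. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    hv_vendor_from_regs(ebx, ecx, edx, out);
    return 1;
#else
    return -1;
#endif
}

int main(void) {
    char vendor[13];
    int r = detect_hypervisor(vendor);
    if (r < 0)       printf("CPUID not available on this target\n");
    else if (r == 0) printf("hypervisor-present bit not set\n");
    else             printf("hypervisor-present bit set, vendor leaf = \"%s\"\n", vendor);
    return 0;
}
```

A nested or hardened hypervisor may clear the bit or spoof the vendor leaf, which is exactly the subversion AW notes above; treat a negative result as "not reported", not "not virtualized".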