Determine when running in a virtual machine
F

10

42

Is there an official way for an application to determine if it is running in VMWare or Virtual PC (or whatever Microsoft is calling it now)? The code I have seen is usually a hack that took advantage of some odd behavioral side effect in a specific version of VMWare or Virtual PC.

Ideally Delphi code, but if you can link to an official explanation then I am sure I can convert it.

Footing answered 22/4, 2009 at 23:51 Comment(2)
Just curious what is the use case for knowing you are on VM? I've always considered one of the primary benefits of VM that (ideally) you don't need to know whether you are on physical hardware or not. – Numbersnumbfish
Curiosity really. A co-worker asked and I had remembered reading about it, but wasn't sure the best way. Although I could see wanting to restrict your application from running in a VM for security reasons, but that would be REALLY ANNOYING to your users. I know Virtual PC won't let you run in VMWare (at least when I tried). – Footing
C
36

I wrote a series of articles last year on this, with source code. VMware and Wine detection are here. Virtual PC is here. All three of these have pretty iron-clad detection because there are documented callbacks to the hypervisor (in the case of Wine, an extension to a standard DLL). I put up an untested VirtualBox detector (don't have it installed to test with) in the comment section. Parallels might be detectable using a callback also, but I don't have it installed. The documentation (which is poor, since it's from a security researcher focusing on exploits) is located here if you have it installed and are interested. There's also a PPT here that has some information on detecting Sandbox, Bochs, and Xen. Not a lot of code in it, but it might give you a starting point if you have to detect those.

Coldshoulder answered 23/4, 2009 at 1:15 Comment(2)
These were the articles I remembered reading about it. Thanks! The code is even in Delphi. – Footing
It should be noted that it's not using some officially documented scheme to detect the presence of VirtualPC. It's using instructions that should be invalid on the real hardware, that VPC uses for communication to the outside. Nothing is to say that those instructions can't change in the future, or that Intel couldn't release a CPU that then uses those "unused" instructions. – Eiland
M
5

Code Project shows a way to Detect if your program is running inside a Virtual Machine that goes into much detail on how to accomplish it, to give a good understanding.

Meal answered 22/4, 2009 at 23:55 Comment(4)
I had looked at that link before, but being that it was 4 years old and didn't really cite any sources, I wasn't sure if it was still valid. Virtualization software has changed a lot since then. – Footing
It has changed a lot, but that example checks the register that the hypervisor uses for interrupts, and being a person that knows some info about hypervisors, that part still has yet to change. – Meal
OK, I will test these on the latest virtual machines. Thanks! – Footing
These tests work with VMWare Workstation 5 up to the latest. I don't use VPC. – Arrange
D
2

I think the best approach to this is to check the hardware profiles. Virtualized hardware usually uses part of the company's name. If you check the motherboard description while in Virtual PC, you will notice it is made by "Microsoft Corporation". Likewise in VMWare, your ethernet adapter will be prefixed with VMNet.

Dawdle answered 22/4, 2009 at 23:57 Comment(0)
A
2

This thread on the SysInternals forums has a couple of answers (in Delphi, of course), including a single IsVM function. I've tested on XP and Win2003 hosted on both XP and Vista in VMWare with good results.

Arrange answered 23/4, 2009 at 10:26 Comment(0)
D
1

There is a WMI way posted here: http://blogs.msdn.com/virtual_pc_guy/archive/2005/10/27/484479.aspx

I've double checked in an XP image running on Virtual PC, and the value they're testing for is still the same. I won't guarantee what other VMs return here, though...

I've actually got a Delphi program I wrote a couple of years ago to get a list of and change the default printer using WMI, without requiring 3rd party components or anything like that. In case you're not used to working with WMI from Delphi, I can send you a copy so you have something to work off (it's not necessarily Unicode-compatible, though, but it shouldn't be too hard for me to upgrade it if need be).

Durarte answered 22/4, 2009 at 23:56 Comment(2)
There is also virtualbox, and VMWare among others. – Dawdle
Correct, which is where everything gets a bit iffy if you want to check those as well - you need to look at the hardware info provided by these other VMs to see what special value you can look for there. However, the question asks for VPC, and that code handles it. I would argue that WMI is, regardless of VM, the best bet for a unified way of getting the required info, though, as all you need to change is the query and field name you're checking. – Durarte
V
1

I used the RedPill method (translated to Delphi, but the code isn't that hard to understand) which worked fairly well. I also included a few extra checks using WMI calls to get things like the network adapter vendor name and copyrights, but that was for detecting specific versions of Virtual PC.

My understanding of the RedPill method is that it should work and detect all virtual machines based on the nature of how it works. There is the possibility that false positives might be generated also, as the new Windows within Windows feature of Windows 7 can be configured to run selected programs in a copy of Windows XP seamlessly inside Windows 7.

Vanda answered 24/4, 2009 at 23:39 Comment(3)
The problem with RedPill and likewise similar techniques such as the initial scoopy_doo is that it produces false-positives when run on multi-core systems. Google for "NoPill" for additional details. – Gentlemanfarmer
Also, other techniques are obsolete or produce false positives: charette.no-ip.com:81/programming/2009-12-30_Virtualization/… – Attitude
@skamradt: Have you seen this? -> blog.assarbad.net/20061105/redpill-getting-colorless – Degreeday
D
1

I've had good luck with just looking at the MAC address as all manufacturers are given a block and the first 3 parts are unique to them.

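// Look at the MAC address and determine if it's a virtual machine
$temp = preg_split("/\s+/", exec("/sbin/ifconfig -a eth0 2>&1 | /bin/grep HWaddr"), -1, PREG_SPLIT_NO_EMPTY);
// VirtualBox MACs all start with '08:00:27:xx:xx:xx'; the MAC is the fifth field of the HWaddr line
// Require the field to exist and the prefix to match at position 0, not anywhere in the string
if (isset($temp[4]) && stripos($temp[4], '08:00:27') === 0) $_SESSION['DEVELOPMENT'] = true;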
Dumps answered 1/12, 2009 at 1:40 Comment(1)
Also keep in mind that most virtualization software will let you modify the MAC address to anything you want. Thus, this technique is not reliable. – Gentlemanfarmer
K
1

To determine whether the machine is physical or a VM:

dmidecode | egrep -i 'manufacturer|product'

If the dmidecode command is not found, install the respective rpm.

This is tested under ESXi, VMware and Hyper-V machines.

Kinsfolk answered 20/10, 2010 at 5:7 Comment(0)
F
1
dmidecode -s system-product-name

Tested on VirtualBox, result:

Virtualbox
Forcemeat answered 17/11, 2010 at 20:37 Comment(0)
S
0

If you want to generally detect the presence of any type of virtualization, you are best analyzing performance characteristics. Take something that is significantly slower in virtualization (such as MMU heavy workload like a fork-bomb) and time it against a normal CPU bound user space app. From the ratio you can easily tell.

Easiest in terms of effort, if you only care about certain VMMs, is to look for their hardware, i.e. VMware PCI devices:

00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 08) Subsystem: VMware Inc Virtual Machine Chipset

15ad:1976

The vendor value is '15ad'

There are also specific backdoor ports that work across various VMMs in various versions. SIDT trick is good too, but what if a VMM is not on the list that his code is checking?

Smarmy answered 29/5, 2009 at 8:45 Comment(0)
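
The MAC-prefix, dmidecode and PCI-vendor checks from the answers above, combined so that no single signal decides the result (an added example, not code from any poster in this thread). The marker tables beyond `08:00:27` and `15ad`, the function names and the sample values are assumptions chosen for illustration.

```python
import re

# Marker tables are assumptions added for this example. Only 08:00:27 (VirtualBox
# MAC prefix) and 15ad (VMware PCI vendor) are values quoted in the thread.
MAC_OUI = {"08:00:27": "VirtualBox", "00:05:69": "VMware", "00:0c:29": "VMware",
           "00:1c:14": "VMware", "00:50:56": "VMware", "00:15:5d": "Hyper-V",
           "00:16:3e": "Xen"}
PCI_VENDOR = {"15ad": "VMware", "80ee": "VirtualBox", "1af4": "KVM/virtio", "5853": "Xen"}
DMI_SUBSTR = {"vmware": "VMware", "virtualbox": "VirtualBox", "innotek": "VirtualBox",
              "qemu": "KVM/QEMU", "xen": "Xen"}

def from_dmi(manufacturer, product):
    """Classify `dmidecode -s system-manufacturer` / `system-product-name` strings."""
    text = f"{manufacturer} {product}".lower()
    for needle, name in DMI_SUBSTR.items():
        if needle in text:
            return name
    # "Microsoft Corporation" is also the vendor of physical Microsoft hardware,
    # so only count it when the product string says "virtual" too.
    if "microsoft" in manufacturer.lower() and "virtual" in product.lower():
        return "Microsoft (Hyper-V/Virtual PC)"
    return None

def from_macs(macs):
    """Match the first three octets as a prefix, ignoring case and '-' separators."""
    return {MAC_OUI.get(m.strip().lower().replace("-", ":")[:8]) for m in macs} - {None}

def from_lspci(text):
    """Collect known vendor IDs from vendor:device pairs in `lspci -n` / `lspci -nv` output."""
    vendors = re.findall(r"\b([0-9a-f]{4}):[0-9a-f]{4}\b", text.lower())
    return {PCI_VENDOR[v] for v in vendors if v in PCI_VENDOR}

def assess(manufacturer, product, macs, lspci_text):
    """Return (verdict, votes); votes maps a platform name to the sources that named it."""
    dmi = from_dmi(manufacturer, product)
    votes = {}
    for source, names in (("dmi", {dmi} - {None}), ("mac", from_macs(macs)),
                          ("pci", from_lspci(lspci_text))):
        for name in sorted(names):
            votes.setdefault(name, []).append(source)
    if not votes:
        return "no VM evidence", votes
    best = max(votes, key=lambda n: len(votes[n]))
    if len(votes[best]) >= 2:
        return f"{best} (corroborated)", votes
    # A MAC address is user-settable, so a lone MAC match is only a hint.
    label = "weak: MAC only" if votes[best] == ["mac"] else "single source"
    return f"{best} ({label})", votes

if __name__ == "__main__":
    # Constructed sample: a physical host whose NIC was given a VirtualBox-range MAC.
    print(assess("Dell Inc.", "OptiPlex 7090", ["08:00:27:11:22:33"],
                 "00:02.0 0300: 8086:4c8a"))
```
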
