How to identify that you're running under a VM?

南旧 2020-11-29 23:42

Is there a way to identify, from within a VM, that your code is running inside a VM?

I guess there are more or less easy ways to identify specific VM systems, especi

12 Answers
  • 2020-11-30 00:37

    Here is a (Java + Windows) solution to identify whether the underlying machine is physical or virtual.

    Virtual Machines Examples:

    Manufacturer

    • Xen
    • Microsoft Corporation
    • innotek GmbH
    • Red Hat
    • VMware, Inc.

    Model

    • HVM domU
    • Virtual Machine
    • VirtualBox
    • KVM
    • VMware Virtual Platform

      import java.io.BufferedReader;
      import java.io.InputStreamReader;
      import java.util.ArrayList;
      import java.util.List;

      public abstract class OSUtil {

          // Runs the command via cmd.exe and returns its non-blank output lines, trimmed.
          public static final List<String> readCmdOutput(String command) {
              List<String> result = new ArrayList<>();

              try {
                  Process p = Runtime.getRuntime().exec("cmd /c " + command);
                  // Read stdout before waitFor() so a full pipe buffer cannot stall the child.
                  try (BufferedReader reader = new BufferedReader(
                          new InputStreamReader(p.getInputStream()))) {
                      String line;
                      while ((line = reader.readLine()) != null) {
                          if (!line.trim().isEmpty()) {
                              result.add(line.trim());
                          }
                      }
                  }
                  p.waitFor();
              } catch (Exception e) {
                  e.printStackTrace();
              }

              return result;
          }

          // Returns the 1-based line of the command output, or null if there is no such line.
          public static final String readCmdOutput(String command, int lineNumber) {
              List<String> result = readCmdOutput(command);
              if (lineNumber < 1 || result.size() < lineNumber) {
                  return null;
              }

              return result.get(lineNumber - 1);
          }

          // WMIC prints a column header on line 1 and the value on line 2.
          public static final String getBiosSerial() {
              return readCmdOutput("WMIC BIOS GET SERIALNUMBER", 2);
          }

          public static final String getHardwareModel() {
              return readCmdOutput("WMIC COMPUTERSYSTEM GET MODEL", 2);
          }

          public static final String getHardwareManufacturer() {
              return readCmdOutput("WMIC COMPUTERSYSTEM GET MANUFACTURER", 2);
          }

          public static void main(String[] args) {
              System.out.println("BIOS Serial: " + getBiosSerial());
              System.out.println("Hardware Model: " + getHardwareModel());
              System.out.println("Hardware Manufacturer: " + getHardwareManufacturer());
          }
      }
      

    You can use the output to decide whether it is a VM or a physical machine:

    Physical machine output:

    BIOS Serial: 2HC3J12
    Hardware Model: Inspiron 7570
    Hardware Manufacturer: Dell Inc.

    Virtual machine output:

    BIOS Serial: 0
    Hardware Model: Innotec GmBH
    Hardware Manufacturer: Virtual Box

    0 Discussion (0)
  • 2020-11-30 00:38

    TrapKIT provides ScoopyNG, a tool for VMware identification -- it attempts to work around evasion techniques, but doesn't necessarily target any virtualization software other than VMware. Both source and binaries are available.

    0 Discussion (0)
  • 2020-11-30 00:42

    A more empirical approach is to check for known VM device drivers. You could write WMI queries to locate, say, the VMware display adapter, disk drive, network adapter, etc. This would be suitable if you knew you only had to worry about known VM host types in your environment. Here's an example of doing this in Perl, which could be ported to the language of your choice.

    0 Discussion (0)
  • 2020-11-30 00:43

    If the VM does the job well, it should be invisible to the client that it's being virtualized. However, one can look at other clues.

    I would imagine that looking for known drivers or software specific to the VM environment would be the best possible way.

    For example, on a VMware client running Windows, vmxnet.sys would be the network driver, displayed as VMware accelerated AMD PCNet Adapter.

    0 Discussion (0)
  • 2020-11-30 00:43

    On Linux systems, you can try to search for common files in /proc.

    For example, the existence of /proc/vz/ tells you it is OpenVZ.

    Here's a full guide to detecting VM environments under Linux without having to "drink pills" :)

    0 Discussion (0)
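An added example, not part of any answer above: a Linux check for host inventory that combines the Manufacturer/Model strings listed in the first answer with the /proc hint from the answer just above. The function name `virtualization_hints` and its `root` parameter are hypothetical; the DMI sysfs paths, the `hypervisor` flag in /proc/cpuinfo and the /proc/bc test are assumptions about the Linux side that the answers do not state.

```python
import os

# Strings from the Manufacturer / Model lists on this page, lower-cased for matching.
VM_VENDORS = ("xen", "innotek gmbh", "red hat", "vmware, inc.")
VM_MODELS = ("hvm domu", "virtualbox", "kvm", "vmware virtual platform")


def _read(root, rel):
    """Return the stripped contents of root/rel, or "" if it cannot be read."""
    try:
        with open(os.path.join(root, rel), errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def virtualization_hints(root="/"):
    """Collect (source, evidence) pairs; an empty list means no hint was found."""
    hints = []
    vendor = _read(root, "sys/class/dmi/id/sys_vendor")
    model = _read(root, "sys/class/dmi/id/product_name")
    v, m = vendor.lower(), model.lower()
    # Microsoft also builds physical machines, so the vendor alone proves nothing:
    # require the generic "Virtual Machine" model string as well.
    hyperv = v == "microsoft corporation" and m == "virtual machine"
    if hyperv or v in VM_VENDORS or m in VM_MODELS:
        hints.append(("dmi", f"{vendor} / {model}"))

    # x86 guests normally see the CPUID "hypervisor" bit as a cpuinfo flag.
    for line in _read(root, "proc/cpuinfo").splitlines():
        if line.startswith("flags") and "hypervisor" in line.split(":", 1)[-1].split():
            hints.append(("cpuinfo", "hypervisor flag"))
            break

    # /proc/vz exists on OpenVZ hosts and containers; /proc/bc only on the host.
    if os.path.isdir(os.path.join(root, "proc/vz")):
        inside = not os.path.isdir(os.path.join(root, "proc/bc"))
        hints.append(("openvz", "container" if inside else "host node"))
    return hints


if __name__ == "__main__":
    for source, evidence in virtualization_hints():
        print(f"{source}: {evidence}")
```

An empty result only means none of these hints was present; it is not proof of physical hardware.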
  • 2020-11-30 00:46

    It depends on what you are after:

    • If the VM is not hiding from you on purpose, you can use some known hook. Like looking for VMware drivers or the presence of certain strings in memory or certain other tell-tale signs.

    • If the VM is really wanting you to do special things for it, it will have some obvious hook in place, like modifying the ID of the processor or adding some special registers that you can access to detect it. Or as a special device in a known location in memory (presuming you can get raw access to the physical memory space of your world). Note that modern machine designs like the IBM Power6 and Sun UltraSparc T1/T2 are designed to ALWAYS run a hypervisor, and never directly on raw hardware. The interface to the "hardware" that an OS uses is in fact the interface to a hypervisor software layer, with no way to get around it. In this case, detection is trivial since it is a constant "yes". This is the likely future direction for all computer systems that can afford the overhead; look at the support in recent designs like the Freescale QorIQ P4080 chip, for example (www.freescale.com/qoriq).

    • If the VM is intentionally trying to hide, and you are chasing its presence, it is a game of cat-and-mouse where the timing disturbance and different performance profile of a VM is almost always going to give it away. Obviously, this depends on how the VM is implemented and how much hardware support there is in place in the architecture (I think a zSeries mainframe is much better at hiding the presence of a VM or stack of VMs under your particular OS than a regular x86 machine is, for example). See http://jakob.engbloms.se/archives/97 for some discussion on this topic. It is possible to try to hide as a VM, but detection is quite likely to always win if it tries hard enough.

    0 Discussion (0)