Determine when running in a virtual machine

遇见更好的自我 2020-12-12 11:39

Is there an official way for an application to determine if it is running in VMWare or Virtual PC (or whatever Microsoft is calling it now)? The code I have seen i

10 Answers
  • 2020-12-12 12:09

    I used the RedPill method (translated to Delphi, but the code isn't that hard to understand) which worked fairly well. I also included a few extra checks using WMI calls to get things like the network adapter vendor name and copyrights, but that was for detecting specific versions of Virtual PC.

    My understanding of the RedPill method is that it should work and detect all virtual machines based on the nature of how it works. There is the possibility that false positives might be generated also as the new Windows within Windows feature of Windows 7 can be configured to run selected programs in a copy of Windows XP seamlessly inside Windows 7.

    0 Discussion (0)
  • 2020-12-12 12:10

    I think the best approach to this is to check the hardware profiles. Virtualized hardware usually uses part of the company's name. If you check the motherboard description while in Virtual PC, you will notice it is made by "Microsoft Corporation". Likewise in VMWare, your ethernet adapter will be prefixed with VMNet.

    0 Discussion (0)
  • 2020-12-12 12:14

    I've had good luck with just looking at the MAC address as all manufacturers are given a block and the first 3 parts are unique to them.

    // Look at the MAC address and determine if it's a virtual machine.
    // Assumes the older net-tools ifconfig output format with an "HWaddr" field.
    $temp = preg_split("/\s+/", exec("/sbin/ifconfig -a eth0 2>&1 | /bin/grep HWaddr"), -1, PREG_SPLIT_NO_EMPTY);
    // VirtualBox MACs all start with '08:00:27:xx:xx:xx', so match the prefix only
    if (isset($temp[4]) && strpos($temp[4], '08:00:27') === 0) $_SESSION['DEVELOPMENT'] = true;
    
    0 Discussion (0)
  • 2020-12-12 12:18

    If you want to generally detect the presence of any type of virtualization, you are best analyzing performance characteristics. Take something that is significantly slower in virtualization (such as MMU heavy workload like a fork-bomb) and time it against a normal CPU bound user space app. From the ratio you can easily tell.

    Easiest in terms of effort if you only care about certain VMMs is to look for their hardware, i.e. VMware PCI devices:

    00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 08) Subsystem: VMware Inc Virtual Machine Chipset

    15ad:1976

    The vendor value is '15ad'

    There are also specific backdoor ports that work across various VMMs in various versions. SIDT trick is good too, but what if a VMM is not on the list that his code is checking?

    0 Discussion (0)
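
The MAC-prefix check and the PCI vendor check from the answers above, combined as an added Python example (not code from any of the posters). Only `08:00:27` and `15ad` come from the page; the other prefixes and vendor IDs are added from public OUI and PCI ID assignments, and the function names and sample inputs are constructed for illustration.

```python
import re

# Known hypervisor identifiers. Only 08:00:27 and 15ad come from the answers
# above; the rest are added here from public OUI / PCI ID assignments.
VM_MAC_PREFIXES = {
    "08:00:27": "VirtualBox", "00:05:69": "VMware", "00:0c:29": "VMware",
    "00:1c:14": "VMware", "00:50:56": "VMware", "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen", "52:54:00": "QEMU/KVM",
}
VM_PCI_VENDORS = {"15ad": "VMware", "80ee": "VirtualBox",
                  "1af4": "QEMU/KVM (virtio)", "1414": "Hyper-V"}

_MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
# `lspci -n` line: "<slot> <class>: <vendor>:<device> ..."
_LSPCI_N = re.compile(r"^\S+\s+[0-9a-f]{4}:\s+([0-9a-f]{4}):[0-9a-f]{4}", re.M)

def mac_hypervisor(mac):
    """Return the hypervisor name for a MAC, matching the first three octets only."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC.fullmatch(mac):
        return None  # malformed input is not evidence either way
    return VM_MAC_PREFIXES.get(mac[:8])

def vm_evidence(macs, lspci_n_output):
    """Collect (hypervisor, source, value) tuples. This is evidence, not a
    verdict: MACs can be reassigned and PCI devices can be passed through."""
    found = []
    for mac in macs:
        name = mac_hypervisor(mac)
        if name:
            found.append((name, "mac", mac))
    for vendor in sorted(set(_LSPCI_N.findall(lspci_n_output.lower()))):
        if vendor in VM_PCI_VENDORS:
            found.append((VM_PCI_VENDORS[vendor], "pci", vendor))
    return found

# Constructed sample input: the second MAC contains "08:00:27" but not as its
# prefix, so a substring search would misreport it as VirtualBox.
SAMPLE_MACS = ["00:0C:29:3A:5B:7C", "00:08:00:27:aa:bb"]
SAMPLE_LSPCI_N = """\
00:00.0 0600: 8086:7190 (rev 01)
00:07.3 0680: 8086:7113 (rev 08)
00:0f.0 0300: 15ad:0405
"""

if __name__ == "__main__":
    for item in vm_evidence(SAMPLE_MACS, SAMPLE_LSPCI_N):
        print(item)
```

On a live Linux host the inputs would come from `/sys/class/net/*/address` and the output of `lspci -n`.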