BugTraq
RE: Generically Determining the Presence of Virtual Machines
Mar 20 2006 07:44PM
Thomas Guyot-Sionnest (Thomas zango com)
I suggest you make sure you're using the accelerator mode, which should put
qemu in "Virtualization" mode.
If you're doing full CPU emulation then the result you get was correct: you
weren't doing any virtualization inside qemu.
Thomas
> -----Original Message-----
> From: Jeff Epler [mailto:jepler (at) unpythonic (dot) net [email concealed]]
> Sent: March 18, 2006 12:01
> To: valsmith (at) metasploit (dot) com [email concealed]
> Cc: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: Re: Generically Determining the Presence of Virtual Machines
>
> I ran the code at the end of 'vm.pdf' inside qemu 0.8.0 running a debian
> linux system. The host system was a single core amd64 machine running
> fedora linux. I believe that 'kqemu' acceleration may be in use, but
> I'm not sure.
>
> I modified the source code to use gcc-style inline assembly, e.g.,
> asm("sidt %0" : "=m" (m));
>
> Over 1000 runs, it consistently reported a native system, even though it
> is running under emulation.
>
> I don't feel that I was able to follow the paper, but I don't understand
> why this is claimed to detect (any) virtualization, as opposed to
> detecting some detail of vmware and virtual pc's emulation software.
> The results I got with qemu reinforce this impression.
>
> Jeff
> PS here's the output from the last run of the detection program:
> (transcribed, so there may be errors)
> (none):/mnt# ./a.out
> IDTR: ff 07 00 c0 44 c0
> GDTR: ff 00 80 d9 48 c0
> LDTR: 88 00 80 d9 48 c0
> Native machine detected.
>
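As an added example (not code from the thread, the paper, or either poster), the following decodes the transcribed IDTR/GDTR/LDTR lines above according to how a 32-bit sidt/sgdt/sldt stores its result, and applies the red-pill style top-byte threshold, which is assumed here to be the check the detection program makes; the sample lines are Jeff's transcript.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Parse a transcribed line such as "IDTR: ff 07 00 c0 44 c0" into the raw
 * bytes the instruction stored.  Returns the number of bytes parsed (6 for a
 * complete SIDT/SGDT line). */
static int parse_dtr_line(const char *line, uint8_t out[6]) {
    const char *p = strchr(line, ':');
    int n = 0, used = 0;
    unsigned v;
    if (!p) return 0;
    p++;
    while (n < 6 && sscanf(p, " %2x%n", &v, &used) == 1) {
        out[n++] = (uint8_t)v;
        p += used;
    }
    return n;
}

static uint16_t le16(const uint8_t *b) { return (uint16_t)(b[0] | (b[1] << 8)); }
static uint32_t le32(const uint8_t *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* A 32-bit SIDT/SGDT stores the 16-bit table limit in bytes 0-1 and the 32-bit
 * linear base in bytes 2-5, little-endian.  0 is returned for a bad line. */
uint16_t dtr_limit_from_line(const char *line) {
    uint8_t b[6];
    return parse_dtr_line(line, b) == 6 ? le16(b) : 0;
}
uint32_t dtr_base_from_line(const char *line) {
    uint8_t b[6];
    return parse_dtr_line(line, b) == 6 ? le32(b + 2) : 0;
}

/* SLDT stores only a 16-bit selector, so on the "LDTR:" line just bytes 0-1
 * are meaningful; the transcript's trailing four bytes equal the GDTR base,
 * as expected if the program reused one buffer for all three reads. */
uint16_t ldt_selector_from_line(const char *line) {
    uint8_t b[6];
    return parse_dtr_line(line, b) >= 2 ? le16(b) : 0;
}

/* Red-pill style test, assumed here to be what the paper's program applies:
 * only the top byte of the IDT base is compared with 0xd0.  With the usual
 * 3G/1G split a 32-bit Linux kernel maps its IDT at 0xc0000000+, so a guest
 * whose IDT stays where its own kernel put it (qemu without an accelerator,
 * as Thomas suggests) reads as native: the threshold captures a relocation
 * artifact of specific hypervisors, not virtualization as such. */
int idt_base_flags_vm(uint32_t base) {
    return (base >> 24) > 0xd0;
}
```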
Copyright 2010, SecurityFocus