About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

 Forums >>  Target Specific - General  >>  Detection of Hyper-V virtual machines

Topic created on: October 4, 2012 15:38 CDT by spoofy .

Anyone here know of any work dealing with detection of hyper-v virtual machines? Most research I find references VMware and virtualPC

  PeterFerrie     October 5, 2012 12:25.04 CDT
check bit 31 of eflags register, it's 1 if Hyper-V is running

  pk     October 7, 2012 10:30.16 CDT
check HKLM\System\\CurrentControlSet\services\vmicheartbeat key + "virtual hd" string is used in STORAGE_DEVICE_DESCRIPTOR.Product

  spoofy   October 7, 2012 18:45.47 CDT
eflags doesn't work . its the same on both vm and non-vm.

  PeterFerrie     October 8, 2012 17:43.12 CDT
yes, I misremembered. :-(
it's actually bit 31 of ECX after CPUID.EAX=1

  waleedassar     October 8, 2012 18:55.29 CDT

int main(int argc, char* argv[])
{
bool x=0;
__asm
{
        pushad
        pushfd
        pop eax
        or eax,0x00200000
        push eax
        popfd
        pushfd
        pop eax
        and eax,0x00200000
        jz CPUID_NOT_SUPPORTED ;Are you still alive?
        xor eax,eax
        xor edx,edx
        xor ecx,ecx
        xor ebx,ebx
        inc eax ;processor info and feature bits
        cpuid
        test ecx,0x80000000 ;Hypervisor present
        jnz Hypervisor
        mov x,0
        jmp bye
Hypervisor:
        mov x,1
        jmp bye
CPUID_NOT_SUPPORTED:
        mov x,2
bye:
        popad
    }
    if(x==1)
    {
        MessageBox(0,"Hypervisor detected","waliedassar",0);
        ExitProcess(3);
    }
return 0;
}

Check these links:

http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/detecting-x86-virtual-machines.html
http://en.wikipedia.org/wiki/CPUID

Note: Registration is required to post to the forums.

There are 31,314 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...
djnemo on:
Nov/17
Kernel debugger vs user mod...
acel on:
Nov/14
Kernel debugger vs user mod...
pedram on:
Dec/21
frida.github.io: scriptable...
capadleman on:
Jun/19
Using NtCreateThreadEx for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit