DaveHope.co.uk

Detecting VMWare

Interested in how to detect the presence of VMware / VirtualServer, I came across this bit of code, which detects whether an application is being run in a virtual environment.

/* Red pill: runs SIDT from a user-mode buffer on the stack. 32-bit x86 only; it needs
   an executable stack, and the (unsigned)m cast would truncate a pointer on 64-bit. */
int swallow_redpill (void) {
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3"; /* sidt [abs32]; ret */
    *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch the address of m into the sidt operand */
    ((void(*)())&rpill)();                   /* m now holds the 2-byte limit followed by the 4-byte base */
    return (m[5]>0xd0) ? 1 : 0;              /* high byte of the IDT base above 0xd0: treat as VM */
}

This works by abusing the SIDT instruction, which stores the contents of the Interrupt Descriptor Table Register (IDTR) to memory. It can be executed from ring 3, revealing a sensitive register used by the OS. Because there can only be one IDTR, the VM software needs to relocate the guest's IDTR to a new location, and that location is predictable for a given VM product.
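To make the magic numbers above explicit, here is an added example (not code from this post, Invisible Things or TrapKit) that decodes the 6-byte memory image SIDT writes on 32-bit x86 and applies the same m[5] > 0xd0 heuristic; the IDTR values are constructed samples, not captured from any real host or VM, and the code never executes SIDT itself.

```c
#include <stdint.h>

/* Memory image written by a 32-bit SIDT: 2-byte limit, then 4-byte linear base,
   both little-endian. That is the m[2+4] buffer the red pill reserves. */
struct idtr32 {
    uint16_t limit;
    uint32_t base;
};

/* Decode the raw bytes without relying on struct packing. */
struct idtr32 decode_idtr32(const unsigned char m[6])
{
    struct idtr32 r;
    r.limit = (uint16_t)(m[0] | (m[1] << 8));
    r.base  = (uint32_t)m[2]        | ((uint32_t)m[3] << 8) |
             ((uint32_t)m[4] << 16) | ((uint32_t)m[5] << 24);
    return r;
}

/* The red pill heuristic: compare the high byte of the IDT base (m[5]) with
   0xd0. Returns 1 when the check would flag a VM, 0 otherwise. Note this is
   a single-CPU heuristic: on an SMP system each processor has its own IDT,
   so the value changes with the CPU the thread happens to run on. */
int redpill_flags_vm(const unsigned char m[6])
{
    return ((decode_idtr32(m).base >> 24) > 0xd0) ? 1 : 0;
}

/* Constructed sample images (hypothetical values, not real IDTR contents). */
static const unsigned char SAMPLE_LOW[6]  = { 0xff, 0x07, 0x00, 0xf0, 0x0d, 0x80 }; /* base 0x800df000 */
static const unsigned char SAMPLE_EDGE[6] = { 0xff, 0x07, 0x00, 0x00, 0x00, 0xd0 }; /* base 0xd0000000 */
static const unsigned char SAMPLE_HIGH[6] = { 0xff, 0x07, 0x00, 0x00, 0xe2, 0xf1 }; /* base 0xf1e20000 */
```

The edge sample shows the comparison is strict: a base whose top byte is exactly 0xd0 is not flagged.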

Kudos to Invisible Things for an interesting read. There are some expansions on this code over at TrapKit for anyone who’s interested.
