How to Detect Application is Running within a Virtualized OS Instance – the fact is that the virtual machine is not an entirely the accurate representation of a real dedicated system. You got the point! A virutalized OS is a kind of ‘second’ OS on a machine. This means that the resources needs to be shared.
How to Detect Application is Running within a Virtualized OS Instance : Facts!
How to Detect Application is Running within a Virtualized OS Instance is important from another aspect – there are Web Hosting Companies (usually who do not have own datacenter), who offer Dedicated Server at very lesser cost. Well, the low price tag never means that they are pushing a Virtualized OS or rather a VPS covered with cPanel Like Web Hosting Control Panel. Dedicated server can vary in cost due to various factors. Rackspace is usually taken as The Standard for Dedicated Hosting – their charge starts from 500 USD per month, even if we deduct the $100 bundled support (cost of $100 per month is for Cloud Server, we are taking it is the same for Dedicated Hosting) and cost of higher quality of Hardware, Isolated Network (roughly $150 per month), with the same configuration, minimum charge of Dedicated Hosting should be $250 USD per month. But, there are web hosting companies who offers at lesser than $200 USD per month. The chance of cheating can not be entirely ruled out.
With cPanel, it is possible to detect, but we are assuming a fully bland, default Linux instance. The question, How to Detect Application is Running within a Virtualized OS is often asked in various webmasters forums.
---
How to Detect Application is Running within a Virtualized OS
Obviously, we can easily run a virtualization software on a Dedicated Server, as it is the only Operating System on the Physical Machine. Virtualization on Virtualization is possible to run, but we will not go through this way.
Blue pill, Red pill is a technique used to see whether you are running inside a virtual machine or not. The origin of the term is, as can be guessed from The Matrix movie where Neo is offered a blue or a red pill (to stay inside The Matrix = Blue or to enter the ‘real’ world = Red). The Matrix means Virtualized System (Blue Pill).
RedPill technique will return false positives on multi-core CPUs. On a quad-core system, 75% of the time it will tell you that it is running in a VM. NoPill” to get additional details. Blue pill, Red pill practically historically important.
The CPUID instruction retrieves info about the CPU directly from the chip. Issuing a CPUID instruction shouldn™t touch memory. But on Intel chips, if you™re in a VT-x guest virtual machine, CPUID causes a œVM exit ”- a trap to the hypervisor.
Here is Blue Pill (this is updated one) :
1 | https://github.com/bluepill-rb/bluepill |
Actually, the blue pill rootkit is malware that executes as a hypervisor to gain control of computer resources. The hypervisor has to emulate the CPUID instruction to the guest machine on behalf of the actual hardware. The hypervisor is just code, probably written in C, just like the kernel. And at a minimum, it has to touch memory to figure out what kind of trap it is handling. In the original Intel VT-x implementation, a VM exit flushed the whole TLB, just like a CR3 write does in a process switch. So that™s pretty noticeable.
1 2 | # vmware http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458 |
dmidecode is a tool for dumping a computer’s DMI (some say SMBIOS) table contents in a human-readable format. Running dmidecode as command (works both on deb based and rpm based Linux) will return some result, pointing towards the fact – it is a Virtual Machine. Examples :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | # VMWare $ command dmesg | grep -i virtual $ output VMware vmxnet virtual NIC driver Vendor: VMware Model: Virtual disk Rev: 1.0 hda: VMware Virtual IDE CDROM Drive, ATAPI CD/DVD-ROM drive #KVM $ command dmesg | grep -i virtual $output CPU: AMD QEMU Virtual CPU version 0.9.1 stepping 03 ~or [ 0.000000] Booting paravirtualized kernel on KVM #Xen $command dmesg | grep -i xen $output Xen virtual console successfully installed as tty1 #Virtuozzo $command ls -al /proc/vz $output veinfo veinfo_redir veredir vestat vzaquota vzdata |
Here is manual page (you can grep other info) :
1 | http://linux.die.net/man/8/dmidecode |
Under Linux, you can report on /proc/cpuinfo. If it is on VMware, it usually comes-up differently than if it is on bare metal, but not always. Virtuozzo shows a pass-through to the underlying hardware. virt-what, imvirt are other such tools :
1 2 3 4 5 6 | http://linux.die.net/man/1/virt-what https://github.com/DE-IBH/imvirt # For RedHat https://bugzilla.redhat.com/show_bug.cgi?id=573771 # For Windows http://msdn.microsoft.com/en-us/library/ff538624(VS.85).aspx |
There are also anti-methods, practically blackhats which can make the tests false negative. dmesg is quite good if tested against multiple hardware. Actually the Networking can be non Dedicated. The cheating adds some vulnerability too. As we say, unless there is huge need of dedicated resources, it is better to go with a VPS or Cloud Server.
Tagged With blue pill github rootkit , nopill vm , what is the use of programs like imvirt that detect if they are running in a virtual lenvironmennt