1

I want to be able to do so from both Windows and Linux. I know that there are ways of doing this by getting sysinfo and using rules of thumb related to hardware identifiers.

I want to know if there is a more fundamental method, like looking at a memory address / issuing an interrupt etc.

BTW, I am trying to do this on Intel hardware, and the virtualization software I use is VMware Workstation and Windows Hyper-V.

user1952500
  • 3
    Closely related: http://stackoverflow.com/questions/12874288/how-to-detect-if-the-script-is-running-on-a-virtual-machine and http://stackoverflow.com/questions/498371/how-to-detect-if-my-application-is-running-in-a-virtual-machine – Thilo Mar 12 '13 at 23:22
  • 1
    For Windows, have you found/tried `www.offensivecomputing.net/dc14/vmdetect.cpp` ? – azhrei Mar 12 '13 at 23:25
  • @azhrei: I didn't know that. That looks interesting. – user1952500 Mar 12 '13 at 23:52
  • @Thilo: the codeproject link from SO was very interesting. I'll try implementing one of the above. Thanks – user1952500 Mar 12 '13 at 23:55

3 Answers

3

Here is one more useful command:

```
$ lscpu | grep -E 'Hypervisor vendor|Virtualization type'
Hypervisor vendor:     KVM
Virtualization type:   full
```

Example output of other commands:

```
$ sudo virt-what
kvm

$ dmesg | grep -i virtual
[    0.000000] Booting paravirtualized kernel on KVM
[    0.029160] CPU0: Intel QEMU Virtual CPU version 1.0 stepping 03

$ sudo dmidecode | egrep -i 'manufacturer|product|vendor|domU'
    Vendor: Bochs
    Manufacturer: Bochs
    Product Name: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
    Manufacturer: Bochs
```

dabest1
2

At least one of these should work to detect if you are running under VMware (or some other common virtual environment) on Linux:

Check for virtual devices detected by kernel when system boots.

```
dmesg | grep -i virtual
```

Another way to detect virtualized hardware devices, if dmesg doesn't say anything useful.

```
dmidecode | egrep -i 'manufacturer|product|vendor|domU'
```

You can also check for virtual disks:

```
cat /proc/ide/hd*/model
```

Virtuozzo can usually be detected by looking for /proc/vz or /dev/vzfs.

Charles Boyd
  • I was more interested in understanding how the kernel detects it. I know that there are sysinfo/proc and other mechanisms that detect it based on hardware identifiers. Am looking for a more fundamental method. – user1952500 Mar 12 '13 at 23:57
  • Here's a possibly useful CPAN module that will detect virtualization (at least on Linux/BSD systems): http://search.cpan.org/dist/Sys-Detect-Virtualization/lib/Sys/Detect/Virtualization.pm – Charles Boyd May 02 '13 at 18:59
  • There is also `virt-what` from RedHat, but it also uses a heuristic method to detect virtualization. I do not think there is a fundamental method for doing this - also (as I understand) the kernel does not know or care if it is running in a VM or not. You may be able to figure it out though by inserting certain kernel modules and seeing what happens, or figure out some way to see if kernel has shared resources (back to the VM host) by looking at memory addresses belonging to certain kernel processes. – Charles Boyd May 02 '13 at 19:06
1

Most software checks the hypervisor CPUID leaf:

Leaf 0x40000000, Hypervisor CPUID information.

EAX: The maximum input value for hypervisor CPUID info (0x40000010).

EBX, ECX, EDX: Hypervisor vendor ID signature. E.g. "KVMKVMKVM"

Leaf 0x40000010, Timing information.

EAX: (Virtual) TSC frequency in kHz.

EBX: (Virtual) Bus (local apic timer) frequency in kHz.

ECX, EDX: RESERVED

Of course, you are still relying on the hypervisor to give you this information. It may very well decide not to report 0x40000000 at all, in turn leading the guest to believe that it's actually running on real hardware.

Bandan
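
The CPUID check from the last answer, as an added example in C (not code from the answer or from any project). It first tests CPUID leaf 1, ECX bit 31 (the hypervisor-present bit, which the answer does not mention), then reads the vendor signature from leaf 0x40000000. Assumptions: GCC or Clang on x86, function names chosen here, and a short, non-exhaustive signature table.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Rebuild the 12-byte vendor signature from EBX, ECX, EDX of leaf 0x40000000. */
void hv_signature(unsigned ebx, unsigned ecx, unsigned edx, char out[13])
{
    unsigned regs[3] = { ebx, ecx, edx };   /* byte order as the CPU returns it */
    memcpy(out, regs, 12);
    out[12] = '\0';
}

/* Map a signature to a product name (short, non-exhaustive table). */
const char *hv_name(const char *sig)
{
    static const char *known[][2] = {
        { "KVMKVMKVM", "KVM" },        { "VMwareVMware", "VMware" },
        { "Microsoft Hv", "Hyper-V" }, { "XenVMMXenVMM", "Xen" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(sig, known[i][0]) == 0)
            return known[i][1];
    return sig[0] ? "unknown hypervisor" : "none reported";
}

/* Returns 1 and fills sig when CPUID reports a hypervisor, else 0. */
int detect_hypervisor(char sig[13])
{
    sig[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    /* Leaf 1, ECX bit 31 is the hypervisor-present bit: 0 on bare metal. */
    if (__get_cpuid(1, &a, &b, &c, &d) && (c & (1u << 31))) {
        __cpuid(0x40000000, a, b, c, d);  /* __get_cpuid() rejects this leaf */
        hv_signature(b, c, d, sig);
        return 1;
    }
#endif
    return 0;
}

int main(void)
{
    char sig[13];
    int present = detect_hypervisor(sig);
    printf("present=%d vendor=%s sig=\"%s\"\n", present, hv_name(sig), sig);
    return 0;
}
```

When the hypervisor hides the bit or the leaf, `detect_hypervisor()` returns 0, which is the limitation the answer points out.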