windows 8 task manager virtualization option

Question

I am trying to find a way to programatically detect that my program runs on a virtual machine, as far as I know there is no common way for parallels to do that.

Windows 8 task manager performance tab displays a "Virtaulization" option, what does it mean? When i run windows 8 in a virtual machine it changes to virtual processors and virtual machine: yes, so some how windows 8 detects that it is running inside a virtual machine, how does windows 8 detect that it is running in a virtual machine? Is it possible to get this information programatically? I tried both on parallels and vm ware and both works fine.

Answer 1

You should take a look at this interesting article Red Pill... or how to detect VMM using (almost) one CPU instruction by Joanna Rutkowska which used to be here but is now dead and can only be viewed with the waybackmachine here and Virtualization: Red Pill or Blue? by Steven McElwee which also used to be here but can now only be viewed here.

Heres the code:

int swallow_redpill()
{
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    *((unsigned*)&rpill[3]) = (unsigned)m;
    ((void(*)())&rpill)();
    return (m[5]>0xd0) ? 1 : 0;
}

It should return 1 if running in a virtual machine and 0 if not.

---

Edit: It may return false-positives on modern cpus and its apparently better to combine a couple of tests together to make sure the result is real.

Answer 2

On VMware you could check for the CD drive vendor- should be "VMware" or "VMware, Inc." or something like this.

I don't know about VMware workstation but on ESXi your MAC address generally starts with "00:50:56". You could make use of this, too.

Have a look at virt-what. Maybe you can port it to Windows.

And maybe How to detect install is running on a VM? can help you.