I need to detect whether my application is running within a virtualized OS instance or not.

I've found an article with some useful information on the topic. The same article appears in multiple places; I'm unsure of the original source. VMware implements a particular invalid x86 instruction to return information about itself, while VirtualPC uses a magic number and I/O port with an IN instruction.

This is workable, but appears to be undocumented behavior in both cases. I suppose a future release of VMware or VirtualPC might change the mechanism. Is there a supported mechanism for either product? Is there a better way? Similarly, is there a way to detect Xen or VirtualBox?

I'm not concerned about cases where the platform is deliberately trying to hide itself. For example, honeypots use virtualization but sometimes obscure the mechanisms that malware would use to detect it. I don't care that my app would think it is not virtualized in these honeypots; I'm just looking for a "best effort" solution.

The application is mostly Java, though I'm expecting to use native code plus JNI for this particular function. Windows XP/Vista support is most important, though the mechanisms described in the referenced article are generic features of x86 and don't rely on any particular OS facility.