Determining when running in a virtual machine

Posted 2024-07-17 23:30:33

Is there an official way for an application to determine if it is running in VMWare or Virtual PC (or whatever Microsoft is calling it now)? The code I have seen is usually a hack that took advantage of some odd behavioral side effect in a specific version of VMWare or Virtual PC.

Ideally Delphi code, but if you can link to an official explanation then I am sure I can convert it.

Comments (10)

魂牵梦绕锁你心扉 2024-07-24 23:30:33

I wrote a series of articles last year on this, with source code. VMware and Wine detection are here. Virtual PC is here. All three of these have pretty iron-clad detection because there are documented callbacks to the hypervisor (in the case of Wine, an extension to a standard DLL). I put up an untested VirtualBox detector (don't have it installed to test with) in the comment section. Parallels might be detectable using a callback also but I don't have it installed. The link for the documentation (which is poor since it's from a security researcher focusing on exploits) but located here if you have it installed and are interested. There's also a PPT here that has some information on detecting Sandbox, Bochs, and Xen. Not a lot of code in it but it might give you a starting point if you have to detect those.

梦幻的味道 2024-07-24 23:30:33

Code Project shows a way to Detect if your program is running inside a Virtual Machine, which goes into much detail on how to accomplish it, to give a good understanding.

南七夏 2024-07-24 23:30:33

I think the best approach to this is to check the hardware profiles. Virtualized hardware usually uses part of the company's name. If you check the motherboard description while in Virtual PC, you will notice it is made by "Microsoft Corporation". Likewise in VMWare, your ethernet adapter will be prefixed with VMNet.

小清晰的声音 2024-07-24 23:30:33

This thread on the SysInternals forums has a couple of answers (in Delphi, of course), including a single IsVM function. I've tested on XP and Win2003 hosted on both XP and Vista in VMWare with good results.

海螺姑娘 2024-07-24 23:30:33

There is a WMI way posted here:
http://blogs.msdn.com/virtual_pc_guy/archive/2005/10/27/484479.aspx

I've double checked in an XP image running on Virtual PC, and the value they're testing for is still the same. I won't guarantee what other VMs return here, though...

I've actually got a Delphi program I wrote a couple of years ago to get a list of and change the default printer using WMI, without requiring 3rd party components or anything like that. In case you're not used to working with WMI from Delphi, I can send you a copy so you have something to work off (it's not necessarily Unicode-compatible, though, but it shouldn't be too hard for me to upgrade it if need be).

み零 2024-07-24 23:30:33

I used the RedPill method (translated to Delphi, but the code isn't that hard to understand) which worked fairly well. I also included a few extra checks using WMI calls to get things like the network adapter vendor name and copyrights, but that was for detecting specific versions of Virtual PC.

My understanding of the RedPill method is that it should work and detect all virtual machines based on the nature of how it works. There is the possibility that false positives might be generated also, as the new Windows within Windows feature of Windows 7 can be configured to run selected programs in a copy of Windows XP seamlessly inside Windows 7.

亽野灬性zι浪 2024-07-24 23:30:33

I've had good luck with just looking at the MAC address as all manufacturers are given a block and the first 3 parts are unique to them.

//look at the MAC address and determine if it's a Virtual Machine
$temp = preg_split("/\s+/", exec("/sbin/ifconfig -a eth0 2>&1 | /bin/grep HWaddr"), -1, PREG_SPLIT_NO_EMPTY);
//Virtual Box MACs all start with '08:00:27:xx:xx:xx', so test the prefix (position 0), not any substring
if (strpos($temp[4], '08:00:27') === 0) $_SESSION['DEVELOPMENT'] = true;
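An added example (not code from the answer above) that generalises the MAC-address check: it parses both the legacy `ifconfig` "HWaddr" format the PHP snippet greps for and `ip link` output, and compares the OUI against a small table of the well-known hypervisor OUIs (the answer lists only VirtualBox's 08:00:27), testing the prefix rather than any substring. The interface output in the block is constructed sample data.

```python
import re

# Well-known OUIs (first three octets) assigned to virtualization vendors.
# The answer above only checks VirtualBox's 08:00:27; the rest are the
# equally public IEEE assignments for the other common hypervisors.
VIRTUAL_OUIS = {
    "08:00:27": "VirtualBox",
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "00:1c:42": "Parallels",
}
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")
IGNORED = {"00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"}  # loopback / broadcast

def extract_macs(text):
    """Hardware addresses in ifconfig ('HWaddr ..') or 'ip link' ('link/ether ..') output."""
    macs = []
    for m in MAC_RE.finditer(text):
        mac = m.group(1).lower().replace("-", ":")  # normalise to colon form
        if mac not in IGNORED:
            macs.append(mac)
    return macs

def classify_mac(mac):
    """Hypervisor vendor for a MAC's OUI, or None (physical NIC or unlisted hypervisor)."""
    return VIRTUAL_OUIS.get(mac[:8])

def detect_vm_from_interfaces(text):
    """(vendor, mac) for the first adapter with a hypervisor OUI, else (None, None)."""
    for mac in extract_macs(text):
        vendor = classify_mac(mac)
        if vendor:
            return vendor, mac
    return None, None

# Constructed sample output (not captured from a real host) in both formats.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 08:00:27:4B:2C:1A
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
"""
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:0c:29:aa:bb:cc brd ff:ff:ff:ff:ff:ff
"""
```

A MAC set by hand or by a bridged network driver will not carry the hypervisor's OUI, so treat a miss as "no evidence", not as proof of physical hardware.
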

能否归途做我良人 2024-07-24 23:30:33

To determine whether the machine is physical or a VM:

dmidecode | egrep -i 'manufacturer|product'

If the dmidecode command is not found, install the respective rpm.

This is tested under ESXi, VMWARE and hyperv machines.

你的背包 2024-07-24 23:30:33

dmidecode -s system-product-name

Tested on VirtualBox, result:

Virtualbox

七颜 2024-07-24 23:30:33

If you want to generally detect the presence of any type of virtualization, you are best analyzing performance characteristics. Take something that is significantly slower in virtualization (such as MMU heavy workload like a fork-bomb) and time it against a normal CPU bound user space app. From the ratio you can easily tell.

The easiest in terms of effort, if you only care about certain VMMs, is to look for their hardware, i.e. VMware PCI devices:

00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 08)
Subsystem: VMware Inc Virtual Machine Chipset

15ad:1976

The vendor value is '15ad'

There are also specific backdoor ports that work across various VMMs in various versions. SIDT trick is good too, but what if a VMM is not on the list that his code is checking?
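An added example (not code from any answer on this page) that turns the `dmidecode` checks in the two answers above and the PCI vendor-ID check in this one into a parser over the tools' real output formats: it reads the SMBIOS System Information table from `dmidecode` output and the `vvvv:dddd` IDs from `lspci -nn` output, and reports which hypervisor each points to. The tool output in the block is constructed sample data, and the signature tables are the well-known vendor strings and PCI vendor IDs (the page itself quotes only 15ad).

```python
import re

# SMBIOS System Information strings (dmidecode -s system-manufacturer /
# system-product-name) that identify common hypervisors.
DMI_SIGNATURES = {"vmware": "VMware", "innotek gmbh": "VirtualBox",
                  "virtual machine": "Hyper-V / Virtual PC",
                  "qemu": "QEMU/KVM", "xen": "Xen"}
# PCI vendor IDs that only emulated devices carry (15ad is quoted above).
PCI_VM_VENDORS = {"15ad": "VMware", "80ee": "VirtualBox",
                  "1af4": "virtio (QEMU/KVM)", "5853": "Xen"}
PCI_ID_RE = re.compile(r"\b([0-9a-f]{4}):[0-9a-f]{4}\b")  # vendor:device

def parse_dmi(text):
    """Parse `dmidecode` output into {section: {field: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and not line.startswith(("Handle", "#")):
            current = sections.setdefault(line.strip(), {})   # section title
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")       # indented field
            current[key.strip()] = value.strip()
    return sections

def dmi_verdict(text):
    """Hypervisor named by the System Information table, or None."""
    info = parse_dmi(text).get("System Information", {})
    haystack = " ".join(info.get(f, "") for f in ("Manufacturer", "Product Name")).lower()
    for needle, vendor in DMI_SIGNATURES.items():
        if needle in haystack:
            return vendor
    return None

def pci_verdict(text):
    """Hypervisors whose PCI vendor IDs occur in `lspci -nn` output (sorted, de-duplicated)."""
    found = {m.group(1) for m in PCI_ID_RE.finditer(text.lower())}
    return sorted({PCI_VM_VENDORS[v] for v in found if v in PCI_VM_VENDORS})

# Constructed sample output in the real tools' formats (not captured from a host).
SAMPLE_DMIDECODE = """\
# dmidecode 3.2
Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: VMware, Inc.
\tProduct Name: VMware Virtual Platform
"""
SAMPLE_LSPCI = """\
00:07.3 Bridge [0680]: Intel Corporation 82371AB/EB/MB PIIX4 ACPI [8086:7113] (rev 08)
\tSubsystem: VMware Inc Virtual Machine Chipset [15ad:1976]
00:0f.0 VGA compatible controller [0300]: VMware SVGA II Adapter [15ad:0405]
"""
```

Both sources are under the hypervisor's control (SMBIOS strings are configurable per VM), so agreement between them is stronger evidence than either alone.
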
