undefined | Better HN

0 pointstalmand12y ago0 comments

Out of curiosity, how would the security applications know that it was being run on a VM? Why would they care? That suggests they believe no one has a legitimate reason to run Windows in a VM.

0 comments

1 comments · 1 top-level

cnvogel12y ago

On Detection:

There are a few things that leak presence of a virtual machine to running code (even in userspace).

There are the easy signs, e.g. that the virtualbox guest kernel-modules or utility programs for clipboard exchange are running. Or that your harddisk controller has a PCI ID identifying it as a Oracle Virtualbox AHCI device.

But on a hardware-virtualized machine there are also numerous inconsistencies to be observed which are not influencing the correct execution of "normal" code, but leak the existance of the hypervisor to the guest OS (and sometimes even to non-privileged user-code in the guest OS).

Google for "Red Pill VM detection", unfortunately currently invisiblethings.org (the site of the author) seems to be unavailable.

j / k navigate · click thread line to collapse