How to identify that you're running under a VM?


Question

Is there a way to identify, from within a VM, that your code is running inside a VM?

I guess there are more or less easy ways to identify specific VM systems, especially if the VM has the provider's extensions installed (such as for VirtualBox or VMware). But is there a general way to identify that you are not running directly on the CPU?

Answer

A lot of the research on this is dedicated to detecting so-called "blue pill" attacks, that is, a malicious hypervisor that is actively attempting to evade detection.

The classic trick to detect a VM is to populate the ITLB, run an instruction that must be virtualized (which necessarily clears out such processor state when it gives control to the hypervisor), then run some more code to detect if the ITLB is still populated. The first paper on it is located here, and a rather colorful explanation from a researcher's blog and alternative Wayback Machine link to the blog article (images broken).

Bottom line from discussions on this is that there is always a way to detect a malicious hypervisor, and it's much simpler to detect one that isn't trying to hide.
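The answer above describes detecting a hypervisor through the side effects of an instruction that must be virtualized. As an added example, not code from the original answer, the following C program shows the simpler case the answer's last sentence refers to, a hypervisor that is not trying to hide: it reads the CPUID "hypervisor present" bit and the vendor signature leaf, and adds a crude RDTSC timing probe around CPUID, which traps to the hypervisor on every VM exit. It assumes x86/x86-64 with GCC or Clang; the 1000-cycle threshold is an assumption to be calibrated per machine, and the KVM register values used by the offline self-check helper are constructed from the documented signature layout.

```c
/* Added example (not from the original answer). Detects a hypervisor that is
 * not trying to hide, via CPUID, plus a crude timing probe around CPUID,
 * which always causes a VM exit. Assumes x86/x86-64 with GCC or Clang; on
 * other architectures the live probes report "unknown". */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* CPUID leaf 1, ECX bit 31: "hypervisor present". Reserved and always 0 on
 * bare metal; set by every mainstream hypervisor that is not hiding. */
int hypervisor_bit_set(uint32_t ecx_leaf1) {
    return (int)((ecx_leaf1 >> 31) & 1u);
}

/* CPUID leaf 0x40000000 returns a 12-byte vendor signature in EBX:ECX:EDX,
 * low byte first within each register (e.g. "KVMKVMKVM", "VMwareVMware"). */
void hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

/* Helper for offline checking: does a register triple decode to `expected`? */
int vendor_decodes_to(uint32_t ebx, uint32_t ecx, uint32_t edx, const char *expected) {
    char buf[13];
    hv_vendor_from_regs(ebx, ecx, edx, buf);
    return strcmp(buf, expected) == 0;
}

/* Timing side of the "must be virtualized" idea: CPUID traps to the
 * hypervisor, so it costs far more cycles there than on bare metal.
 * The threshold is an assumption; calibrate it on a known bare-metal box. */
#define VM_CPUID_CYCLE_THRESHOLD 1000u

int timing_suggests_vm(uint64_t median_cpuid_cycles) {
    return median_cpuid_cycles > VM_CPUID_CYCLE_THRESHOLD;
}

/* Live probe: 1 = hypervisor bit set, 0 = clear, -1 = unavailable. */
int live_hypervisor_bit(void) {
#if HAVE_X86
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return -1;
    return hypervisor_bit_set(c);
#else
    return -1;
#endif
}

/* Live probe: fills the vendor string; returns 0 if not available. */
int live_hv_vendor(char out[13]) {
#if HAVE_X86
    unsigned a, b, c, d;
    __cpuid(0x40000000, a, b, c, d); /* not a valid leaf on bare metal, so only meaningful when the bit is set */
    (void)a;
    hv_vendor_from_regs(b, c, d, out);
    return 1;
#else
    out[0] = '\0';
    return 0;
#endif
}

static uint64_t cpuid_cycles_once(void) {
#if HAVE_X86
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;
#endif
}

/* Median of `samples` CPUID timings (max 64); 0 if samples <= 0 or not x86. */
uint64_t live_median_cpuid_cycles(int samples) {
    uint64_t s[64];
    if (samples <= 0) return 0;
    if (samples > 64) samples = 64;
    for (int i = 0; i < samples; i++) {
        uint64_t v = cpuid_cycles_once();
        int j = i;
        while (j > 0 && s[j - 1] > v) { s[j] = s[j - 1]; j--; } /* insertion sort */
        s[j] = v;
    }
    return s[samples / 2];
}

int main(void) {
    char vendor[13] = "";
    int bit = live_hypervisor_bit();
    uint64_t med = live_median_cpuid_cycles(32);
    printf("hypervisor bit : %d (1 = VM, 0 = none, -1 = unknown)\n", bit);
    if (bit == 1 && live_hv_vendor(vendor))
        printf("vendor leaf    : \"%s\"\n", vendor);
    printf("median CPUID   : %llu cycles -> %s\n", (unsigned long long)med,
           timing_suggests_vm(med) ? "looks virtualized" : "looks like bare metal");
    return 0;
}
```

The CPUID checks only catch a hypervisor that advertises itself; a "blue pill" style hypervisor can clear the bit and fake the leaf, which is why the answer's ITLB trick and the timing probe look at side effects instead. The timing probe is deliberately simple: RDTSC is itself virtualizable and can be offset or scaled by the hypervisor, so treat a high median as a hint, not proof.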
