Detecting Qemu

TehUser · March 22, 2006, 11:58 AM

Does anyone know of a way to detect whether or not a program is being run from within Qemu emulation? I'm familiar with the methods of detection for Virtual PC and VMWare, but I've not read anything about Qemu. Any information would be appreciated.

MyndFyre · March 22, 2006, 05:41 PM

I haven't been able to find anything; however, I'd suggest checking against the hardware specs provided by Qemu and what the OS has. There can't be that many computers these days running a Sound Blaster 16 and Cirrus Logic VGA card.

Warrior · March 22, 2006, 06:30 PM

I don't know if there is a method, best place to try would be the Qemu forums. Only things I know of are Bochs/VPC/VMWare detection methods, sorry.

Kp · March 22, 2006, 06:33 PM

Quote from: Warrior on March 22, 2006, 06:30 PM
I don't know if there is a method, best place to try would be the Qemu forums. Only things I know of are Bochs/VPC/VMWare detection methods, sorry.

Although I've no use for it yet, I'm now curious: how does one detect the various emulators? Is there a specific sequence of instructions/calls which the emulator is programmed to recognize, or is the detection just based off imperfections in the emulation? Explanations or links to explanations would be welcome.

Darawk · March 22, 2006, 07:03 PM

http://www.offensivecomputing.net/?q=node/172 <-- Generic VM detection method
http://www.invisiblethings.org/papers/redpill.html <-- Works on some VM's...but has some faults, as described in the above paper
http://www.trapkit.de/research/vmm/vmm.htm <-- A nice collection of more general research on the topic of "defeating"(detecting and/or breaking out of) VMM's.

Warrior · March 22, 2006, 07:14 PM

I think most either have special ports assigned or others have quirks which give them away.

MyndFyre · March 22, 2006, 07:19 PM

Quote from: Kp on March 22, 2006, 06:33 PM
Although I've no use for it yet, I'm now curious: how does one detect the various emulators? Is there a specific sequence of instructions/calls which the emulator is programmed to recognize, or is the detection just based off imperfections in the emulation? Explanations or links to explanations would be welcome.

VMWare and VirtualPC are "backdoored," in that they support the host PC interacting with the client emulated machine through instructions that would normally not function. I believe VMWare allows access to the host PC through an IN or OUT instruction specifying a port that does not exist, while Virtual PC attempts to access a privileged instruction within the virtual machine environment. The client OS needs to be specifically equipped to deal with these issues, as well.

In any case, these two emulators are detected by attempting to generate the errors that would be raised, catching the exceptions, and if exceptions were raised, you know you're not on one of these emulators.

dxoigmn · March 22, 2006, 08:00 PM

If you do come across anything about detecting qemu (other then just detecting a particular set of hardware), please do let me know. I have not come across anything of the sort, but I have read most of the papers for detecting VMWare, Virtual PC, and UML. Seems like Xen would be another VM to look into as well, although most of my work has been with VMWare, qemu and UML.

Just curious, why are you doing this?

TehUser · March 23, 2006, 02:08 PM

http://www.codeproject.com/system/VmDetect.asp

Specific code for detecting VMWare and VirtualPC is there, along with an explanation of how it works.

Quote from: dxoigmn on March 22, 2006, 08:00 PM
Just curious, why are you doing this?

Curiosity, fun, whatever.